Commit df84a53b authored by allgdante, committed by Rasmus Thomsen

testing/apparmor: upgrade to 2.13.4

parent 469f955a
From dcd62ba910aa8c54576cba0e442478cfacd916d6 Mon Sep 17 00:00:00 2001
From 1951d7c3535d46edbfe16b8a1b8d2176d96d4235 Mon Sep 17 00:00:00 2001
From: allgdante <allan.garret@gmail.com>
Date: Wed, 4 Jul 2018 17:11:42 +0200
Subject: [PATCH 5/7] utils: adjust tests to match the Alpine layout
Date: Mon, 23 Mar 2020 16:12:36 +0000
Subject: [PATCH 07/12] utils: adjust tests to match the Alpine layout
Here we need to adjust several utilities path with the ones used by
Alpine
---
utils/test/test-aa.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
utils/test/test-aa.py | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
index d93b8eae..b40a2001 100644
index b5221737..9d1d3ecc 100644
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -154,12 +154,12 @@ class AaTest_get_interpreter_and_abstraction(AATest):
@@ -157,15 +157,13 @@ class AaTest_get_interpreter_and_abstraction(AATest):
tests = [
('#!/bin/bash', ('/bin/bash', 'abstractions/bash')),
('#!/bin/dash', ('/bin/dash', 'abstractions/bash')),
......@@ -26,10 +26,13 @@ index d93b8eae..b40a2001 100644
('#!/usr/bin/perl', ('/usr/bin/perl', 'abstractions/perl')),
('#!/usr/bin/perl -w', ('/usr/bin/perl', 'abstractions/perl')), # '-w' is not part of the interpreter path
- ('#!/usr/bin/python', ('/usr/bin/python', 'abstractions/python')),
+ ('#!/usr/bin/python', ('/usr/bin/python', 'abstractions/python')),
('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')),
('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')),
- ('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')),
- ('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')),
('#!/usr/bin/python3', ('/usr/bin/python3', 'abstractions/python')),
+ ('#!/usr/bin/python3.8', ('/usr/bin/python3.8', 'abstractions/python')),
('#!/usr/bin/python4', ('/usr/bin/python4', None)), # python abstraction is only applied to py2 and py3
('#!/usr/bin/ruby', ('/usr/bin/ruby', 'abstractions/ruby')),
('#!/usr/bin/ruby2.2', ('/usr/bin/ruby2.2', 'abstractions/ruby')),
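Review bot: the interpreter table now pins a specific minor version in `('#!/usr/bin/python3.8', ...)` while the `python2` and `python2.7` cases are removed, so the test needs another edit on every Python bump and no longer exercises the py2 half of the mapping that the `python4` comment ("only applied to py2 and py3") still describes. Consider deriving the versioned entry from the running interpreter, or keeping the py2 rows if the abstraction lookup does not require the binary to exist.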
--
2.20.1
2.25.2
From 2a6a482eac7c6290d2e4349ff4bae1b9a749497f Mon Sep 17 00:00:00 2001
From: allgdante <allan.garret@gmail.com>
Date: Sun, 22 Mar 2020 17:30:20 +0000
Subject: [PATCH 08/12] Fix profile loading in busybox
Just apply the patch present in
https://gitlab.com/apparmor/apparmor/-/issues/80
---
parser/rc.apparmor.functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions
index 22e8367f..8c1c57c5 100644
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -140,7 +140,7 @@ force_complain() {
local profile=$1
# if profile not in complain mode
- if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
+ if ! egrep -q '^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+\{' $profile ; then
local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
if [ -e "$link" ] ; then
aa_log_warning_msg "found $link, forcing complain mode"
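Review bot: in the changed `egrep` line, `[ \t]` does not match a tab, because a backslash is literal inside a POSIX bracket expression, so the class matches a space, a backslash or the letter `t`; a profile that uses tabs around `flags=(complain)` is therefore not recognised as being in complain mode. `[[:space:]]` expresses the intent and works the same in busybox and GNU grep. While touching this line, `$profile` should also be quoted, since it is expanded unquoted as the file argument.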
--
2.25.2
From 71bbc6a4ce79802ad037227382817c5998ffbb2e Mon Sep 17 00:00:00 2001
From: Eric Chiang <ericchiang@google.com>
Date: Thu, 17 Jan 2019 11:02:57 -0800
Subject: [PATCH 09/12] *: ensure make apparmor_parser is cached
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
---
common/Make.rules | 21 ---------------------
common/list_af_names.sh | 19 +++++++++++++++++++
parser/Makefile | 13 +++++--------
utils/vim/create-apparmor.vim.py | 2 +-
4 files changed, 25 insertions(+), 30 deletions(-)
create mode 100755 common/list_af_names.sh
diff --git a/common/Make.rules b/common/Make.rules
index d2149fcd..357bdec8 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
list_capabilities: /usr/include/linux/capability.h
@echo "$(CAPABILITIES)"
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
- @echo "$(AF_NAMES)"
-
# =====================
# manpages
# =====================
diff --git a/common/list_af_names.sh b/common/list_af_names.sh
new file mode 100755
index 00000000..d7987537
--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/PF_UNIX/d' \
+ -e 's/PF_LOCAL/PF_UNIX/' \
+ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+ sort -n -k2
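Review bot: the `#!/bin/bash -e` shebang does not catch a failure of `cpp` in this pipeline, because the pipeline's status is that of the final `sort`; if the preprocessor or `sys/socket.h` is missing, the script prints nothing and exits 0, and its callers generate an empty address-family list without any error. Adding `set -o pipefail` (or checking the output is non-empty) would make the failure visible. Minor: "sence" in the comment should be "sense".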
diff --git a/parser/Makefile b/parser/Makefile
index c1ca4b45..aa5ab730 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -281,10 +281,9 @@ parser_version.h: Makefile
# as well as the filtering that occurs for network protocols that
# apparmor should not mediate.
-.PHONY: af_names.h
-af_names.h:
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
# cat $@
cap_names.h: /usr/include/linux/capability.h
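Review bot: with `.PHONY: af_names.h` removed, the new `af_names.h: ../common/list_af_names.sh` rule can leave a bad header in place permanently: the recipe writes with `> $@` and then `>> $@`, each line's status is that of `sed`, and once the file exists it is only regenerated when the script changes. A failed or empty run of the script therefore produces an `af_names.h` that make treats as up to date. Writing to a temporary file and renaming it on success would avoid that. The rule also has no prerequisite on the socket header itself, unlike `cap_names.h`, which lists `/usr/include/linux/capability.h`, so a header update will not trigger regeneration.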
@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
$(Q)$(MAKE) -s -C tst tests
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
.PHONY: install-rhel4
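Review bot: the `# always need to rebuild.` comment is dropped along with `.PHONY`, leaving `$(AAREOBJECT): FORCE` without any explanation of why the sub-make is always entered; a one-line comment on the rule would keep the intent clear. Removing `.SILENT: $(AAREOBJECT)` also means the recursive `$(MAKE) -C $(AAREDIR)` line is now echoed on every build; if that is intended it is worth saying so in the commit message.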
@@ -408,3 +404,4 @@ clean: pod_clean
$(MAKE) -s -C po clean
$(MAKE) -s -C tst clean
+FORCE:
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 10bd5b8d..fea134f6 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -57,7 +57,7 @@ for cap in capabilities:
benign_caps.append(cap)
# get network protos list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+(rc, output) = cmd(['../../common/list_af_names.sh'])
if rc != 0:
sys.stderr.write("make list_af_names failed: " + output)
exit(rc)
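Review bot: the error path still reports `"make list_af_names failed: "` although the command is now `../../common/list_af_names.sh`, which will send anyone debugging a failure to a make target that no longer exists. The message should name the script.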
--
2.25.2
From 03baa934e415e4181bb43e466e09af2ec1f512f0 Mon Sep 17 00:00:00 2001
From: allgdante <allan.garret@gmail.com>
Date: Mon, 23 Mar 2020 16:17:59 +0000
Subject: [PATCH 10/12] Revert "utils/test-network.py: fix failing testcase"
This reverts commit 0c65b9aeb925297b95e249caa57d33221295d5ea.
---
utils/test/test-network.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 8605786d..73a6b9d1 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
class NetworkKeywordsTest(AATest):
def test_network_keyword_list(self):
- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+ rc, output = cmd('../../common/list_af_names.sh')
self.assertEqual(rc, 0)
af_names = []
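Review bot: `cmd('../../common/list_af_names.sh')` passes a bare string, whereas the same script is invoked as `cmd(['../../common/list_af_names.sh'])` in `utils/vim/create-apparmor.vim.py`; the list form is safer because it does not depend on how `cmd()` treats a string argument. The relative path also assumes the test is run from `utils/test/`, so building the path from the test file's own location would make the test independent of the working directory.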
--
2.25.2
From e23c66c45436833046a0f7bdd80ad41fc6ebd050 Mon Sep 17 00:00:00 2001
From: allgdante <allan.garret@gmail.com>
Date: Mon, 23 Mar 2020 15:09:15 +0000
Subject: [PATCH 11/12] Generate CAPABILITIES in a script due to make 4.3
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
---
common/Make.rules | 13 -------------
common/list_capabilities.sh | 14 ++++++++++++++
parser/Makefile | 2 +-
utils/Makefile | 2 +-
utils/vim/create-apparmor.vim.py | 2 +-
5 files changed, 17 insertions(+), 16 deletions(-)
create mode 100755 common/list_capabilities.sh
diff --git a/common/Make.rules b/common/Make.rules
index 357bdec8..ecc6181a 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -74,19 +74,6 @@ endif
pod_clean:
-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
- @echo "$(CAPABILITIES)"
-
# =====================
# manpages
# =====================
diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
new file mode 100755
index 00000000..4e37cda7
--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/CAP_EMPTY_SET/d' \
+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+ LC_ALL=C sort
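Review bot: the `sed` expression keeps the make-era escape in `'s/^\#define...'`, while `common/list_af_names.sh` uses a plain `#define` in the same position. The backslash was only needed to stop make treating `#` as a comment, and an escaped ordinary character is undefined in POSIX basic regular expressions, so it should be dropped here as well. As in the other script, `-e` in the shebang does not cover a failing `cpp` in the pipeline, and the header comment names `capabilities.h` where the include is `linux/capability.h`.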
diff --git a/parser/Makefile b/parser/Makefile
index aa5ab730..1df7c143 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -287,7 +287,7 @@ af_names.h: ../common/list_af_names.sh
# cat $@
cap_names.h: /usr/include/linux/capability.h
- echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+ ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
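Review bot: `cap_names.h` now runs `../common/list_capabilities.sh` but its only prerequisite is still `/usr/include/linux/capability.h`, so a change to the script will not regenerate the header. The `af_names.h` rule lists its generator script as a prerequisite; this rule should do the same and keep the kernel header alongside it.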
diff --git a/utils/Makefile b/utils/Makefile
index 01604796..16248083 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -77,7 +77,7 @@ clean: pod_clean
.SILENT: check_severity_db
check_severity_db: /usr/include/linux/capability.h severity.db
# The sed statement is based on the one in the parser's makefile
- RC=0 ; for cap in ${CAPABILITIES} ; do \
+ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
if ! grep -q -w $${cap} severity.db ; then \
echo "Warning! capability $${cap} not found in severity.db" ; \
RC=1 ; \
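Review bot: `$(shell ../common/list_capabilities.sh)` in the `for cap in ...` line is expanded by make with the script's exit status ignored, so if the script fails the loop iterates over nothing, `RC` stays 0 and `check_severity_db` passes without checking any capability. Running the script inside the recipe's shell (for example with a command substitution and an explicit test that the list is non-empty) would make the check fail closed.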
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index fea134f6..6a5f02a2 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
return [sp.returncode, out + outerr]
# get capabilities list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+(rc, output) = cmd(['../../common/list_capabilities.sh'])
if rc != 0:
sys.stderr.write("make list_capabilities failed: " + output)
exit(rc)
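Review bot: `cmd(['../../common/list_capabilities.sh'])` is resolved against the current working directory, so the generator only works when started from `utils/vim/`; resolving the path relative to the script file would remove that assumption. The failure message on the following lines still refers to `make list_capabilities` and should name the script instead.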
--
2.25.2
# Contributor: Allan Garret <allan.garret@gmail.com>
# Maintainer: Allan Garret <allan.garret@gmail.com>
pkgname=apparmor
pkgver=2.13.3
pkgrel=3
pkgver=2.13.4
pkgrel=0
pkgdesc="Linux application security framework - mandatory access control for programs"
options="!check" # Failing with python3.8
url="https://gitlab.com/apparmor/apparmor/wikis/home"
arch="all"
license="GPL-2.0-only"
......@@ -41,7 +40,10 @@ source="
0005-utils-adjust-tests-to-match-the-Alpine-layout.patch
0006-utils-adjust-rc-functions-for-aa-remove-unknown.patch
0007-Remove-Locale-gettext-from-parser-tests.patch
python-3.8-compat.patch
0008-Fix-profile-loading-in-busybox.patch
0009-ensure-make-apparmor_parser-is-cached.patch
0010-Revert-utils-test-network.py-fix-failing-testcase.patch
0011-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch
"
builddir="$srcdir"/$pkgname-v$pkgver
......@@ -217,13 +219,16 @@ _apparmor_vim() {
sha512sums="2f070e84ac3e59dcb1c7835cd2afbdafd10834656391a4f9b86c3cd2cd9a335c40f232328424644732bdc2c926e5db6c2638faf004f12a2612cc1c461ef08410 apparmor-v2.13.3.tar.gz
sha512sums="a3800abc736da725fba3f831d4f26f2ce00179c1c8ad46fc5f27a068dc99c610031979c401cb9f86921bbea9dcb5c33dd2dac0536627040e0068c906c3cda942 apparmor-v2.13.4.tar.gz
1a57cc577ba3aedfbe10ef6148c1e8f5d0bbf65c99e60eec80c52409c9dab59ae002024500c6e4fd0e01e8c7aeb0c85e3e6b41cacee08c17fdd869d31bca614e apparmor.initd
e94f44427ed3c6f64462170939ffc92ce9ac1a58c61c7c7c3483fe16fe8e1c419daade9d56cdd342132e4d823dcac1963a86ad889f10bf71fd52b7f54c4694ed 0001-Fix-linking-against-gettext-on-musl-libc.patch
20817633590c40eb5f6132c11396cf0bbd532b6e436aa90b6ccc61d7c914794d868ec981b91406f6c11f550102aa25a32982610445cc8e5e703ee90697233263 0002-utils-remove-vim-from-the-default-build.patch
568e10bda27745ac6e1b9495bb6863e93466ee1c387912393c2c7396bcedd7400b13ee233dd953f82460328e3aae45dd2f7aba92962edef31330d6b4dbc9951b 0003-parser-remove-specific-tests-for-rttime.patch
3a84fb3b2b19ccf52e179190e98ec0da2469727eaaa73d0094b0e9c85b80738c9cb9da9242d17a472a649e6042933bedb5f78c3f574d555369a4ece38a1d8a8a 0004-parser-remove-specific-tests-for-ofile.patch
be7397ab9db4aff4774b9ee8dd43644ceb36e5755fb2e38a72ab42a53ee67bcdeccc3f8c09ce9279a10f3c110ede2026d72fec81f06f1b66149e160cf9a7dd7c 0005-utils-adjust-tests-to-match-the-Alpine-layout.patch
ebe2494e0023d45a41623038f8126fd5366606507d7c1caadf776253a5a64e2979ed157b00d2240556945c414fd3a6dff3d5ce971a5c975033dfb53db60abecc 0005-utils-adjust-tests-to-match-the-Alpine-layout.patch
38ebb30a0185f8eabd9103925959da365f64ef485f66ffb10180ac596fc172f9c98df39baec0b035138e9ab32056148e69a066faba9faebf9e92bf7a09c150c0 0006-utils-adjust-rc-functions-for-aa-remove-unknown.patch
093c2f216776c5cc67294a134af6ef788dd5a82477592093abbdd244d65591006890a7c911d4f72d7c0ceac5d3ee33927b055a6d3731284701057b35372e7265 0007-Remove-Locale-gettext-from-parser-tests.patch
db4f063e5ca55b6a527de60d8215e4dd516039eca37055407300430a6d10652cd58e127c2ef5b8c719bb50a1232136a985e2ae641d6ea478441fb2d563011e6c python-3.8-compat.patch"
017de8d6632204b0bdf025d25ef94be639adf742281693dc028eca428171409dcf86c7547f61ad6c4c7f4175480940eaca3e3ad888e5a9649946f56eafc50e40 0008-Fix-profile-loading-in-busybox.patch
4e8dc9e0ca8c68b13a5a6c8c0eb1c8fb11fc1d59741753a0fd55a80f1b7f8e6d73c7c13a53a855f374d7555389ca7853adf2e3ee273b084967141a4b30d58fab 0009-ensure-make-apparmor_parser-is-cached.patch
3ffb2927fbdab331bc70391eaae8ed56026245ec7e91a2d88a5a480a344b22b17ce7f45f43e1ff6be531d2c87f0c4b19d73014d7bcfe4d86ff888e2a2fb9fd83 0010-Revert-utils-test-network.py-fix-failing-testcase.patch
938ebb8c88e8d567f434cd849db283fa8aa6184249db7bb4dee0be77d0ddd2362ac1f6d457f822073e0e135520c330f251de36b0d98539cea5ad8816d5c1cb12 0011-Generate-CAPABILITIES-in-a-script-due-to-make-4.3.patch"
From 17b806ac9c24a1ab74285904ae3124c8bd26909d Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 31 Oct 2019 13:38:19 +0000
Subject: [PATCH] update to newer ax_python_devel
https://www.gnu.org/software/autoconf-archive/ax_python_devel.html
---
.../libapparmor/m4/{ac_python_devel.m4 => ax_python_devel.m4} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename libraries/libapparmor/m4/{ac_python_devel.m4 => ax_python_devel.m4} (100%)
diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ax_python_devel.m4
similarity index 100%
rename from libraries/libapparmor/m4/ac_python_devel.m4
rename to libraries/libapparmor/m4/ax_python_devel.m4
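Review bot: the subject says "update to newer ax_python_devel", but the diff is a pure rename with `similarity index 100%` and 0 insertions, so the macro content is unchanged. If the intent is to pick up the newer macro from the autoconf-archive URL in the message, the new file contents are missing from this patch; if the rename alone is the fix, the subject should say so.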
--
2.23.0