From 75e609f7b14b57b27143ec9e8d818fc5fab6d106 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sat, 30 Mar 2019 14:12:41 -0700 Subject: reorg: move mac recipes to recipes-mac 
Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.12.bb | 154 ++++++++++++ recipes-mac/AppArmor/files/apparmor | 227 +++++++++++++++++ recipes-mac/AppArmor/files/apparmor.rc | 98 ++++++++ recipes-mac/AppArmor/files/apparmor.service | 22 ++ .../files/crosscompile_perl_bindings.patch | 25 ++ recipes-mac/AppArmor/files/disable_pdf.patch | 33 +++ .../AppArmor/files/disable_perl_h_check.patch | 19 ++ recipes-mac/AppArmor/files/functions | 271 +++++++++++++++++++++ recipes-mac/AppArmor/files/run-ptest | 4 + recipes-mac/AppArmor/files/tool-paths.patch | 37 +++ recipes-mac/smack/files/run-ptest | 3 + .../smack/files/smack_generator_make_fixup.patch | 18 ++ recipes-mac/smack/smack_1.3.1.bb | 54 ++++ recipes-security/AppArmor/apparmor_2.12.bb | 154 ------------ recipes-security/AppArmor/files/apparmor | 227 ----------------- recipes-security/AppArmor/files/apparmor.rc | 98 -------- recipes-security/AppArmor/files/apparmor.service | 22 -- .../files/crosscompile_perl_bindings.patch | 25 -- recipes-security/AppArmor/files/disable_pdf.patch | 33 --- .../AppArmor/files/disable_perl_h_check.patch | 19 -- recipes-security/AppArmor/files/functions | 271 --------------------- recipes-security/AppArmor/files/run-ptest | 4 - recipes-security/AppArmor/files/tool-paths.patch | 37 --- recipes-security/smack/files/run-ptest | 3 - .../smack/files/smack_generator_make_fixup.patch | 18 -- recipes-security/smack/smack_1.3.1.bb | 54 ---- 26 files changed, 965 insertions(+), 965 deletions(-) create mode 100644 recipes-mac/AppArmor/apparmor_2.12.bb create mode 100644 recipes-mac/AppArmor/files/apparmor create mode 100644 recipes-mac/AppArmor/files/apparmor.rc create mode 100644 recipes-mac/AppArmor/files/apparmor.service create mode 100644 recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch create mode 100644 recipes-mac/AppArmor/files/disable_pdf.patch create mode 100644 recipes-mac/AppArmor/files/disable_perl_h_check.patch create mode 100644 
recipes-mac/AppArmor/files/functions create mode 100644 recipes-mac/AppArmor/files/run-ptest create mode 100644 recipes-mac/AppArmor/files/tool-paths.patch create mode 100644 recipes-mac/smack/files/run-ptest create mode 100644 recipes-mac/smack/files/smack_generator_make_fixup.patch create mode 100644 recipes-mac/smack/smack_1.3.1.bb delete mode 100644 recipes-security/AppArmor/apparmor_2.12.bb delete mode 100644 recipes-security/AppArmor/files/apparmor delete mode 100644 recipes-security/AppArmor/files/apparmor.rc delete mode 100644 recipes-security/AppArmor/files/apparmor.service delete mode 100644 recipes-security/AppArmor/files/crosscompile_perl_bindings.patch delete mode 100644 recipes-security/AppArmor/files/disable_pdf.patch delete mode 100644 recipes-security/AppArmor/files/disable_perl_h_check.patch delete mode 100644 recipes-security/AppArmor/files/functions delete mode 100644 recipes-security/AppArmor/files/run-ptest delete mode 100644 recipes-security/AppArmor/files/tool-paths.patch delete mode 100644 recipes-security/smack/files/run-ptest delete mode 100644 recipes-security/smack/files/smack_generator_make_fixup.patch delete mode 100644 recipes-security/smack/smack_1.3.1.bb
diff --git a/recipes-mac/AppArmor/apparmor_2.12.bb b/recipes-mac/AppArmor/apparmor_2.12.bb
new file mode 100644
index 0000000..efa93e6
--- /dev/null
+++ b/recipes-mac/AppArmor/apparmor_2.12.bb
@@ -0,0 +1,154 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native"
+
+SRC_URI = " \
+ http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+ file://disable_perl_h_check.patch \
+ file://crosscompile_perl_bindings.patch \
+ file://tool-paths.patch \
+ file://apparmor.rc \
+ file://functions \
+ file://apparmor \
+ file://apparmor.service \
+ file://run-ptest \
+ "
+
+SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
+SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+
+PARALLEL_MAKE = ""
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
+
+PACKAGECONFIG ??= "python perl"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
+PACKAGECONFIG[apache2] = ",,apache2,"
+
+PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
+HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
+
+
+python() {
+ if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+ raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+ cd ${S}/libraries/libapparmor
+ aclocal
+ autoconf --force
+ libtoolize --automake -c --force
+ automake -ac
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+ oe_runmake -C ${B}/libraries/libapparmor
+ oe_runmake -C ${B}/binutils
+ oe_runmake -C ${B}/utils
+ oe_runmake -C ${B}/parser
+ oe_runmake -C ${B}/profiles
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor
+ fi
+}
+
+do_install () {
+ install -d ${D}/${INIT_D_DIR}
+ install -d ${D}/lib/apparmor
+
+ oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+ oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+ oe_runmake -C ${B}/utils DESTDIR="${D}" install
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install
+ oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+ fi
+
+ # aa-easyprof is installed by python-tools-setup.py, fix it up
+ sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+ chmod 0755 ${D}${bindir}/aa-easyprof
+
+ install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+ install ${WORKDIR}/functions ${D}/lib/apparmor
+ install -d ${D}${systemd_system_unitdir}
+ install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+}
+
+do_compile_ptest () {
+ oe_runmake -C ${B}/tests/regression/apparmor
+ oe_runmake -C ${B}/parser/tst
+ oe_runmake -C ${B}/libraries/libapparmor
+}
+
+do_install_ptest () {
+ t=${D}/${PTEST_PATH}/testsuite
+ install -d ${t}
+ install -d ${t}/tests/regression/apparmor
+ cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+ install -d ${t}/parser/tst
+ cp -rf ${B}/parser/tst ${t}/parser
+ cp ${B}/parser/apparmor_parser ${t}/parser
+ cp ${B}/parser/frob_slack_rc ${t}/parser
+
+ install -d ${t}/libraries/libapparmor
+ cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+ install -d ${t}/common
+ cp -rf ${B}/common ${t}
+
+ install -d ${t}/binutils
+ cp -rf ${B}/binutils ${t}
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+RDEPENDS_${PN} += "bash lsb"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor
new file mode 100644
index 0000000..ac3ab9a
--- /dev/null
+++ b/recipes-mac/AppArmor/files/apparmor
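Review bot: In `do_compile` and `do_install` the guards `if test -z "${HTTPD}"` and `if test -z "${PAMLIB}"` can never be true, because both variables are set further up to `'1'` or `'0'` by `bb.utils.contains` and are never empty. As written, `changehat/mod_apparmor` and `changehat/pam_apparmor` are neither built nor installed even when `apache2` is in PACKAGECONFIG or `pam` is in DISTRO_FEATURES, so the PAM hat-switching module is silently absent from the image. Testing the value instead, `if test "${PAMLIB}" = "1" ; then` (and the same for `HTTPD`), would match the apparent intent; building pam_apparmor would presumably also need a PAM entry in DEPENDS, which this recipe does not have. Separately, `HOMEAPAGE` looks like a typo for `HOMEPAGE`, so the project URL is never recorded in the package metadata.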
@@ -0,0 +1,227 @@ +#!/bin/sh +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# Copyright (c) 2008, 2009 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# Authors: +# Steve Beattie +# Kees Cook +# +# /etc/init.d/apparmor +# +### BEGIN INIT INFO +# Provides: apparmor +# Required-Start: $local_fs +# Required-Stop: umountfs +# Default-Start: S +# Default-Stop: +# Short-Description: AppArmor initialization +# Description: AppArmor init script. This script loads all AppArmor profiles. +### END INIT INFO + +log_daemon_msg() { + echo $* +} + +log_end_msg () { + retval=$1 + if [ $retval -eq 0 ]; then + echo "." + else + echo " failed!" + fi + return $retval +} + +. /lib/apparmor/functions +. /lib/lsb/init-functions + +usage() { + echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" +} + +test -x ${PARSER} || exit 0 # by debian policy +# LSM is built-in, so it is either there or not enabled for this boot +test -d /sys/module/apparmor || exit 0 + +securityfs() { + # Need securityfs for any mode + if [ ! -d "${AA_SFS}" ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then + log_daemon_msg "AppArmor not available as kernel LSM." 
+ log_end_msg 1 + exit 1 + else + log_daemon_msg "Mounting securityfs on ${SECURITYFS}" + if ! mount -t securityfs none "${SECURITYFS}"; then + log_end_msg 1 + exit 1 + fi + fi + fi + if [ ! -w "$AA_SFS"/.load ]; then + log_daemon_msg "Insufficient privileges to change profiles." + log_end_msg 1 + exit 1 + fi +} + +handle_system_policy_package_updates() { + apparmor_was_updated=0 + + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! 
compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi +} + +# Allow "recache" even when running on the liveCD +if [ "$1" = "recache" ]; then + log_daemon_msg "Recaching AppArmor profiles" + recache_profiles + rc=$? + log_end_msg "$rc" + exit $rc +fi + +# do not perform start/stop/reload actions when running from liveCD +test -d /rofs/etc/apparmor.d && exit 0 + +rc=255 +case "$1" in + start) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not starting AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Starting AppArmor profiles" + securityfs + # That is only useful for click, snappy and system images, + # i.e. not in Debian. And it reads and writes to /var, that + # can be remote-mounted, so it would prevent us from using + # Before=sysinit.target without possibly introducing dependency + # loops. + handle_system_policy_package_updates + load_configured_profiles + rc=$? + log_end_msg "$rc" + ;; + stop) + log_daemon_msg "Clearing AppArmor profiles cache" + clear_cache + rc=$? + log_end_msg "$rc" + cat >&2 < and Jamie Strandboge " + +task + +start on starting rc-sysinit + +script + [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD + [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor + [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser + + . /lib/apparmor/functions + + systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true + + # Need securityfs for any mode + if [ ! 
-d /sys/kernel/security/apparmor ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then + exit 0 + else + mount -t securityfs none /sys/kernel/security || exit 0 + fi + fi + + [ -w /sys/kernel/security/apparmor/.load ] || exit 0 + + apparmor_was_updated=0 + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! 
compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi + + if [ "$ACTION" = "teardown" ]; then + running_profile_names | while read profile; do + unload_profile "$profile" + done + exit 0 + fi + + if [ "$ACTION" = "clear" ]; then + clear_cache + exit 0 + fi + + if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then + clear_cache + load_configured_profiles + unload_obsolete_profiles + exit 0 + fi + + # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, + # aa-clickhook will have already compiled the policy, generated the cache + # files and loaded them into the kernel by this point, so reloading click + # policy from cache, while fairly fast (<2 seconds for 250 profiles on + # armhf), is redundant. Fixing this would complicate the logic quite a bit + # and it wouldn't improve the (by far) common case (ie, when + # 'aa-clickhook -f' is not run). + load_configured_profiles +end script diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service new file mode 100644 index 0000000..e66afe4 --- /dev/null +++ b/recipes-mac/AppArmor/files/apparmor.service 
@@ -0,0 +1,22 @@
+[Unit]
+Description=AppArmor initialization
+After=local-fs.target
+Before=sysinit.target
+AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
+ConditionSecurity=apparmor
+DefaultDependencies=no
+Documentation=man:apparmor(7)
+Documentation=http://wiki.apparmor.net/
+
+# Don't start this unit on the Ubuntu Live CD
+ConditionPathExists=!/rofs/etc/apparmor.d
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/init.d/apparmor start
+ExecStop=/etc/init.d/apparmor stop
+ExecReload=/etc/init.d/apparmor reload
+
+[Install]
+WantedBy=sysinit.target
diff --git a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
new file mode 100644
index 0000000..ef55de7
--- /dev/null
+++ b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Inappropriate [configuration]
+
+As we're cross-compiling here we need to override CC/LD that MakeMaker has
+stuck in the generated Makefile with our cross tools. In this case, linking is
+done via the compiler rather than the linker directly so pass in CC not LD
+here.
+
+Signed-Off-By: Tom Rini
+
+--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400
++++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400
+@@ -16,11 +16,11 @@
+
+ LibAppArmor.so: libapparmor_wrap.c Makefile.perl
+ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+- $(MAKE) -fMakefile.perl
++ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)'
+ if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
+
+ install-exec-local: Makefile.perl
+- $(MAKE) -fMakefile.perl install_vendor
++ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)'
+
+ # sadly there is no make uninstall for perl
+ #uninstall-local: Makefile.perl
diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch
new file mode 100644
index 0000000..c6b4bdd
--- /dev/null
+++ b/recipes-mac/AppArmor/files/disable_pdf.patch
@@ -0,0 +1,33 @@
+Index: apparmor-2.10.95/parser/Makefile
+===================================================================
+--- apparmor-2.10.95.orig/parser/Makefile
++++ apparmor-2.10.95/parser/Makefile
+@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
+ po/${NAME}.pot: ${SRCS} ${HDRS}
+ $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+
+-techdoc.pdf: techdoc.tex
+- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
+- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
+- grep -q "Label(s) may have changed" techdoc.log; \
+- do :; done
+-
+-techdoc/index.html: techdoc.pdf
+- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
+-
+-techdoc.txt: techdoc/index.html
+- w3m -dump $< > $@
+
+ # targets arranged this way so that people who don't want full docs can
+ # pick specific targets they want.
+@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
+
+ htmlmanpages: $(HTMLMANPAGES)
+
+-pdf: techdoc.pdf
+-
+-docs: manpages htmlmanpages pdf
++docs: manpages htmlmanpages
+
+ indep: docs
+ $(Q)$(MAKE) -C po all
diff --git a/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/recipes-mac/AppArmor/files/disable_perl_h_check.patch
new file mode 100644
index 0000000..cf2640f
--- /dev/null
+++ b/recipes-mac/AppArmor/files/disable_perl_h_check.patch
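Review bot: `disable_pdf.patch` is carried into `recipes-mac/AppArmor/files/`, but the `SRC_URI` in `apparmor_2.12.bb` lists only `disable_perl_h_check.patch`, `crosscompile_perl_bindings.patch` and `tool-paths.patch`, so the recipe shown in this commit does not apply it. The patch also has no `Upstream-Status:` header and its paths still name `apparmor-2.10.95`, which suggests it is left over from an older version. Either drop the file or add it to `SRC_URI` with an `Upstream-Status:` line, so that what ships in the layer matches what the build actually uses.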
@@ -0,0 +1,19 @@
+Upstream-Status: Inappropriate [configuration]
+
+Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on
+cross compilation. Rather than try and get a compile check to work here,
+we know that we have what's required via our metadata so remove only this
+check.
+
+Signed-Off-By: Tom Rini
+
+--- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400
++++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400
+@@ -58,7 +58,6 @@
+ AC_PATH_PROG(PERL, perl)
+ test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
+ perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
+- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
+ fi
+
+
diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions
new file mode 100644
index 0000000..cef8cfe
--- /dev/null
+++ b/recipes-mac/AppArmor/files/functions
@@ -0,0 +1,271 @@
+# /lib/apparmor/functions for Debian -*- shell-script -*-
+# ----------------------------------------------------------------------
+# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# NOVELL (All rights reserved)
+# Copyright (c) 2008-2010 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+# Kees Cook
+
+PROFILES="/etc/apparmor.d"
+PROFILES_CACHE="$PROFILES/cache"
+PROFILES_VAR="/var/lib/apparmor/profiles"
+PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
+PROFILES_CACHE_VAR="/var/cache/apparmor"
+PARSER="/sbin/apparmor_parser"
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+
+# Suppress warnings when booting in quiet mode
+quiet_arg=""
+[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
+[ "${quiet:-n}" = y ] && quiet_arg="-q"
+
+foreach_configured_profile() {
+ rc_all="0"
+ for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
+ if [ ! -d "$pdir" ]; then
+ continue
+ fi
+ num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
+ if [ "$num" = "0" ]; then
+ continue
+ fi
+
+ cache_dir="$PROFILES_CACHE"
+ if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+ cache_dir="$PROFILES_CACHE_VAR"
+ fi
+ cache_args="--cache-loc=$cache_dir"
+ if [ ! -d "$cache_dir" ]; then
+ cache_args=
+ fi
+
+ # LP: #1383858 - expr tree simplification is too slow for
+ # Touch policy on ARM, so disable it for now
+ cache_extra_args=
+ if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+ cache_extra_args="-O no-expr-simplify"
+ fi
+
+ # If need to compile everything, then use -n1 with xargs to
+ # take advantage of -P. When cache files are in use, omit -n1
+ # since it is considerably faster on moderately sized profile
+ # sets to give the parser all the profiles to load at once
+ n1_args=
+ num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+ if [ "$num" = "0" ]; then
+ n1_args="-n1"
+ fi
+
+ (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+ while read profile; do
+ if [ -f "$pdir"/"$profile" ]; then
+ echo "$pdir"/"$profile"
+ fi
+ done) | \
+ xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+ rc_all="$?"
+ # FIXME: when the parser properly handles broken
+ # profiles (LP: #1377338), remove this if statement.
+ # For now, if the xargs returns with error, just run
+ # through everything with -n1. (This could be broken
+ # out and refactored, but this is temporary so make it
+ # easy to understand and revert)
+ if [ "$rc_all" != "0" ]; then
+ (ls -1 "$pdir" | \
+ egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+ while read profile; do
+ if [ -f "$pdir"/"$profile" ]; then
+ echo "$pdir"/"$profile"
+ fi
+ done) | \
+ xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+ rc_all="$?"
+ }
+ fi
+ }
+ done
+ return $rc_all
+}
+
+load_configured_profiles() {
+ clear_cache_if_outdated
+ foreach_configured_profile $quiet_arg --write-cache --replace
+}
+
+load_configured_profiles_without_caching() {
+ foreach_configured_profile $quiet_arg --replace
+}
+
+recache_profiles() {
+ clear_cache
+ foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
+}
+
+configured_profile_names() {
+ foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
+}
+
+running_profile_names() {
+ # Output a sorted list of loaded profiles, skipping libvirt's
+ # dynamically generated files
+ cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
+}
+
+unload_profile() {
+ echo -n "$1" > "$AA_SFS"/.remove
+}
+
+clear_cache() {
+ clear_cache_system
+ clear_cache_var
+}
+
+clear_cache_system() {
+ find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+clear_cache_var() {
+ find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+read_features_dir()
+{
+ for f in `ls -AU "$1"` ; do
+ if [ -f "$1/$f" ] ; then
+ read -r KF < "$1/$f" || true
+ echo -n "$f {$KF } "
+ elif [ -d "$1/$f" ] ; then
+ echo -n "$f {"
+ KF=`read_features_dir "$1/$f"` || true
+ echo -n "$KF} "
+ fi
+ done
+}
+
+clear_cache_if_outdated() {
+ if [ -r "$PROFILES_CACHE"/.features ]; then
+ if [ -d "$AA_SFS"/features ]; then
+ KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
+ else
+ read -r KERN_FEATURES < "$AA_SFS"/features
+ fi
+ CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
+ if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
+ clear_cache
+ fi
+ fi
+}
+
+unload_obsolete_profiles() {
+ # Currently we must re-parse all the profiles to get policy names. :(
+ aa_configured=$(mktemp -t aa-XXXXXX)
+ configured_profile_names > "$aa_configured" || true
+ aa_loaded=$(mktemp -t aa-XXXXXX)
+ running_profile_names > "$aa_loaded" || true
+ LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
+ unload_profile "$profile"
+ done
+ rm -f "$aa_configured" "$aa_loaded"
+}
+
+# If the system debsum differs from the saved debsum, the new system debsum is
+# saved and non-zero is returned. Returns 0 if the two debsums matched or if
+# the system debsum file does not exist. This can be removed when system image
+# flavors all move to snappy.
+compare_and_save_debsums() {
+ pkg="$1"
+
+ if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
+ sums="/var/lib/dpkg/info/${pkg}.md5sums"
+ # store saved md5sums in /var/lib/apparmor/profiles since
+ # /var/cache/apparmor might be cleared by apparmor
+ saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
+
+ if [ -f "$sums" ] && \
+ ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
+ cp -f "$sums" "$saved_sums"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+compare_previous_version() {
+ installed="/usr/share/snappy/security-policy-version"
+ previous="/var/lib/snappy/security-policy-version"
+
+ # When just $previous doesn't exist, assume this is a new system with
+ # no cache and don't do anything special.
+ if [ -f "$installed" ] && [ -f "$previous" ]; then
+ pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
+ iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
+ if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
+ # snappy updates $previous elsewhere, so just return
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+# Checks to see if the current container is capable of having internal AppArmor
+# profiles that should be loaded. Callers of this function should have already
+# verified that they're running inside of a container environment with
+# something like `systemd-detect-virt --container`.
+#
+# The only known container environments capable of supporting internal policy
+# are LXD and LXC environment.
+#
+# Returns 0 if the container environment is capable of having its own internal
+# policy and non-zero otherwise.
+#
+# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
+# system container technology being nested inside of a LXD/LXC container that
+# utilized an AppArmor namespace and profile stacking. The reason 0 will be
+# returned is because .ns_stacked will be "yes" and .ns_name will still match
+# "lx[dc]-*" since the nested system container technology will not have set up
+# a new AppArmor profile namespace. This will result in the nested system
+# container's boot process to experience failed policy loads but the boot
+# process should continue without any loss of functionality. This is an
+# unsupported configuration that cannot be properly handled by this function.
+is_container_with_internal_policy() {
+ local ns_stacked_path="${AA_SFS}/.ns_stacked"
+ local ns_name_path="${AA_SFS}/.ns_name"
+ local ns_stacked
+ local ns_name
+
+ if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+ return 1
+ fi
+
+ read -r ns_stacked < "$ns_stacked_path"
+ if [ "$ns_stacked" != "yes" ]; then
+ return 1
+ fi
+
+ # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+ # "lxc-", respectively. Return non-zero for all other namespace
+ # identifiers.
+ read -r ns_name < "$ns_name_path"
+ if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+ [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+ return 1
+ fi
+
+ return 0
+}
diff --git a/recipes-mac/AppArmor/files/run-ptest b/recipes-mac/AppArmor/files/run-ptest
new file mode 100644
index 0000000..3b8e427
--- /dev/null
+++ b/recipes-mac/AppArmor/files/run-ptest
@@ -0,0 +1,4 @@
+#! /bin/sh
+cd testsuite
+
+make -C tests/regression/apparmor tests
diff --git a/recipes-mac/AppArmor/files/tool-paths.patch b/recipes-mac/AppArmor/files/tool-paths.patch
new file mode 100644
index 0000000..aaf08da
--- /dev/null
+++ b/recipes-mac/AppArmor/files/tool-paths.patch
@@ -0,0 +1,37 @@
+Upstream-Status: Backport
+Signed-off-by: Ross Burton
+
+From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Thu, 4 Oct 2018 23:15:28 -0700
+Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison
+
+The hardcoded paths for flex and python can break builds on systems
+where those tools are stored in an alternate location. Use which
+to lookup where flex and bison are available.
+
+This fixes issue #4
+
+Signed-off-by: John Johansen
+---
+ parser/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index 4d370c36..015c218d 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+ MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
+
+-YACC := /usr/bin/bison
++YACC := bison
+ YFLAGS := -d
+-LEX := /usr/bin/flex
++LEX := flex
+ LEXFLAGS = -B -v
+ WARNINGS = -Wall
+ EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
+--
+2.11.0
diff --git a/recipes-mac/smack/files/run-ptest b/recipes-mac/smack/files/run-ptest
new file mode 100644
index 0000000..049a9b4
--- /dev/null
+++ b/recipes-mac/smack/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+./tests/make_policies.bash ./tests/generator
+./tests/make_policies.bash ./tests/generator labels
diff --git a/recipes-mac/smack/files/smack_generator_make_fixup.patch b/recipes-mac/smack/files/smack_generator_make_fixup.patch
new file mode 100644
index 0000000..4d677e7
--- /dev/null
+++ b/recipes-mac/smack/files/smack_generator_make_fixup.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster
+
+
+Index: git/tests/Makefile
+===================================================================
+--- git.orig/tests/Makefile
++++ git/tests/Makefile
+@@ -4,7 +4,7 @@ clean:
+ rm -rf ./out ./generator
+
+ generator: generator.c
+- gcc -Wall -O3 generator.c -o ./generator
++ ${CC} ${LDFLAGS} generator.c -o ./generator
+
+ policies: ./generator ./make_policies.bash
+ ./make_policies.bash ./generator
diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb
new file mode 100644
index 0000000..246562a
--- /dev/null
+++ b/recipes-mac/smack/smack_1.3.1.bb
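Review bot: The rewritten `generator` rule in smack_generator_make_fixup.patch passes `${CC} ${LDFLAGS}` but no `${CFLAGS}`, so `-Wall` is dropped and any compile flags the build supplies through CFLAGS never reach generator.c. The recipe installs this binary into the ptest package, so it is presumably meant to be compiled like the rest of the target code. I would make the line `${CC} ${CFLAGS} ${LDFLAGS} generator.c -o ./generator`.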
@@ -0,0 +1,54 @@
+DESCRIPTION = "Selection of tools for developers working with Smack"
+HOMEPAGE = "https://github.com/smack-team/smack"
+SECTION = "Security/Access Control"
+LICENSE = "LGPL-2.1"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
+SRC_URI = " \
+ git://github.com/smack-team/smack.git \
+ file://smack_generator_make_fixup.patch \
+ file://run-ptest"
+
+PV = "1.3.1"
+
+inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+S = "${WORKDIR}/git"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd"
+
+do_compile_append () {
+ oe_runmake -C ${S}/tests generator
+}
+
+do_install_append () {
+ install -d ${D}${sysconfdir}/init.d
+ install -d ${D}${sysconfdir}/smack
+ install -d ${D}${sysconfdir}/smack/accesses.d
+ install -d ${D}${sysconfdir}/smack/cipso.d
+ install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack
+}
+
+do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/tests
+ install ${S}/tests/generator ${D}/${PTEST_PATH}/tests
+ install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests
+ install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "smack"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+FILES_${PN} += "${sysconfdir}/init.d/smack"
+FILES_${PN}-ptest += "generator"
+
+RDEPENDS_${PN} += "coreutils"
+RDEPENDS_${PN}-ptest += "make bash bc"
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/AppArmor/apparmor_2.12.bb b/recipes-security/AppArmor/apparmor_2.12.bb
deleted file mode 100644
index efa93e6..0000000
--- a/recipes-security/AppArmor/apparmor_2.12.bb
+++ /dev/null
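Review bot: The first SRC_URI entry in smack_1.3.1.bb, `git://github.com/smack-team/smack.git \`, names no `protocol`, so the fetcher uses the plain git protocol, which has neither transport authentication nor encryption. SRCREV pins the commit, which limits what a tampered transfer could substitute, but fetching over TLS is the safer default for a security layer. I would write the entry as `git://github.com/smack-team/smack.git;protocol=https \`.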
@@ -1,154 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://tool-paths.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://run-ptest \ - " - -SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833" -SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056" - -PARALLEL_MAKE = "" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd - -PACKAGECONFIG ??= "python perl" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { 
- cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - # If perl is disabled this script won't be any good - if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then - rm -f ${D}${sbindir}/aa-notify - fi - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - install -d ${D}${systemd_system_unitdir} - install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d 
${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE = "disable" - -PACKAGES += "mod-${PN}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor deleted file mode 100644 index ac3ab9a..0000000 --- a/recipes-security/AppArmor/files/apparmor +++ /dev/null 
@@ -1,227 +0,0 @@ -#!/bin/sh -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008, 2009 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Steve Beattie -# Kees Cook -# -# /etc/init.d/apparmor -# -### BEGIN INIT INFO -# Provides: apparmor -# Required-Start: $local_fs -# Required-Stop: umountfs -# Default-Start: S -# Default-Stop: -# Short-Description: AppArmor initialization -# Description: AppArmor init script. This script loads all AppArmor profiles. -### END INIT INFO - -log_daemon_msg() { - echo $* -} - -log_end_msg () { - retval=$1 - if [ $retval -eq 0 ]; then - echo "." - else - echo " failed!" - fi - return $retval -} - -. /lib/apparmor/functions -. /lib/lsb/init-functions - -usage() { - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -} - -test -x ${PARSER} || exit 0 # by debian policy -# LSM is built-in, so it is either there or not enabled for this boot -test -d /sys/module/apparmor || exit 0 - -securityfs() { - # Need securityfs for any mode - if [ ! -d "${AA_SFS}" ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then - log_daemon_msg "AppArmor not available as kernel LSM." 
- log_end_msg 1 - exit 1 - else - log_daemon_msg "Mounting securityfs on ${SECURITYFS}" - if ! mount -t securityfs none "${SECURITYFS}"; then - log_end_msg 1 - exit 1 - fi - fi - fi - if [ ! -w "$AA_SFS"/.load ]; then - log_daemon_msg "Insufficient privileges to change profiles." - log_end_msg 1 - exit 1 - fi -} - -handle_system_policy_package_updates() { - apparmor_was_updated=0 - - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! 
compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi -} - -# Allow "recache" even when running on the liveCD -if [ "$1" = "recache" ]; then - log_daemon_msg "Recaching AppArmor profiles" - recache_profiles - rc=$? - log_end_msg "$rc" - exit $rc -fi - -# do not perform start/stop/reload actions when running from liveCD -test -d /rofs/etc/apparmor.d && exit 0 - -rc=255 -case "$1" in - start) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not starting AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Starting AppArmor profiles" - securityfs - # That is only useful for click, snappy and system images, - # i.e. not in Debian. And it reads and writes to /var, that - # can be remote-mounted, so it would prevent us from using - # Before=sysinit.target without possibly introducing dependency - # loops. - handle_system_policy_package_updates - load_configured_profiles - rc=$? - log_end_msg "$rc" - ;; - stop) - log_daemon_msg "Clearing AppArmor profiles cache" - clear_cache - rc=$? - log_end_msg "$rc" - cat >&2 < and Jamie Strandboge " - -task - -start on starting rc-sysinit - -script - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser - - . /lib/apparmor/functions - - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true - - # Need securityfs for any mode - if [ ! 
-d /sys/kernel/security/apparmor ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then - exit 0 - else - mount -t securityfs none /sys/kernel/security || exit 0 - fi - fi - - [ -w /sys/kernel/security/apparmor/.load ] || exit 0 - - apparmor_was_updated=0 - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! 
compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi - - if [ "$ACTION" = "teardown" ]; then - running_profile_names | while read profile; do - unload_profile "$profile" - done - exit 0 - fi - - if [ "$ACTION" = "clear" ]; then - clear_cache - exit 0 - fi - - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then - clear_cache - load_configured_profiles - unload_obsolete_profiles - exit 0 - fi - - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, - # aa-clickhook will have already compiled the policy, generated the cache - # files and loaded them into the kernel by this point, so reloading click - # policy from cache, while fairly fast (<2 seconds for 250 profiles on - # armhf), is redundant. Fixing this would complicate the logic quite a bit - # and it wouldn't improve the (by far) common case (ie, when - # 'aa-clickhook -f' is not run). - load_configured_profiles -end script diff --git a/recipes-security/AppArmor/files/apparmor.service b/recipes-security/AppArmor/files/apparmor.service deleted file mode 100644 index e66afe4..0000000 --- a/recipes-security/AppArmor/files/apparmor.service +++ /dev/null 
@@ -1,22 +0,0 @@ -[Unit] -Description=AppArmor initialization -After=local-fs.target -Before=sysinit.target -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load -ConditionSecurity=apparmor -DefaultDependencies=no -Documentation=man:apparmor(7) -Documentation=http://wiki.apparmor.net/ - -# Don't start this unit on the Ubuntu Live CD -ConditionPathExists=!/rofs/etc/apparmor.d - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/etc/init.d/apparmor start -ExecStop=/etc/init.d/apparmor stop -ExecReload=/etc/init.d/apparmor reload - -[Install] -WantedBy=sysinit.target diff --git a/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch deleted file mode 100644 index ef55de7..0000000 --- a/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch +++ /dev/null @@ -1,25 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -As we're cross-compiling here we need to override CC/LD that MakeMaker has -stuck in the generated Makefile with our cross tools. In this case, linking is -done via the compiler rather than the linker directly so pass in CC not LD -here. - -Signed-Off-By: Tom Rini - ---- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400 -+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400 -@@ -16,11 +16,11 @@ - - LibAppArmor.so: libapparmor_wrap.c Makefile.perl - if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi -- $(MAKE) -fMakefile.perl -+ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)' - if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi - - install-exec-local: Makefile.perl -- $(MAKE) -fMakefile.perl install_vendor -+ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)' - - # sadly there is no make uninstall for perl - #uninstall-local: Makefile.perl 
diff --git a/recipes-security/AppArmor/files/disable_pdf.patch b/recipes-security/AppArmor/files/disable_pdf.patch deleted file mode 100644 index c6b4bdd..0000000 --- a/recipes-security/AppArmor/files/disable_pdf.patch +++ /dev/null @@ -1,33 +0,0 @@ -Index: apparmor-2.10.95/parser/Makefile -=================================================================== ---- apparmor-2.10.95.orig/parser/Makefile -+++ apparmor-2.10.95/parser/Makefile -@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT - po/${NAME}.pot: ${SRCS} ${HDRS} - $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" - --techdoc.pdf: techdoc.tex -- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ -- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ -- grep -q "Label(s) may have changed" techdoc.log; \ -- do :; done -- --techdoc/index.html: techdoc.pdf -- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} -- --techdoc.txt: techdoc/index.html -- w3m -dump $< > $@ - - # targets arranged this way so that people who don't want full docs can - # pick specific targets they want. -@@ -159,9 +148,7 @@ manpages: $(MANPAGES) - - htmlmanpages: $(HTMLMANPAGES) - --pdf: techdoc.pdf -- --docs: manpages htmlmanpages pdf -+docs: manpages htmlmanpages - - indep: docs - $(Q)$(MAKE) -C po all diff --git a/recipes-security/AppArmor/files/disable_perl_h_check.patch b/recipes-security/AppArmor/files/disable_perl_h_check.patch deleted file mode 100644 index cf2640f..0000000 --- a/recipes-security/AppArmor/files/disable_perl_h_check.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on -cross compilation. Rather than try and get a compile check to work here, -we know that we have what's required via our metadata so remove only this -check. - -Signed-Off-By: Tom Rini - ---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400 -+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400 -@@ -58,7 +58,6 @@ - AC_PATH_PROG(PERL, perl) - test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings]) - perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE" -- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no) - fi - - diff --git a/recipes-security/AppArmor/files/functions b/recipes-security/AppArmor/files/functions deleted file mode 100644 index cef8cfe..0000000 --- a/recipes-security/AppArmor/files/functions +++ /dev/null 
@@ -1,271 +0,0 @@ -# /lib/apparmor/functions for Debian -*- shell-script -*- -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008-2010 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Kees Cook - -PROFILES="/etc/apparmor.d" -PROFILES_CACHE="$PROFILES/cache" -PROFILES_VAR="/var/lib/apparmor/profiles" -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" -PROFILES_CACHE_VAR="/var/cache/apparmor" -PARSER="/sbin/apparmor_parser" -SECURITYFS="/sys/kernel/security" -export AA_SFS="$SECURITYFS/apparmor" - -# Suppress warnings when booting in quiet mode -quiet_arg="" -[ "${QUIET:-no}" = yes ] && quiet_arg="-q" -[ "${quiet:-n}" = y ] && quiet_arg="-q" - -foreach_configured_profile() { - rc_all="0" - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do - if [ ! -d "$pdir" ]; then - continue - fi - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` - if [ "$num" = "0" ]; then - continue - fi - - cache_dir="$PROFILES_CACHE" - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_dir="$PROFILES_CACHE_VAR" - fi - cache_args="--cache-loc=$cache_dir" - if [ ! 
-d "$cache_dir" ]; then - cache_args= - fi - - # LP: #1383858 - expr tree simplification is too slow for - # Touch policy on ARM, so disable it for now - cache_extra_args= - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_extra_args="-O no-expr-simplify" - fi - - # If need to compile everything, then use -n1 with xargs to - # take advantage of -P. When cache files are in use, omit -n1 - # since it is considerably faster on moderately sized profile - # sets to give the parser all the profiles to load at once - n1_args= - num=`find "$cache_dir" -type f ! -name '.features' | wc -l` - if [ "$num" = "0" ]; then - n1_args="-n1" - fi - - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - # FIXME: when the parser properly handles broken - # profiles (LP: #1377338), remove this if statement. - # For now, if the xargs returns with error, just run - # through everything with -n1. (This could be broken - # out and refactored, but this is temporary so make it - # easy to understand and revert) - if [ "$rc_all" != "0" ]; then - (ls -1 "$pdir" | \ - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" 
- } - fi - } - done - return $rc_all -} - -load_configured_profiles() { - clear_cache_if_outdated - foreach_configured_profile $quiet_arg --write-cache --replace -} - -load_configured_profiles_without_caching() { - foreach_configured_profile $quiet_arg --replace -} - -recache_profiles() { - clear_cache - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load -} - -configured_profile_names() { - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' -} - -running_profile_names() { - # Output a sorted list of loaded profiles, skipping libvirt's - # dynamically generated files - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' -} - -unload_profile() { - echo -n "$1" > "$AA_SFS"/.remove -} - -clear_cache() { - clear_cache_system - clear_cache_var -} - -clear_cache_system() { - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -clear_cache_var() { - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -read_features_dir() -{ - for f in `ls -AU "$1"` ; do - if [ -f "$1/$f" ] ; then - read -r KF < "$1/$f" || true - echo -n "$f {$KF } " - elif [ -d "$1/$f" ] ; then - echo -n "$f {" - KF=`read_features_dir "$1/$f"` || true - echo -n "$KF} " - fi - done -} - -clear_cache_if_outdated() { - if [ -r "$PROFILES_CACHE"/.features ]; then - if [ -d "$AA_SFS"/features ]; then - KERN_FEATURES=`read_features_dir "$AA_SFS"/features` - else - read -r KERN_FEATURES < "$AA_SFS"/features - fi - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then - clear_cache - fi - fi -} - -unload_obsolete_profiles() { - # Currently we must re-parse all the profiles to get policy names. 
:( - aa_configured=$(mktemp -t aa-XXXXXX) - configured_profile_names > "$aa_configured" || true - aa_loaded=$(mktemp -t aa-XXXXXX) - running_profile_names > "$aa_loaded" || true - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do - unload_profile "$profile" - done - rm -f "$aa_configured" "$aa_loaded" -} - -# If the system debsum differs from the saved debsum, the new system debsum is -# saved and non-zero is returned. Returns 0 if the two debsums matched or if -# the system debsum file does not exist. This can be removed when system image -# flavors all move to snappy. -compare_and_save_debsums() { - pkg="$1" - - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then - sums="/var/lib/dpkg/info/${pkg}.md5sums" - # store saved md5sums in /var/lib/apparmor/profiles since - # /var/cache/apparmor might be cleared by apparmor - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" - - if [ -f "$sums" ] && \ - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then - cp -f "$sums" "$saved_sums" - return 1 - fi - fi - - return 0 -} - -compare_previous_version() { - installed="/usr/share/snappy/security-policy-version" - previous="/var/lib/snappy/security-policy-version" - - # When just $previous doesn't exist, assume this is a new system with - # no cache and don't do anything special. - if [ -f "$installed" ] && [ -f "$previous" ]; then - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then - # snappy updates $previous elsewhere, so just return - return 1 - fi - fi - - return 0 -} - -# Checks to see if the current container is capable of having internal AppArmor -# profiles that should be loaded. Callers of this function should have already -# verified that they're running inside of a container environment with -# something like `systemd-detect-virt --container`. 
-# -# The only known container environments capable of supporting internal policy -# are LXD and LXC environment. -# -# Returns 0 if the container environment is capable of having its own internal -# policy and non-zero otherwise. -# -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC -# system container technology being nested inside of a LXD/LXC container that -# utilized an AppArmor namespace and profile stacking. The reason 0 will be -# returned is because .ns_stacked will be "yes" and .ns_name will still match -# "lx[dc]-*" since the nested system container technology will not have set up -# a new AppArmor profile namespace. This will result in the nested system -# container's boot process to experience failed policy loads but the boot -# process should continue without any loss of functionality. This is an -# unsupported configuration that cannot be properly handled by this function. -is_container_with_internal_policy() { - local ns_stacked_path="${AA_SFS}/.ns_stacked" - local ns_name_path="${AA_SFS}/.ns_name" - local ns_stacked - local ns_name - - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then - return 1 - fi - - read -r ns_stacked < "$ns_stacked_path" - if [ "$ns_stacked" != "yes" ]; then - return 1 - fi - - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and - # "lxc-", respectively. Return non-zero for all other namespace - # identifiers. - read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ]; then - return 1 - fi - - return 0 -} diff --git a/recipes-security/AppArmor/files/run-ptest b/recipes-security/AppArmor/files/run-ptest deleted file mode 100644 index 3b8e427..0000000 --- a/recipes-security/AppArmor/files/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#! /bin/sh -cd testsuite - -make -C tests/regression/apparmor tests 
diff --git a/recipes-security/AppArmor/files/tool-paths.patch b/recipes-security/AppArmor/files/tool-paths.patch deleted file mode 100644 index aaf08da..0000000 --- a/recipes-security/AppArmor/files/tool-paths.patch +++ /dev/null @@ -1,37 +0,0 @@ -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Thu, 4 Oct 2018 23:15:28 -0700 -Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison - -The hardcoded paths for flex and python can break builds on systems -where those tools are stored in an alternate location. Use which -to lookup where flex and bison are available. - -This fixes issue #4 - -Signed-off-by: John Johansen ---- - parser/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/parser/Makefile b/parser/Makefile -index 4d370c36..015c218d 100644 ---- a/parser/Makefile -+++ b/parser/Makefile -@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR} - LOCALEDIR=/usr/share/locale - MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 - --YACC := /usr/bin/bison -+YACC := bison - YFLAGS := -d --LEX := /usr/bin/flex -+LEX := flex - LEXFLAGS = -B -v - WARNINGS = -Wall - EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter --- -2.11.0 diff --git a/recipes-security/smack/files/run-ptest b/recipes-security/smack/files/run-ptest deleted file mode 100644 index 049a9b4..0000000 --- a/recipes-security/smack/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -./tests/make_policies.bash ./tests/generator -./tests/make_policies.bash ./tests/generator labels diff --git a/recipes-security/smack/files/smack_generator_make_fixup.patch b/recipes-security/smack/files/smack_generator_make_fixup.patch deleted file mode 100644 index 4d677e7..0000000 --- a/recipes-security/smack/files/smack_generator_make_fixup.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -Upstream-Status: Pending - -Signed-off-by: Armin Kuster - - -Index: git/tests/Makefile -=================================================================== ---- git.orig/tests/Makefile -+++ git/tests/Makefile -@@ -4,7 +4,7 @@ clean: - rm -rf ./out ./generator - - generator: generator.c -- gcc -Wall -O3 generator.c -o ./generator -+ ${CC} ${LDFLAGS} generator.c -o ./generator - - policies: ./generator ./make_policies.bash - ./make_policies.bash ./generator diff --git a/recipes-security/smack/smack_1.3.1.bb b/recipes-security/smack/smack_1.3.1.bb deleted file mode 100644 index 246562a..0000000 --- a/recipes-security/smack/smack_1.3.1.bb +++ /dev/null 
@@ -1,54 +0,0 @@ -DESCRIPTION = "Selection of tools for developers working with Smack" -HOMEPAGE = "https://github.com/smack-team/smack" -SECTION = "Security/Access Control" -LICENSE = "LGPL-2.1" - -LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" - -SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8" -SRC_URI = " \ - git://github.com/smack-team/smack.git \ - file://smack_generator_make_fixup.patch \ - file://run-ptest" - -PV = "1.3.1" - -inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} - -S = "${WORKDIR}/git" - -PACKAGECONFIG ??= "" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd" - -do_compile_append () { - oe_runmake -C ${S}/tests generator -} - -do_install_append () { - install -d ${D}${sysconfdir}/init.d - install -d ${D}${sysconfdir}/smack - install -d ${D}${sysconfdir}/smack/accesses.d - install -d ${D}${sysconfdir}/smack/cipso.d - install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack -} - -do_install_ptest () { - install -d ${D}${PTEST_PATH}/tests - install ${S}/tests/generator ${D}/${PTEST_PATH}/tests - install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests - install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "smack" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -FILES_${PN} += "${sysconfdir}/init.d/smack" -FILES_${PN}-ptest += "generator" - -RDEPENDS_${PN} += "coreutils" -RDEPENDS_${PN}-ptest += "make bash bc" - -BBCLASSEXTEND = "native" -- cgit v1.2.3-54-g00ecf