* [Buildroot] [PATCH v2] package/libapparmor: new package
From: Angelo Compagnucci @ 2020-03-26 18:01 UTC
To: buildroot
From: Angelo Compagnucci <angelo.compagnucci@gmail.com>
This patch adds libapparmor and it's related tools.
The patch is quite complicated by the layout of the source tree:
* The first step is to compile libraries/libapparmor using the autotools
infrastructure. Autoreconf is needed due to the attached patches.
Libapparmor library needs to be installed in staging directory before
compiling the rest of the tools.
* The second step is to compile tools and optional components distributed
in sub directories, this is done in POST_INSTALL_STAGING_HOOKS.
* If python3 is available, swig bindings and python utils are compiled.
* parser/apparmor.systemd is actually a systemv init script
* Package will enable profiles cache if the system is writable
* All Apparmor kernel code is now upstream, so no other patches are
needed.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
---
Changelog:
v1->v2:
Using the upstream patches
DEVELOPERS | 1 +
linux/linux.mk | 6 ++
package/Config.in | 1 +
...el-fixing-for-crosscompiling-environ.patch | 91 +++++++++++++++++++
...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
package/libapparmor/Config.in | 34 +++++++
package/libapparmor/libapparmor.hash | 3 +
package/libapparmor/libapparmor.mk | 87 ++++++++++++++++++
8 files changed, 253 insertions(+)
create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
create mode 100644 package/libapparmor/Config.in
create mode 100644 package/libapparmor/libapparmor.hash
create mode 100644 package/libapparmor/libapparmor.mk
diff --git a/DEVELOPERS b/DEVELOPERS
index dd44331b85..a96b031def 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -188,6 +188,7 @@ N: Angelo Compagnucci <angelo.compagnucci@gmail.com>
F: package/corkscrew/
F: package/fail2ban/
F: package/i2c-tools/
+F: package/libapparmor/
F: package/mender/
F: package/mender-artifact/
F: package/mono/
diff --git a/linux/linux.mk b/linux/linux.mk
index 4b60f33ff3..5032481069 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -359,6 +359,12 @@ define LINUX_KCONFIG_FIXUP_CMDS
$(if $(BR2_PACKAGE_INTEL_MICROCODE),
$(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE,$(@D)/.config)
$(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE_INTEL,$(@D)/.config))
+ $(if $(BR2_PACKAGE_LIBAPPARMOR),
+ $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
+ $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
+ $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
+ $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config)
+ $(call KCONFIG_SET_OPT,CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE,1,$(@D)/.config))
$(if $(BR2_PACKAGE_KTAP),
$(call KCONFIG_ENABLE_OPT,CONFIG_DEBUG_FS,$(@D)/.config)
$(call KCONFIG_ENABLE_OPT,CONFIG_ENABLE_DEFAULT_TRACERS,$(@D)/.config)
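Review bot: the added $(if $(BR2_PACKAGE_LIBAPPARMOR), ...) block makes AppArmor the kernel's default LSM (CONFIG_DEFAULT_SECURITY_APPARMOR, CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1) as soon as the userspace package is selected, with no comment saying so and no check for a configuration that already chose another security module. The package is listed in the same "Security" menu as libselinux, so a configuration selecting both gets its default LSM changed silently; please document the choice in a comment above the block or make it an explicit option. It is also worth confirming that every symbol set here exists in the kernel versions Buildroot builds, because a symbol Kconfig does not know is dropped when the configuration is regenerated, and the image would then ship the AppArmor tools without the kernel enforcing any profile.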
diff --git a/package/Config.in b/package/Config.in
index edf7687ab7..d9ed053b77 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1862,6 +1862,7 @@ endif
endmenu
menu "Security"
+ source "package/libapparmor/Config.in"
source "package/libselinux/Config.in"
source "package/libsemanage/Config.in"
source "package/libsepol/Config.in"
diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
new file mode 100644
index 0000000000..564a7758d7
--- /dev/null
+++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
@@ -0,0 +1,91 @@
+From 64e5c6b23de9c147881680f3daccb995263c34a3 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Tue, 24 Mar 2020 22:53:37 +0100
+Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
+
+In a crosscompiling environment it's common to have a python executable
+running for the host system with a python-config reporting the host
+configuration and a second python-config reporting the target configuration.
+In such cases, relying on the default oython-config is wrong and breaks
+the cross compilation.
+
+This patch adds a PYTHON_CONFIG variable that can be pointed to the second
+python-config and fixes the rest of the m4 accordingly.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ libraries/libapparmor/m4/ac_python_devel.m4 | 23 ++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
+index 29cf090d..6454e2d8 100644
+--- a/libraries/libapparmor/m4/ac_python_devel.m4
++++ b/libraries/libapparmor/m4/ac_python_devel.m4
+@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
+ PYTHON_VERSION=""
+ fi
+
++ AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
++ if test -z "$PYTHON_CONFIG"; then
++ AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
++ fi
++
+ #
+ # Check for a version of Python >= 2.1.0
+ #
+@@ -79,8 +84,8 @@ $ac_distutils_result])
+ # Check for Python include path
+ #
+ AC_MSG_CHECKING([for Python include path])
+- if type $PYTHON-config; then
+- PYTHON_CPPFLAGS=`$PYTHON-config --includes`
++ if type $PYTHON_CONFIG; then
++ PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
+ fi
+ if test -z "$PYTHON_CPPFLAGS"; then
+ python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
+@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
+ # Check for Python library path
+ #
+ AC_MSG_CHECKING([for Python library path])
+- if type $PYTHON-config; then
+- PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
++ if type $PYTHON_CONFIG; then
++ PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
+ fi
+ if test -z "$PYTHON_LDFLAGS"; then
+ # (makes two attempts to ensure we've got a version number
+@@ -136,6 +141,10 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
+ # libraries which must be linked in when embedding
+ #
+ AC_MSG_CHECKING(python extra libraries)
++ if type $PYTHON_CONFIG; then
++ PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
++ PYTHON_EXTRA_LIBS=''
++ fi
+ if test -z "$PYTHON_EXTRA_LIBS"; then
+ PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+ conf = distutils.sysconfig.get_config_var; \
+@@ -148,6 +157,10 @@ sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf(
+ # linking flags needed when embedding
+ #
+ AC_MSG_CHECKING(python extra linking flags)
++ if type $PYTHON_CONFIG; then
++ PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
++ PYTHON_EXTRA_LDFLAGS=''
++ fi
+ if test -z "$PYTHON_EXTRA_LDFLAGS"; then
+ PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+ conf = distutils.sysconfig.get_config_var; \
+@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
+ # save current global flags
+ ac_save_LIBS="$LIBS"
+ ac_save_CPPFLAGS="$CPPFLAGS"
+- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
++ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ AC_TRY_LINK([
+ #include <Python.h>
+--
+2.17.1
+
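Review bot: in the two added "--embed" blocks (python extra libraries, python extra linking flags), a failing "$PYTHON_CONFIG --libs --embed" or "--ldflags --embed" resets the variable to '' and drops into the existing "$PYTHON -c ... distutils.sysconfig" branch, which is the host interpreter that the commit message says reports the host configuration. Retry $PYTHON_CONFIG without --embed before falling back to $PYTHON, otherwise host library flags can still leak into a cross build. The new AC_MSG_ERROR also makes python-config mandatory while the old distutils fallbacks for the include and library paths are left in place, and its text prints python$PYTHON_VERSION-config although the lookup uses the basename of $PYTHON. The LIBS reordering in the last hunk is not explained in the commit message, which also has a typo ("oython-config"). Since the changelog says these are the upstream patches, the header should carry a reference to the upstream commit or merge request.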
diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
new file mode 100644
index 0000000000..ce550d3f34
--- /dev/null
+++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
@@ -0,0 +1,30 @@
+From 88c81d7b73e657240314ef868e6a75bbeb444cc0 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Tue, 24 Mar 2020 23:02:08 +0100
+Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
+
+When crosscompiling, setupy.py should be called passing the settings
+discovered by ac_python_devel.m4 and not using the default system
+settings.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ libraries/libapparmor/swig/python/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
+index 421acba9..6c60181e 100644
+--- a/libraries/libapparmor/swig/python/Makefile.am
++++ b/libraries/libapparmor/swig/python/Makefile.am
+@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
+
+ all-local: libapparmor_wrap.c setup.py
+ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+- $(PYTHON) setup.py build
++ CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
+
+ install-exec-local:
+ $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
+--
+2.17.1
+
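Review bot: the replacement build line sets CFLAGS to $(PYTHON_CPPFLAGS) and LDFLAGS to $(PYTHON_LDFLAGS) alone, which discards whatever CFLAGS and LDFLAGS were passed to configure. In a cross build those normally carry the target's optimisation and hardening flags, so the SWIG extension would be compiled and linked without them; append instead, for example CFLAGS="$(CFLAGS) $(PYTHON_CPPFLAGS)" and LDFLAGS="$(LDFLAGS) $(PYTHON_LDFLAGS)". The install-exec-local rule below still calls setup.py without this environment, and the commit message says "setupy.py" where setup.py is meant.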
diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
new file mode 100644
index 0000000000..c93199cf37
--- /dev/null
+++ b/package/libapparmor/Config.in
@@ -0,0 +1,34 @@
+config BR2_PACKAGE_LIBAPPARMOR
+ bool "libapparmor"
+ depends on BR2_USE_WCHAR
+ select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
+ select BR2_PACKAGE_GREP
+ select BR2_PACKAGE_PYTHON3_READLINE if BR2_PACKAGE_PYTHON3
+ help
+ AppArmor is an effective and easy-to-use Linux application
+ security system. AppArmor proactively protects the operating
+ system and applications from external or internal threats,
+ even zero-day attacks, by enforcing good behavior and
+ preventing even unknown application flaws from being exploited.
+ AppArmor security policies completely define what system
+ resources individual applications can access, and with what
+ privileges. A number of default policies are included with
+ AppArmor, and using a combination of advanced static analysis
+ and learning-based tools, AppArmor policies for even very
+ complex applications can be deployed successfully in a
+ matter of hours.
+
+ http://wiki.apparmor.net
+
+if BR2_PACKAGE_LIBAPPARMOR
+
+config BR2_PACKAGE_LIBAPPARMOR_PROFILES
+ bool "install profiles"
+ default y
+ help
+ This option install Apparmor default profiles
+
+endif
+
+comment "AppArmor needs needs a toolchain w/ wchar"
+ depends on !BR2_USE_WCHAR
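Review bot: the three select lines at the top (BR2_PACKAGE_BUSYBOX_SHOW_OTHERS, BR2_PACKAGE_GREP, BR2_PACKAGE_PYTHON3_READLINE) carry no comment saying which component needs them at run time, which makes them hard to review and hard to drop later; please annotate each one. Nothing in this file mentions the kernel, yet the AppArmor kernel options are only forced from linux/linux.mk, so a configuration that uses an externally built kernel gets the tools with no hint that the kernel must provide AppArmor; a sentence in the help text would cover it. Small fixes: the trailing comment reads "needs needs", and the profiles help should read "This option installs the AppArmor default profiles".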
diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
new file mode 100644
index 0000000000..e5ae65d91c
--- /dev/null
+++ b/package/libapparmor/libapparmor.hash
@@ -0,0 +1,3 @@
+# locally computed
+sha256 267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639 apparmor-2.13.3.tar.gz
+sha256 a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4 LICENSE
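Review bot: both hashes are marked "locally computed", so the file records only what was downloaded on the submitter's machine and gives no independent check of the apparmor-2.13.3.tar.gz release. If upstream publishes a signature or checksum for the tarball, verify against it and say so in the comment, with the URL of the signature, so the next version bump can repeat the check.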
diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
new file mode 100644
index 0000000000..3935f3435a
--- /dev/null
+++ b/package/libapparmor/libapparmor.mk
@@ -0,0 +1,87 @@
+################################################################################
+#
+# libapparmor
+#
+################################################################################
+
+LIBAPPARMOR_BASE_VERSION = 2.13
+LIBAPPARMOR_VERSION = $(LIBAPPARMOR_BASE_VERSION).3
+LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
+LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_BASE_VERSION)/$(LIBAPPARMOR_VERSION)/+download
+LIBAPPARMOR_LICENSE = GPL-2.0
+LIBAPPARMOR_LICENSE_FILES = LICENSE
+LIBAPPARMOR_SUBDIR = libraries/libapparmor
+LIBAPPARMOR_AUTORECONF = YES
+LIBAPPARMOR_INSTALL_STAGING = YES
+LIBAPPARMOR_CONF_OPTS = --enable-static --enable-man-pages=no
+
+LIBAPPARMOR_SUBDIRS = parser binutils
+
+ifeq ($(BR2_PACKAGE_LIBAPPARMOR_PROFILES),y)
+LIBAPPARMOR_SUBDIRS += profiles
+endif
+
+ifeq ($(BR2_PACKAGE_APACHE),y)
+LIBAPPARMOR_DEPENDENCIES += apache
+LIBAPPARMOR_SUBDIRS += changehat/mod_apparmor
+LIBAPPARMOR_SUBDIRS_BUILD_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
+endif
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+LIBAPPARMOR_DEPENDENCIES += linux-pam
+LIBAPPARMOR_SUBDIRS += changehat/pam_apparmor
+endif
+
+LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1
+
+LIBAPPARMOR_SUBDIRS_BUILD_CMD = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
+ $(MAKE) $(LIBAPPARMOR_SUBDIRS_BUILD_OPTS) -C $(@D)/$(d)
+
+# libapparmor source code is in libraries/libapparmor and needs to be compiled
+# and installed in staging before actually compiling subdirs components
+define LIBAPPARMOR_SUBDIRS_BUILD_CMDS
+ $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
+ $(LIBAPPARMOR_SUBDIRS_BUILD_CMD)
+ )
+endef
+LIBAPPARMOR_POST_INSTALL_STAGING_HOOKS += LIBAPPARMOR_SUBDIRS_BUILD_CMDS
+
+define LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
+ $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
+ $(LIBAPPARMOR_SUBDIRS_BUILD_CMD) DESTDIR=$(TARGET_DIR) install
+ )
+endef
+LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+
+LIBAPPARMOR_CONF_OPTS += --with-python PYTHON=$(HOST_DIR)/usr/bin/python3 \
+ PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
+ SWIG=$(HOST_DIR)/usr/bin/swig
+LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
+LIBAPPARMOR_SUBDIRS += utils
+LIBAPPARMOR_SUBDIRS_BUILD_CMD += PYTHON=$(HOST_DIR)/usr/bin/python3
+
+endif
+
+# Enabling rules caching if the system is mounted R/W
+ifeq ($(BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW),y)
+define LIBAPPARMOR_ENABLE_PROFILE_CACHE
+ $(SED) '/^#write-cache/c\write-cache' $(TARGET_DIR)/etc/apparmor/parser.conf
+endef
+LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_ENABLE_PROFILE_CACHE
+endif
+
+define LIBAPPARMOR_INSTALL_INIT_SYSV
+ $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
+ $(TARGET_DIR)/etc/init.d/S10apparmor
+endef
+
+define LIBAPPARMOR_INSTALL_INIT_SYSTEMD
+ $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
+ $(TARGET_DIR)/lib/apparmor/apparmor.systemd
+ $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
+ $(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
+endef
+
+$(eval $(autotools-package))
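Review bot: LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1 is a plain assignment placed after the apache block, so it overwrites the APXS=$(STAGING_DIR)/usr/bin/apxs that the block appended with += and mod_apparmor is built without it. Move the USE_SYSTEM=1 assignment above the conditionals. LIBAPPARMOR_INSTALL_INIT_SYSTEMD installs apparmor.service with mode 0755 where a unit file only needs 0644, and it puts the helper under $(TARGET_DIR)/lib while the unit goes under $(TARGET_DIR)/usr/lib. LIBAPPARMOR_INSTALL_INIT_SYSV installs a file named apparmor.systemd as S10apparmor without a comment; the explanation given in the commit message belongs next to that line.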
--
2.17.1
* [Buildroot] [PATCH v2] package/libapparmor: new package
From: Yann E. MORIN @ 2020-03-26 18:56 UTC
To: buildroot
On 2020-03-26 19:01 +0100, Angelo Compagnucci spake thusly:
> From: Angelo Compagnucci <angelo.compagnucci@gmail.com>
>
> This patch adds libapparmor and it's related tools.
*its
> The patch is quite complicated by the layout of the source tree:
>
> * The first step is to compile libraries/libapparmor using the autotools
> infrastructure. Autoreconf is needed due to the attached patches.
> Libapparmor library needs to be installed in staging directory before
> compiling the rest of the tools.
> * The second step is to compile tools and optional components distributed
> in sub directories, this is done in POST_INSTALL_STAGING_HOOKS.
I've looked at the .mk, and I don't like it.
Why don't you provide multiple packages:
- libapparmor
- apparmor-utils
Then have apparmor-utils depend on libapparmor.
We don't care that the two packages share the same source code. You can
even commonalise the local download directory:
APPARMOR_UTILS_DL_SUBDIR = libapparmor
The libapparmor package would then only build and install the library in
staging/, and the apparmor-tools will build everything else (still
protected by the proper conditions, like pam, apache...).
Also, I'd like if you could even split the apparmor-utils in a few
patches:
- apparmor-utils, with just the parser (and binutils?) sub-dirs
- pam
- apache
- python
- profiles
- rules caching
That will help reviewing and applying as many bits as we can.
I've not even looked more at the code than just a cursory look, but
given the above suggestion, I've marked your patch as changes requested
on patchwork.
Thanks!
> * If python3 is available, swig bindings and python utils are compiled.
> * parser/apparmor.systemd is actually a systemv init script
> * Package will enable profiles cache if the system is writable
> * All Apparmor kernel code is now upstream, so no other patches are
> needed.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
> Changelog:
>
> v1->v2:
> Using the upstream patches
>
> DEVELOPERS | 1 +
> linux/linux.mk | 6 ++
> package/Config.in | 1 +
> ...el-fixing-for-crosscompiling-environ.patch | 91 +++++++++++++++++++
> ...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
> package/libapparmor/Config.in | 34 +++++++
> package/libapparmor/libapparmor.hash | 3 +
> package/libapparmor/libapparmor.mk | 87 ++++++++++++++++++
> 8 files changed, 253 insertions(+)
> create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> create mode 100644 package/libapparmor/Config.in
> create mode 100644 package/libapparmor/libapparmor.hash
> create mode 100644 package/libapparmor/libapparmor.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index dd44331b85..a96b031def 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -188,6 +188,7 @@ N: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> F: package/corkscrew/
> F: package/fail2ban/
> F: package/i2c-tools/
> +F: package/libapparmor/
> F: package/mender/
> F: package/mender-artifact/
> F: package/mono/
> diff --git a/linux/linux.mk b/linux/linux.mk
> index 4b60f33ff3..5032481069 100644
> --- a/linux/linux.mk
> +++ b/linux/linux.mk
> @@ -359,6 +359,12 @@ define LINUX_KCONFIG_FIXUP_CMDS
> $(if $(BR2_PACKAGE_INTEL_MICROCODE),
> $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE,$(@D)/.config)
> $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE_INTEL,$(@D)/.config))
> + $(if $(BR2_PACKAGE_LIBAPPARMOR),
> + $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config)
> + $(call KCONFIG_SET_OPT,CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE,1,$(@D)/.config))
> $(if $(BR2_PACKAGE_KTAP),
> $(call KCONFIG_ENABLE_OPT,CONFIG_DEBUG_FS,$(@D)/.config)
> $(call KCONFIG_ENABLE_OPT,CONFIG_ENABLE_DEFAULT_TRACERS,$(@D)/.config)
> diff --git a/package/Config.in b/package/Config.in
> index edf7687ab7..d9ed053b77 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1862,6 +1862,7 @@ endif
> endmenu
>
> menu "Security"
> + source "package/libapparmor/Config.in"
> source "package/libselinux/Config.in"
> source "package/libsemanage/Config.in"
> source "package/libsepol/Config.in"
> diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> new file mode 100644
> index 0000000000..564a7758d7
> --- /dev/null
> +++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> @@ -0,0 +1,91 @@
> +From 64e5c6b23de9c147881680f3daccb995263c34a3 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 22:53:37 +0100
> +Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
> +
> +In a crosscompiling environment it's common to have a python executable
> +running for the host system with a python-config reporting the host
> +configuration and a second python-config reporting the target configuration.
> +In such cases, relying on the default oython-config is wrong and breaks
> +the cross compilation.
> +
> +This patch adds a PYTHON_CONFIG variable that can be pointed to the second
> +python-config and fixes the rest of the m4 accordingly.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/m4/ac_python_devel.m4 | 23 ++++++++++++++++-----
> + 1 file changed, 18 insertions(+), 5 deletions(-)
> +
> +diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
> +index 29cf090d..6454e2d8 100644
> +--- a/libraries/libapparmor/m4/ac_python_devel.m4
> ++++ b/libraries/libapparmor/m4/ac_python_devel.m4
> +@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
> + PYTHON_VERSION=""
> + fi
> +
> ++ AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
> ++ if test -z "$PYTHON_CONFIG"; then
> ++ AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
> ++ fi
> ++
> + #
> + # Check for a version of Python >= 2.1.0
> + #
> +@@ -79,8 +84,8 @@ $ac_distutils_result])
> + # Check for Python include path
> + #
> + AC_MSG_CHECKING([for Python include path])
> +- if type $PYTHON-config; then
> +- PYTHON_CPPFLAGS=`$PYTHON-config --includes`
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
> + fi
> + if test -z "$PYTHON_CPPFLAGS"; then
> + python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
> +@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
> + # Check for Python library path
> + #
> + AC_MSG_CHECKING([for Python library path])
> +- if type $PYTHON-config; then
> +- PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
> + fi
> + if test -z "$PYTHON_LDFLAGS"; then
> + # (makes two attempts to ensure we've got a version number
> +@@ -136,6 +141,10 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
> + # libraries which must be linked in when embedding
> + #
> + AC_MSG_CHECKING(python extra libraries)
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
> ++ PYTHON_EXTRA_LIBS=''
> ++ fi
> + if test -z "$PYTHON_EXTRA_LIBS"; then
> + PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +@@ -148,6 +157,10 @@ sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf(
> + # linking flags needed when embedding
> + #
> + AC_MSG_CHECKING(python extra linking flags)
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
> ++ PYTHON_EXTRA_LDFLAGS=''
> ++ fi
> + if test -z "$PYTHON_EXTRA_LDFLAGS"; then
> + PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
> + # save current global flags
> + ac_save_LIBS="$LIBS"
> + ac_save_CPPFLAGS="$CPPFLAGS"
> +- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
> ++ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
> + CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
> + AC_TRY_LINK([
> + #include <Python.h>
> +--
> +2.17.1
> +
> diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> new file mode 100644
> index 0000000000..ce550d3f34
> --- /dev/null
> +++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> @@ -0,0 +1,30 @@
> +From 88c81d7b73e657240314ef868e6a75bbeb444cc0 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 23:02:08 +0100
> +Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
> +
> +When crosscompiling, setupy.py should be called passing the settings
> +discovered by ac_python_devel.m4 and not using the default system
> +settings.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/swig/python/Makefile.am | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
> +index 421acba9..6c60181e 100644
> +--- a/libraries/libapparmor/swig/python/Makefile.am
> ++++ b/libraries/libapparmor/swig/python/Makefile.am
> +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
> +
> + all-local: libapparmor_wrap.c setup.py
> + if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
> +- $(PYTHON) setup.py build
> ++ CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
> +
> + install-exec-local:
> + $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
> +--
> +2.17.1
> +
> diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
> new file mode 100644
> index 0000000000..c93199cf37
> --- /dev/null
> +++ b/package/libapparmor/Config.in
> @@ -0,0 +1,34 @@
> +config BR2_PACKAGE_LIBAPPARMOR
> + bool "libapparmor"
> + depends on BR2_USE_WCHAR
> + select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
> + select BR2_PACKAGE_GREP
> + select BR2_PACKAGE_PYTHON3_READLINE if BR2_PACKAGE_PYTHON3
> + help
> + AppArmor is an effective and easy-to-use Linux application
> + security system. AppArmor proactively protects the operating
> + system and applications from external or internal threats,
> + even zero-day attacks, by enforcing good behavior and
> + preventing even unknown application flaws from being exploited.
> + AppArmor security policies completely define what system
> + resources individual applications can access, and with what
> + privileges. A number of default policies are included with
> + AppArmor, and using a combination of advanced static analysis
> + and learning-based tools, AppArmor policies for even very
> + complex applications can be deployed successfully in a
> + matter of hours.
> +
> + http://wiki.apparmor.net
> +
> +if BR2_PACKAGE_LIBAPPARMOR
> +
> +config BR2_PACKAGE_LIBAPPARMOR_PROFILES
> + bool "install profiles"
> + default y
> + help
> + This option install Apparmor default profiles
> +
> +endif
> +
> +comment "AppArmor needs needs a toolchain w/ wchar"
> + depends on !BR2_USE_WCHAR
> diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
> new file mode 100644
> index 0000000000..e5ae65d91c
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.hash
> @@ -0,0 +1,3 @@
> +# locally computed
> +sha256 267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639 apparmor-2.13.3.tar.gz
> +sha256 a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4 LICENSE
> diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> new file mode 100644
> index 0000000000..3935f3435a
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.mk
> @@ -0,0 +1,87 @@
> +################################################################################
> +#
> +# libapparmor
> +#
> +################################################################################
> +
> +LIBAPPARMOR_BASE_VERSION = 2.13
> +LIBAPPARMOR_VERSION = $(LIBAPPARMOR_BASE_VERSION).3
> +LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
> +LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_BASE_VERSION)/$(LIBAPPARMOR_VERSION)/+download
> +LIBAPPARMOR_LICENSE = GPL-2.0
> +LIBAPPARMOR_LICENSE_FILES = LICENSE
> +LIBAPPARMOR_SUBDIR = libraries/libapparmor
> +LIBAPPARMOR_AUTORECONF = YES
> +LIBAPPARMOR_INSTALL_STAGING = YES
> +LIBAPPARMOR_CONF_OPTS = --enable-static --enable-man-pages=no
> +
> +LIBAPPARMOR_SUBDIRS = parser binutils
> +
> +ifeq ($(BR2_PACKAGE_LIBAPPARMOR_PROFILES),y)
> +LIBAPPARMOR_SUBDIRS += profiles
> +endif
> +
> +ifeq ($(BR2_PACKAGE_APACHE),y)
> +LIBAPPARMOR_DEPENDENCIES += apache
> +LIBAPPARMOR_SUBDIRS += changehat/mod_apparmor
> +LIBAPPARMOR_SUBDIRS_BUILD_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
> +endif
> +
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +LIBAPPARMOR_DEPENDENCIES += linux-pam
> +LIBAPPARMOR_SUBDIRS += changehat/pam_apparmor
> +endif
> +
> +LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1
> +
> +LIBAPPARMOR_SUBDIRS_BUILD_CMD = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> + $(MAKE) $(LIBAPPARMOR_SUBDIRS_BUILD_OPTS) -C $(@D)/$(d)
> +
> +# libapparmor source code is in libraries/libapparmor and needs to be compiled
> +# and installed in staging before actually compiling subdirs components
> +define LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD)
> + )
> +endef
> +LIBAPPARMOR_POST_INSTALL_STAGING_HOOKS += LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> +
> +define LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD) DESTDIR=$(TARGET_DIR) install
> + )
> +endef
> +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +
> +LIBAPPARMOR_CONF_OPTS += --with-python PYTHON=$(HOST_DIR)/usr/bin/python3 \
> + PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
> + SWIG=$(HOST_DIR)/usr/bin/swig
> +LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
> +LIBAPPARMOR_SUBDIRS += utils
> +LIBAPPARMOR_SUBDIRS_BUILD_CMD += PYTHON=$(HOST_DIR)/usr/bin/python3
> +
> +endif
> +
> +# Enabling rules caching if the system is mounted R/W
> +ifeq ($(BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW),y)
> +define LIBAPPARMOR_ENABLE_PROFILE_CACHE
> + $(SED) '/^#write-cache/c\write-cache' $(TARGET_DIR)/etc/apparmor/parser.conf
> +endef
> +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_ENABLE_PROFILE_CACHE
> +endif
> +
> +define LIBAPPARMOR_INSTALL_INIT_SYSV
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> + $(TARGET_DIR)/etc/init.d/S10apparmor
> +endef
> +
> +define LIBAPPARMOR_INSTALL_INIT_SYSTEMD
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> + $(TARGET_DIR)/lib/apparmor/apparmor.systemd
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
> + $(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
> +endef
> +
> +$(eval $(autotools-package))
> --
> 2.17.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH v2] package/libapparmor: new package
From: Angelo Compagnucci @ 2020-03-26 20:34 UTC
To: buildroot
On Thu, Mar 26, 2020 at 7:57 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> On 2020-03-26 19:01 +0100, Angelo Compagnucci spake thusly:
> > From: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> >
> > This patch adds libapparmor and it's related tools.
>
> *its
>
> > The patch is quite complicated by the layout of the source tree:
> >
> > * The first step is to compile libraries/libapparmor using the autotools
> > infrastructure. Autoreconf is needed due to the attached patches.
> > Libapparmor library needs to be installed in staging directory before
> > compiling the rest of the tools.
> > * The second step is to compile tools and optional components distributed
> > in sub directories, this is done in POST_INSTALL_STAGING_HOOKS.
>
> I've looked at the .mk, and I don't like it.
>
> Why don't you provide multiple packages:
>
> - libapparmor
> - apparmor-utils
>
> Then have apparmor-utils depend on libapparmor.
>
> We don't care that the two packages share the same source code. You can
> even commonalise the local download directory:
>
> APPARMOR_UTILS_DL_SUBDIR = libapparmor
>
> The libapparmor package would then only build and install the library in
> staging/, and the apparmor-tools will build everything else (still
> protected by the proper conditions, like pam, apache...).
I don't know. I've tried that approach and in the end it was a mess.
Some of the steps to build the swig python are embedded into the
makefile, so we need to call configure and make even for a package
that instead could have been a simple python one.
> Also, I'd like if you could even split the apparmor-utils in a few
> patches:
>
> - apparmor-utils, with just the parser (and binutils?) sub-dirs
> - pam
> - apache
> - python
> - profiles
> - rules caching
>
> That will help reviewing and applying as many bits as we can.
You mean having a patch series that will add bit by bit to the package?
>
> I've not even looked more at the code than just a cursory look, but
> given the above suggestion, I've marked your patch as changes requested
> on patchwork.
>
> Thanks!
>
> > * If python3 is available, swig bindings and python utils are compiled.
> > * parser/apparmor.systemd is actually a systemv init script
> > * Package will enable profiles cache if the system is writable
> > * All Apparmor kernel code is now upstream, so no other patches are
> > needed.
> >
> > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> > ---
> > Changelog:
> >
> > v1->v2:
> > Using the upstream patches
> >
> > DEVELOPERS | 1 +
> > linux/linux.mk | 6 ++
> > package/Config.in | 1 +
> > ...el-fixing-for-crosscompiling-environ.patch | 91 +++++++++++++++++++
> > ...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
> > package/libapparmor/Config.in | 34 +++++++
> > package/libapparmor/libapparmor.hash | 3 +
> > package/libapparmor/libapparmor.mk | 87 ++++++++++++++++++
> > 8 files changed, 253 insertions(+)
> > create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> > create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> > create mode 100644 package/libapparmor/Config.in
> > create mode 100644 package/libapparmor/libapparmor.hash
> > create mode 100644 package/libapparmor/libapparmor.mk
> >
> > diff --git a/DEVELOPERS b/DEVELOPERS
> > index dd44331b85..a96b031def 100644
> > --- a/DEVELOPERS
> > +++ b/DEVELOPERS
> > @@ -188,6 +188,7 @@ N: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> > F: package/corkscrew/
> > F: package/fail2ban/
> > F: package/i2c-tools/
> > +F: package/libapparmor/
> > F: package/mender/
> > F: package/mender-artifact/
> > F: package/mono/
> > diff --git a/linux/linux.mk b/linux/linux.mk
> > index 4b60f33ff3..5032481069 100644
> > --- a/linux/linux.mk
> > +++ b/linux/linux.mk
> > @@ -359,6 +359,12 @@ define LINUX_KCONFIG_FIXUP_CMDS
> > $(if $(BR2_PACKAGE_INTEL_MICROCODE),
> > $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE,$(@D)/.config)
> > $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE_INTEL,$(@D)/.config))
> > + $(if $(BR2_PACKAGE_LIBAPPARMOR),
> > + $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
> > + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
> > + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
> > + $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config)
> > + $(call KCONFIG_SET_OPT,CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE,1,$(@D)/.config))
> > $(if $(BR2_PACKAGE_KTAP),
> > $(call KCONFIG_ENABLE_OPT,CONFIG_DEBUG_FS,$(@D)/.config)
> > $(call KCONFIG_ENABLE_OPT,CONFIG_ENABLE_DEFAULT_TRACERS,$(@D)/.config)
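Review bot: The new `$(if $(BR2_PACKAGE_LIBAPPARMOR), ...)` block makes AppArmor the default security module (`CONFIG_DEFAULT_SECURITY_APPARMOR`, `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE` set to 1) as a side effect of selecting a userspace library, with no comment and no way to opt out. Enabling `CONFIG_SECURITY_APPARMOR` so the library has a kernel side to talk to is reasonable, but picking the default LSM changes the security posture of the whole image, which matters for a configuration that also selects libselinux. Consider limiting this block to the options needed for AppArmor to be available and putting the default-LSM choice behind its own Config.in option, or at least documenting it in the libapparmor help text.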
> > diff --git a/package/Config.in b/package/Config.in
> > index edf7687ab7..d9ed053b77 100644
> > --- a/package/Config.in
> > +++ b/package/Config.in
> > @@ -1862,6 +1862,7 @@ endif
> > endmenu
> >
> > menu "Security"
> > + source "package/libapparmor/Config.in"
> > source "package/libselinux/Config.in"
> > source "package/libsemanage/Config.in"
> > source "package/libsepol/Config.in"
> > diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> > new file mode 100644
> > index 0000000000..564a7758d7
> > --- /dev/null
> > +++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> > @@ -0,0 +1,91 @@
> > +From 64e5c6b23de9c147881680f3daccb995263c34a3 Mon Sep 17 00:00:00 2001
> > +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> > +Date: Tue, 24 Mar 2020 22:53:37 +0100
> > +Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
> > +
> > +In a crosscompiling environment it's common to have a python executable
> > +running for the host system with a python-config reporting the host
> > +configuration and a second python-config reporting the target configuration.
> > +In such cases, relying on the default oython-config is wrong and breaks
> > +the cross compilation.
> > +
> > +This patch adds a PYTHON_CONFIG variable that can be pointed to the second
> > +python-config and fixes the rest of the m4 accordingly.
> > +
> > +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> > +---
> > + libraries/libapparmor/m4/ac_python_devel.m4 | 23 ++++++++++++++++-----
> > + 1 file changed, 18 insertions(+), 5 deletions(-)
> > +
> > +diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
> > +index 29cf090d..6454e2d8 100644
> > +--- a/libraries/libapparmor/m4/ac_python_devel.m4
> > ++++ b/libraries/libapparmor/m4/ac_python_devel.m4
> > +@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
> > + PYTHON_VERSION=""
> > + fi
> > +
> > ++ AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
> > ++ if test -z "$PYTHON_CONFIG"; then
> > ++ AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
> > ++ fi
> > ++
> > + #
> > + # Check for a version of Python >= 2.1.0
> > + #
> > +@@ -79,8 +84,8 @@ $ac_distutils_result])
> > + # Check for Python include path
> > + #
> > + AC_MSG_CHECKING([for Python include path])
> > +- if type $PYTHON-config; then
> > +- PYTHON_CPPFLAGS=`$PYTHON-config --includes`
> > ++ if type $PYTHON_CONFIG; then
> > ++ PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
> > + fi
> > + if test -z "$PYTHON_CPPFLAGS"; then
> > + python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
> > +@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
> > + # Check for Python library path
> > + #
> > + AC_MSG_CHECKING([for Python library path])
> > +- if type $PYTHON-config; then
> > +- PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
> > ++ if type $PYTHON_CONFIG; then
> > ++ PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
> > + fi
> > + if test -z "$PYTHON_LDFLAGS"; then
> > + # (makes two attempts to ensure we've got a version number
> > +@@ -136,6 +141,10 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
> > + # libraries which must be linked in when embedding
> > + #
> > + AC_MSG_CHECKING(python extra libraries)
> > ++ if type $PYTHON_CONFIG; then
> > ++ PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
> > ++ PYTHON_EXTRA_LIBS=''
> > ++ fi
> > + if test -z "$PYTHON_EXTRA_LIBS"; then
> > + PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> > + conf = distutils.sysconfig.get_config_var; \
> > +@@ -148,6 +157,10 @@ sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf(
> > + # linking flags needed when embedding
> > + #
> > + AC_MSG_CHECKING(python extra linking flags)
> > ++ if type $PYTHON_CONFIG; then
> > ++ PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
> > ++ PYTHON_EXTRA_LDFLAGS=''
> > ++ fi
> > + if test -z "$PYTHON_EXTRA_LDFLAGS"; then
> > + PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> > + conf = distutils.sysconfig.get_config_var; \
> > +@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
> > + # save current global flags
> > + ac_save_LIBS="$LIBS"
> > + ac_save_CPPFLAGS="$CPPFLAGS"
> > +- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
> > ++ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
> > + CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
> > + AC_TRY_LINK([
> > + #include <Python.h>
> > +--
> > +2.17.1
> > +
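Review bot: The last nested hunk swaps `$PYTHON_LDFLAGS` and `$PYTHON_EXTRA_LIBS` in `LIBS`, but the commit message only describes the new `PYTHON_CONFIG` variable; the reordering needs its own justification in the description or its own patch. In the first nested hunk the `AC_MSG_ERROR` text names `python$PYTHON_VERSION-config` while the lookup is for `basename $PYTHON-config`, so the message can name a program that was never searched for. Once that check aborts on an empty `PYTHON_CONFIG`, the later `if type $PYTHON_CONFIG` guards can only fail when an explicitly passed path does not exist, and in that case configure silently falls back to querying `$PYTHON`, which is the behaviour the patch sets out to avoid; an error there would be safer. The changelog says these are the upstream patches, so the header should carry a reference to the upstream commit. "oython-config" in the description is a typo.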
> > diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> > new file mode 100644
> > index 0000000000..ce550d3f34
> > --- /dev/null
> > +++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> > @@ -0,0 +1,30 @@
> > +From 88c81d7b73e657240314ef868e6a75bbeb444cc0 Mon Sep 17 00:00:00 2001
> > +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> > +Date: Tue, 24 Mar 2020 23:02:08 +0100
> > +Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
> > +
> > +When crosscompiling, setupy.py should be called passing the settings
> > +discovered by ac_python_devel.m4 and not using the default system
> > +settings.
> > +
> > +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> > +---
> > + libraries/libapparmor/swig/python/Makefile.am | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
> > +index 421acba9..6c60181e 100644
> > +--- a/libraries/libapparmor/swig/python/Makefile.am
> > ++++ b/libraries/libapparmor/swig/python/Makefile.am
> > +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
> > +
> > + all-local: libapparmor_wrap.c setup.py
> > + if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
> > +- $(PYTHON) setup.py build
> > ++ CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
> > +
> > + install-exec-local:
> > + $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
> > +--
> > +2.17.1
> > +
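Review bot: In the `all-local` rule, `CFLAGS="$(PYTHON_CPPFLAGS)"` and `LDFLAGS="$(PYTHON_LDFLAGS)"` replace the flags instead of extending them, so whatever the build environment passes in `CFLAGS` and `LDFLAGS` (optimisation level, hardening options) is dropped for the Python extension. Suggest `CFLAGS="$(CFLAGS) $(PYTHON_CPPFLAGS)"` and `LDFLAGS="$(LDFLAGS) $(PYTHON_LDFLAGS)"`. The `install-exec-local` rule in the trailing context still calls `$(PYTHON) setup.py install` without any of these variables, so it should get the same environment in case the install step rebuilds anything. "setupy.py" in the description should read "setup.py".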
> > diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
> > new file mode 100644
> > index 0000000000..c93199cf37
> > --- /dev/null
> > +++ b/package/libapparmor/Config.in
> > @@ -0,0 +1,34 @@
> > +config BR2_PACKAGE_LIBAPPARMOR
> > + bool "libapparmor"
> > + depends on BR2_USE_WCHAR
> > + select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
> > + select BR2_PACKAGE_GREP
> > + select BR2_PACKAGE_PYTHON3_READLINE if BR2_PACKAGE_PYTHON3
> > + help
> > + AppArmor is an effective and easy-to-use Linux application
> > + security system. AppArmor proactively protects the operating
> > + system and applications from external or internal threats,
> > + even zero-day attacks, by enforcing good behavior and
> > + preventing even unknown application flaws from being exploited.
> > + AppArmor security policies completely define what system
> > + resources individual applications can access, and with what
> > + privileges. A number of default policies are included with
> > + AppArmor, and using a combination of advanced static analysis
> > + and learning-based tools, AppArmor policies for even very
> > + complex applications can be deployed successfully in a
> > + matter of hours.
> > +
> > + http://wiki.apparmor.net
> > +
> > +if BR2_PACKAGE_LIBAPPARMOR
> > +
> > +config BR2_PACKAGE_LIBAPPARMOR_PROFILES
> > + bool "install profiles"
> > + default y
> > + help
> > + This option install Apparmor default profiles
> > +
> > +endif
> > +
> > +comment "AppArmor needs needs a toolchain w/ wchar"
> > + depends on !BR2_USE_WCHAR
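Review bot: The three `select` lines (`BR2_PACKAGE_BUSYBOX_SHOW_OTHERS`, `BR2_PACKAGE_GREP`, `BR2_PACKAGE_PYTHON3_READLINE`) carry no comment saying which component needs them; please annotate each one, for example as a runtime dependency of the init script or of the Python utils, so a reviewer can tell whether the full grep is really required. The trailing comment reads "needs needs", and the profiles help text should be "This option installs the AppArmor default profiles".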
> > diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
> > new file mode 100644
> > index 0000000000..e5ae65d91c
> > --- /dev/null
> > +++ b/package/libapparmor/libapparmor.hash
> > @@ -0,0 +1,3 @@
> > +# locally computed
> > +sha256 267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639 apparmor-2.13.3.tar.gz
> > +sha256 a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4 LICENSE
> > diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> > new file mode 100644
> > index 0000000000..3935f3435a
> > --- /dev/null
> > +++ b/package/libapparmor/libapparmor.mk
> > @@ -0,0 +1,87 @@
> > +################################################################################
> > +#
> > +# libapparmor
> > +#
> > +################################################################################
> > +
> > +LIBAPPARMOR_BASE_VERSION = 2.13
> > +LIBAPPARMOR_VERSION = $(LIBAPPARMOR_BASE_VERSION).3
> > +LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
> > +LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_BASE_VERSION)/$(LIBAPPARMOR_VERSION)/+download
> > +LIBAPPARMOR_LICENSE = GPL-2.0
> > +LIBAPPARMOR_LICENSE_FILES = LICENSE
> > +LIBAPPARMOR_SUBDIR = libraries/libapparmor
> > +LIBAPPARMOR_AUTORECONF = YES
> > +LIBAPPARMOR_INSTALL_STAGING = YES
> > +LIBAPPARMOR_CONF_OPTS = --enable-static --enable-man-pages=no
> > +
> > +LIBAPPARMOR_SUBDIRS = parser binutils
> > +
> > +ifeq ($(BR2_PACKAGE_LIBAPPARMOR_PROFILES),y)
> > +LIBAPPARMOR_SUBDIRS += profiles
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_APACHE),y)
> > +LIBAPPARMOR_DEPENDENCIES += apache
> > +LIBAPPARMOR_SUBDIRS += changehat/mod_apparmor
> > +LIBAPPARMOR_SUBDIRS_BUILD_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> > +LIBAPPARMOR_DEPENDENCIES += linux-pam
> > +LIBAPPARMOR_SUBDIRS += changehat/pam_apparmor
> > +endif
> > +
> > +LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1
> > +
> > +LIBAPPARMOR_SUBDIRS_BUILD_CMD = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> > + $(MAKE) $(LIBAPPARMOR_SUBDIRS_BUILD_OPTS) -C $(@D)/$(d)
> > +
> > +# libapparmor source code is in libraries/libapparmor and needs to be compiled
> > +# and installed in staging before actually compiling subdirs components
> > +define LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> > + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> > + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD)
> > + )
> > +endef
> > +LIBAPPARMOR_POST_INSTALL_STAGING_HOOKS += LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> > +
> > +define LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> > + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> > + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD) DESTDIR=$(TARGET_DIR) install
> > + )
> > +endef
> > +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> > +
> > +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> > +
> > +LIBAPPARMOR_CONF_OPTS += --with-python PYTHON=$(HOST_DIR)/usr/bin/python3 \
> > + PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
> > + SWIG=$(HOST_DIR)/usr/bin/swig
> > +LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
> > +LIBAPPARMOR_SUBDIRS += utils
> > +LIBAPPARMOR_SUBDIRS_BUILD_CMD += PYTHON=$(HOST_DIR)/usr/bin/python3
> > +
> > +endif
> > +
> > +# Enabling rules caching if the system is mounted R/W
> > +ifeq ($(BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW),y)
> > +define LIBAPPARMOR_ENABLE_PROFILE_CACHE
> > + $(SED) '/^#write-cache/c\write-cache' $(TARGET_DIR)/etc/apparmor/parser.conf
> > +endef
> > +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_ENABLE_PROFILE_CACHE
> > +endif
> > +
> > +define LIBAPPARMOR_INSTALL_INIT_SYSV
> > + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> > + $(TARGET_DIR)/etc/init.d/S10apparmor
> > +endef
> > +
> > +define LIBAPPARMOR_INSTALL_INIT_SYSTEMD
> > + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> > + $(TARGET_DIR)/lib/apparmor/apparmor.systemd
> > + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
> > + $(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
> > +endef
> > +
> > +$(eval $(autotools-package))
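Review bot: `LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1` is a plain assignment placed after the apache block, so it discards the `APXS=$(STAGING_DIR)/usr/bin/apxs` that block appended with `+=`; with apache enabled, `changehat/mod_apparmor` is then built without the staging apxs. Move the `USE_SYSTEM=1` assignment above the conditional blocks. Separately, `LIBAPPARMOR_ENABLE_PROFILE_CACHE` edits `$(TARGET_DIR)/etc/apparmor/parser.conf` with a sed expression that also succeeds when no `#write-cache` line is present, so a change to that file upstream would silently leave the cache disabled; a comment showing the expected line would help.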
> > --
> > 2.17.1
> >
* [Buildroot] [PATCH v2] package/libapparmor: new package
2020-03-26 20:34 ` Angelo Compagnucci
@ 2020-03-26 20:56 ` Yann E. MORIN
0 siblings, 0 replies; 4+ messages in thread
From: Yann E. MORIN @ 2020-03-26 20:56 UTC (permalink / raw)
To: buildroot
Angelo, All,
On 2020-03-26 21:34 +0100, Angelo Compagnucci spake thusly:
> On Thu, Mar 26, 2020 at 7:57 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> > On 2020-03-26 19:01 +0100, Angelo Compagnucci spake thusly:
> > > From: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> > > This patch adds libapparmor and it's related tools.
> > > The patch is quite complicated by the layout of the source tree:
[--SNIP--]
> > I've looked at the .mk, and I don't like it.
[--SNIP--]
> > Why don't you provide multiple packages:
> > - libapparmor
[--SNIP--]
> > - apparmor-utils, with just the parser (and binutils?) sub-dirs
> > - pam
> > - apache
> > - python
> > - profiles
> > - rules caching
> I don't know. I've tried that approach and in the end it was a mess.
> Some of the steps to build the swig python are embedded into the
> makefile, so we need to call configure and make even for a package
> that instead could have been a simple python one.
Well, as far as I can see, that's exactly what your patch does: it
installs libapparmor, and then as post-staging hooks, it then builds the
rest of the package.
This is exactly what having two packages would provide.
Now, specifically about the python bindings: maybe they should be built
from the libapparmor package rather than the utils one, sure, if it
makes more sense...
> You mean having a patch series that will add bit by bit to the package?
Yes.
As you say yourself, the package is a mess as it is. By splitting it in
a series that adds each piece one by one, it will:
- allow you to provide a detailed commit log with full explanations
about the required ugliness,
- allow reviewers to understand that problem and better assess the
ugliness, and see if it is indeed needed.
Also, "it was a mess" is not descriptive enough to dismiss the
multi-package attempt (where 'multi' may well be just '2').
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'