Diffstat (limited to 'testing/apparmor/0009-ensure-make-apparmor_parser-is-cached.patch')
-rw-r--r-- | testing/apparmor/0009-ensure-make-apparmor_parser-is-cached.patch | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/testing/apparmor/0009-ensure-make-apparmor_parser-is-cached.patch b/testing/apparmor/0009-ensure-make-apparmor_parser-is-cached.patch
new file mode 100644
index 0000000000..cb6a92cf82
--- /dev/null
+++ b/testing/apparmor/0009-ensure-make-apparmor_parser-is-cached.patch
@@ -0,0 +1,135 @@
+From 71bbc6a4ce79802ad037227382817c5998ffbb2e Mon Sep 17 00:00:00 2001
+From: Eric Chiang <ericchiang@google.com>
+Date: Thu, 17 Jan 2019 11:02:57 -0800
+Subject: [PATCH 09/12] *: ensure make apparmor_parser is cached
+
+This change updates parser/Makefile to respect target dependencies and
+not rebuild apparmor_parser if nothing's changed. The goal is to allow
+cross-compiled tests #17 to run on a target system without the tests
+attempting to rebuild the parser.
+
+Two changes were made:
+
+* Generate af_names.h in a script so the script timestamp is compared.
+* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
+
+Changes to list_af_names are intended to exactly replicate the old
+behavior.
+
+Signed-off-by: Eric Chiang <ericchiang@google.com>
+---
+ common/Make.rules | 21 ---------------------
+ common/list_af_names.sh | 19 +++++++++++++++++++
+ parser/Makefile | 13 +++++--------
+ utils/vim/create-apparmor.vim.py | 2 +-
+ 4 files changed, 25 insertions(+), 30 deletions(-)
+ create mode 100755 common/list_af_names.sh
+
+diff --git a/common/Make.rules b/common/Make.rules
+index d2149fcd..357bdec8 100644
+--- a/common/Make.rules
++++ b/common/Make.rules
+@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
+ list_capabilities: /usr/include/linux/capability.h
+ @echo "$(CAPABILITIES)"
+
+-# =====================
+-# generate list of network protocols based on
+-# sys/socket.h for use in multiple locations in
+-# the source tree
+-# =====================
+-
+-# These are the families that it doesn't make sense for apparmor
+-# to mediate. We use PF_ here since that is what is required in
+-# bits/socket.h, but we will rewrite these as AF_.
+-
+-FILTER_FAMILIES=PF_UNIX
+-
+-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+-
+-# emits the AF names in a "AF_NAME NUMBER," pattern
+-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+-
+-.PHONY: list_af_names
+-list_af_names:
+- @echo "$(AF_NAMES)"
+-
+ # =====================
+ # manpages
+ # =====================
+diff --git a/common/list_af_names.sh b/common/list_af_names.sh
+new file mode 100755
+index 00000000..d7987537
+--- /dev/null
++++ b/common/list_af_names.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash -e
++
++# =====================
++# generate list of network protocols based on
++# sys/socket.h for use in multiple locations in
++# the source tree
++# =====================
++
++# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
++# for "PF_" constants since that is what is required in bits/socket.h, but
++# rewrite as "AF_".
++
++echo "#include <sys/socket.h>" | \
++ cpp -dM | \
++ LC_ALL=C sed -n \
++ -e '/PF_UNIX/d' \
++ -e 's/PF_LOCAL/PF_UNIX/' \
++ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
++ sort -n -k2
+diff --git a/parser/Makefile b/parser/Makefile
+index c1ca4b45..aa5ab730 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -281,10 +281,9 @@ parser_version.h: Makefile
+ # as well as the filtering that occurs for network protocols that
+ # apparmor should not mediate.
+
+-.PHONY: af_names.h
+-af_names.h:
+- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
++af_names.h: ../common/list_af_names.sh
++ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
++ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
+ # cat $@
+
+ cap_names.h: /usr/include/linux/capability.h
+@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
+ sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
+ $(Q)$(MAKE) -s -C tst tests
+
+-# always need to rebuild.
+-.SILENT: $(AAREOBJECT)
+-.PHONY: $(AAREOBJECT)
+-$(AAREOBJECT):
++$(AAREOBJECT): FORCE
+ $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+
+ .PHONY: install-rhel4
+@@ -408,3 +404,4 @@ clean: pod_clean
+ $(MAKE) -s -C po clean
+ $(MAKE) -s -C tst clean
+
++FORCE:
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index 10bd5b8d..fea134f6 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -57,7 +57,7 @@ for cap in capabilities:
+ benign_caps.append(cap)
+
+ # get network protos list
+-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
++(rc, output) = cmd(['../../common/list_af_names.sh'])
+ if rc != 0:
+ sys.stderr.write("make list_af_names failed: " + output)
+ exit(rc)
+--
+2.25.2
+ |
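Review bot: In the parser/Makefile hunk, dropping `.PHONY: af_names.h` means a bad af_names.h is now kept between builds, and nothing in the new rule or in common/list_af_names.sh detects a failed generation. Both the script (`#!/bin/bash -e` around a four-stage pipeline) and the recipe lines (`../common/list_af_names.sh | LC_ALL=C sed … > $@`) report only the last command's status, so a missing `cpp` or header would still leave an empty or truncated af_names.h with a fresh timestamp, and the parser would presumably be built with an incomplete address-family table for network rules. I would add `set -o pipefail` after the shebang in the script, run the script on its own recipe line into a temporary file that both sed passes read, and only `mv` the finished result onto `$@`. The rule also lists only the script as a prerequisite, unlike the neighbouring `cap_names.h: /usr/include/linux/capability.h`, so a change of kernel headers or sysroot no longer refreshes the table; a comment such as `# af_names.h is cached: remove it after changing toolchain headers` above the rule would at least record that.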
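Review bot: The new `cmd(['../../common/list_af_names.sh'])` call in utils/vim/create-apparmor.vim.py resolves the script relative to the current working directory, so it finds the intended file only when the generator is started from utils/vim; building the path from the generator's own location, for example from `os.path.dirname(os.path.abspath(__file__))`, removes that dependency. The error text on the unchanged line below still reads `"make list_af_names failed: "` and should name the script instead. Whether `os` is already imported cannot be seen from this hunk, and the `rc != 0` check only helps once the script itself reports pipeline failures.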