Commit 6d3e7490 authored by Steve Beattie's avatar Steve Beattie

Import the rest of the core functionality of the internal apparmor

development tree (trunk branch). From svn repo version 6381.
parent 8fbbf6c9
# $Id: Makefile 6262 2006-02-11 07:30:00Z steve $
# ----------------------------------------------------------------------
# Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2.1 of the GNU Lesser
# General Public License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
NAME := libapparmor
all:
COMMONDIR:=$(strip $(shell if [ -d "../common/" ] ; then \
echo "../common/" ; \
elif [ -d "../../common/" ] ; then \
echo "../../common/" ; \
else \
echo "/common_dir_not_found" ; \
fi))
include Make.rules
COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
ifeq ($(COMMONDIR_EXISTS), true)
Make.rules: $(COMMONDIR)/Make.rules
ln -f $(COMMONDIR)/Make.rules .
endif
SO_VERS = 1
DESTDIR =
LIB = lib/
LIBDIR = /usr/${LIB}
TARGET=libapparmor
TARGETS=${TARGET}.so ${TARGET}.a
OLDTARGET=libimmunix.so.1
OBJECTS=change_hat.o
TESTS=tst-sgdh tst-cdh tst-sgkey tst-sgdh-static tst-cdh-static tst-sgkey-static
CFLAGS=-g -O2 -Wall -Wstrict-prototypes -pipe
EXTRA_CFLAGS=$(CFLAGS) -fpic -D_REENTRANT
ARFLAGS=-rcs
TEST_CFLAGS=$(CFLAGS) $(CANARY_FLAG) $(FORMATGUARD_FLAG)
TEST_LDFLAGS= -L. -limmunix
all: ${TARGETS} ${OLDTARGET}
%.o: %.c
$(CC) ${EXTRA_CFLAGS} -c -shared -o [email protected] $<
${TARGET}.so: ${OBJECTS}
${CC} ${EXTRA_CFLAGS} -o [email protected].$(SO_VERS) -Wl,-soname,[email protected].$(SO_VERS) -Wl,--version-script=${TARGET}.map -W,-z,defs -shared -dynamic $^
ln -fs [email protected].$(SO_VERS) [email protected]
${OLDTARGET}: ${OBJECTS} libimmunix_warning.o
${CC} ${EXTRA_CFLAGS} -o [email protected] -Wl,-soname,[email protected] -Wl,--version-script=${TARGET}.map -W,-z,defs -shared -dynamic $^
${TARGET}.a: ${OBJECTS}
ar ${ARFLAGS} [email protected] $^
${POSTINSTALLBIN}: ${POSTINSTALLBIN}.c
$(CC) -static -Os -o [email protected] $(CANARY_FLAG) $(FORMATGUARD_FLAG) $^
# Ugh, dunno how to do an auto rule for the TESTS
tst-sgdh: tst-sgdh.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
tst-cdh: tst-cdh.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
tst-sgkey: tst-sgkey.c ${TARGET}.so
$(CC) ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
tst-sgdh-static: tst-sgdh.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
tst-cdh-static: tst-cdh.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
tst-sgkey-static: tst-sgkey.c ${TARGET}.a
$(CC) -static ${TEST_CFLAGS} -o [email protected] $< ${TEST_LDFLAGS}
check: $(TESTS)
-LD_LIBRARY_PATH=. ./tst-sgdh
-LD_LIBRARY_PATH=. ./tst-cdh
-LD_LIBRARY_PATH=. ./tst-sgkey
-./tst-sgdh-static
-./tst-cdh-static
-./tst-sgkey-static
.PHONY: install
install: $(TARGETS)
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
install -d ${DESTDIR}/usr/include/sys
mv -f $(TARGET).so.$(SO_VERS) $(TARGET)-$(VERSION)-$(RELEASE).so.$(SO_VERS)
install -m 755 $(TARGET)-$(VERSION)-$(RELEASE).so.$(SO_VERS) ${DESTDIR}/${LIB}
ln -sf $(TARGET)-$(VERSION)-$(RELEASE).so.$(SO_VERS) ${DESTDIR}/${LIB}/$(TARGET).so.$(SO_VERS)
install -m 755 $(TARGET).a ${DESTDIR}${LIBDIR}
install -m 644 apparmor.h ${DESTDIR}/usr/include/sys
ln -sf /${LIB}/$(TARGET).so.$(SO_VERS) ${DESTDIR}${LIBDIR}/$(TARGET).so
# compatability with old libimmunix
install -m 755 $(OLDTARGET) ${DESTDIR}/${LIB}
ln -sf apparmor.h ${DESTDIR}/usr/include/sys/immunix.h
.PHONY: clean
clean:
rm -f *.o $(TARGET)*.so* ${TARGETS} ${OLDTARGET}
rm -f ${NAME}-${VERSION}*.tar.gz ${TESTS} $(NAME)-*.tgz ${SPECFILE}
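Review bot: Every test command in the `check` recipe is prefixed with `-`, so `make check` exits 0 even when a change_hat test fails, and a regression in this confinement library would pass unnoticed in an automated build; the prefixes should be dropped so a failing test fails the target. Separately, `TEST_LDFLAGS= -L. -limmunix` names a library this Makefile never creates under that link name (it builds `libimmunix.so.1`, `libapparmor.so` and `libapparmor.a`), so the tests appear to link against whatever libimmunix the build host has installed rather than the freshly built code. `TEST_LDFLAGS= -L. -lapparmor` would match the `${TARGET}.so` and `${TARGET}.a` prerequisites of the test rules. The `-W,-z,defs` on the two shared-library link lines also looks like a typo for `-Wl,-z,defs`, in which case the undefined-symbol check is not reaching the linker.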
/* $Id: apparmor.h 6203 2006-02-02 22:03:41Z steve $
Copyright (c) 2003, 2004, 2005, 2006 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#ifndef _SYS_APPARMOR_H_
#define _SYS_APPARMOR_H 1
__BEGIN_DECLS
/* Prototype for change_hat as defined by the AppArmor project
* <http://forge.novell.com/modules/xfmod/project/?apparmor> */
extern int change_hat(const char *subprofile, unsigned int magic_token);
__END_DECLS
#endif /* sys/apparmor.h */
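Review bot: The include guard does not guard anything, because `#ifndef _SYS_APPARMOR_H_` tests a macro with a trailing underscore while `#define _SYS_APPARMOR_H 1` defines one without it, so the tested macro is never defined. Use the same name in both lines, e.g. `#define _SYS_APPARMOR_H_ 1`. The prototype also declares `subprofile` as `const char *`, while the definition in change_hat.c on this page takes `char *` and does not include this header, so the compiler never sees the two together and cannot flag the mismatch.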
/* $Id: change_hat.c 6288 2006-02-27 17:29:04Z steve $
Copyright (c) 2003, 2004, 2005, 2006 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#define _GNU_SOURCE /* for asprintf */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>
int change_hat(char *subprofile, unsigned int token)
{
int rc = -1;
int fd, ret, len = 0, ctlerr = 0;
char *buf = NULL;
const char *cmd = "changehat";
char *ctl = NULL;
pid_t tid = syscall(SYS_gettid);
/* both may not be null */
if (!(token || subprofile)) {
errno = EINVAL;
goto out;
}
if (subprofile && strnlen(subprofile, PATH_MAX + 1) > PATH_MAX) {
errno = EPROTO;
goto out;
}
len = asprintf(&buf, "%s %08x^%s", cmd, token,
subprofile ? subprofile : "");
if (len < 0) {
goto out;
}
ctlerr = asprintf(&ctl, "/proc/%d/attr/current", tid);
if (ctlerr < 0) {
goto out;
}
fd = open(ctl, O_WRONLY);
if (fd == -1) {
goto out;
}
ret = write(fd, buf, len);
if (ret != len) {
int saved;
if (ret != -1) {
errno = EPROTO;
}
saved = errno;
(void)close(fd);
errno = saved;
goto out;
}
rc = 0;
(void)close(fd);
out:
if (buf) {
/* clear local copy of magic token before freeing */
memset(buf, '\0', len);
free(buf);
}
if (ctl) {
free(ctl);
}
return rc;
}
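Review bot: When either asprintf() call fails, the `out:` path still tests `buf` (or `ctl`), whose value glibc leaves undefined on failure, and for `buf` it goes on to `memset(buf, '\0', len)` with `len` negative before calling `free()`. Resetting the pointer in each failure branch closes this: `if (len < 0) { buf = NULL; goto out; }` and `if (ctlerr < 0) { ctl = NULL; goto out; }`. The clearing `memset` directly before `free(buf)` is also a store the compiler is allowed to drop, so the magic token may remain in freed heap memory. A clear that cannot be elided (`explicit_bzero` where the libc provides it, or a write through a `volatile` pointer) would keep the intent of the existing comment.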
IMMUNIX_1.0 {
global:
change_hat;
local:
*;
};
APPARMOR_1.0 {
global:
change_hat;
local:
*;
};
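Review bot: `change_hat` is listed under `global:` in both `IMMUNIX_1.0` and `APPARMOR_1.0`, but change_hat.c as shown on this page has a single unversioned definition and no `.symver` directive, so which version node the symbol is bound to is left to the linker's handling of the duplicate entry. If the intent is to keep binaries linked against the old libimmunix resolving, that probably needs an explicit alias bound to `IMMUNIX_1.0` and a default bound to `APPARMOR_1.0`. Failing that, a comment at the top of the map stating which node is authoritative, and why both exist, would help the next maintainer.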
# $Id: libapparmor.spec.in 6284 2006-02-24 17:11:53Z steve $
# ----------------------------------------------------------------------
# Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
#
# This software is licensed under the terms of the GNU Lesser General
# Public License, version 2.1. Please see the file COPYING.LGPL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
#
# norootforbuild
#
# Check first to see if distro is already defined. It should be defined
# by our makefile
%if ! %{?distro:1}0
%define distro suse
%endif
# Check to see what architecture we are building on so we know where
# the lib should be installed.
# Note: alpha and ia64 are 64bit systems but they have no 32 bit userland
# so they install their libs to /lib instead of /lib64
# FIXME: will see what happens when we need to do a 64bit build on RHEL
%ifarch x86_64 mips64 ppc64 sparc64 s390x
%define build64 1
%endif
# else anything that doesn't specifically have a lib64 dir
# i386 i686 mips ppc sparc arm alpha ia64
Name: libapparmor
Summary: Library to provide key AppArmor symbols
Version: @@[email protected]@
Release: 6
%if %distro == "suse"
Group: System/Libraries
%else
Group: System Environment/Libraries
%endif
Source: %{name}-%{version}[email protected]@[email protected]@.tar.gz
License: LGPL
BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
URL: http://forge.novell.com/modules/xfmod/project/?apparmor
BuildRequires: glibc-devel
%if %{?build64:1}0
#BuildRequires: linux32
%endif
Obsoletes: libimmunix
Provides: libimmunix
%description
This package provides the libapparmor library, which contains the change_hat(2)
symbol, used for sub-process confinement by AppArmor. Applications that
wish to make use of change_hat(2) need to link against this library.
This package is part of a suite of tools that used to be named SubDomain.
%prep
%if %{?build64:1}0
%setup -q -c -n %{name}32
%setup -D -q
%else
%setup -q
%endif
%build
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
%if %{?build64:1}0
# build 32 bit version first
%define CFLAGS32 "-g -O2 -Wall -Wstrict-prototypes -pipe -fpic -m32"
%ifarch x86_64
%define env32 linux32
%endif
%ifarch mips64
# FIXME don't know what's supposed to be here
%define env32 mips32
%endif
%ifarch ppc64
%define env32 powerpc32
%endif
%ifarch sparc64
%define env32 sparc32
%endif
%ifarch s390x
%define env32 s390
# s390 isn't actually 32bit it an odd ball 31bit machine
%undefine CFLAGS32
%define CFLAGS32 "-g -O2 -Wall -Wstrict-prototypes -pipe -fpic -m31"
%endif
# FIXME - disabled 32bit builds on 64bit platforms
echo "FIXME - disabled 32bit builds on 64bit platforms"
#%{env32} make CFLAGS=%{CFLAGS32} -C ../%{name}32/%{name}-%{version}
%endif
make CFLAGS="${RPM_OPT_FLAGS}"
%install
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
%if %{?build64:1}0
# FIXME - disabled 32bit builds on 64bit platforms
echo "FIXME - disabled 32bit installs on 64bit platforms"
#make install DESTDIR=${RPM_BUILD_ROOT} LIB=lib -C ../%{name}32/%{name}-%{version}
%endif
make install DESTDIR=${RPM_BUILD_ROOT} LIB=%{_lib} VERSION=%{version} RELEASE=%{release}
# don't use -p here, breaks slackware package builds
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%files
%defattr (-,root,root)
%if %{?build64:1}0
# FIXME - disabled 32bit builds on 64bit platforms
#/lib/lib*
#/usr/lib/lib*
%endif
/%{_lib}/lib*
%{_libdir}/lib*
%{_prefix}/include/sys/*.h
%doc COPYING.LGPL
%changelog
* Fri Feb 17 2006 Seth Arnold <[email protected]> 2.0-4.1
- use gettid() instead of /proc/self
* Fri Feb 10 2006 Steve Beattie <[email protected]> 2.0-3.2
- Use RPM_OPT_FLAGS
- Fix installed library version to match specfile version
* Wed Feb 1 2006 Steve Beattie <[email protected]> 2.0-3.1
- Fix prototype to match change_hat(2) manpage
* Mon Jan 23 2006 Steve Beattie <[email protected]> 2.0-3
- Rename to libapparmor.so and apparmor.h
* Thu Jan 5 2006 Steve Beattie <[email protected]> 2.0-2
- Add svn repo number to tarball
* Wed Dec 7 2005 Steve Beattie <[email protected]> 2.0-1
- Reset version for inclusion is SUSE autobuild
* Wed Dec 7 2005 Steve Beattie <[email protected]> 1.99-8
- Disable 32bit builds on 64bit platforms for now
* Mon Dec 5 2005 Steve Beattie <[email protected]> 1.99-7
- Rename package to libapparmor
* Wed Aug 10 2005 Steve Beattie <[email protected]> 1.99-6_imnx
- Cleanup some of the deprecated exported symbols
* Thu Aug 4 2005 John Johansen <[email protected]> 1.99-5_imnx
- and -m31 flag for s390
* Mon Jul 11 2005 Steve Beattie <[email protected]> 1.99-4_imnx
- get rid of libimmunix_post_upgrade
- Re-license to LGPL
- update description