Merge from trunk rev 1698: Update the toplevel README file to discuss

the needed apparmor compatibility patches, mention the profile
consistency check, and remove some variables that no longer need to
be set at build time.

Makefile

@@ -16,7 +16,7 @@ DIRS=parser \
      common \
      tests
 
-REPO_URL?=lp:apparmor
+REPO_URL?=lp:apparmor/2.6
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"

README

@@ -30,13 +30,26 @@ AppArmor consists of several different parts:
 changehat/	source for using changehat with Apache, PAM and Tomcat
 common/		common makefile rules
 desktop/	empty
-kernel-patches/	patches for various kernel versions
+kernel-patches/	compatibility patches for various kernel versions
 libraries/	libapparmor source and language bindings
 parser/		source for parser/loader and corresponding documentation
 profiles/	configuration files, reference profiles and abstractions
 tests/		regression and stress testsuites
 utils/		high-level utilities for working with AppArmor
 
+--------------------------------------
+Important note on AppArmor kernel code
+--------------------------------------
+
+While most of the kernel AppArmor code has been accepted in the
+upstream Linux kernel, a few important pieces were not included. These
+missing pieces unfortunately are important bits for AppArmor userspace
+and kernel interaction; therefore we have included compatibility
+patches in the kernel-patches/ subdirectory, versioned by upstream
+kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
+
+Without these patches applied to the kernel, the AppArmor userspace
+will not function correctly.
 
 ------------------------------------------
 Building and Installing AppArmor Userspace
@@ -49,10 +62,14 @@ the following order.
 libapparmor:
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl
+$ sh ./configure --prefix=/usr --with-perl	# see below
 $ make
 $ make check
 
+[optional arguments to libapparmor's configure include --with-python
+ and --with-ruby, to generate python and ruby bindings to libapparmor,
+ respectively.]
+
 
 Utilities:
 $ cd utils
@@ -70,23 +87,23 @@ $ make install
 
 Apache mod_apparmor:
 $ cd changehat/mod_apparmor
-$ LIBS="-lapparmor" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 PAM AppArmor:
 $ cd changehat/pam_apparmor
-$ LIBS="-lapparmor -lpam" make
+$ make		# depends on libapparmor having been built first
 $ make install
 
 
 Profiles:
 $ cd profiles
 $ make
+$ make check	# depends on the parser having been built first
 $ make install
 
 
-
 -------------------
 AppArmor Testsuites
 -------------------
@@ -124,6 +141,14 @@ For details on structure and adding tests, see libraries/libapparmor/README.
 $ cd libraries/libapparmor
 $ make check
 
+Profile checks
+--------------
+A basic consistency check to ensure that the parser and aa-logprof parse
+successfully the current set of shipped profiles. The system or other
+parser and logprof can be passed in by overriding the PARSER and LOGPROF
+variables.
+$ cd profiles
+$ make && make check
 
 Stress Tests
 ------------

changehat/mod_apparmor/Makefile

@@ -41,12 +41,15 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2" ] ; then \
 	      fi ) 
 APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
 DESTDIR=
-LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
+# Need to pass -Wl twice here to get past both apxs2 and libtool, as
+# libtool will add the path to the RPATH of the library if passed -L/some/path
+LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -Wl,-Wl,-L../../libraries/libapparmor/src/.libs
+LDLIBS=-lapparmor
 
 all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
 
 %.so: %.c
-	${APXS} ${LIBAPPARMOR_FLAGS} -c $<
+	${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
 	mv .libs/$@ .
 
 .PHONY: install

common/Version

@@ -1 +1 @@
-2.6.0
+2.6.1~rc1

parser/Makefile

@@ -196,7 +196,7 @@ parser_version.h: Makefile
 # These are the families that it doesn't make sense for apparmor to mediate.
 # We use PF_ here since that is what is required in bits/socket.h, but we will
 # rewrite these as AF_.
-FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET
+FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 

parser/rc.apparmor.functions

@@ -170,7 +170,7 @@ parse_profiles() {
 			exit 1
 			;;
 	esac
-	aa_log_action_begin "$PARSER_MSG"
+	aa_log_action_start "$PARSER_MSG"
 	# run the parser on all of the apparmor profiles
 	if [ ! -f "$PARSER" ]; then
 		aa_log_failure_msg "AppArmor parser not found"
@@ -409,9 +409,9 @@ remove_profiles() {
 
 	retval=0
 	#the list of profiles isn't stable once we start adding or removing
-	#them so stor to tmp first
+	#them so store to tmp first (in reverse order so hat profiles are removed first)
 	MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
+	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort -r > "$MODULE_PLIST"
 	cat "$MODULE_PLIST" | while read profile ; do
 		echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
 		rc=$?
@@ -427,7 +427,7 @@ apparmor_stop() {
 	aa_log_daemon_msg "Unloading AppArmor profiles "
 	remove_profiles
 	rc=$?
-	log_end_msg $rc
+	aa_log_end_msg $rc
 	return $rc
 }
 

profiles/Makefile

@@ -20,7 +20,7 @@
 # Makefile for LSM-based AppArmor profiles
 
 NAME=apparmor-profiles
-ALL:
+ALL: local
 COMMONDIR=../common/
 
 include common/Make.rules
@@ -81,23 +81,22 @@ endif
 
 ifndef PARSER
 # use system parser
-PARSER=/sbin/apparmor_parser
+PARSER=../parser/apparmor_parser
 endif
 
 ifndef LOGPROF
-# use system logprof
+# use ../utils logprof
-LOGPROF=/usr/sbin/aa-logprof
+LOGPROF=perl -I../utils/ ../utils/aa-logprof
 endif
 
-EXTRAS_PATH=${EXTRAS_SOURCE}/profiles/extras
+IGNORE_FILES=${EXTRAS_SOURCE}/README
-IGNORE_FILES=${EXTRAS_PATH}/README
+CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
-CHECK_PROFILES=$(filter-out ${IGNORE_FILES}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_PATH}/*))
 
 .PHONY: check
 check:
-	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_PATH} against apparmor_parser"
+	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
 	$(Q)for profile in ${CHECK_PROFILES} ; do \
-		${PARSER} -S -I ${PWD}/apparmor.d $${profile} > /dev/null ; \
+		${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
 	done
 	@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
-	$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null
+	$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1

profiles/apparmor/profiles/extras/usr.lib.firefox.firefox

@@ -122,5 +122,7 @@
   deny /usr/share/mozilla/ w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.firefox>
+  # Local path is disabled, we only enable them for profiles we promote
+  # out of extras.
+  ## include <local/usr.bin.firefox>
 }