Diffstat (limited to 'meta-security/recipes-mac')
-rw-r--r-- | meta-security/recipes-mac/AppArmor/apparmor_2.13.6.bb (renamed from meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb) | 8 | ||||
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch | 39 | ||||
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch | 96 | ||||
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch | 40 | ||||
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch | 25 | ||||
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/disable_pdf.patch | 33 |
6 files changed, 68 insertions, 173 deletions
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.6.bb
index ba58fc5c6c..bc1454578f 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.6.bb
@@ -22,19 +22,19 @@ SRC_URI = " \
 file://apparmor \
 file://apparmor.service \
 file://0001-Makefile.am-suppress-perllocal.pod.patch \
+ file://0001-Use-build-environment-C-preprocessor.patch \
+ file://0002-Correctly-escape-in-Makefile.patch \
 file://run-ptest \
- file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
- file://0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch \
 "
-SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
+SRCREV = "c16fff8cb487cf150e3e5ad536b7ff2d4cb4f784"
 S = "${WORKDIR}/git"
 PARALLEL_MAKE = ""
 COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative ptest cpan manpages systemd features_check
 REQUIRED_DISTRO_FEATURES = "apparmor"
 PACKAGECONFIG ??= "python perl aa-decode"
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch b/meta-security/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch
new file mode 100644
index 0000000000..76e334ac74
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch
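Review bot: The new `SRCREV` is a bare commit hash with nothing in the recipe tying it to the 2.13.6 release named in the file name, so a reader cannot check the pin without consulting upstream history. A one-line comment above it naming the upstream tag or branch the hash was taken from would make the version claim verifiable in review. The hunk also drops two patches that were marked `Upstream-Status: Backport`; presumably both are contained in the new revision, and saying so in the commit message would confirm that the sysctl build guard was not lost in the upgrade.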
@@ -0,0 +1,39 @@
+From b19d65886263cee40c7283d329ff05f43cbb2047 Mon Sep 17 00:00:00 2001
+From: Omer Akram <omer@thing.com>
+Date: Mon, 12 Apr 2021 22:24:13 +0500
+Subject: [PATCH] Use build environment C preprocessor
+
+---
+ common/list_af_names.sh | 2 +-
+ common/list_capabilities.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/list_af_names.sh b/common/list_af_names.sh
+index d7987537..23d9ba7f 100755
+--- a/common/list_af_names.sh
++++ b/common/list_af_names.sh
+@@ -11,7 +11,7 @@
+ # rewrite as "AF_".
+
+ echo "#include <sys/socket.h>" | \
+- cpp -dM | \
++ ${CPP} -dM - | \
+ LC_ALL=C sed -n \
+ -e '/PF_UNIX/d' \
+ -e 's/PF_LOCAL/PF_UNIX/' \
+diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
+index 4e37cda7..d07111de 100755
+--- a/common/list_capabilities.sh
++++ b/common/list_capabilities.sh
+@@ -7,7 +7,7 @@
+ # =====================
+
+ echo "#include <linux/capability.h>" | \
+- cpp -dM | \
++ ${CPP} -dM - | \
+ LC_ALL=C sed -n \
+ -e '/CAP_EMPTY_SET/d' \
+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+--
+2.25.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch b/meta-security/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
deleted file mode 100644
index 3cd1e88ae3..0000000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
+++ /dev/null
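Review bot: `${CPP}` in both rewritten pipelines (list_af_names.sh and list_capabilities.sh) has no fallback, so when the variable is unset or not exported the first stage fails and, unless the script enables pipefail outside the lines shown, sed just receives empty input and the generated name list comes out silently empty. `${CPP:-cpp} -dM - | \` keeps a plain upstream build working, or `: "${CPP:?CPP is not set}"` near the top of each script stops it early. The patch header here, like the one in 0002-Correctly-escape-in-Makefile.patch, has no `Upstream-Status:` or `Signed-off-by:` line, which both backports removed by this commit did carry, so the provenance of these locally carried changes is not recorded. Both scripts start and end outside the hunks.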
@@ -1,96 +0,0 @@ -From 7a7c7fb346ded6f017c8df44486778a5f032d41a Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Tue, 29 Sep 2020 03:05:22 -0700 -Subject: [PATCH] regression tests: Don't build syscall_sysctl if missing - kernel headers - -sys/sysctl.h is not guaranteed to exist anymore since -https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html - -which is a follow on to the kernel commit -61a47c1ad3a4 sysctl: Remove the sysctl system call - -While the syscall_sysctl currently checks if the kernel supports -sysctrs before running the tests. The tests can't even build if the -kernel headers don't have the sysctl defines. - -Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119 -Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288 -MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637 -Signed-off-by: John Johansen <john.johansen@canonical.com> -Acked-by: Steve Beattie <steve.beattie@canonical.com> -(cherry picked from commit 2e5a266eb715fc7e526520235a6450444775791f) - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - tests/regression/apparmor/Makefile | 10 +++++++++- - tests/regression/apparmor/syscall_sysctl.sh | 15 +++++++++++---- - 2 files changed, 20 insertions(+), 5 deletions(-) - -diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile -index 198ca421..c3d0cfb7 100644 ---- a/tests/regression/apparmor/Makefile -+++ b/tests/regression/apparmor/Makefile -@@ -69,6 +69,9 @@ endif # USE_SYSTEM - - CFLAGS += -g -O0 -Wall -Wstrict-prototypes - -+USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true) -+ -+ - SRC=access.c \ - at_secure.c \ - introspect.c \ -@@ -130,7 +133,6 @@ SRC=access.c \ - syscall_sethostname.c \ - syscall_setdomainname.c \ - syscall_setscheduler.c \ -- syscall_sysctl.c \ - sysctl_proc.c \ - tcp.c \ - transition.c \ -@@ -146,6 +148,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 
i586 i686 x86 x86_64)) - SRC+=syscall_ioperm.c syscall_iopl.c - endif - -+#only do sysctl syscall test if defines installed and OR supported by the -+# kernel -+ifeq ($(USE_SYSCTL),true) -+SRC+=syscall_sysctl.c -+endif -+ - #only do dbus if proper libs are installl - ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE)) - SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c -diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh -index f93946f3..5f856984 100644 ---- a/tests/regression/apparmor/syscall_sysctl.sh -+++ b/tests/regression/apparmor/syscall_sysctl.sh -@@ -148,11 +148,18 @@ test_sysctl_proc() - # check if the kernel supports CONFIG_SYSCTL_SYSCALL - # generally we want to encourage kernels to disable it, but if it's - # enabled we want to test against it --settest syscall_sysctl --if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then -- echo " WARNING: syscall sysctl not implemented, skipping tests ..." -+# In addition test that sysctl exists in the kernel headers, if it does't -+# then we can't even built the syscall_sysctl test -+if echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then -+ settest syscall_sysctl -+ -+ if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then -+ echo " WARNING: syscall sysctl not implemented, skipping tests ..." -+ else -+ test_syscall_sysctl -+ fi - else -- test_syscall_sysctl -+ echo " WARNING: syscall sysctl not supported by kernel headers, skipping tests ..." - fi - - # now test /proc/sys/ paths --- -2.17.1 - diff --git a/meta-security/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch b/meta-security/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch deleted file mode 100644 index a23d889630..0000000000 
--- a/meta-security/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch +++ /dev/null @@ -1,40 +0,0 @@ -From bf8c4ca570c27cf58e882e03680b40357223e6e7 Mon Sep 17 00:00:00 2001 -From: John Johansen <john.johansen@canonical.com> -Date: Wed, 30 Sep 2020 13:36:23 -0700 -Subject: [PATCH] tests regression: fix failure on older versions of Make - -Older versions of Make will choke on the # character in the $(shell -expression, treating it as the beginning of a comment. Resulting in -the following error - -make unterminated call to function 'shell': missing ')'. Stop. - -MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/639 -Signed-off-by: John Johansen <john.johansen@canonical.com> -Acked-by: Steve Beattie <steve.beattie@canonical.com> -(cherry picked from commit 8cf3534a5b11643c5913e5eb74e491f2f014d792) - -Upstream-Status: Backport -[Minor fixup] -Signed-off-by: Armin Kuster <akuster808@gmail.com> ---- - tests/regression/apparmor/Makefile | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile -index c3d0cfb7..1d55547c 100644 ---- a/tests/regression/apparmor/Makefile -+++ b/tests/regression/apparmor/Makefile -@@ -69,7 +69,8 @@ endif # USE_SYSTEM - - CFLAGS += -g -O0 -Wall -Wstrict-prototypes - --USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true) -+SYSCTL_INCLUDE="\#include <sys/sysctl.h>" -+USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true) - - - SRC=access.c \ --- -2.17.1 - diff --git a/meta-security/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch b/meta-security/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch new file mode 100644 index 0000000000..f3cae7d9bf --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch 
@@ -0,0 +1,25 @@
+From 4ffd666a2cedeabc8eef42371c03be52fc2a3d66 Mon Sep 17 00:00:00 2001
+From: Omer Akram <omer@thing.com>
+Date: Mon, 12 Apr 2021 22:54:52 +0500
+Subject: [PATCH] Correctly escape # in Makefile
+
+---
+ tests/regression/apparmor/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index c3d0cfb7..b41dbe47 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,7 +69,7 @@ endif # USE_SYSTEM
+
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+
+-USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++USE_SYSCTL:=$(shell echo "\#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
+
+
+ SRC=access.c \
+--
+2.25.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bddc25..0000000000
--- a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
+++ /dev/null
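Review bot: The added `USE_SYSCTL` line escapes `#` inside `$(shell …)`, where the removed backport 0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch put the include text in a variable instead. As I understand the GNU Make 4.3 change, `#` inside a function call no longer starts a comment and the backslash is passed through, so echo would emit `\#include …`, cpp would see no directive, and the probe could report `true` even when sys/sysctl.h is missing; please confirm against the Make version on the build host. The probe also still runs bare `cpp`, while 0001-Use-build-environment-C-preprocessor.patch moves the scripts to `${CPP}`, so in a cross build the host's headers rather than the target sysroot's would decide whether syscall_sysctl.c is compiled. Keeping `SYSCTL_INCLUDE="\#include <sys/sysctl.h>"` and using `USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | $(CPP) -dM - >/dev/null 2>/dev/null && echo true)` would address both.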
@@ -1,33 +0,0 @@ -Index: apparmor-2.10.95/parser/Makefile -=================================================================== ---- apparmor-2.10.95.orig/parser/Makefile -+++ apparmor-2.10.95/parser/Makefile -@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT - po/${NAME}.pot: ${SRCS} ${HDRS} - $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" - --techdoc.pdf: techdoc.tex -- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ -- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ -- grep -q "Label(s) may have changed" techdoc.log; \ -- do :; done -- --techdoc/index.html: techdoc.pdf -- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} -- --techdoc.txt: techdoc/index.html -- w3m -dump $< > $@ - - # targets arranged this way so that people who don't want full docs can - # pick specific targets they want. -@@ -159,9 +148,7 @@ manpages: $(MANPAGES) - - htmlmanpages: $(HTMLMANPAGES) - --pdf: techdoc.pdf -- --docs: manpages htmlmanpages pdf -+docs: manpages htmlmanpages - - indep: docs - $(Q)$(MAKE) -C po all |