Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On Thu, 2012-03-22 at 23:20 +0100, Christian Boltz wrote:
>
> > --- a/common/Make.rules
> > +++ b/common/Make.rules
> > @@ -151,6 +151,40 @@ _clean:
> > -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
> >
> > # =
> > +# generate list of capabilities based on
> > +# /usr/include/sys/capabilities.h for use in multiple locations in
>
> I don't have /usr/include/sys/capability.h on my system (openSUSE 12.1)
> Either I need to install another package (thanks to OBS, I don't have
> too many devel packages on my system) or it's at another location.
>
> # locate capability.h
> /usr/include/linux/capability.h
> /usr/src/linux-3.1.0-1.2/include/linux/capability.h
> /usr/src/linux-3.1.9-1.4/include/linux/capability.h
>
> Do I miss a package or are the paths really different on openSUSE?
There was a mistake. You need r2008.
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: This is a digitally signed message part
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
Hello,
(also affects patch 3/6, but splitting the mail wouldn't make sense)
Am Donnerstag, 22. März 2012 schrieb Steve Beattie:
> This patch abstracts out the generation of the lists of capabilities
> and network protocol names to the common Make.rules file that is
> included in most locations in the build tree, to allow it to be
> re-used in the utils/ tree and possibly elsewhere.
I like the idea, but the implementation is, well, suboptimal...
> --- a/common/Make.rules
> +++ b/common/Make.rules
> @@ -151,6 +151,40 @@ _clean:
> -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
>
> # =
> +# generate list of capabilities based on
> +# /usr/include/sys/capabilities.h for use in multiple locations in
I don't have /usr/include/sys/capability.h on my system (openSUSE 12.1)
Either I need to install another package (thanks to OBS, I don't have
too many devel packages on my system) or it's at another location.
# locate capability.h
/usr/include/linux/capability.h
/usr/src/linux-3.1.0-1.2/include/linux/capability.h
/usr/src/linux-3.1.9-1.4/include/linux/capability.h
Do I miss a package or are the paths really different on openSUSE?
> +# emits defined capabilities in a simple list, e.g. "CAP_NAME
> CAP_NAME2"
> +CAPABILITIES=$(shell echo "\#include " | cpp -dM |
LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-
Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
Now let me paste a sniplet from patch 3/6 (utils/Makefile):
> +# ${CAPABILITIES} is defined in common/Make.rules
> +.PHONY: check_severity_db
> +.SILENT: check_severity_db
> +check_severity_db: /usr/include/sys/capability.h severity.db
The problem I see here is that the Makefile contains an "indirect"
dependency. IMHO that's not a clean solution and might cause maintenance
fun if capability.h ever moves.
I'd like to propose an alternative solution that avoids this problem:
In common/Make.rules, write the capability list to a file instead of
storing it in a variable:
capability_list: /usr/include/linux/capability.h
echo "\#include " | cpp -dM | LC_ALL=C sed -n -e
'/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[
\t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort > capability_list
now back to utils/Makefile:
> +check_severity_db: /usr/include/sys/capability.h severity.db
> + # The sed statement is based on the one in the parser's
makefile
Outdated comment? I see no sed in the check_severity_db target.
> + RC=0 ; for cap in ${CAPABILITIES} ; do \
Would then be
check_severity_db: capability_list severity.db
RC=0 ; for cap in `cat capability_list` ; do \
AF_NAMES shares this problem and should also be implemented with a file
instead of using a make variable.
Note that everything above is untested ;-)
BTW: "make clean" should delete the capability_list file.
Regards,
Christian Boltz
--
Unix: Alles ist ein File, und was kein File ist, hat sich gefaelligst
als ein solches zu tarnen. [Wolfgang Weisselberg in linux-liste]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On Thu, Mar 22, 2012 at 10:06:09AM -0700, Steve Beattie wrote: > It also sorts the resulting lists, which causes it to output differently > than the before case. I did confirm that the results for the generated > files used in the parser build were the same after taking the sorting > into account. Okay, good. I'm still nervous that this sorting will break something, but I suppose it would be better to be more robust in this regard anyway. -- Kees Cook -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On Thu, Mar 22, 2012 at 11:36:04AM -0700, John Johansen wrote: > On 03/22/2012 10:06 AM, Steve Beattie wrote: > > This patch abstracts out the generation of the lists of capabilities > > and network protocol names to the common Make.rules file that is > > included in most locations in the build tree, to allow it to be > > re-used in the utils/ tree and possibly elsewhere. > > > > It provides the lists in both make variables and as make targets. > > > > It also sorts the resulting lists, which causes it to output differently > > than the before case. I did confirm that the results for the generated > > files used in the parser build were the same after taking the sorting > > into account. > > > > Well I can wish that the ordering of af_names was the same to make the > comparison easier but it looks good. So When testing, I compared output with the sort command removed and then diff'ed the output to ensure that I was getting anything different. But yes, comparing the output with the sort in place is more difficult, alas. -- Steve Beattie http://NxNW.org/~steve/ signature.asc Description: Digital signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch abstracts out the generation of the lists of capabilities
> and network protocol names to the common Make.rules file that is
> included in most locations in the build tree, to allow it to be
> re-used in the utils/ tree and possibly elsewhere.
>
> It provides the lists in both make variables and as make targets.
>
> It also sorts the resulting lists, which causes it to output differently
> than the before case. I did confirm that the results for the generated
> files used in the parser build were the same after taking the sorting
> into account.
>
Well I can wish that the ordering of af_names was the same to make the
comparison easier but it looks good. So
Acked-by: John Johansen
> ---
> common/Make.rules | 34 ++
> parser/Makefile | 16 ++--
> 2 files changed, 40 insertions(+), 10 deletions(-)
>
> Index: b/common/Make.rules
> ===
> --- a/common/Make.rules
> +++ b/common/Make.rules
> @@ -151,6 +151,40 @@ _clean:
> -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
>
> # =
> +# generate list of capabilities based on
> +# /usr/include/sys/capabilities.h for use in multiple locations in
> +# the source tree
> +# =
> +
> +# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
> +CAPABILITIES=$(shell echo "\#include " | cpp -dM |
> LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[
> \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
> +
> +.PHONY: list_capabilities
> +list_capabilities: /usr/include/linux/capability.h
> + @echo "$(CAPABILITIES)"
> +
> +# =
> +# generate list of network protocols based on
> +# sys/socket.h for use in multiple locations in
> +# the source tree
> +# =
> +
> +# These are the families that it doesn't make sense for apparmor
> +# to mediate. We use PF_ here since that is what is required in
> +# bits/socket.h, but we will rewrite these as AF_.
> +
> +FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
> +
> +__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
> +
> +# emits the AF names in a "AF_NAME NUMBER," pattern
> +AF_NAMES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n
> -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[
> \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
> +
> +.PHONY: list_af_names
> +list_af_names:
> + @echo "$(AF_NAMES)"
> +
> +# =
> # manpages
> # =
>
> Index: b/parser/Makefile
> ===
> --- a/parser/Makefile
> +++ b/parser/Makefile
> @@ -207,22 +207,18 @@ parser_version.h: Makefile
> @echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
> @mv -f .ver $@
>
> -# These are the families that it doesn't make sense for apparmor to mediate.
> -# We use PF_ here since that is what is required in bits/socket.h, but we
> will
> -# rewrite these as AF_.
> -FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
> -
> -
> -__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
> +# af_names and capabilities generation has moved to common/Make.rules,
> +# as well as the filtering that occurs for network protocols that
> +# apparmor should not mediate.
>
> .PHONY: af_names.h
> af_names.h:
> - echo "#include " | cpp -dM | LC_ALL=C sed -n -e
> '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[
> \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1
> \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" > $@
> - echo "#include " | cpp -dM | LC_ALL=C sed -n -e
> "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX
> \\1\n/p" >> $@
> + echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[
> \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[
> \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1
> \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
> + echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[
> \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
> # cat $@
>
> cap_names.h: /usr/include/linux/capability.h
> - LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[
> \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[
> \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
> + echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[
> \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
>
> tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
> $(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS})
> $(TEST_LDFLAGS)
>
>
> -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or
> unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>
--
AppArmor mailing
[apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
This patch abstracts out the generation of the lists of capabilities
and network protocol names to the common Make.rules file that is
included in most locations in the build tree, to allow it to be
re-used in the utils/ tree and possibly elsewhere.
It provides the lists in both make variables and as make targets.
It also sorts the resulting lists, which causes it to output differently
than the before case. I did confirm that the results for the generated
files used in the parser build were the same after taking the sorting
into account.
---
common/Make.rules | 34 ++
parser/Makefile | 16 ++--
2 files changed, 40 insertions(+), 10 deletions(-)
Index: b/common/Make.rules
===
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -151,6 +151,40 @@ _clean:
-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
# =
+# generate list of capabilities based on
+# /usr/include/sys/capabilities.h for use in multiple locations in
+# the source tree
+# =
+
+# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+CAPABILITIES=$(shell echo "\#include " | cpp -dM | LC_ALL=C
sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[
\t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+
+.PHONY: list_capabilities
+list_capabilities: /usr/include/linux/capability.h
+ @echo "$(CAPABILITIES)"
+
+# =
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =
+
+# These are the families that it doesn't make sense for apparmor
+# to mediate. We use PF_ here since that is what is required in
+# bits/socket.h, but we will rewrite these as AF_.
+
+FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+
+__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+
+# emits the AF names in a "AF_NAME NUMBER," pattern
+AF_NAMES=$(shell echo "\#include " | cpp -dM | LC_ALL=C sed -n
-e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[
\t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+
+.PHONY: list_af_names
+list_af_names:
+ @echo "$(AF_NAMES)"
+
+# =
# manpages
# =
Index: b/parser/Makefile
===
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -207,22 +207,18 @@ parser_version.h: Makefile
@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
@mv -f .ver $@
-# These are the families that it doesn't make sense for apparmor to mediate.
-# We use PF_ here since that is what is required in bits/socket.h, but we will
-# rewrite these as AF_.
-FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
-
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+# af_names and capabilities generation has moved to common/Make.rules,
+# as well as the filtering that occurs for network protocols that
+# apparmor should not mediate.
.PHONY: af_names.h
af_names.h:
- echo "#include " | cpp -dM | LC_ALL=C sed -n -e
'/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[
\\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1
\\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" > $@
- echo "#include " | cpp -dM | LC_ALL=C sed -n -e
"s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX
\\1\n/p" >> $@
+ echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[
\t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef
AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+ echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[
\t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
# cat $@
cap_names.h: /usr/include/linux/capability.h
- LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[
\\t]\\+CAP_\\([A-Z0-9_]\\+\\)[
\\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
+ echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[
\\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS})
$(TEST_LDFLAGS)
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
