mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/profiles/Makefile

154 lines
6 KiB
Makefile
Raw Normal View History

Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# ------------------------------------------------------------------
#
adjust profiles/Makefile for local files
2010-08-05 15:10:33 -05:00
# Copyright (C) 2002-2009 Novell/SUSE
build: make documentation at tarball creation time, not during build The latex based techdoc in the parser/ tree adds a number of build dependencies for downstreams to create it; it also is the primary element to make the builds unrepeatable. Creating the techdoc and other documentation when generating a tarball for distribution avoids all that. * Makefile: build documentation as part of the tarball creation. Skip the libraries/libapparmor directory as it needs to have configure run before the manpages can be made. * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile, utils/Makefile, profiles/Makefile: create separate docs target, some of them dummies. * parser/Makefile: pull the techdoc out of the default build target, add an extra_docs target to create it. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2016-12-10 10:25:31 -08:00
# Copyright (C) 2010-2016 Canonical Ltd.
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
This patch adds two new make targets to the profiles package: 'check' and 'check-install'. The 'check' target will attempt to run the profiles in the working subversion directory (both in enabled/ and extras/ directories) through the apparmor_parser as a means of sanity checking the profiles. The 'check-install' target will also run the 'check' target, only against the installed location, modifiable by DESTDIR and EXTRASDIR (to match the behavior of the 'install' target). It also will run logprof (with an empty logfile) on the installation location, as logprof and the parser have differing ideas of what is a valid profile :-( . Thus 'make install check-install DESTDIR=/some/path EXTRASDIR=/other/path' will install the profiles into a location and cycle the parser and logprof over the profiles in that The 'check' target cannot run logprof as the subversion layout does not conform to a hierarchy logprof can deal with. The limitations also mean that logprof will not check the profiles in the extras/ directory. There are other passable variables that impact the 'check' and 'check-install' targets: VERBOSE - setting this variable will emit the actual commands run, mostly useful for debugging where the implementation of 'check' has gone wrong. PARSER, LOGPROF - setting these with a path to a different parser or logprof location will have the check targets use those version rather than the system utilities; e.g. "make check-install LOGPROF=../utils/logprof" to test a modified logprof in our current forge svn layout.
2006-06-05 16:39:29 +00:00
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
#
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
# ------------------------------------------------------------------
adjust profiles/Makefile for local files
2010-08-05 15:10:33 -05:00
# Makefile for LSM-based AppArmor profiles
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
NAME=apparmor-profiles
build: make documentation at tarball creation time, not during build The latex based techdoc in the parser/ tree adds a number of build dependencies for downstreams to create it; it also is the primary element to make the builds unrepeatable. Creating the techdoc and other documentation when generating a tarball for distribution avoids all that. * Makefile: build documentation as part of the tarball creation. Skip the libraries/libapparmor directory as it needs to have configure run before the manpages can be made. * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile, utils/Makefile, profiles/Makefile: create separate docs target, some of them dummies. * parser/Makefile: pull the techdoc out of the default build target, add an extra_docs target to create it. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2016-12-10 10:25:31 -08:00
all: local docs
Update svn:keywords properties. Fix makefile to find new common/ location.
2006-04-12 20:35:41 +00:00
COMMONDIR=../common/
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
Entire tree: makefile cruft removal - drop the symlink magic of the common/ directory, and just include files directly from there. - update comments indicating required steps to take when including common/Make.rules - drop make clean steps that refer to no longer generated tarballs, specfiles, and symlinks to the common directory/Make.rules. - don't silence clean steps if VERBOSE is set Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de>
2015-01-23 15:52:09 -08:00
include $(COMMONDIR)/Make.rules
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
DESTDIR=/
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
PROFILES_DEST=${DESTDIR}/etc/apparmor.d
Install extra profiles in /usr/share/apparmor/extra-profiles/ instead of /etc/apparmor/profiles/extras/, and update the path at various places. Also update the mailinglist address in extra-profiles README and recommend cp instead of mv. Note: if you want to have a symlink /etc/apparmor/profiles/extras -> /usr/share/apparmor/extra-profiles/ for backward compability, you'll have to create it yourself (for example in the .spec file) This also fixes https://bugzilla.novell.com/show_bug.cgi?id=713647 Acked-by: John Johansen <john.johansen@canonical.com>
2012-09-27 23:57:21 +02:00
EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles/
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
PROFILES_SOURCE=./apparmor.d
profiles/Makefile: test abstractions against apparmor_parser Update Makefile to test abstractions by generating temporary profile, to check for missing (not backported) abstractions or other issues.
2018-10-13 15:41:15 +03:00
ABSTRACTIONS_SOURCE=./apparmor.d/abstractions
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
EXTRAS_SOURCE=./apparmor/profiles/extras/
This patch fixes an existing install failure in the profiles tree, due to the apparmor_api subtree not getting added in the Makefile. Rather Rather than require every sub-directory that gets added to be enumerated, it uses find to determine what directories and files to install, to avoid future breakage. It is admittedly slower than the original code because install(1) is being invoked for every file in the apparmor.d tree, rather than acting on wildcard globs. That said, I think it's an acceptable tradeoff. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-by: John Johansen <john.johansen@canonical.com>
2012-11-21 07:39:40 -08:00
SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
profiles: Update 'make check' to select tools based on USE_SYSTEM The profiles dirs make check is not always using the correct tools. Update it to be similar to other Makefiles where the var USE_SYSTEM make check USE_SYSTEM=1 is used to indicated that the system installed tools should be used and make check is used to run the tests against the in tree tools MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-07-09 17:17:29 -07:00
ifdef USE_SYSTEM
PYTHONPATH=
PARSER?=apparmor_parser
LOGPROF?=aa-logprof
else
# PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
profiles/Makefile: fix aa-logprof invocation The commit c8b6d8b393be ("profiles: Update 'make check' to select tools based on USE_SYSTEM") set a bunch of variables but neglected to apply them when invoking aa-logprof. This commit addresses this by: * correcting the PYTHONPATH used with aa-logprof * setting LD_LIBRARY_PATH when invoking aa-logprof * adjusting LD_LIBRARY_PATH to include both the directory location of libapparmor but also the swig libapparmor library needed for python tools to function. * adjusts the test for the presence of libapparmor to not use LD_LIBRARY_PATH but instead a libapparmor specific variable LIBAPPARMOR_PATH Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Fixes: c8b6d8b393be Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:14:34 -07:00
LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
profiles: Update 'make check' to select tools based on USE_SYSTEM The profiles dirs make check is not always using the correct tools. Update it to be similar to other Makefiles where the var USE_SYSTEM make check USE_SYSTEM=1 is used to indicated that the system installed tools should be used and make check is used to run the tests against the in tree tools MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-07-09 17:17:29 -07:00
PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
PARSER?=../parser/apparmor_parser
# use ../utils logprof
use aa-logprof --configdir ../utils in profile testsuite (except if USE_SYSTEM is given) This also needs an additional parser path in utils/test/logprof.conf, which then needs an update in test-config.py.
2020-10-25 15:53:29 +01:00
LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof --configdir ../utils/test/
profiles: Update 'make check' to select tools based on USE_SYSTEM The profiles dirs make check is not always using the correct tools. Update it to be similar to other Makefiles where the var USE_SYSTEM make check USE_SYSTEM=1 is used to indicated that the system installed tools should be used and make check is used to run the tests against the in tree tools MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-07-09 17:17:29 -07:00
endif
Fix $(PWD) when using "make -C profiles" By default, it stays at the "calling directory" instead of the directory of the Makefile, which breaks "make -C profiles check". Explicitely set it in the Makefile to get the right directory.
2018-03-18 17:13:18 +01:00
# $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
PWD=$(shell pwd)
profiles/Makefile: local target does not depend on parser The "local" make target does not depend on the parser having been built. Create a separate "test-dependencies" target and have the tests that need them depend on that and the "local" target, when validating the profile set against the apparmor tools. Fixes: c8b6d8b393be Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 18:57:53 -07:00
.PHONY: test-dependencies
profiles/Makefile: add check for built libapparmor When running the 'check-logprof' test using tools in the tree, libapparmor needs to have been built for the python utilities to work. Add a check for its existence to the test-dependencies target. Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:08:41 -07:00
test-dependencies: __parser __libapparmor
profiles: Update 'make check' to select tools based on USE_SYSTEM The profiles dirs make check is not always using the correct tools. Update it to be similar to other Makefiles where the var USE_SYSTEM make check USE_SYSTEM=1 is used to indicated that the system installed tools should be used and make check is used to run the tests against the in tree tools MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-07-09 17:17:29 -07:00
profiles/Makefile: add check for built libapparmor When running the 'check-logprof' test using tools in the tree, libapparmor needs to have been built for the python utilities to work. Add a check for its existence to the test-dependencies target. Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:08:41 -07:00
.PHONY: __parser __libapparmor
profiles: Update 'make check' to select tools based on USE_SYSTEM The profiles dirs make check is not always using the correct tools. Update it to be similar to other Makefiles where the var USE_SYSTEM make check USE_SYSTEM=1 is used to indicated that the system installed tools should be used and make check is used to run the tests against the in tree tools MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2020-07-09 17:17:29 -07:00
__parser:
ifndef USE_SYSTEM
@if [ ! -f $(PARSER) ]; then \
echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
exit 1; \
fi
endif
profiles/Makefile: add check for built libapparmor When running the 'check-logprof' test using tools in the tree, libapparmor needs to have been built for the python utilities to work. Add a check for its existence to the test-dependencies target. Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:08:41 -07:00
__libapparmor:
ifndef USE_SYSTEM
profiles/Makefile: fix aa-logprof invocation The commit c8b6d8b393be ("profiles: Update 'make check' to select tools based on USE_SYSTEM") set a bunch of variables but neglected to apply them when invoking aa-logprof. This commit addresses this by: * correcting the PYTHONPATH used with aa-logprof * setting LD_LIBRARY_PATH when invoking aa-logprof * adjusting LD_LIBRARY_PATH to include both the directory location of libapparmor but also the swig libapparmor library needed for python tools to function. * adjusts the test for the presence of libapparmor to not use LD_LIBRARY_PATH but instead a libapparmor specific variable LIBAPPARMOR_PATH Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Fixes: c8b6d8b393be Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:14:34 -07:00
@if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
profiles/Makefile: add check for built libapparmor When running the 'check-logprof' test using tools in the tree, libapparmor needs to have been built for the python utilities to work. Add a check for its existence to the test-dependencies target. Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 19:08:41 -07:00
echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
exit 1; \
fi
endif
profiles/Makefile: local target does not depend on parser The "local" make target does not depend on the parser having been built. Create a separate "test-dependencies" target and have the tests that need them depend on that and the "local" target, when validating the profile set against the apparmor tools. Fixes: c8b6d8b393be Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 18:57:53 -07:00
local:
This patch fixes an existing install failure in the profiles tree, due to the apparmor_api subtree not getting added in the Makefile. Rather Rather than require every sub-directory that gets added to be enumerated, it uses find to determine what directories and files to install, to avoid future breakage. It is admittedly slower than the original code because install(1) is being invoked for every file in the apparmor.d tree, rather than acting on wildcard globs. That said, I think it's an acceptable tradeoff. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-by: John Johansen <john.johansen@canonical.com>
2012-11-21 07:39:40 -08:00
for profile in ${TOPLEVEL_PROFILES}; do \
adjust profiles/Makefile for local files
2010-08-05 15:10:33 -05:00
fn=$$(basename $$profile); \
echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \
adjust check for local/ includes to "include if exists"
2020-04-28 22:28:12 +02:00
grep "include[[:space:]]\\+if[[:space:]]\\+exists[[:space:]]\\+<local/$$fn>" "$$profile" >/dev/null || { echo "$$profile doesn't contain include if exists <local/$$fn>" ; exit 1; } ; \
adjust profiles/Makefile for local files
2010-08-05 15:10:33 -05:00
done; \
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
.PHONY: install
adjust profiles/Makefile for local files
2010-08-05 15:10:33 -05:00
install: local
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
install -m 755 -d ${PROFILES_DEST}
This patch fixes an existing install failure in the profiles tree, due to the apparmor_api subtree not getting added in the Makefile. Rather Rather than require every sub-directory that gets added to be enumerated, it uses find to determine what directories and files to install, to avoid future breakage. It is admittedly slower than the original code because install(1) is being invoked for every file in the apparmor.d tree, rather than acting on wildcard globs. That said, I think it's an acceptable tradeoff. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-by: John Johansen <john.johansen@canonical.com>
2012-11-21 07:39:40 -08:00
install -m 755 -d ${PROFILES_DEST}/disable
for dir in ${SUBDIRS} ; do \
install -m 755 -d "${PROFILES_DEST}/$${dir#${PROFILES_SOURCE}}" ; \
done
for file in $$(find ${PROFILES_SOURCE} -type f -print) ; do \
install -m 644 "$${file}" "${PROFILES_DEST}/$$(dirname $${file#${PROFILES_SOURCE}})" ; \
done
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
install -m 755 -d ${EXTRAS_DEST}
install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
profiles/Makefile: use LOCAL_ADDITIONS using filter-out in clean target, which is much cleaner.
2010-08-05 16:00:23 -05:00
LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*))
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00
.PHONY: clean
clean:
Entire tree: makefile cruft removal - drop the symlink magic of the common/ directory, and just include files directly from there. - update comments indicating required steps to take when including common/Make.rules - drop make clean steps that refer to no longer generated tarballs, specfiles, and symlinks to the common directory/Make.rules. - don't silence clean steps if VERBOSE is set Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de>
2015-01-23 15:52:09 -08:00
-rm -f ${LOCAL_ADDITIONS}
This patch adds two new make targets to the profiles package: 'check' and 'check-install'. The 'check' target will attempt to run the profiles in the working subversion directory (both in enabled/ and extras/ directories) through the apparmor_parser as a means of sanity checking the profiles. The 'check-install' target will also run the 'check' target, only against the installed location, modifiable by DESTDIR and EXTRASDIR (to match the behavior of the 'install' target). It also will run logprof (with an empty logfile) on the installation location, as logprof and the parser have differing ideas of what is a valid profile :-( . Thus 'make install check-install DESTDIR=/some/path EXTRASDIR=/other/path' will install the profiles into a location and cycle the parser and logprof over the profiles in that The 'check' target cannot run logprof as the subversion layout does not conform to a hierarchy logprof can deal with. The limitations also mean that logprof will not check the profiles in the extras/ directory. There are other passable variables that impact the 'check' and 'check-install' targets: VERBOSE - setting this variable will emit the actual commands run, mostly useful for debugging where the implementation of 'check' has gone wrong. PARSER, LOGPROF - setting these with a path to a different parser or logprof location will have the check targets use those version rather than the system utilities; e.g. "make check-install LOGPROF=../utils/logprof" to test a modified logprof in our current forge svn layout.
2006-06-05 16:39:29 +00:00
ifndef VERBOSE
Q=@
else
Q=
endif
build: make documentation at tarball creation time, not during build The latex based techdoc in the parser/ tree adds a number of build dependencies for downstreams to create it; it also is the primary element to make the builds unrepeatable. Creating the techdoc and other documentation when generating a tarball for distribution avoids all that. * Makefile: build documentation as part of the tarball creation. Skip the libraries/libapparmor directory as it needs to have configure run before the manpages can be made. * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile, utils/Makefile, profiles/Makefile: create separate docs target, some of them dummies. * parser/Makefile: pull the techdoc out of the default build target, add an extra_docs target to create it. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2016-12-10 10:25:31 -08:00
.PHONY: docs
# docs: should we have some here?
docs:
profiles/Makefile: fix 'check' target to iterate over the profiles in the extras directory as intended and fail the make if a parse failure occurs. Also, set the default parser and logprof to be the intree ones; the system ones can still be used by setting environment variables. Finally, have the 'all' target generate the local files. Also, set the parser base directory to the apparmor.d directory (rather than as an added include, to avoid outside contamination from system profiles and includes). With these changes, make && make check should verify the profile set is compilable and mostly consistent. (Alas, the current profiles are not quite consistent).
2011-03-18 22:31:26 -07:00
IGNORE_FILES=${EXTRAS_SOURCE}/README
Subject: profiles - fix make check When I corrected the profiles/Makefile to automatically find files to install, I converted one variable name but missed a later location where that variable was used, which broke the 'make check' target, because directories would be handed to the apparmor parser. This patch corrects that and also makes the VERBOSE flag report each profile name as it's being handed to the parser. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-By: Seth Arnold <seth.arnold@canonical.com>
2012-12-21 22:43:11 -08:00
CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
profiles/Makefile: test abstractions against apparmor_parser Update Makefile to test abstractions by generating temporary profile, to check for missing (not backported) abstractions or other issues.
2018-10-13 15:41:15 +03:00
# use find because Make wildcard is not recursive:
CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
This patch adds two new make targets to the profiles package: 'check' and 'check-install'. The 'check' target will attempt to run the profiles in the working subversion directory (both in enabled/ and extras/ directories) through the apparmor_parser as a means of sanity checking the profiles. The 'check-install' target will also run the 'check' target, only against the installed location, modifiable by DESTDIR and EXTRASDIR (to match the behavior of the 'install' target). It also will run logprof (with an empty logfile) on the installation location, as logprof and the parser have differing ideas of what is a valid profile :-( . Thus 'make install check-install DESTDIR=/some/path EXTRASDIR=/other/path' will install the profiles into a location and cycle the parser and logprof over the profiles in that The 'check' target cannot run logprof as the subversion layout does not conform to a hierarchy logprof can deal with. The limitations also mean that logprof will not check the profiles in the extras/ directory. There are other passable variables that impact the 'check' and 'check-install' targets: VERBOSE - setting this variable will emit the actual commands run, mostly useful for debugging where the implementation of 'check' has gone wrong. PARSER, LOGPROF - setting these with a path to a different parser or logprof location will have the check targets use those version rather than the system utilities; e.g. "make check-install LOGPROF=../utils/logprof" to test a modified logprof in our current forge svn layout.
2006-06-05 16:39:29 +00:00
.PHONY: check
add test to ensure abstractions have '#include if exists <*.d>' Exceptions are - ubuntu-browsers (because we already have ubuntu-browsers.d with different usage) - ubuntu-helpers (which includes the sanitized_helper subprofile, so adding something in the global area wouldn't make much sense) Also adjust abstractions/postfix-common to use the style all abstractions use.
2019-01-27 19:13:50 +01:00
check: check-parser check-logprof check-abstractions.d
Subject: profiles - separate out logprof checks from parser checks This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 14:33:12 -08:00
.PHONY: check-parser
profiles/Makefile: local target does not depend on parser The "local" make target does not depend on the parser having been built. Create a separate "test-dependencies" target and have the tests that need them depend on that and the "local" target, when validating the profile set against the apparmor tools. Fixes: c8b6d8b393be Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 18:57:53 -07:00
check-parser: test-dependencies local
profiles/Makefile: fix 'check' target to iterate over the profiles in the extras directory as intended and fail the make if a parse failure occurs. Also, set the default parser and logprof to be the intree ones; the system ones can still be used by setting environment variables. Finally, have the 'all' target generate the local files. Also, set the parser base directory to the apparmor.d directory (rather than as an added include, to avoid outside contamination from system profiles and includes). With these changes, make && make check should verify the profile set is compilable and mostly consistent. (Alas, the current profiles are not quite consistent).
2011-03-18 22:31:26 -07:00
@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
This patch adds two new make targets to the profiles package: 'check' and 'check-install'. The 'check' target will attempt to run the profiles in the working subversion directory (both in enabled/ and extras/ directories) through the apparmor_parser as a means of sanity checking the profiles. The 'check-install' target will also run the 'check' target, only against the installed location, modifiable by DESTDIR and EXTRASDIR (to match the behavior of the 'install' target). It also will run logprof (with an empty logfile) on the installation location, as logprof and the parser have differing ideas of what is a valid profile :-( . Thus 'make install check-install DESTDIR=/some/path EXTRASDIR=/other/path' will install the profiles into a location and cycle the parser and logprof over the profiles in that The 'check' target cannot run logprof as the subversion layout does not conform to a hierarchy logprof can deal with. The limitations also mean that logprof will not check the profiles in the extras/ directory. There are other passable variables that impact the 'check' and 'check-install' targets: VERBOSE - setting this variable will emit the actual commands run, mostly useful for debugging where the implementation of 'check' has gone wrong. PARSER, LOGPROF - setting these with a path to a different parser or logprof location will have the check targets use those version rather than the system utilities; e.g. "make check-install LOGPROF=../utils/logprof" to test a modified logprof in our current forge svn layout.
2006-06-05 16:39:29 +00:00
$(Q)for profile in ${CHECK_PROFILES} ; do \
Subject: profiles - fix make check When I corrected the profiles/Makefile to automatically find files to install, I converted one variable name but missed a later location where that variable was used, which broke the 'make check' target, because directories would be handed to the apparmor parser. This patch corrects that and also makes the VERBOSE flag report each profile name as it's being handed to the parser. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com> Acked-By: Seth Arnold <seth.arnold@canonical.com>
2012-12-21 22:43:11 -08:00
[ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
Use parser/tst/parser.conf in profiles 'make check' This avoids problems if the system-wide parser.conf has caching enabled, and the cache location is not writeable for the user running 'make check'.
2018-09-16 22:06:46 +02:00
${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
This patch adds two new make targets to the profiles package: 'check' and 'check-install'. The 'check' target will attempt to run the profiles in the working subversion directory (both in enabled/ and extras/ directories) through the apparmor_parser as a means of sanity checking the profiles. The 'check-install' target will also run the 'check' target, only against the installed location, modifiable by DESTDIR and EXTRASDIR (to match the behavior of the 'install' target). It also will run logprof (with an empty logfile) on the installation location, as logprof and the parser have differing ideas of what is a valid profile :-( . Thus 'make install check-install DESTDIR=/some/path EXTRASDIR=/other/path' will install the profiles into a location and cycle the parser and logprof over the profiles in that The 'check' target cannot run logprof as the subversion layout does not conform to a hierarchy logprof can deal with. The limitations also mean that logprof will not check the profiles in the extras/ directory. There are other passable variables that impact the 'check' and 'check-install' targets: VERBOSE - setting this variable will emit the actual commands run, mostly useful for debugging where the implementation of 'check' has gone wrong. PARSER, LOGPROF - setting these with a path to a different parser or logprof location will have the check targets use those version rather than the system utilities; e.g. "make check-install LOGPROF=../utils/logprof" to test a modified logprof in our current forge svn layout.
2006-06-05 16:39:29 +00:00
done
Subject: profiles - separate out logprof checks from parser checks This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 14:33:12 -08:00
profiles/Makefile: test abstractions against apparmor_parser Update Makefile to test abstractions by generating temporary profile, to check for missing (not backported) abstractions or other issues.
2018-10-13 15:41:15 +03:00
@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \
Define abi when checking abstractions This fixes lots of warnings like ``` *** Checking abstractions from ./apparmor.d/abstractions against apparmor_parser Warning from stdin (stdin line 1): ../parser/apparmor_parser: File 'stdin' missing feature abi, falling back to default policy feature abi Warning from stdin ([...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile line 9): ../parser/apparmor_parser: [...]/profiles/./apparmor.d/abstractions/apparmor_api/change_profile features abi 'abi/3.0' differes from policy declared feature abi, using the features abi declared in policy ```
2020-05-31 00:45:17 +02:00
echo "abi <abi/3.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \
profiles/Makefile: test abstractions against apparmor_parser Update Makefile to test abstractions by generating temporary profile, to check for missing (not backported) abstractions or other issues.
2018-10-13 15:41:15 +03:00
| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \
|| exit 1; \
done
Subject: profiles - separate out logprof checks from parser checks This patch separates out make check in the profiles/ directory into two sub targets, for checking profiles against the built parser and aa-logprof respectively. The logprof check currently makes some assumptions about the environment that make it difficult to run in a minimal chroot environment. Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com>
2013-01-02 14:33:12 -08:00
.PHONY: check-logprof
profiles/Makefile: local target does not depend on parser The "local" make target does not depend on the parser having been built. Create a separate "test-dependencies" target and have the tests that need them depend on that and the "local" target, when validating the profile set against the apparmor tools. Fixes: c8b6d8b393be Bug: https://gitlab.com/apparmor/apparmor/-/issues/98 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
2020-07-23 18:57:53 -07:00
check-logprof: test-dependencies local
Grand profile repository re-organization. Move directories around to make the final install layout match the layout in the repository (at long last :) -- now we can use a single 'make check' target to check the profiles in the repository against both apparmor_parser and logprof.
2007-05-16 18:51:46 +00:00
@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
profiles/Makefile: fix 'check' target to iterate over the profiles in the extras directory as intended and fail the make if a parse failure occurs. Also, set the default parser and logprof to be the intree ones; the system ones can still be used by setting environment variables. Finally, have the 'all' target generate the local files. Also, set the parser base directory to the apparmor.d directory (rather than as an added include, to avoid outside contamination from system profiles and includes). With these changes, make && make check should verify the profile set is compilable and mostly consistent. (Alas, the current profiles are not quite consistent).
2011-03-18 22:31:26 -07:00
$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
add test to ensure abstractions have '#include if exists <*.d>' Exceptions are - ubuntu-browsers (because we already have ubuntu-browsers.d with different usage) - ubuntu-helpers (which includes the sanitized_helper subprofile, so adding something in the global area wouldn't make much sense) Also adjust abstractions/postfix-common to use the style all abstractions use.
2019-01-27 19:13:50 +01:00
.PHONY: check-abstractions.d
check-abstractions.d:
abstractions: remove '#' from 'include if exists' This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'.
2020-05-30 19:46:08 +02:00
@echo "*** Checking if all abstractions (with a few exceptions) contain include if exists <abstractions/*.d>"
add test to ensure abstractions have '#include if exists <*.d>' Exceptions are - ubuntu-browsers (because we already have ubuntu-browsers.d with different usage) - ubuntu-helpers (which includes the sanitized_helper subprofile, so adding something in the global area wouldn't make much sense) Also adjust abstractions/postfix-common to use the style all abstractions use.
2019-01-27 19:13:50 +01:00
$(Q)cd apparmor.d/abstractions && for file in * ; do \
test -d "$$file" && continue ; \
Make check-abstractions.d compatible with more shells
2020-01-27 23:44:59 +01:00
test "$$file" = 'ubuntu-browsers' && continue ; \
test "$$file" = 'ubuntu-helpers' && continue ; \
abstractions: remove '#' from 'include if exists' This matches what we use in the profiles for local abstractions. Also adjust the check in the Makefile to expect the variant without '#'.
2020-05-30 19:46:08 +02:00
grep -q "^ include if exists <abstractions/$${file}.d>$$" $$file || { echo "$$file does not contain 'include if exists <abstractions/$${file}.d>'"; exit 1; } ; \
add test to ensure abstractions have '#include if exists <*.d>' Exceptions are - ubuntu-browsers (because we already have ubuntu-browsers.d with different usage) - ubuntu-helpers (which includes the sanitized_helper subprofile, so adding something in the global area wouldn't make much sense) Also adjust abstractions/postfix-common to use the style all abstractions use.
2019-01-27 19:13:50 +01:00
done
Reference in a new issue Copy permalink