apparmor/changehat/pam_apparmor/Makefile

# ----------------------------------------------------------------------
#    Copyright (c) 1999, 2004, 2005 NOVELL (All rights reserved)
#    Copyright (c) 2016 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
NAME=pam_apparmor
all:
COMMONDIR=../../common/

include $(COMMONDIR)/Make.rules

ifdef USE_SYSTEM
  LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \
                                pkg-config --silence-errors --libs libapparmor ; \
                        elif ldconfig -p | grep -q libapparmor\.so$$ ; then \
                                echo -lapparmor ; \
                        fi )
  ifeq ($(strip $(LIBAPPARMOR)),)
    ERROR_MESSAGE = $(error ${nl}\
************************************************************************${nl}\
Unable to find libapparmor installed on this system; either${nl}\
install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\
manually, or build against in-tree libapparmor.${nl}\
************************************************************************${nl})
  endif
  LIBAPPARMOR_INCLUDE =
  AA_LDLIBS = $(LIBAPPARMOR)
  AA_LINK_FLAGS =
else
  LIBAPPARMOR_SRC := ../../libraries/libapparmor/
  LIBAPPARMOR_INCLUDE_PATH = $(LIBAPPARMOR_SRC)/include
  LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
    ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
        ERROR_MESSAGE = $(error ${nl}\
************************************************************************${nl}\
$(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\
the in-tree libapparmor by building it first and then trying again${nl}\
(see the top-level README for help) or build against the system${nl}\
libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
************************************************************************${nl})
    endif
  LIBAPPARMOR_INCLUDE = -I$(LIBAPPARMOR_INCLUDE_PATH)
  AA_LINK_FLAGS = -L$(LIBAPPARMOR_PATH)
  AA_LDLIBS = -lapparmor
endif
EXTRA_CFLAGS=$(CFLAGS) $(CPPFLAGS) -fPIC -shared -Wall $(EXTRA_WARNINGS) $(LIBAPPARMOR_INCLUDE)
LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS) $(LDFLAGS)
LIBS=-lpam $(AA_LDLIBS)
OBJECTS=${NAME}.o get_options.o

.PHONY: libapparmor_check
.SILENT: libapparmor_check
libapparmor_check: ; $(ERROR_MESSAGE)

all: libapparmor_check $(NAME).so docs

.PHONY: docs
# docs: we should have some
docs:

$(NAME).so: ${OBJECTS}
	$(CC) $(EXTRA_CFLAGS) $(LINK_FLAGS) -o $@ ${OBJECTS} $(LIBS)

%.o: %.c
	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<

# need some better way of determining this
DESTDIR=/
SECDIR ?= ${DESTDIR}/lib/security

.PHONY: install
install: $(NAME).so
	install -m 755 -d $(SECDIR)
	install -m 755 $(NAME).so $(SECDIR)/
	
.PHONY: clean
clean:
	rm -f core core.* *.so *.o *.s *.a *~
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`# ----------------------------------------------------------------------`
			`# Copyright (c) 1999, 2004, 2005 NOVELL (All rights reserved)`
build: make documentation at tarball creation time, not during build The latex based techdoc in the parser/ tree adds a number of build dependencies for downstreams to create it; it also is the primary element to make the builds unrepeatable. Creating the techdoc and other documentation when generating a tarball for distribution avoids all that. * Makefile: build documentation as part of the tarball creation. Skip the libraries/libapparmor directory as it needs to have configure run before the manpages can be made. * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile, utils/Makefile, profiles/Makefile: create separate docs target, some of them dummies. * parser/Makefile: pull the techdoc out of the default build target, add an extra_docs target to create it. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2016-12-10 10:25:31 -08:00			`# Copyright (c) 2016 Canonical, Ltd.`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, contact Novell, Inc.`
			`# ----------------------------------------------------------------------`
			`NAME=pam_apparmor`
			`all:`
			`COMMONDIR=../../common/`

Entire tree: makefile cruft removal - drop the symlink magic of the common/ directory, and just include files directly from there. - update comments indicating required steps to take when including common/Make.rules - drop make clean steps that refer to no longer generated tarballs, specfiles, and symlinks to the common directory/Make.rules. - don't silence clean steps if VERBOSE is set Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de> 2015-01-23 15:52:09 -08:00			`include $(COMMONDIR)/Make.rules`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
mod_apparmor/pam_apparmor: fix libapparmor search path and add USE_SYSTEM support This patch adds support for the USE_SYSTEM make flag and adjusts search paths for mod_apparmor and pam_apparmor, as well as fixing up a couple of the (probably ought to be deprecated) tomcat locations where apparmor.h is included. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 11:57:13 -08:00			`ifdef USE_SYSTEM`
			`LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \`
			`pkg-config --silence-errors --libs libapparmor ; \`
			`elif ldconfig -p \| grep -q libapparmor\.so$$ ; then \`
			`echo -lapparmor ; \`
			`fi )`
			`ifeq ($(strip $(LIBAPPARMOR)),)`
Makefiles: add ${nl} for errors, apply when failing to find libapparmor Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> 2014-03-11 14:42:23 -07:00			`ERROR_MESSAGE = $(error ${nl}\`
			`************************************************************************${nl}\`
			`Unable to find libapparmor installed on this system; either${nl}\`
			`install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\`
			`manually, or build against in-tree libapparmor.${nl}\`
			`************************************************************************${nl})`
mod_apparmor/pam_apparmor: fix libapparmor search path and add USE_SYSTEM support This patch adds support for the USE_SYSTEM make flag and adjusts search paths for mod_apparmor and pam_apparmor, as well as fixing up a couple of the (probably ought to be deprecated) tomcat locations where apparmor.h is included. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 11:57:13 -08:00			`endif`
			`LIBAPPARMOR_INCLUDE =`
			`AA_LDLIBS = $(LIBAPPARMOR)`
			`AA_LINK_FLAGS =`
			`else`
			`LIBAPPARMOR_SRC := ../../libraries/libapparmor/`
			`LIBAPPARMOR_INCLUDE_PATH = $(LIBAPPARMOR_SRC)/include`
			`LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/`
			`ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)`
Makefiles: add ${nl} for errors, apply when failing to find libapparmor Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> 2014-03-11 14:42:23 -07:00			`ERROR_MESSAGE = $(error ${nl}\`
			`************************************************************************${nl}\`
			`$(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\`
			`the in-tree libapparmor by building it first and then trying again${nl}\`
			`(see the top-level README for help) or build against the system${nl}\`
			`libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\`
			`************************************************************************${nl})`
mod_apparmor/pam_apparmor: fix libapparmor search path and add USE_SYSTEM support This patch adds support for the USE_SYSTEM make flag and adjusts search paths for mod_apparmor and pam_apparmor, as well as fixing up a couple of the (probably ought to be deprecated) tomcat locations where apparmor.h is included. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 11:57:13 -08:00			`endif`
			`LIBAPPARMOR_INCLUDE = -I$(LIBAPPARMOR_INCLUDE_PATH)`
			`AA_LINK_FLAGS = -L$(LIBAPPARMOR_PATH)`
			`AA_LDLIBS = -lapparmor`
			`endif`
build: add and use global EXTRA_WARNINGS from common/Make.rules Define EXTRA_WARNINGS in the common/Make.rules helper so that adding additional warnings can be done in one(-ish) location, and replace locally defined C compiler warning flags with EXTRA_WARNINGS in most locations in the build tree. v2: issue a warning for any compiler option that the compiler does not support Signed-off-by: Steve Beattie <steve.beattie@canonical.com> 2020-05-28 09:55:31 -07:00			`EXTRA_CFLAGS=$(CFLAGS) $(CPPFLAGS) -fPIC -shared -Wall $(EXTRA_WARNINGS) $(LIBAPPARMOR_INCLUDE)`
pass LDFLAGS fully into build Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> 2017-01-19 23:04:34 +00:00			`LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS) $(LDFLAGS)`
mod_apparmor/pam_apparmor: fix libapparmor search path and add USE_SYSTEM support This patch adds support for the USE_SYSTEM make flag and adjusts search paths for mod_apparmor and pam_apparmor, as well as fixing up a couple of the (probably ought to be deprecated) tomcat locations where apparmor.h is included. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 11:57:13 -08:00			`LIBS=-lpam $(AA_LDLIBS)`
This (updated) patch provides some limited configurability for pam_apparmor pam module. The default behavior is to use the user's primary groupname, and to fall back to the DEFAULT hat. You can change this behavior by appending order=type1[,type2,type3] to the pam_apparmor session line in the pam config for the application you're applying pam_apparmor to. The available types are 'user' for username, 'group' for groupname, and 'default' for DEFAULT. Thus, adding a configuration entry like: session optional pam_apparmor.so order=group,default is equivalent to the default behavior for pam_apparmor. The parse_option code got a little more complicated than I'd hoped it would be; I could have just had types by space delimited options to module, but I thought I'd leave open the possibility of adding additional options to the module ('debug' immediately comes to mind). I disabled the short-circuit that occurs if EPERM is returned by change_hat, as we can't detect that this is because there's no hats or that the application is entirely undefined; if ECHILD makes it in then we can re-enable this. I am less convinced now that pam_apparmor needs to be 'optional' than 'required'; killing the session if none of the change_hats succeeds is starting to feel like reasonable behavior. --- changehat/pam_apparmor/Makefile \| 11 + changehat/pam_apparmor/README \| 74 +++++++++++++ changehat/pam_apparmor/get_options.c \| 157 ++++++++++++++++++++++++++++ changehat/pam_apparmor/pam_apparmor.c \| 155 +++++++++++++++++++-------- changehat/pam_apparmor/pam_apparmor.h \| 56 +++++++++ changehat/pam_apparmor/pam_apparmor.spec.in \| 2 6 files changed, 406 insertions(+), 49 deletions(-) 2006-10-31 15:54:47 +00:00			`OBJECTS=${NAME}.o get_options.o`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
Convert make errors finding libapparmor to only occur when building By raising an error for being unable to find libapparmor any time a make command is run, we break things like make clean and other targets that don't strictly depend on libapparmor existing (note that Tyler's implementation for the parser did not do this). This patch fixes this for the regression tests, mod_apparmor and pam_apparmor by making a separate libapparmor_check target that looks to see if an error message should be generated. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 12:11:19 -08:00			`.PHONY: libapparmor_check`
			`.SILENT: libapparmor_check`
Makefiles: add ${nl} for errors, apply when failing to find libapparmor Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> 2014-03-11 14:42:23 -07:00			`libapparmor_check: ; $(ERROR_MESSAGE)`
Convert make errors finding libapparmor to only occur when building By raising an error for being unable to find libapparmor any time a make command is run, we break things like make clean and other targets that don't strictly depend on libapparmor existing (note that Tyler's implementation for the parser did not do this). This patch fixes this for the regression tests, mod_apparmor and pam_apparmor by making a separate libapparmor_check target that looks to see if an error message should be generated. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2014-01-09 12:11:19 -08:00
build: make documentation at tarball creation time, not during build The latex based techdoc in the parser/ tree adds a number of build dependencies for downstreams to create it; it also is the primary element to make the builds unrepeatable. Creating the techdoc and other documentation when generating a tarball for distribution avoids all that. * Makefile: build documentation as part of the tarball creation. Skip the libraries/libapparmor directory as it needs to have configure run before the manpages can be made. * changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile, utils/Makefile, profiles/Makefile: create separate docs target, some of them dummies. * parser/Makefile: pull the techdoc out of the default build target, add an extra_docs target to create it. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> 2016-12-10 10:25:31 -08:00			`all: libapparmor_check $(NAME).so docs`

			`.PHONY: docs`
			`# docs: we should have some`
			`docs:`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
This (updated) patch provides some limited configurability for pam_apparmor pam module. The default behavior is to use the user's primary groupname, and to fall back to the DEFAULT hat. You can change this behavior by appending order=type1[,type2,type3] to the pam_apparmor session line in the pam config for the application you're applying pam_apparmor to. The available types are 'user' for username, 'group' for groupname, and 'default' for DEFAULT. Thus, adding a configuration entry like: session optional pam_apparmor.so order=group,default is equivalent to the default behavior for pam_apparmor. The parse_option code got a little more complicated than I'd hoped it would be; I could have just had types by space delimited options to module, but I thought I'd leave open the possibility of adding additional options to the module ('debug' immediately comes to mind). I disabled the short-circuit that occurs if EPERM is returned by change_hat, as we can't detect that this is because there's no hats or that the application is entirely undefined; if ECHILD makes it in then we can re-enable this. I am less convinced now that pam_apparmor needs to be 'optional' than 'required'; killing the session if none of the change_hats succeeds is starting to feel like reasonable behavior. --- changehat/pam_apparmor/Makefile \| 11 + changehat/pam_apparmor/README \| 74 +++++++++++++ changehat/pam_apparmor/get_options.c \| 157 ++++++++++++++++++++++++++++ changehat/pam_apparmor/pam_apparmor.c \| 155 +++++++++++++++++++-------- changehat/pam_apparmor/pam_apparmor.h \| 56 +++++++++ changehat/pam_apparmor/pam_apparmor.spec.in \| 2 6 files changed, 406 insertions(+), 49 deletions(-) 2006-10-31 15:54:47 +00:00			`$(NAME).so: ${OBJECTS}`
			`$(CC) $(EXTRA_CFLAGS) $(LINK_FLAGS) -o $@ ${OBJECTS} $(LIBS)`

			`%.o: %.c`
			`$(CC) $(EXTRA_CFLAGS) -c -o $@ $<`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`# need some better way of determining this`
			`DESTDIR=/`
From: Jeff Mahoney <jeffm@suse.com> Subject: adjust includes for pam_apparmor to point at the intree version of libapparmor, rather than depend on an external version to be installed. 2011-02-08 07:21:20 -08:00			`SECDIR ?= ${DESTDIR}/lib/security`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`.PHONY: install`
Patch from Mathias Gug <mathiaz@ubuntu.com> of Ubuntu [Message-ID: <20070813195328.GB11381@mathias.mathiaz.net>]. This fixes the make install target of pam_apparmor so that it depends on the library already being built. 2007-08-14 19:06:19 +00:00			`install: $(NAME).so`
Ralf Spenneberg fixup for make install target 2006-08-09 22:39:20 +00:00			`install -m 755 -d $(SECDIR)`
Install pam_apparmor.so with write permission for its owner. I could not find the reason why the upstream Makefile has been installing it with permissions 555: this predates the migration from SVN. Regardless, at least on Debian and derivatives, dh_fixperms has been changing these permissions to 755 forever so it was causing problems, likely we would know about it by now. The initial motivation for this change is supporting rootless builds on Debian and derivatives, also known as "Rules-Requires-Root: no": - /usr/share/doc/dpkg-dev/rootless-builds.txt* on a Debian system with a sufficiently recent dpkg-dev installed - https://nthykier.wordpress.com/2017/10/29/building-packages-without-fakeroot/ - https://lists.debian.org/debian-devel/2017/10/msg00520.html With this change applied upstream, Debian-based downstreams don't need to adjust their debian/rules to make this work with "Rules-Requires-Root: no": chrpath -d $(CURDIR)/debian/tmp/lib/security/pam_apparmor.so 2018-01-19 08:22:35 +00:00			`install -m 755 $(NAME).so $(SECDIR)/`
Import the rest of the core functionality of the internal apparmor development tree (trunk branch). From svn repo version 6381. 2006-04-11 21:52:54 +00:00
			`.PHONY: clean`
Entire tree: makefile cruft removal - drop the symlink magic of the common/ directory, and just include files directly from there. - update comments indicating required steps to take when including common/Make.rules - drop make clean steps that refer to no longer generated tarballs, specfiles, and symlinks to the common directory/Make.rules. - don't silence clean steps if VERBOSE is set Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de> 2015-01-23 15:52:09 -08:00			`clean:`
Remove automatic editing of pam's session-common files. Use RPM_OPT_FLAGS for CFLAGS when building with rpm. Cleanup older tarballs during make clean. 2006-10-25 20:13:48 +00:00			`rm -f core core.* .so .o .s .a *~`