As discussed a while ago, switch the utils (including their tests) to
use python3 by default. While on it, drop usage of "env" to always get
the system python3 instead of a random one that happens to live
somewhere in $PATH.
In practise, this patch doesn't change much - AFAIK openSUSE, Debian and
Ubuntu already patch aa-* to use python3.
Also add a note to README to officially deprecate Python 2.x.
(I won't break Python 2.x support intentionally - unless some future
change gives me a very good reason to finally drop Python 2.x support.)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(since 2016-08-23, but the commit had to wait for the FileRule series
because it touches test-file.py)
After looking at matchliteral(), I found out that it's only user is
rematchfrag(), which is only called in a) an "if False:" block and
b) match_include_to_path() - and that is only called by the also unused
match_prof_incs_to_path() function.
This patch drops some dead code (like the mentioned "if False:" block)
and the now unused functions
- matchliteral()
- rematchfrag()
- match_include_to_path()
- match_prof_incs_to_path()
This patch is also THE ANSWER to the question when I'll finally consider
this patch series complete.
42. It can't become better than that! ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
If a merged profile contains additional hats or subprofiles, the "old"
aa-mergeprof silently created them as additional hasher elements (partly
buggy, because subprofiles would end up as '^/subprofile' instead of
'profile /subprofile'). After switching to FileRule, aa-mergeprof crashes
on new hats or subprofiles.
This patch adds code to ask the user if the new hat or subprofile should
be added - which means this patch replaces two bugs (crash + silently
adding subprofiles and hats) with a new feature ;-)
The new questions also add a new text CMD_ADDSUBPROFILE in ui.py.
Finally, the new "button" combinations get added to test-translations.py.
If you want to test, try to aa-mergeprof this profile (the subprofile
and hat are dummies, nothing ping would really require):
#include <tunables/global>
/{usr/,}bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
network inet6 raw,
/{,usr/}bin/ping mixr,
/etc/modules.conf r,
^hat {
/bin/hat r,
/bin/bash px,
}
profile /subprofile {
/bin/subprofile r,
/bin/bash px,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/bin.ping>
}
Note that this patch is not covered by unittests, but it passed all my
manual tests.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1507469
aa-mergeprof empties 'includes' when running reset_aa(). The result is
KeyError: 'abstractions/newly_added_abstraction'
if an include file gets added because it isn't part of 'includes' at
this time. Note that you'll need to add another rule after adding the
include to trigger checking the includes for superfluous rules.
This fixes the regression found by Steve - which isn't really a
regression, "just" one more thing that got more visible with the new
code. Before, it was just an ill-addressed hasher that didn't complain ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
The switch to FileRule made some bugs visible that survived unnoticed
with hasher for years.
If aa-logprof sees an exec event for a non-existing profile _and_ a
profile file matching the expected profile filename exists in
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
being silent). In the old code, this created a superfluous entry
somewhere in the aa hasher, and caused the existing profile to be
rewritten (without changes).
However, with FileRule it causes a crash saying
File ".../utils/apparmor/aa.py", line 1335, in handle_children
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'
This patch makes sure exec events for unknown profiles get ignored.
Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
This causes a crash without this patch because
/etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {
References: https://bugs.launchpad.net/bugs/1379874
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
FileRule uses RE_PROFILE_FILE_ENTRY, which also means
RE_PROFILE_PATH_ENTRY, RE_PROFILE_BARE_FILE_ENTRY and RE_OWNER are now
unused.
This patch drops these regexes and their tests in test-regex_matches.py.
Acked-by: Steve Beattie <steve@nxnw.org>
rank() in severity.py is a dispatcher that calls the needed function
(rank_path(), rank_capability()) based on the parameter. Since all
calling code knows what rule type it is handling, this dispatcher is
superfluous - the calling code can call rank_path() or rank_capability()
directly.
This patch drops rank() and switches the remaining users of rank() to
call the rank_*() functions directly. For the tests, this means to drop
the CAP_ prefix because rank_capability doesn't expect this prefix.
Acked-by: Steve Beattie <steve@nxnw.org>
After switching to FileRule, several functions in aamode.py are no
longer used and can be deleted:
- print_mode()
- sub_mode_to_str()
- is_user_mode()
- split_mode()
- mode_to_str()
- flatten_mode()
- owner_flatten_mode()
- mode_to_str_user()
- log_str_to_mode()
The AA_EXEC_TYPE and ALL_AA_EXEC_TYPE variables are also unused now.
Acked-by: Steve Beattie <steve@nxnw.org>
When an user adds a new rule to a profile, cleanup / delete existing
rules that are covered by the new rule, and report the number of deleted
rules.
Acked-by: Steve Beattie <steve@nxnw.org>
Adding a rule to *Ruleset means it simply gets added. This also means
that then-superfluous rules will be kept.
This patch adds an optional cleanup flag to add(). If set, rules covered
by the new rule will be deleted. The difference to delete_duplicates()
is that cleanup only deletes rules that are covered by the new rule, but
keeps other, unrelated superfluous rules.
Also return the number of deleted rules to give the UI a chance to
report this number.
Finally, adjust the existing tests for FileRuleset to ensure default
mode (without cleanup) doesn't delete any rules, and add a test using
the cleanup flag.
Acked-by: Steve Beattie <steve@nxnw.org>
Replace the old (hasher-based) conflict_mode() with the new
(FileRule-based) ask_conflict_mode() function. If it detects conflicting
exec rules, it asks the user which one to keep.
Also call ask_conflict_mode() from ask_the_questions() so that it is
actually used.
Note: This patch isn't covered by unittests, but I did some manual
testing to make sure it works as expected.
Acked-by: Steve Beattie <steve@nxnw.org>
get_exec_rules_for_path() returns a FileRuleset with all rules matching
the given path.
get_exec_conflict_rules() returns a FileRuleset with all exec rules that
conflict with the given oldrule. This will be used by aa-mergeprof to
ask the user which rule he wants to keep.
Also add tests for both functions.
Acked-by: Steve Beattie <steve@nxnw.org>
The clear_common() call was disabled because it crashed in
delete_path_duplicates(). With the switch to FileRule, this function
no longer exists and therefore it can't crash ;-)
This patch re-enables the clear_common() call to avoid asking
superfluous questions.
References: https://bugs.launchpad.net/apparmor/+bug/1382236
Acked-by: Steve Beattie <steve@nxnw.org>
This is the correct way of doing AARE matches. However, this check is
more strict when matching against an AARE containing wildcards etc.
(which can "by luck" match when doing str matching)
To avoid breaking DbusRule, PtraceRule and SignalRule (especially their
tests), introduce _is_covered_aare_compat() which keeps the previous
behaviour of doing str matching, and use it in these classes.
On the long term, _is_covered_aare_compat() needs to go away, but doing
the changes needed in DbusRule, PtraceRule and SignalRule (or ideally
just in AARE) are out of scope for the FileRule patch series.
Acked-by: Steve Beattie <steve@nxnw.org>
When matching an AARE against another AARE, most AARE objects don't
contain orig_regex (only AARE instances originating from a log event
contain orig_regex).
In this case, match() will use is_equal() to error out on the safe side.
Unfortunately this also means that there are lots of false negative
cases where match() returns False errornously.
With this patch, match() checks the given AARE regex and, if it doesn't
contain any special characters (wildcards, alternations or variables),
handles it as plain path. This avoids most of the false negatives.
Also extend the AARE tests to check a bunch of plain path regexes using
AARE matching instead of only str matching.
Acked-by: Steve Beattie <steve@nxnw.org>
Merge the existing and requested permissions into a nice set of headers
that can be displayed by aa-logprof. This will look like:
Path: /foo
Old Mode: r + owner w
New Mode: rw
Also split off a _join_given_perms() function off _joint_perms() so that
we can use the permission string merging for things not stored in self.*.
Finally add some tests for logprof_header().
Acked-by: Steve Beattie <steve@nxnw.org>
If the audit.log contains an event for a non-existing profile (this can
happen when running with a foreign log or if the user manually deleted a
profile or hat), propose_file_rules() crashes because rule_obj is None
instead of a profile_storage() struct.
This patch adds a check that skips events for non-existing profiles and
hats.
Note: I'm quite sure this happens only for file events (because the
other rule types don't have something similar to propose_file_rules()),
therefore no backport to older versions is needed.
Acked-by: Steve Beattie <steve@nxnw.org>
Add set_options_audit_mode() to switch the audit mode in all options
offered by aa-logprof and aa-mergeprof, not only the "original" rule
(in aa-logprof, this means the non-globbed rule_obj).
As usual, add some tests to ensure the function works as expected.
Acked-by: Steve Beattie <steve@nxnw.org>
aa.py:
- add propose_file_rules() - will propose matching paths from existing
rules in the profile or one of the includes
- save user_globs if user selects '(N)ew' (will be re-used when
proposing rules)
- change user_globs to a dict so that it can carry the human-readable
path and an AARE object for it
- change order_globs() to ensure the original path (given as parameter)
is always the last item in the resulting list
- add a ruletype switch to ask_the_questions() so that it uses
propose_file_rules() for file events (I don't like this
ruletype-specific solution too much, but everything else would make
things even more complicated)
Also keep aa-mergeprof ask_the_questions() in sync with aa.py.
In FileRule, add original_perms (might be set by propose_file_rules())
Finally, add some tests to ensure propose_file_rules() does what it promises.
Acked-by: Steve Beattie <steve@nxnw.org>
get_file_perms() collects the existing permissions for a file from
various rules (exact matches, wildcards) in the main profile and the
included abstractions.
It will be used to get displaying the current permissions back, and
also to propose rules with merged permissions (next patch).
Also add some tests to make sure it does what it promises ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
- get_rules_for_path() returns all rules matching the given path
(both exact matches and AARE matches)
- get_perms_for_path() returns the merged permissions for the given
path and a list of paths used in the matching rules
Also add tests for these two functions.
Acked-by: Steve Beattie <steve@nxnw.org>
Also add a rank_path() function to severity.py and change rank() to call
rank_path() for paths.
Long-term goal: get rid of the type "guessing" in rank()
Finally add some tests, mostly based on test-severity.py SeverityTest
Acked-by: Steve Beattie <steve@nxnw.org>
This brings back the edit option for the path of file rules.
Also add it to aa-mergeprof to keep ask_the_questions() in sync.
Note: aa-mergeprof will ask about path mismatchs basically always.
That's because AARE is too careful on the matching - something to be
fixed in a later patch.
Acked-by: Steve Beattie <steve@nxnw.org>
This means adding
- self.can_edit - True if editing via '(N)ew' should be possible (will
be False for bare file rules)
- edit_header() - returns the prompt text and the current path
- validate_edit() - checks if the new path matches the original one
- store_edit() - changes the path to the new one (even if it doesn't
match the old one)
self.can_edit and the 3 functions are also added to BaseRule:
- can_edit is False by default
- the functions raise a NotImplementedError
Also add tests for the added code.
Acked-by: Steve Beattie <steve@nxnw.org>
This change also needs some other changes in ask_the_questions():
- set q.options and q.selected inside the loop (because glob() and
glob_ext() add another option)
- set 'selection' outside the if block to avoid doing it in nearly every
if branch
- make sure to add the selected rule, not just rule_obj (which doesn't
contain a modified, for example globbed, rule)
- skip 'deny' if an #include is selected
- re-add handling for CMD_GLOB and CMD_GLOB_EXT (was lost when switching
to FileRule)
- add selection_to_rule_obj() helper function
- add glob and glob with ext buttons in available_buttons() if
rule_obj.can_glob or rule_obj.can_glob_ext
Also apply the changes in ask_the_questions() to aa-mergeprof to keep it
in sync with aa.py, and disable the old path handling in aa-mergeprof.
Note: in its current state, aa-mergeprof will ask for some "superfluous"
file permissions, and doesn't check for 'x' conflicts. One of the
following patches will fix that.
Acked-by: Steve Beattie <steve@nxnw.org>
Add the glob() and glob_ext() functions to FileRule, and set
self.can_glob and self.can_glob_ext. Also add some tests (just enough to
make sure the FileRule integration works - the globbing is handled
inside AARE,and the AARE tests contain more testcases).
Note that the implementation differs from the original plan (which was
to have globbing in *Ruleset). Therefore add can_glob and can_glob_ext
to BaseRule (both default to False), and add a comment to BaseRuleset
that globbing needs to be removed from all *Ruleset classes.
Acked-by: Steve Beattie <steve@nxnw.org>
As discussed, I added a pointer to the test-aare.py globbing tests in
test-file.py.
glob_path() and glob_path_ext() modify a (path) regex, so move them to
AARE. Also change them to use self.regex instead of the newpath
parameter, and to return a new AARE object.
While on it, also add several tests to test-aare.py.
Note: There are still glob_path() and glob_path_ext() calls in aa.py,
but those calls are in a (since the middle of this patch series) dead
code section. pyflakes will complain about them nevertheless ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
This patch changes handle_children() (which asks about exec events) and
ask_the_questions() (which asks everything else) to FileRule. This
solves the "brain split" introduced by the previous patch.
This means aa-logprof and aa-genprof ask useful questions again, and
store the answers at the right place.
In detail, this means (with '-' line number from the diff)
- (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common()
returns an empty result.
- (484) profile_storage(): drop profile['allow']['path'] and
profile['deny']['path']
- (510) create_new_profile(): switch to FileRule
- (1190..1432) lots of changes in handle_children():
- drop escaping (done in FileRule)
- don't add events with 'x' perms to prelog
- use is_known_rule() instead of profile_known_exec()
- replace several regexes for the selected CMD_* with more readable
'in' clauses. While on it, drop unused parts of the regex.
- use plain 'ix', 'px' (as str) instead of str_to_mode() format
- call handle_binfmt() for the interpreter in ix, Pix and Cix rules
- (1652) ask_the_questions(): disable the old file-specific code
(not dropped because some features aren't ported to FileRule yet)
- (2336) collapse_log():
- convert file log events to FileRule (and add some workarounds and
TODOs for logparser.py behaviour that needs to change)
- disable the old file-specific code (not dropped because merging of
existing permissions isn't ported to FileRule yet)
- (2403) drop now unused validate_profile_mode() and the regexes it used
- (3374) drop now unused profile_known_exec()
Test changes:
- adjust fake_ldd to handle /bin/bash
- change test-aa.py AaTest_create_new_profile to expect FileRule instead
of a path hasher. Also copy the profiles to the tempdir and load the
abstractions that are needed by the test.
(These tests get skipped on py2 because changing
apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason)
Important: Some nice-to-have features are not yet implemented for
FileRule:
- globbing
- (N)ew (allowing the user to enter a custom path)
- displaying and merging of permissions already existing in the profile
This means: aa-logprof works, but it's not as user-friendly as before.
The next patches will fix that ;-)
Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE()
because of undefined symbols (aamode, profile, hat). This will be fixed
when the old code gets dropped in one of the later patches.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://launchpad.net/bugs/1569316
Change aa.py to use FileRule and FileRuleset for parsing and saving
profiles.
In detail, this means:
- add 'file' to the list of rule classes to enable it at various places
- store file rules in aa[profile][hat]['file'] (not 'path' as before)
to be consistent with the FileRule name
- drop the no longer needed delete_path_duplicates() - this is now
handled by FileRuleset like in all other rule classes.
(same change in cleanprofile.py)
- replace usage of RE_PROFILE_BARE_FILE_ENTRY and RE_PROFILE_PATH_ENTRY
with FileRule.match()
- drop write_path_rules() and write_paths() and replace them with the
new write_file() function.
- adjust several code sections to use write_file() and 'file' instead of
'path'
FileRule doesn't drop optional keywords ('allow' and 'file'), therefore
adjust cleanprof_test.out to the changed behaviour. (If someone insists
on dropping optional keywords in aa-cleanprof, that's something for a
future patch.)
Also adjust the list of known failures in test-parser-simple-tests.py -
switching to FileRule avoids several test failures (and introduces a few
new ones ;-)
IMPORTANT:
This patch introduces a "brain split" which means
- parsing and writing the profile and aa-cleanprof use the new location
(aa[profile][hat]['file'])
- aa-logprof and aa-genprof still save data to the old location
(aa[profile][hat]['allow']['path']) and probably ask superfluous
questions because there are no rules existing in the old location
TL;DR: don't try aa-logprof or aa-genprof with only this patch applied.
I know this isn't ideal, but still better than an even bigger and
totally unreadable patch ;-)
Acked-by: Steve Beattie <steve@nxnw.org>
aa-logprof needs to check if an exec rule for a given path exists.
This patch adds a __FileAnyExec class to FileRule, as well as ANY_EXEC
(which should be used externally, similar to ALL), and adjusts several
checks to allow it as a special execute mode.
This will allow to use is_covered() (or aa.py is_known_rule()) to find
out if execute is permitted, which replaces aa.py profile_known_exec()
in one of the following patches.
As usual, also add some tests.
Acked-by: Steve Beattie <steve@nxnw.org>
Note: as discussed, I adjusted the comment for 'pass' around line 240.
Patch 14 will drop the RE_PROFILE_PATH_ENTRY and
RE_PROFILE_BARE_FILE_ENTRY import from apparmor.aa.
This would break test-regex_matches.py, therefore
import these regexes from apparmor.regex.
Acked-by: Steve Beattie <steve@nxnw.org>
The parser accepts duplicated execute permissions as long as they don't
conflict. For example,
/bin/foo pxpxpxpx,
is a valid rule.
This patch changes FileRule to also accept those duplicated permissions,
even if it's unlikely to hit them outside of the parser tests ;-)
Also add some tests to make sure the parsing works as expected.
Acked-by: Steve Beattie <steve@nxnw.org>
RE_PATH expected (simplified) '/.+', however this excludes a plain '/'
that can appear in path rules.
This patch changes the regex so that it also matches '/'.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
After dropping the dead code in handle_children(), there's only one use
of contains() left in log_str_to_mode().
This patch changes log_str_to_mode to use mode_contains() and drops the
now unused contains() function.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The 'exec' handling in handle_children starts with
if do_execute:
if profile_known_exec(...)
continue
which means if profile_known_exec() returns True, the rest of the loop
will be skipped. profile_known_exec() will return True if it finds an
exec rule in the profile or an include (independent of the exec type,
and (thanks to rematchfrag()) even if the path is globbed.
Later in the loop, there are checks for various exec modes - but those
checks can only be reached without an existing x rule, so they'll never
be hit.
This patch removes the dead code in the handle_children() / 'exec' / 'no
existing x rule found' section.
I confirmed that this code is really dead by
a) reading the code and, after being confused
b) two manual aa-logprof runs with coverage enabled - in one of them, I
added some ix, Px and Cx rules, and in the second one, no more exec
rules were needed/asked.
After dropping the dead code, combinedmode and combinedaudit are no
longer used, so we can also drop the code that sets those variables.
Sidenote: this patch drops 2% of the lines in aa.py ;-)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
These classes handle file rules, including file rules with leading
perms, and are meant to replace lots of file rule code in aa.py and
aa-mergeprof.
Note: get_glob() and logprof_header_localvars() don't even look
finalized and will be changed in a later patch. (Some other things will
also be changed or added with later patches - but you probably won't
notice them while reviewing this patch.)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> (with some suggestions for a follow-up patch)
v1.1: remove 'and not deny' from a condition in split_perms() to get
more helpful error messages for rules like "deny /foo pix,"
Acked-by: Steve Beattie <steve@nxnw.org>
_is_covered_list() has a sanity check that raises an exception if both
other_value and other_all evaluate to False. This breaks when using
_is_covered_list() for FileRule.perms which can be empty if exec_perms
are specified.
This patch adds an optional parameter that allows to skip the sanity
check.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
For now, use an additional regex RE_PROFILE_FILE_ENTRY to avoid
breakage of the existing code by the added match groups.
The regex includes support for file rules with leading and trailing
permissions as well as bare file rules.
Note: even with the restriction to the permission letters we actually
use, it's in theory still possible that a future additional rule type or
permission letter might lead to additional matches for other rule types.
Therefore the parsing code should check for all other rule types before
matching for file rules.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
File permissions can be an empty list (if only exec permissions are
specified). This patch adds the optional allow_empty_list parameter so
that the function can handle this case.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
File rules contain some optional details (like leading permissions and
the file keyword) which should be ignored in non-strict mode.
This patch passes through the 'strict' parameter to is_equal_localvars
and adds it as function parameter in all existing rule classes.
It also adjusts test-baserule.py to test with the additional parameter.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The features_struct.size variable is used to hold a buffer size and it
is also passed in as the size parameter to read(). It should be a size_t
instead of an int.
A new helper function, features_buffer_remaining(), is created to handle
the two places where the remaining bytes in the features buffer are
calculated.
This patch also changes the size parameter of load_features_dir() to a
size_t to match the same parameter of load_features_file() as well as
the features_struct.size change described above.
Two casts were needed when comparing signed types to unsigned types.
These casts are safe because the signed value is checked for "< 0"
immediately before the casts.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The load_features_file() function returned an int but calculated the
value by subtracting two pointers. On 64 bit systems, that results in a
64 bit value being represented as a 32 bit type.
Coverity CID #55992
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In 2011 (r1803), the traceroute profile was changed to also match
/usr/bin/traceroute.db:
/usr/{sbin/traceroute,bin/traceroute.db} {
However, permissions for /usr/bin/traceroute.db were never added.
This patch fixes this.
While on it, also change the /usr/sbin/traceroute permissions from
rmix to the less confusing mrix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
https://launchpad.net/bugs/1628745
The following upstream kernel commit changed the semantics of the exec
permission check in the 4.8 kernel:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
That change means that the target profile of an exec transition must
have permission to map the binary being executed. This patch fixes
regression test failures while the exec_stack.sh test is running against
4.8 and newer kernels by granting mapping permission to the target
profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
For reasons that aren't entirely clear, the action to set
apparmor.aa.cfg['settings']['ldd'] to './fake_ldd' does not actually
work on python2.7, get_reqs() tries to use /usr/bin/ldd anyway (printing
out the contents of apparmor.aa.cfg['settings']['ldd'] after the set
operation shows it to still contain '/usr/bin/ldd' o.O). Therefore, skip
these two tests when running under python2.7.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Bug: https://launchpad.net/bugs/1522938
Fixes build error when attempting to build and test the 2.10.95 release
on Ubuntu 14.04:
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
make && make check) > /dev/null
...
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
libtool: and run autoconf again.
make[2]: *** [grammar.lo] Error 63
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
The --force option is needed to regenerate the libtool file in
libraries/libapparmor/.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
