Each coverity command writes its debugging output to
cov-int/build-log.txt, which means that multiple runs of cov-build
overwrite previous logs, resulting in only the last invocation's output
remaining at the end of the build, making debugging why failures to
capture coverity output difficult. Fix this by renaming the build-log to
per-directory log files.
(This would still be an issue even if we had a single build command
for the entire tree, as capturing python and other interpreted
files requires a second invocation of cov-build to scan for those
file types.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/145
Coverity now supports scanning python (and other languages). Apply the
fs-capture-search option to the libapparmor and utils directpries to
capture the python source.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The latex based techdoc in the parser/ tree adds a number of build
dependencies for downstreams to create it; it also is the primary
element to make the builds unrepeatable. Creating the techdoc and other
documentation when generating a tarball for distribution avoids all
that.
* Makefile: build documentation as part of the tarball creation. Skip
the libraries/libapparmor directory as it needs to have configure run
before the manpages can be made.
* changehat/mod_apparmor/Makefile, changehat/mod_apparmor/Makefile,
utils/Makefile, profiles/Makefile: create separate docs target,
some of them dummies.
* parser/Makefile: pull the techdoc out of the default build target, add
an extra_docs target to create it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The snapshot/tarball builds use some shell constructs that end
up causing failures at various stages to be ignored. This commit
addresses that.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Add a target that uses cov-build, which must be found in $PATH, to
generate an intermediate Coverity directory called cov-int. The
intermediate Coverity directory will be based on a clean snapshot of the
last commit in the bzr tree. Finally, the intermediate directory is
converted to a compressed tarball, stored in
apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, and is suitable for
uploading to scan.coverity.com.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Turn REPO_VERSION and SNAPSHOT_DIR into make variables that may be
reused by future targets that specify the snapshot target as a
prerequisite. This prevents us from having to repeatedly call out to
potentially slow commands on bound bzr branches, such as the bzr
version-info command stored in the REPO_VERSION_CMD make variable.
The new REPO_VERSION make variable is turned into a "simply expanded"
variable as to not require a callout to bzr each time it is expanded.
The SNAPSHOT_DIR shell variable is renamed to SNAPSHOT_NAME as a make
variable. The new name may be slightly more descriptive in the future as
the variable will be reused in other ways besides a simple directory
name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Order the DIRS variable according to build order. This allows the DIRS
variable to be iterated over to build libapparmor, binutils, parser,
utils, etc., without having to reorder the list.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The new aa-enabled program can be used as a barebones replacement for
`aa-status --enabled`. It is written in C, rather than Python, which
keeps its dependencies to a minimum.
By default, aa-enabled prints a human-readable status of AppArmor's
availability to stdout. It supports a --quiet option which allows for
functionality equivalent to `aa-status --enabled`, which does not print
any messages.
The aa-enabled exit statuses mimic the behavior documented in the
aa-status(8) man page.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Incorporated feedback from the code review process]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
This patch removes a bunch of the per-directory tarball and rpm
generation cruft that is no longer needed now that we've been
distributing a unified tarball in our releases.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
- drop the symlink magic of the common/ directory, and just include
files directly from there.
- update comments indicating required steps to take when including
common/Make.rules
- drop make clean steps that refer to no longer generated tarballs,
specfiles, and symlinks to the common directory/Make.rules.
- don't silence clean steps if VERBOSE is set
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian "Ghostbuster" Boltz <apparmor@cboltz.de>
make sure nothing accidently hits the first-best target (well,
first-not-so-good would better describe the rpm target ;-)
Also add a dummy "all:" target to the toplevel Makefile with a short
hint towards README.
(see "[patch] fun with the toplevel Makefile") on the ML for the fun
that lead to this patch)
Acked-by: Steve Beattie <steve@nxnw.org>
After removing the tools that had lingered in the deprecated directory
for too long, don't exclude the deprecated/ subdirectory from tarball
creation, as SUSE needs access to the deprecated perl modules for YaST.
Add a make variable for adding back in exclusions if needed.
'~' replaced by '-'. This is needed for mirroring to git as git can't
handle '~'s embedded in tag or branch names.
Tested by setting up a separate tag_version target like so:
tag_version:
echo ${TAG_VERSION}
This is a rather large rearrangement of how a subset of the parser global
variables are defined. Right now, there are unit tests built without
linking against parser_main.c. As a result, none of the globals defined in
parser_main.c could be used in the code that is built for unit tests
(misc, regex, symtab, variable). To get a clean build, either stubs needed
to be added to "#ifdef UNIT_TEST" blocks in each .c file, or we had to
depend on link-time optimizations that would throw out the unused routines.
First, this is a problem because all the compile-time warnings had to be
explicitly silenced, so reviewing the build logs becomes difficult on
failures, and we can potentially (in really unlucky situations) test
something that isn't actually part of the "real" parser.
Second, not all compilers will allow this kind of linking (e.g. mips gcc),
and the missing symbols at link time will fail the entire build even though
they're technically not needed.
To solve all of this, I've moved all of the global variables used in lex,
yacc, and main to parser_common.c, and adjusted the .h files. On top of
this, I made sure to fully link the tst builds so all symbols are resolved
(including aare lib) and removedonly tst build-log silencing (for now,
deferring to another future patchset to consolidate the build silencing).
Signed-off-by: Kees Cook <kees.cook@canonical.com>
tarball. Let's drop this from future tarball creation.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
tarballs and converts some of the common/Make.rules targets to get
version information from bzr. As part of this, the tarball generation
creates a .stamp_rev file in the common directory which contains both
the name of the bzr repo exported from as well as the revision.
slow) for getting a clean export of the source. But too many of the
packages make some assumptions that they're in a checked out svn tree
that a lot of the auto-rpm building infrastructure breaks. Use at your
own risk.
