On Tue, 08 Sep 2009, Jamie Strandboge wrote: > > [PATCH 6] > > patch_6_autoconf.patch: > > Updates Makefile.am and configure.in for AppArmor. It is based on and > > should operate the same as the SELinux configuration. > > -- Jamie Strandboge | http://www.canonical.com
diff -Nurp ./libvirt.orig/configure.in ./libvirt/configure.in
--- ./libvirt.orig/configure.in 2009-09-08 12:59:59.000000000 -0500
+++ ./libvirt/configure.in 2009-09-08 15:32:22.000000000 -0500
@@ -799,6 +799,84 @@ fi AM_CONDITIONAL([WITH_SECDRIVER_SELINUX], [test "$with_secdriver_selinux" != "no"]) +dnl AppArmor +AC_ARG_WITH([apparmor], + [ --with-apparmor use AppArmor to manage security], + [], + [with_apparmor=check]) + +APPARMOR_CFLAGS= +APPARMOR_LIBS= +if test "$with_apparmor" != "no"; then + old_cflags="$CFLAGS" + old_libs="$LIBS" + if test "$with_apparmor" = "check"; then + AC_CHECK_HEADER([sys/apparmor.h],[],[with_apparmor=no]) + AC_CHECK_LIB([apparmor], [aa_change_profile],[],[with_apparmor=no]) + AC_CHECK_LIB([apparmor], [aa_change_hat],[],[with_apparmor=no]) + if test "$with_apparmor" != "no"; then + with_apparmor="yes" + fi + else + fail=0 + AC_CHECK_HEADER([sys/apparmor.h],[],[fail=1]) + AC_CHECK_LIB([apparmor], [aa_change_profile],[],[fail=1]) + AC_CHECK_LIB([apparmor], [aa_change_hat],[],[fail=1]) + test $fail = 1 && + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt]) + fi + CFLAGS="$old_cflags" + LIBS="$old_libs" +fi +if test "$with_apparmor" = "yes"; then + APPARMOR_LIBS="-lapparmor" + AC_DEFINE_UNQUOTED([HAVE_APPARMOR], 1, [whether AppArmor is available for security]) + AC_DEFINE_UNQUOTED([APPARMOR_DIR], "/etc/apparmor.d", [path to apparmor directory]) + AC_DEFINE_UNQUOTED([APPARMOR_PROFILES_PATH], "/sys/kernel/security/apparmor/profiles", [path to kernel profiles]) + AC_DEFINE_UNQUOTED([VIRT_AA_HELPER_PATH], "$prefix/bin/virt-aa-helper", [path to virt-aa-helper]) +fi +AM_CONDITIONAL([HAVE_APPARMOR], [test "$with_apparmor" != "no"]) +AC_SUBST([APPARMOR_CFLAGS]) +AC_SUBST([APPARMOR_LIBS]) + + +AC_ARG_WITH([secdriver-apparmor], + [ --with-secdriver-apparmor use AppArmor security driver], + [], + [with_secdriver_apparmor=check]) + +if test "$with_apparmor" != "yes" ; then + if test "$with_secdriver_apparmor" = "check" ; then + with_secdriver_apparmor=no + else + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt]) + fi +else + old_cflags="$CFLAGS" + 
old_libs="$LIBS" + CFLAGS="$CFLAGS $APPARMOR_CFLAGS" + LIBS="$CFLAGS $APPARMOR_LIBS" + + fail=0 + AC_CHECK_FUNC([change_hat], [], [fail=1]) + AC_CHECK_FUNC([aa_change_profile], [], [fail=1]) + CFLAGS="$old_cflags" + LIBS="$old_libs" + + if test "$fail" = "1" ; then + if test "$with_secdriver_apparmor" = "check" ; then + with_secdriver_apparmor=no + else + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt]) + fi + else + with_secdriver_apparmor=yes + AC_DEFINE_UNQUOTED([WITH_SECDRIVER_APPARMOR], 1, [whether AppArmor security driver is available]) + fi +fi +AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"]) + + dnl NUMA lib AC_ARG_WITH([numactl], @@ -1706,6 +1784,7 @@ AC_MSG_NOTICE([]) AC_MSG_NOTICE([Security Drivers]) AC_MSG_NOTICE([]) AC_MSG_NOTICE([ SELinux: $with_secdriver_selinux]) +AC_MSG_NOTICE([ AppArmor: $with_secdriver_apparmor]) AC_MSG_NOTICE([]) AC_MSG_NOTICE([Driver Loadable Modules]) AC_MSG_NOTICE([]) @@ -1753,6 +1832,11 @@ AC_MSG_NOTICE([ selinux: $SELINUX_CFLAGS else AC_MSG_NOTICE([ selinux: no]) fi +if test "$with_apparmor" = "yes" ; then +AC_MSG_NOTICE([ apparmor: $APPARMOR_CFLAGS $APPARMOR_LIBS]) +else +AC_MSG_NOTICE([ apparmor: no]) +fi if test "$with_numactl" = "yes" ; then AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS]) else diff -Nurp ./libvirt.orig/src/Makefile.am ./libvirt/src/Makefile.am --- ./libvirt.orig/src/Makefile.am 2009-09-08 13:00:00.000000000 -0500 +++ ./libvirt/src/Makefile.am 2009-09-08 15:32:22.000000000 -0500 @@ -9,6 +9,7 @@ INCLUDES = \ $(LIBSSH2_CFLAGS) \ $(XEN_CFLAGS) \ $(SELINUX_CFLAGS) \ + $(APPARMOR_CFLAGS) \ $(DRIVER_MODULE_CFLAGS) \ -DLIBDIR=\""$(libdir)"\" \ -DBINDIR=\""$(libexecdir)"\" \ 
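Review bot: In the `--with-secdriver-apparmor` probe of the configure.in hunk, `LIBS="$CFLAGS $APPARMOR_LIBS"` replaces the existing linker list with compiler flags, and `AC_CHECK_FUNC([change_hat], ...)` tests a different symbol from the `aa_change_hat` that `AC_CHECK_LIB` looked for a few lines earlier. If either probe fails in the default `check` mode, the driver is set to `no` with no error, so a host that has libapparmor can end up with a build that lacks the AppArmor security driver, and only the summary line shows it. I would write `LIBS="$LIBS $APPARMOR_LIBS"` and `AC_CHECK_FUNC([aa_change_hat], [], [fail=1])`. The same block tests only for the value `check`, so an explicit `--without-secdriver-apparmor` hits `AC_MSG_ERROR` when AppArmor is absent and is overwritten with `yes` when it is present; a `test "$with_secdriver_apparmor" = "no"` guard ahead of the probes would honour the request.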
@@ -216,6 +217,8 @@ SECURITY_DRIVER_SOURCES = \ SECURITY_DRIVER_SELINUX_SOURCES = \ security_selinux.h security_selinux.c +SECURITY_DRIVER_APPARMOR_SOURCES = \ + security_apparmor.h security_apparmor.c NODE_DEVICE_DRIVER_SOURCES = \ node_device.c node_device.h @@ -527,6 +530,9 @@ libvirt_la_LIBADD += libvirt_driver_secu if WITH_SECDRIVER_SELINUX libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_SELINUX_SOURCES) endif +if WITH_SECDRIVER_APPARMOR +libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_APPARMOR_SOURCES) +endif # Add all conditional sources just in case... EXTRA_DIST += \ @@ -615,7 +621,7 @@ libvirt_la_LIBADD += \ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)libvirt.syms \ -version-info @LIBVIRT_VERSION_INFO@ \ $(COVERAGE_CFLAGS:-f%=-Wc,-f%) \ - $(LIBXML_LIBS) $(SELINUX_LIBS) \ + $(LIBXML_LIBS) $(SELINUX_LIBS) $(APPARMOR_LIBS) \ $(XEN_LIBS) $(DRIVER_MODULE_LIBS) \ $(DEVMAPPER_LIBS) \ @CYGWIN_EXTRA_LDFLAGS@ @MINGW_EXTRA_LDFLAGS@ @@ -654,6 +660,23 @@ virsh_LDADD = \ ../gnulib/lib/libgnu.la \ $(VIRSH_LIBS) virsh_CFLAGS = $(COVERAGE_CFLAGS) $(READLINE_CFLAGS) $(NUMACTL_CFLAGS) + +if WITH_SECDRIVER_APPARMOR +bin_PROGRAMS += virt-aa-helper + +virt_aa_helper_SOURCES = \ + virt-aa-helper.c + +virt_aa_helper_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDFLAGS) +virt_aa_helper_LDADD = \ + $(STATIC_BINARIES) \ + $(WARN_CFLAGS) \ + libvirt.la \ + ../gnulib/lib/libgnu.la \ + $(VIRSH_LIBS) +virt_aa_helper_CFLAGS = $(COVERAGE_CFLAGS) +endif + BUILT_SOURCES = virsh-net-edit.c virsh-pool-edit.c libvirt.syms virsh-net-edit.c: virsh.c Makefile.am
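Review bot: `bin_PROGRAMS += virt-aa-helper` installs the helper into `$(bindir)`, but the configure.in part of this patch fixes `VIRT_AA_HELPER_PATH` to `"$prefix/bin/virt-aa-helper"` with `AC_DEFINE_UNQUOTED`, which is expanded while configure runs. Unless configure.in sets it earlier, `$prefix` is still `NONE` at that point when `--prefix` is not passed, and a `--bindir` override is never reflected, so the path compiled into the security driver can differ from the installed binary or even be a relative one. For a helper that is presumably executed by the daemon, I would drop that `AC_DEFINE_UNQUOTED` and pass the location from this file instead, e.g. `-DVIRT_AA_HELPER_PATH=\""$(bindir)/virt-aa-helper"\"` next to the existing `-DBINDIR` entry in `INCLUDES`. The `virt_aa_helper_LDADD` list also reuses `$(VIRSH_LIBS)`, which looks copied from the virsh rule above; if the helper does not need those libraries, leaving them out keeps less code linked into a security helper.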