On Tue, Sep 08, 2009 at 04:23:34PM -0500, Jamie Strandboge wrote: > On Tue, 08 Sep 2009, Jamie Strandboge wrote: > > > > [PATCH 6] > > > patch_6_autoconf.patch: > > > Updates Makefile.am and configure.in for AppArmor. It is based on and > > > should operate the same as the SELinux configuration. > > > > > -- > Jamie Strandboge | http://www.canonical.com
> diff -Nurp ./libvirt.orig/configure.in ./libvirt/configure.in
> --- ./libvirt.orig/configure.in 2009-09-08 12:59:59.000000000 -0500
> +++ ./libvirt/configure.in 2009-09-08 15:32:22.000000000 -0500
> @@ -799,6 +799,84 @@ fi
> AM_CONDITIONAL([WITH_SECDRIVER_SELINUX], [test "$with_secdriver_selinux" != "no"])
>
>
> +dnl AppArmor
> +AC_ARG_WITH([apparmor],
> + [ --with-apparmor use AppArmor to manage security],
> + [],
> + [with_apparmor=check])
> +
> +APPARMOR_CFLAGS=
> +APPARMOR_LIBS=
> +if test "$with_apparmor" != "no"; then
> + old_cflags="$CFLAGS"
> + old_libs="$LIBS"
> + if test "$with_apparmor" = "check"; then
> + AC_CHECK_HEADER([sys/apparmor.h],[],[with_apparmor=no])
> + AC_CHECK_LIB([apparmor], [aa_change_profile],[],[with_apparmor=no])
> + AC_CHECK_LIB([apparmor], [aa_change_hat],[],[with_apparmor=no])
> + if test "$with_apparmor" != "no"; then
> + with_apparmor="yes"
> + fi
> + else
> + fail=0
> + AC_CHECK_HEADER([sys/apparmor.h],[],[fail=1])
> + AC_CHECK_LIB([apparmor], [aa_change_profile],[],[fail=1])
> + AC_CHECK_LIB([apparmor], [aa_change_hat],[],[fail=1])
> + test $fail = 1 &&
> + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> + fi
> + CFLAGS="$old_cflags"
> + LIBS="$old_libs"
> +fi
> +if test "$with_apparmor" = "yes"; then
> + APPARMOR_LIBS="-lapparmor"
> + AC_DEFINE_UNQUOTED([HAVE_APPARMOR], 1, [whether AppArmor is available for security])
> + AC_DEFINE_UNQUOTED([APPARMOR_DIR], "/etc/apparmor.d", [path to apparmor directory])
> + AC_DEFINE_UNQUOTED([APPARMOR_PROFILES_PATH], "/sys/kernel/security/apparmor/profiles", [path to kernel profiles])
> + AC_DEFINE_UNQUOTED([VIRT_AA_HELPER_PATH], "$prefix/bin/virt-aa-helper", [path to virt-aa-helper])
> +fi
> +AM_CONDITIONAL([HAVE_APPARMOR], [test "$with_apparmor" != "no"])
> +AC_SUBST([APPARMOR_CFLAGS])
> +AC_SUBST([APPARMOR_LIBS])
> +
> +
> +AC_ARG_WITH([secdriver-apparmor],
> + [ --with-secdriver-apparmor use AppArmor security driver],
> + [],
> + [with_secdriver_apparmor=check])
> +
> +if test "$with_apparmor" != "yes" ; then
> + if test "$with_secdriver_apparmor" = "check" ; then
> + with_secdriver_apparmor=no
> + else
> + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> + fi
> +else
> + old_cflags="$CFLAGS"
> + old_libs="$LIBS"
> + CFLAGS="$CFLAGS $APPARMOR_CFLAGS"
> + LIBS="$CFLAGS $APPARMOR_LIBS"
> +
> + fail=0
> + AC_CHECK_FUNC([change_hat], [], [fail=1])
> + AC_CHECK_FUNC([aa_change_profile], [], [fail=1])
> + CFLAGS="$old_cflags"
> + LIBS="$old_libs"
> +
> + if test "$fail" = "1" ; then
> + if test "$with_secdriver_apparmor" = "check" ; then
> + with_secdriver_apparmor=no
> + else
> + AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> + fi
> + else
> + with_secdriver_apparmor=yes
> + AC_DEFINE_UNQUOTED([WITH_SECDRIVER_APPARMOR], 1, [whether AppArmor security driver is available])
> + fi
> +fi
> +AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"])
> +
> +
>
> dnl NUMA lib
> AC_ARG_WITH([numactl],
> @@ -1706,6 +1784,7 @@ AC_MSG_NOTICE([])
> AC_MSG_NOTICE([Security Drivers])
> AC_MSG_NOTICE([])
> AC_MSG_NOTICE([ SELinux: $with_secdriver_selinux])
> +AC_MSG_NOTICE([ AppArmor: $with_secdriver_apparmor])
> AC_MSG_NOTICE([])
> AC_MSG_NOTICE([Driver Loadable Modules])
> AC_MSG_NOTICE([])
> @@ -1753,6 +1832,11 @@ AC_MSG_NOTICE([ selinux: $SELINUX_CFLAGS
> else
> AC_MSG_NOTICE([ selinux: no])
> fi
> +if test "$with_apparmor" = "yes" ; then
> +AC_MSG_NOTICE([ apparmor: $APPARMOR_CFLAGS $APPARMOR_LIBS])
> +else
> +AC_MSG_NOTICE([ apparmor: no])
> +fi
> if test "$with_numactl" = "yes" ; then
> AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS])
> else
> diff -Nurp ./libvirt.orig/src/Makefile.am ./libvirt/src/Makefile.am
> --- ./libvirt.orig/src/Makefile.am 2009-09-08 13:00:00.000000000 -0500
> +++ ./libvirt/src/Makefile.am 2009-09-08 15:32:22.000000000 -0500
> @@ -9,6 +9,7 @@ INCLUDES = \
> $(LIBSSH2_CFLAGS) \
> $(XEN_CFLAGS) \
> $(SELINUX_CFLAGS) \
> + $(APPARMOR_CFLAGS) \
> $(DRIVER_MODULE_CFLAGS) \
> -DLIBDIR=\""$(libdir)"\" \
> -DBINDIR=\""$(libexecdir)"\" \
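Review bot: `LIBS="$CFLAGS $APPARMOR_LIBS"` in the secdriver-apparmor branch puts the compiler flags into the link line and drops the libraries that were just saved in `old_libs`; it should read `LIBS="$LIBS $APPARMOR_LIBS"`, mirroring the `CFLAGS` assignment directly above it. In the same branch `AC_CHECK_FUNC([change_hat], [], [fail=1])` probes the unprefixed legacy name while the detection block earlier in this hunk checks `aa_change_hat`; with the default `--with-secdriver-apparmor=check`, a libapparmor that only exports the `aa_` names would make the driver drop out silently, so probing `aa_change_hat` in both places looks safer. Separately, `AC_DEFINE_UNQUOTED([VIRT_AA_HELPER_PATH], "$prefix/bin/virt-aa-helper", ...)` bakes a path from `$prefix`, which at this point of configure is still the placeholder `NONE` when no --prefix was given, and which ignores --exec-prefix/--bindir, so the daemon can be built with a helper path that does not match where the helper is installed. The Makefile already passes `-DBINDIR=\""$(libexecdir)"\"` through INCLUDES, and the helper path is best supplied the same way at make time.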
> @@ -216,6 +217,8 @@ SECURITY_DRIVER_SOURCES = \
> SECURITY_DRIVER_SELINUX_SOURCES = \
> security_selinux.h security_selinux.c
>
> +SECURITY_DRIVER_APPARMOR_SOURCES = \
> + security_apparmor.h security_apparmor.c
>
> NODE_DEVICE_DRIVER_SOURCES = \
> node_device.c node_device.h
> @@ -527,6 +530,9 @@ libvirt_la_LIBADD += libvirt_driver_secu
> if WITH_SECDRIVER_SELINUX
> libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_SELINUX_SOURCES)
> endif
> +if WITH_SECDRIVER_APPARMOR
> +libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_APPARMOR_SOURCES)
> +endif
>
> # Add all conditional sources just in case...
> EXTRA_DIST += \
> @@ -615,7 +621,7 @@ libvirt_la_LIBADD += \
> libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)libvirt.syms \
> -version-info @LIBVIRT_VERSION_INFO@ \
> $(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
> - $(LIBXML_LIBS) $(SELINUX_LIBS) \
> + $(LIBXML_LIBS) $(SELINUX_LIBS) $(APPARMOR_LIBS) \
> $(XEN_LIBS) $(DRIVER_MODULE_LIBS) \
> $(DEVMAPPER_LIBS) \
> @CYGWIN_EXTRA_LDFLAGS@ @MINGW_EXTRA_LDFLAGS@
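Review bot: The new `if WITH_SECDRIVER_APPARMOR` block compiles `$(SECURITY_DRIVER_APPARMOR_SOURCES)` only conditionally, and the `EXTRA_DIST += \` list that follows as trailing context is, per the `# Add all conditional sources just in case...` comment, where this file lists such sources so they reach the distribution tarball; its entries lie outside the hunk, so it is not visible whether the AppArmor list was added. If the SELinux list is present there, `$(SECURITY_DRIVER_APPARMOR_SOURCES) \` should be appended beside it; otherwise a tarball rolled on a host without the AppArmor headers would ship without security_apparmor.[ch] and fail to build elsewhere.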
> @@ -654,6 +660,23 @@ virsh_LDADD = \
> ../gnulib/lib/libgnu.la \
> $(VIRSH_LIBS)
> virsh_CFLAGS = $(COVERAGE_CFLAGS) $(READLINE_CFLAGS) $(NUMACTL_CFLAGS)
> +
> +if WITH_SECDRIVER_APPARMOR
> +bin_PROGRAMS += virt-aa-helper
> +
> +virt_aa_helper_SOURCES = \
> + virt-aa-helper.c
> +
> +virt_aa_helper_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDFLAGS)
> +virt_aa_helper_LDADD = \
> + $(STATIC_BINARIES) \
> + $(WARN_CFLAGS) \
> + libvirt.la \
> + ../gnulib/lib/libgnu.la \
> + $(VIRSH_LIBS)
> +virt_aa_helper_CFLAGS = $(COVERAGE_CFLAGS)
> +endif
> +
> BUILT_SOURCES = virsh-net-edit.c virsh-pool-edit.c libvirt.syms
>
> virsh-net-edit.c: virsh.c Makefile.am

ACK, though again this patch needs to be adjusted wrt the others, since earlier patches look like they have build time depends on this one. It is probably counter-productive to try & split up this series since it is all one big feature. Probably just have the first generic cleanup, then the apparmour implementation, and then the documentation patch

Regards, Daniel
-- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
-- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
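Review bot: `bin_PROGRAMS += virt-aa-helper` installs the helper under `$(bindir)`, i.e. `${exec_prefix}/bin`, whereas the configure.in part of this patch compiles `$prefix/bin/virt-aa-helper` into `VIRT_AA_HELPER_PATH`; the two diverge whenever --exec-prefix or --bindir is given, and the daemon would then exec a path that does not exist. If the helper is only meant to be launched by libvirtd, as its name suggests, `libexec_PROGRAMS` is the conventional primary, and defining the path beside the existing `-DBINDIR=\""$(libexecdir)"\"` in INCLUDES, e.g. `-DVIRT_AA_HELPER_PATH=\""$(libexecdir)/virt-aa-helper"\"`, keeps the compiled-in path and the install location in one place. `virt_aa_helper_LDADD` also lists `$(WARN_CFLAGS)`, a compiler-flag variable rather than a library; it is probably copied from the virsh rules, but it does not belong in LDADD.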