Merge #8897: AppArmor updates

Vladimír Čunát 2015-09-17 21:21:44 +02:00
commit f2d03ee0d0
4 changed files with 166 additions and 302 deletions


@ -1,183 +0,0 @@
{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, perl, which
, glibc, flex, bison, python27, swig, dbus, pam
}:
let
apparmor-series = "2.9";
apparmor-patchver = "2";
apparmor-version = "${apparmor-series}.${apparmor-patchver}";
apparmor-meta = component: with stdenv.lib; {
homepage = http://apparmor.net/;
description = "Linux application security system - ${component}";
license = licenses.gpl2;
maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
platforms = platforms.linux;
};
apparmor-sources = fetchurl {
url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
sha256 = "1mayly7d7w959fya7z8q6kab2x3jcwhqhkpx36jsvpjhxkhmc4fh";
};
prePatchCommon = ''
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
'';
libapparmor = stdenv.mkDerivation {
name = "libapparmor-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
autoconf
automake
bison
flex
dbus # requires patch to dbus ...
glibc
libtool
perl
pkgconfig
python27
swig
which
];
prePatch = prePatchCommon + ''
substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
'';
buildPhase = ''
cd ./libraries/libapparmor
./autogen.sh
./configure --prefix="$out" --with-python --with-perl
make
'';
installPhase = ''
make install
'';
meta = apparmor-meta "library";
};
apparmor-utils = stdenv.mkDerivation {
name = "apparmor-utils-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
python27
libapparmor
which
];
prePatch = prePatchCommon;
buildPhase = ''
cd ./utils
make LANGS=""
'';
installPhase = ''
make install LANGS="" DESTDIR="$out" BINDIR="$out/bin" VIM_INSTALL_PATH="$out/share" PYPREFIX=""
'';
meta = apparmor-meta "user-land utilities";
};
apparmor-parser = stdenv.mkDerivation {
name = "apparmor-parser-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
libapparmor
bison
flex
which
];
prePatch = prePatchCommon + ''
substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
## techdoc.pdf still doesn't build ...
substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
'';
buildPhase = ''
cd ./parser
make LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include
'';
installPhase = ''
make install LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include DESTDIR="$out" DISTRO="unknown"
'';
meta = apparmor-meta "rule parser";
};
apparmor-pam = stdenv.mkDerivation {
name = "apparmor-pam-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
libapparmor
pam
pkgconfig
which
];
buildPhase = ''
cd ./changehat/pam_apparmor
make USE_SYSTEM=1
'';
installPhase = ''
make install DESTDIR="$out"
'';
meta = apparmor-meta "PAM service";
};
apparmor-profiles = stdenv.mkDerivation {
name = "apparmor-profiles-${apparmor-version}";
src = apparmor-sources;
buildInputs = [ which ];
buildPhase = ''
cd ./profiles
make
'';
installPhase = ''
make install DESTDIR="$out" EXTRAS_DEST="$out/share/apparmor/extra-profiles"
'';
meta = apparmor-meta "profiles";
};
apparmor-kernel-patches = stdenv.mkDerivation {
name = "apparmor-kernel-patches-${apparmor-version}";
src = apparmor-sources;
phases = ''unpackPhase installPhase'';
installPhase = ''
mkdir "$out"
cp -R ./kernel-patches "$out"
'';
meta = apparmor-meta "kernel patches";
};
in
{
inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
apparmor-profiles apparmor-kernel-patches;
}


@ -1,16 +0,0 @@
Description: allow parser to build even when not on Linux.
Author: Kees Cook <kees@debian.org>
Index: apparmor-debian/common/Make.rules
===================================================================
--- apparmor-debian.orig/common/Make.rules 2012-05-05 14:41:25.967259523 -0700
+++ apparmor-debian/common/Make.rules 2012-05-05 14:41:28.451291053 -0700
@@ -160,7 +160,7 @@
CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
+list_capabilities:
@echo "$(CAPABILITIES)"
# =====================


@ -1,98 +1,167 @@
{ stdenv, fetchurl
, autoconf, automake, libtool, makeWrapper
, perl, bison, flex, glibc, gettext, which, rpm, LocaleGettext
, bash, pam, TermReadKey, RpcXML, swig, python}:
stdenv.mkDerivation rec {
{ stdenv, fetchurl, makeWrapper, autoconf, autoreconfHook, automake, libtool, pkgconfig, perl, which
, glibc, flex, bison, python27Packages, swig, pam
}:
name = "apparmor-${version}";
version = "2.8.4";
let
apparmor-series = "2.10";
apparmor-version = apparmor-series;
src = fetchurl {
url = "http://launchpad.net/apparmor/2.8/${version}/+download/${name}.tar.gz";
sha256 = "1mki4c44ljmr7dpn55grzn33929kdjx149jx00s80yp1war83jwq";
};
buildInputs = [
autoconf automake libtool perl bison flex gettext which rpm
LocaleGettext pam TermReadKey RpcXML swig makeWrapper python ];
prePatch = ''
substituteInPlace libraries/libapparmor/src/Makefile.in --replace "/usr/include" "${glibc}/include"
substituteInPlace libraries/libapparmor/src/Makefile.am --replace "/usr/include" "${glibc}/include"
substituteInPlace common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
substituteInPlace common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
substituteInPlace common/Make.rules --replace "cpp -dM" "cpp -dM -I${glibc}/include"
substituteInPlace parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
substituteInPlace parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
substituteInPlace parser/Makefile --replace "/usr/include/bits/socket.h" "${glibc}/include/bits/socket.h"
substituteInPlace parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
#substituteInPlace parser/utils/vim/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
# for some reason pdf documentation doesn't build
substituteInPlace parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
substituteInPlace parser/tst/gen-xtrans.pl --replace "/usr/bin/perl" "${perl}/bin/perl"
substituteInPlace parser/tst/Makefile --replace "/usr/bin/prove" "${perl}/bin/prove"
substituteInPlace parser/tst/Makefile --replace "./caching.sh" "${bash}/bin/bash ./caching.sh"
'';
patches = ./capability.patch;
buildPhase =''
PERL5LIB=$PERL5LIB:$out/lib/perl5/site_perl:$out/lib
cd libraries/libapparmor
./autogen.sh
./configure --prefix=$out --with-perl # see below
make
make check
make install
mkdir -p $out/lib/perl5/site_perl/
cp swig/perl/LibAppArmor.pm $out/lib/perl5/site_perl/
cp swig/perl/LibAppArmor.bs $out/lib/perl5/site_perl/
# this is automatically copied elsewhere....
cd ../../utils
make
make install DESTDIR=$out BINDIR=$out/bin VENDOR_PERL=/lib/perl5/site_perl
cd ../parser
make
make install DESTDIR=$out DISTRO=unknown
# cd ../changehat/mod_apparmor
# make # depends on libapparmor having been built first
# make install
cd ../changehat/pam_apparmor
make # depends on libapparmor having been built first
make install DESTDIR=$out
cd ../../profiles
LD_LIBRARY_PATH=$out/lib make
#LD_LIBRARY_PATH=$out/lib make check # depends on the parser having been built first
make install DESTDIR=$out
cd ..
cp -r kernel-patches $out
'';
installPhase = let
perlVersion = (builtins.parseDrvName perl.name).version;
in ''
for i in $out/bin/*; do
wrapProgram $i --prefix PERL5LIB : \
"$PERL5LIB:$out/lib/perl5/${perlVersion}/${stdenv.system}-thread-multi/"
done
'';
meta = with stdenv.lib; {
apparmor-meta = component: with stdenv.lib; {
homepage = http://apparmor.net/;
description = "Linux application security system";
description = "Linux application security system - ${component}";
license = licenses.gpl2;
maintainers = [ maintainers.phreedom maintainers.thoughtpolice ];
maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
platforms = platforms.linux;
};
}
apparmor-sources = fetchurl {
url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
sha256 = "1x06qmmbha9krx7880pxj2k3l8fxy3nm945xjjv735m2ax1243jd";
};
prePatchCommon = ''
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
'';
libapparmor = stdenv.mkDerivation {
name = "libapparmor-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
autoconf
automake
autoreconfHook
bison
flex
glibc
libtool
perl
pkgconfig
python27Packages.python
swig
which
];
# required to build apparmor-parser
dontDisableStatic = true;
prePatch = prePatchCommon + ''
substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
'';
postPatch = "cd ./libraries/libapparmor";
configureFlags = "--with-python --with-perl";
meta = apparmor-meta "library";
};
apparmor-utils = stdenv.mkDerivation {
name = "apparmor-utils-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
perl
python27Packages.python
python27Packages.readline
libapparmor
makeWrapper
which
];
prePatch = prePatchCommon;
postPatch = "cd ./utils";
makeFlags = ''LANGS='';
installFlags = ''DESTDIR=$(out) BINDIR=$(out)/bin VIM_INSTALL_PATH=$(out)/share PYPREFIX='';
postInstall = ''
for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python27Packages.python.libPrefix}/site-packages:$PYTHONPATH"
done
for prog in aa-exec aa-notify ; do
wrapProgram $out/bin/$prog --prefix PERL5LIB : "${libapparmor}/lib/perl5:$PERL5LIB"
done
'';
meta = apparmor-meta "user-land utilities";
};
apparmor-parser = stdenv.mkDerivation {
name = "apparmor-parser-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
libapparmor
bison
flex
which
];
prePatch = prePatchCommon + ''
substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
## techdoc.pdf still doesn't build ...
substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
'';
postPatch = "cd ./parser";
makeFlags = ''LANGS= USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include'';
installFlags = ''DESTDIR=$(out) DISTRO=unknown'';
meta = apparmor-meta "rule parser";
};
apparmor-pam = stdenv.mkDerivation {
name = "apparmor-pam-${apparmor-version}";
src = apparmor-sources;
buildInputs = [
libapparmor
pam
pkgconfig
which
];
postPatch = "cd ./changehat/pam_apparmor";
makeFlags = ''USE_SYSTEM=1'';
installFlags = ''DESTDIR=$(out)'';
meta = apparmor-meta "PAM service";
};
apparmor-profiles = stdenv.mkDerivation {
name = "apparmor-profiles-${apparmor-version}";
src = apparmor-sources;
buildInputs = [ which ];
postPatch = "cd ./profiles";
installFlags = ''DESTDIR=$(out) EXTRAS_DEST=$(out)/share/apparmor/extra-profiles'';
meta = apparmor-meta "profiles";
};
apparmor-kernel-patches = stdenv.mkDerivation {
name = "apparmor-kernel-patches-${apparmor-version}";
src = apparmor-sources;
phases = ''unpackPhase installPhase'';
installPhase = ''
mkdir "$out"
cp -R ./kernel-patches "$out"
'';
meta = apparmor-meta "kernel patches";
};
in
{
inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
apparmor-profiles apparmor-kernel-patches;
}
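Review bot: The wrappers generated in apparmor-utils' postInstall expand `$PYTHONPATH` and `$PERL5LIB` in the build shell (the `''…''` Nix string leaves unbraced `$VAR` to the shell), so whatever those variables hold inside the build sandbox is baked verbatim into the installed wrapper scripts, while `--prefix` already preserves the caller's runtime value on its own. If the intent is to pick up the `python27Packages.readline` site-packages that the Python setup hook appears to place on the build-time PYTHONPATH, that dependency should be named explicitly, e.g. `--prefix PYTHONPATH : "$out/lib/${python27Packages.python.libPrefix}/site-packages:${python27Packages.readline}/lib/${python27Packages.python.libPrefix}/site-packages"`, so the wrapper contents are reproducible and reviewable rather than inherited from the environment; otherwise the trailing `:$PYTHONPATH` and `:$PERL5LIB` can simply be dropped. The same applies to the aa-exec/aa-notify loop that follows. Whether the utils Makefile installs scripts beyond the eleven listed in the first loop is not visible here; any it does install would go unwrapped, so a comment stating that the list must track the Makefile's install targets would help the next maintainer.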


@ -9291,18 +9291,12 @@ let
microcodeIntel = callPackage ../os-specific/linux/microcode/intel.nix { };
apparmor = callPackage ../os-specific/linux/apparmor {
inherit (perlPackages) LocaleGettext TermReadKey RpcXML;
bison = bison2;
perl = perl516; # ${perl}/.../CORE/handy.h:124:34: error: 'bool' undeclared
};
apparmor_2_9 = callPackage ../os-specific/linux/apparmor/2.9 { };
libapparmor = apparmor_2_9.libapparmor;
apparmor-pam = apparmor_2_9.apparmor-pam;
apparmor-parser = apparmor_2_9.apparmor-parser;
apparmor-profiles = apparmor_2_9.apparmor-profiles;
apparmor-utils = apparmor_2_9.apparmor-utils;
apparmor = callPackage ../os-specific/linux/apparmor { swig = swig2; };
libapparmor = apparmor.libapparmor;
apparmor-pam = apparmor.apparmor-pam;
apparmor-parser = apparmor.apparmor-parser;
apparmor-profiles = apparmor.apparmor-profiles;
apparmor-utils = apparmor.apparmor-utils;
atop = callPackage ../os-specific/linux/atop { };