1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
#
# ------------------------------------------------------------------
# Makefile for LSM-based AppArmor profiles
NAME=apparmor-profiles
ALL: local
COMMONDIR=../common/
include common/Make.rules
COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
ifeq ($(COMMONDIR_EXISTS), true)
common/Make.rules: $(COMMONDIR)/Make.rules
ln -sf $(COMMONDIR) .
endif
DESTDIR=/
PROFILES_DEST=${DESTDIR}/etc/apparmor.d
EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles/
PROFILES_SOURCE=./apparmor.d
EXTRAS_SOURCE=./apparmor/profiles/extras/
SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
local:
for profile in ${TOPLEVEL_PROFILES}; do \
fn=$$(basename $$profile); \
echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \
grep "include[[:space:]]\\+<local/$$fn>" "$$profile" >/dev/null || { echo "$$profile doesn't contain #include <local/$$fn>" ; exit 1; } ; \
done; \
.PHONY: install
install: local
install -m 755 -d ${PROFILES_DEST}
install -m 755 -d ${PROFILES_DEST}/disable
for dir in ${SUBDIRS} ; do \
install -m 755 -d "${PROFILES_DEST}/$${dir#${PROFILES_SOURCE}}" ; \
done
for file in $$(find ${PROFILES_SOURCE} -type f -print) ; do \
install -m 644 "$${file}" "${PROFILES_DEST}/$$(dirname $${file#${PROFILES_SOURCE}})" ; \
done
install -m 755 -d ${EXTRAS_DEST}
install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*))
.PHONY: clean
clean:
-rm -f $(NAME)-$(VERSION)*.tar.gz Make.rules ${LOCAL_ADDITIONS} common
ifndef VERBOSE
Q=@
else
Q=
endif
ifndef PARSER
# use system parser
PARSER=../parser/apparmor_parser
endif
ifndef LOGPROF
# use ../utils logprof
LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
endif
IGNORE_FILES=${EXTRAS_SOURCE}/README
CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
# check-logprof is disabled here because it has not kept up with
# advances in the apparmor policy language. Re-enable when it is
# updated.
.PHONY: check
check: check-parser
.PHONY: check-parser
check-parser:
@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
$(Q)for profile in ${CHECK_PROFILES} ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \
done
.PHONY: check-logprof
check-logprof:
@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
|