[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Resubmission: [PATCH 6/6] sVirt AppArmor security driver



On Tue, 08 Sep 2009, Jamie Strandboge wrote:

> > [PATCH 6]
> > patch_6_autoconf.patch:
> > Updates Makefile.am and configure.in for AppArmor. It is based on and
> > should operate the same as the SELinux configuration.
> > 

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Nurp ./libvirt.orig/configure.in ./libvirt/configure.in
--- ./libvirt.orig/configure.in	2009-09-08 12:59:59.000000000 -0500
+++ ./libvirt/configure.in	2009-09-08 15:32:22.000000000 -0500
@@ -799,6 +799,84 @@ fi
 AM_CONDITIONAL([WITH_SECDRIVER_SELINUX], [test "$with_secdriver_selinux" != "no"])
 
 
+dnl AppArmor
+AC_ARG_WITH([apparmor],
+  [  --with-apparmor        use AppArmor to manage security],
+  [],
+  [with_apparmor=check])
+
+APPARMOR_CFLAGS=
+APPARMOR_LIBS=
+if test "$with_apparmor" != "no"; then
+  old_cflags="$CFLAGS"
+  old_libs="$LIBS"
+  if test "$with_apparmor" = "check"; then
+    AC_CHECK_HEADER([sys/apparmor.h],[],[with_apparmor=no])
+    AC_CHECK_LIB([apparmor], [aa_change_profile],[],[with_apparmor=no])
+    AC_CHECK_LIB([apparmor], [aa_change_hat],[],[with_apparmor=no])
+    if test "$with_apparmor" != "no"; then
+      with_apparmor="yes"
+    fi
+  else
+    fail=0
+    AC_CHECK_HEADER([sys/apparmor.h],[],[fail=1])
+    AC_CHECK_LIB([apparmor], [aa_change_profile],[],[fail=1])
+    AC_CHECK_LIB([apparmor], [aa_change_hat],[],[fail=1])
+    test $fail = 1 &&
+      AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
+  fi
+  CFLAGS="$old_cflags"
+  LIBS="$old_libs"
+fi
+if test "$with_apparmor" = "yes"; then
+  APPARMOR_LIBS="-lapparmor"
+  AC_DEFINE_UNQUOTED([HAVE_APPARMOR], 1, [whether AppArmor is available for security])
+  AC_DEFINE_UNQUOTED([APPARMOR_DIR], "/etc/apparmor.d", [path to apparmor directory])
+  AC_DEFINE_UNQUOTED([APPARMOR_PROFILES_PATH], "/sys/kernel/security/apparmor/profiles", [path to kernel profiles])
+  AC_DEFINE_UNQUOTED([VIRT_AA_HELPER_PATH], "$prefix/bin/virt-aa-helper", [path to virt-aa-helper])
+fi
+AM_CONDITIONAL([HAVE_APPARMOR], [test "$with_apparmor" != "no"])
+AC_SUBST([APPARMOR_CFLAGS])
+AC_SUBST([APPARMOR_LIBS])
+
+
+AC_ARG_WITH([secdriver-apparmor],
+  [  --with-secdriver-apparmor         use AppArmor security driver],
+  [],
+  [with_secdriver_apparmor=check])
+
+if test "$with_apparmor" != "yes" ; then
+  if test "$with_secdriver_apparmor" = "check" ; then
+    with_secdriver_apparmor=no
+  else
+    AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
+  fi
+else
+  old_cflags="$CFLAGS"
+  old_libs="$LIBS"
+  CFLAGS="$CFLAGS $APPARMOR_CFLAGS"
+  LIBS="$CFLAGS $APPARMOR_LIBS"
+
+  fail=0
+  AC_CHECK_FUNC([change_hat], [], [fail=1])
+  AC_CHECK_FUNC([aa_change_profile], [], [fail=1])
+  CFLAGS="$old_cflags"
+  LIBS="$old_libs"
+
+  if test "$fail" = "1" ; then
+    if test "$with_secdriver_apparmor" = "check" ; then
+      with_secdriver_apparmor=no
+    else
+      AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
+    fi
+  else
+    with_secdriver_apparmor=yes
+    AC_DEFINE_UNQUOTED([WITH_SECDRIVER_APPARMOR], 1, [whether AppArmor security driver is available])
+  fi
+fi
+AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"])
+
+
 
 dnl NUMA lib
 AC_ARG_WITH([numactl],
@@ -1706,6 +1784,7 @@ AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Security Drivers])
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([ SELinux: $with_secdriver_selinux])
+AC_MSG_NOTICE([ AppArmor: $with_secdriver_apparmor])
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Driver Loadable Modules])
 AC_MSG_NOTICE([])
@@ -1753,6 +1832,11 @@ AC_MSG_NOTICE([ selinux: $SELINUX_CFLAGS
 else
 AC_MSG_NOTICE([ selinux: no])
 fi
+if test "$with_apparmor" = "yes" ; then
+AC_MSG_NOTICE([ apparmor: $APPARMOR_CFLAGS $APPARMOR_LIBS])
+else
+AC_MSG_NOTICE([ apparmor: no])
+fi
 if test "$with_numactl" = "yes" ; then
 AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS])
 else
diff -Nurp ./libvirt.orig/src/Makefile.am ./libvirt/src/Makefile.am
--- ./libvirt.orig/src/Makefile.am	2009-09-08 13:00:00.000000000 -0500
+++ ./libvirt/src/Makefile.am	2009-09-08 15:32:22.000000000 -0500
@@ -9,6 +9,7 @@ INCLUDES = \
 	   $(LIBSSH2_CFLAGS) \
 	   $(XEN_CFLAGS) \
 	   $(SELINUX_CFLAGS) \
+	   $(APPARMOR_CFLAGS) \
 	   $(DRIVER_MODULE_CFLAGS) \
 	   -DLIBDIR=\""$(libdir)"\" \
 	   -DBINDIR=\""$(libexecdir)"\" \
@@ -216,6 +217,8 @@ SECURITY_DRIVER_SOURCES =					\
 SECURITY_DRIVER_SELINUX_SOURCES =				\
 		security_selinux.h security_selinux.c
 
+SECURITY_DRIVER_APPARMOR_SOURCES =				\
+		security_apparmor.h security_apparmor.c
 
 NODE_DEVICE_DRIVER_SOURCES =					\
 		node_device.c node_device.h
@@ -527,6 +530,9 @@ libvirt_la_LIBADD += libvirt_driver_secu
 if WITH_SECDRIVER_SELINUX
 libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_SELINUX_SOURCES)
 endif
+if WITH_SECDRIVER_APPARMOR
+libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_APPARMOR_SOURCES)
+endif
 
 # Add all conditional sources just in case...
 EXTRA_DIST +=							\
@@ -615,7 +621,7 @@ libvirt_la_LIBADD += \
 libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)libvirt.syms \
                      -version-info @LIBVIRT_VERSION_INFO@ \
                     $(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
-                    $(LIBXML_LIBS) $(SELINUX_LIBS) \
+                    $(LIBXML_LIBS) $(SELINUX_LIBS) $(APPARMOR_LIBS) \
 		    $(XEN_LIBS) $(DRIVER_MODULE_LIBS) \
 		    $(DEVMAPPER_LIBS) \
 		    @CYGWIN_EXTRA_LDFLAGS@ @MINGW_EXTRA_LDFLAGS@
@@ -654,6 +660,23 @@ virsh_LDADD =							\
 		../gnulib/lib/libgnu.la				\
 		$(VIRSH_LIBS)
 virsh_CFLAGS = $(COVERAGE_CFLAGS) $(READLINE_CFLAGS) $(NUMACTL_CFLAGS)
+
+if WITH_SECDRIVER_APPARMOR
+bin_PROGRAMS += virt-aa-helper
+
+virt_aa_helper_SOURCES =					\
+	virt-aa-helper.c
+
+virt_aa_helper_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDFLAGS)
+virt_aa_helper_LDADD =						\
+		$(STATIC_BINARIES)				\
+		$(WARN_CFLAGS)					\
+		libvirt.la					\
+		../gnulib/lib/libgnu.la				\
+		$(VIRSH_LIBS)
+virt_aa_helper_CFLAGS = $(COVERAGE_CFLAGS)
+endif
+
 BUILT_SOURCES = virsh-net-edit.c virsh-pool-edit.c libvirt.syms
 
 virsh-net-edit.c: virsh.c Makefile.am

Attachment: signature.asc
Description: Digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]