linux/security/apparmor/Makefile

# Makefile for AppArmor Linux Security Module
#
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o

apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
              path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
              resource.o secid.o file.o policy_ns.o label.o mount.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

clean-files := capability_names.h rlim_names.h


# Build a lower case string table of capability names
# Transforms lines from
#    #define CAP_DAC_OVERRIDE     1
# to
#    [1] = "dac_override",
quiet_cmd_make-caps = GEN     $@
cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
	sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
	-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
	echo "};" >> $@ ;\
	printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\
	sed $< -r -n -e '/CAP_FS_MASK/d' \
	    -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
	     tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@


# Build a lower case string table of rlimit names.
# Transforms lines from
#    #define RLIMIT_STACK		3	/* max stack size */
# to
#    [RLIMIT_STACK] = "stack",
#
# and build a second integer table (with the second sed cmd), that maps
# RLIMIT defines to the order defined in asm-generic/resource.h  This is
# required by policy load to map policy ordering of RLIMITs to internal
# ordering for architectures that redefine an RLIMIT.
# Transforms lines from
#    #define RLIMIT_STACK		3	/* max stack size */
# to
# RLIMIT_STACK, 
#
# and build the securityfs entries for the mapping.
# Transforms lines from
#    #define RLIMIT_FSIZE        1   /* Maximum filesize */
#    #define RLIMIT_STACK		3	/* max stack size */
# to
# #define AA_SFS_RLIMIT_MASK "fsize stack"
quiet_cmd_make-rlim = GEN     $@
cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
	> $@ ;\
	sed $< >> $@ -r -n \
	    -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
	echo "};" >> $@ ;\
	echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
	echo "};" >> $@ ; \
	printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\
	sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \
	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@

$(obj)/capability.o : $(obj)/capability_names.h
$(obj)/resource.o : $(obj)/rlim_names.h
$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
			    $(src)/Makefile
	$(call cmd,make-caps)
$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
		      $(src)/Makefile
	$(call cmd,make-rlim)
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00			`# Makefile for AppArmor Linux Security Module`
			`#`
			`obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o`

			`apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \`
			`path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \`
apparmor: add mount mediation Add basic mount mediation. That allows controlling based on basic mount parameters. It does not include special mount parameters for apparmor, super block labeling, or any triggers for apparmor namespace parameter modifications on pivot root. default userspace policy rules have the form of MOUNT RULE = ( MOUNT \| REMOUNT \| UMOUNT ) MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ] [ '->' MOUNTPOINT FILEGLOB ] REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB MOUNT CONDITIONS = [ ( 'fstype' \| 'vfstype' ) ( '=' \| 'in' ) MOUNT FSTYPE EXPRESSION ] [ 'options' ( '=' \| 'in' ) MOUNT FLAGS EXPRESSION ] MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST \| MOUNT EXPRESSION ) MOUNT FSTYPE LIST = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, etc) MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST \| MOUNT EXPRESSION ) MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS. MOUNT FLAGS = ( 'ro' \| 'rw' \| 'nosuid' \| 'suid' \| 'nodev' \| 'dev' \| 'noexec' \| 'exec' \| 'sync' \| 'async' \| 'remount' \| 'mand' \| 'nomand' \| 'dirsync' \| 'noatime' \| 'atime' \| 'nodiratime' \| 'diratime' \| 'bind' \| 'rbind' \| 'move' \| 'verbose' \| 'silent' \| 'loud' \| 'acl' \| 'noacl' \| 'unbindable' \| 'runbindable' \| 'private' \| 'rprivate' \| 'slave' \| 'rslave' \| 'shared' \| 'rshared' \| 'relatime' \| 'norelatime' \| 'iversion' \| 'noiversion' \| 'strictatime' \| 'nouser' \| 'user' ) MOUNT EXPRESSION = ( ALPHANUMERIC \| AARE ) ... PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ] [ NEW ROOT FILEGLOB ] SOURCE FILEGLOB = FILEGLOB MOUNTPOINT FILEGLOB = FILEGLOB eg. mount, mount /dev/foo, mount options=ro /dev/foo -> /mnt/, mount options in (ro,atime) /dev/foo -> /mnt/, mount options=ro options=atime, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2017-07-19 06:04:47 +00:00			`resource.o secid.o file.o policy_ns.o label.o mount.o`
apparmor: add the ability to report a sha1 hash of loaded policy Provide userspace the ability to introspect a sha1 hash value for each profile currently loaded. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2013-08-14 18:27:36 +00:00			`apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00
AppArmor: cleanup generated files correctly clean-files should be defined as a variable not a target. Signed-off-by: Michal Hocko <mhocko@suse.cz> Signed-off-by: John Johansen <john.johansen@canonical.com> 2011-01-07 14:03:02 +00:00			`clean-files := capability_names.h rlim_names.h`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00
			`# Build a lower case string table of capability names`
			`# Transforms lines from`
			`# #define CAP_DAC_OVERRIDE 1`
			`# to`
			`# [1] = "dac_override",`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00			`quiet_cmd_make-caps = GEN $@`
AppArmor: Fix location of const qualifier on generated string tables Signed-off-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-03-15 06:41:17 +00:00			`cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\`
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00			`sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \`
			`-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\`
apparmor: export set of capabilities supported by the apparmor module Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2013-08-14 18:27:32 +00:00			`echo "};" >> $@ ;\`
apparmor: rename apparmor file fns and data to indicate use prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> 2017-05-25 13:23:42 +00:00			`printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\`
apparmor: export set of capabilities supported by the apparmor module Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2013-08-14 18:27:32 +00:00			`sed $< -r -n -e '/CAP_FS_MASK/d' \`
			`-e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' \| \`
			`tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@`
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00			`# Build a lower case string table of rlimit names.`
			`# Transforms lines from`
			`# #define RLIMIT_STACK 3 /* max stack size */`
			`# to`
			`# [RLIMIT_STACK] = "stack",`
			`#`
			`# and build a second integer table (with the second sed cmd), that maps`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`# RLIMIT defines to the order defined in asm-generic/resource.h This is`
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00			`# required by policy load to map policy ordering of RLIMITs to internal`
			`# ordering for architectures that redefine an RLIMIT.`
			`# Transforms lines from`
			`# #define RLIMIT_STACK 3 /* max stack size */`
			`# to`
			`# RLIMIT_STACK,`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`#`
			`# and build the securityfs entries for the mapping.`
			`# Transforms lines from`
			`# #define RLIMIT_FSIZE 1 /* Maximum filesize */`
			`# #define RLIMIT_STACK 3 /* max stack size */`
			`# to`
apparmor: rename apparmor file fns and data to indicate use prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> 2017-05-25 13:23:42 +00:00			`# #define AA_SFS_RLIMIT_MASK "fsize stack"`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00			`quiet_cmd_make-rlim = GEN $@`
AppArmor: Fix location of const qualifier on generated string tables Signed-off-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-03-15 06:41:17 +00:00			`cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \`
AppArmor: Add const qualifiers to generated string tables Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-03-14 12:53:40 +00:00			`> $@ ;\`
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00			`sed $< >> $@ -r -n \`
			`-e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\`
			`echo "};" >> $@ ;\`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\`
AppArmor: Cleanup make file to remove cruft and make it easier to read Cleanups based on comments from Sam Ravnborg, * remove references to the currently unused af_names.h * add rlim_names.h to clean-files: * rework cmd_make-XXX to make them more readable by adding comments, reworking the expressions to put logical components on individual lines, and keep lines < 80 characters. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Sam Ravnborg <sam@ravnborg.org> 2011-03-05 10:18:02 +00:00			`sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`echo "};" >> $@ ; \`
apparmor: rename apparmor file fns and data to indicate use prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> 2017-05-25 13:23:42 +00:00			`printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< \| \`
			`tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00
			`$(obj)/capability.o : $(obj)/capability_names.h`
			`$(obj)/resource.o : $(obj)/rlim_names.h`
apparmor: fix apparmor OOPS in audit_log_untrustedstring+0x1c/0x40 The capability defines have moved causing the auto generated names of capabilities that apparmor uses in logging to be incorrect. Fix the autogenerated table source to uapi/linux/capability.h Reported-by: YanHong <clouds.yan@gmail.com> Reported-by: Krzysztof Kolasa <kkolasa@winsoft.pl> Analyzed-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: David Howells <dhowells@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-17 20:29:33 +00:00			`$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`$(src)/Makefile`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00			`$(call cmd,make-caps)`
UAPI: (Scripted) Disintegrate include/asm-generic Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com> 2012-10-04 17:20:15 +00:00			`$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \`
AppArmor: export known rlimit names/value mappings in securityfs Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2012-01-27 00:29:23 +00:00			`$(src)/Makefile`
AppArmor: Enable configuring and building of the AppArmor security module Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-30 03:46:33 +00:00			`$(call cmd,make-rlim)`