* [meta-security][PATCH 1/2] apparmor: fix build issue with ptest enabled.
@ 2020-10-02 16:09 akuster
2020-10-02 16:09 ` [meta-security][PATCH 2/2] security-test-image: tweak to get more tests to runn akuster
0 siblings, 1 reply; 2+ messages in thread
From: akuster @ 2020-10-02 16:09 UTC (permalink / raw
To: yocto
minor spacing cleanup
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-mac/AppArmor/apparmor_2.13.4.bb | 181 +++++++++---------
...-Don-t-build-syscall_sysctl-if-missi.patch | 96 ++++++++++
2 files changed, 186 insertions(+), 91 deletions(-)
create mode 100644 recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index dcdc1f7..6ba1ea8 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -14,16 +14,17 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
DEPENDS = "bison-native apr gettext-native coreutils-native"
SRC_URI = " \
- git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
- file://disable_perl_h_check.patch \
- file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
- file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
- "
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
+ file://disable_perl_h_check.patch \
+ file://crosscompile_perl_bindings.patch \
+ file://apparmor.rc \
+ file://functions \
+ file://apparmor \
+ file://apparmor.service \
+ file://0001-Makefile.am-suppress-perllocal.pod.patch \
+ file://run-ptest \
+ file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
+ "
SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
S = "${WORKDIR}/git"
@@ -54,76 +55,76 @@ python() {
DISABLE_STATIC = ""
do_configure() {
- cd ${S}/libraries/libapparmor
- aclocal
- autoconf --force
- libtoolize --automake -c --force
- automake -ac
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ cd ${S}/libraries/libapparmor
+ aclocal
+ autoconf --force
+ libtoolize --automake -c --force
+ automake -ac
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
do_compile () {
- # Fixes:
- # | sed -ie 's///g' Makefile.perl
- # | sed: -e expression #1, char 0: no previous regular expression
- #| Makefile:478: recipe for target 'Makefile.perl' failed
- sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
- oe_runmake -C ${B}/libraries/libapparmor
- oe_runmake -C ${B}/binutils
- oe_runmake -C ${B}/utils
- oe_runmake -C ${B}/parser
- oe_runmake -C ${B}/profiles
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor
- fi
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
+ oe_runmake -C ${B}/libraries/libapparmor
+ oe_runmake -C ${B}/binutils
+ oe_runmake -C ${B}/utils
+ oe_runmake -C ${B}/parser
+ oe_runmake -C ${B}/profiles
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor
+ fi
}
do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
- oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
- oe_runmake -C ${B}/binutils DESTDIR="${D}" install
- oe_runmake -C ${B}/utils DESTDIR="${D}" install
- oe_runmake -C ${B}/parser DESTDIR="${D}" install
- oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
- # If perl is disabled this script won't be any good
- if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-notify
- fi
-
- if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-decode
- fi
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
- fi
-
- # aa-easyprof is installed by python-tools-setup.py, fix it up
- sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
- chmod 0755 ${D}${bindir}/aa-easyprof
-
- install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install ${WORKDIR}/functions ${D}/lib/apparmor
- sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
- sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
-
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
- fi
+ install -d ${D}/${INIT_D_DIR}
+ install -d ${D}/lib/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+ oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+ oe_runmake -C ${B}/utils DESTDIR="${D}" install
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install
+ oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+ fi
+
+ # aa-easyprof is installed by python-tools-setup.py, fix it up
+ sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+ chmod 0755 ${D}${bindir}/aa-easyprof
+
+ install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+ install ${WORKDIR}/functions ${D}/lib/apparmor
+ sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+ sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ fi
}
#Building ptest on arm fails.
@@ -136,30 +137,28 @@ do_compile_ptest_arm () {
}
do_compile_ptest () {
- oe_runmake -C ${B}/tests/regression/apparmor
- oe_runmake -C ${B}/parser/tst
- oe_runmake -C ${B}/libraries/libapparmor
+ sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+ oe_runmake -C ${B}/tests/regression/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor
}
do_install_ptest () {
- t=${D}/${PTEST_PATH}/testsuite
- install -d ${t}
- install -d ${t}/tests/regression/apparmor
- cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+ t=${D}/${PTEST_PATH}/testsuite
+ install -d ${t}
+ install -d ${t}/tests/regression/apparmor
+ cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
- install -d ${t}/parser/tst
- cp -rf ${B}/parser/tst ${t}/parser
- cp ${B}/parser/apparmor_parser ${t}/parser
- cp ${B}/parser/frob_slack_rc ${t}/parser
+ cp ${B}/parser/apparmor_parser ${t}/parser
+ cp ${B}/parser/frob_slack_rc ${t}/parser
- install -d ${t}/libraries/libapparmor
- cp -rf ${B}/libraries/libapparmor ${t}/libraries
+ install -d ${t}/libraries/libapparmor
+ cp -rf ${B}/libraries/libapparmor ${t}/libraries
- install -d ${t}/common
- cp -rf ${B}/common ${t}
+ install -d ${t}/common
+ cp -rf ${B}/common ${t}
- install -d ${t}/binutils
- cp -rf ${B}/binutils ${t}
+ install -d ${t}/binutils
+ cp -rf ${B}/binutils ${t}
}
#Building ptest on arm fails.
diff --git a/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
new file mode 100644
index 0000000..3cd1e88
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
@@ -0,0 +1,96 @@
+From 7a7c7fb346ded6f017c8df44486778a5f032d41a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 29 Sep 2020 03:05:22 -0700
+Subject: [PATCH] regression tests: Don't build syscall_sysctl if missing
+ kernel headers
+
+sys/sysctl.h is not guaranteed to exist anymore since
+https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html
+
+which is a follow on to the kernel commit
+61a47c1ad3a4 sysctl: Remove the sysctl system call
+
+While the syscall_sysctl currently checks if the kernel supports
+sysctrs before running the tests. The tests can't even build if the
+kernel headers don't have the sysctl defines.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119
+Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288
+MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Steve Beattie <steve.beattie@canonical.com>
+(cherry picked from commit 2e5a266eb715fc7e526520235a6450444775791f)
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ tests/regression/apparmor/Makefile | 10 +++++++++-
+ tests/regression/apparmor/syscall_sysctl.sh | 15 +++++++++++----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index 198ca421..c3d0cfb7 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,6 +69,9 @@ endif # USE_SYSTEM
+
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+
++USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++
++
+ SRC=access.c \
+ at_secure.c \
+ introspect.c \
+@@ -130,7 +133,6 @@ SRC=access.c \
+ syscall_sethostname.c \
+ syscall_setdomainname.c \
+ syscall_setscheduler.c \
+- syscall_sysctl.c \
+ sysctl_proc.c \
+ tcp.c \
+ transition.c \
+@@ -146,6 +148,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 i586 i686 x86 x86_64))
+ SRC+=syscall_ioperm.c syscall_iopl.c
+ endif
+
++#only do sysctl syscall test if defines installed and OR supported by the
++# kernel
++ifeq ($(USE_SYSCTL),true)
++SRC+=syscall_sysctl.c
++endif
++
+ #only do dbus if proper libs are installl
+ ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
+ SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c
+diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh
+index f93946f3..5f856984 100644
+--- a/tests/regression/apparmor/syscall_sysctl.sh
++++ b/tests/regression/apparmor/syscall_sysctl.sh
+@@ -148,11 +148,18 @@ test_sysctl_proc()
+ # check if the kernel supports CONFIG_SYSCTL_SYSCALL
+ # generally we want to encourage kernels to disable it, but if it's
+ # enabled we want to test against it
+-settest syscall_sysctl
+-if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+- echo " WARNING: syscall sysctl not implemented, skipping tests ..."
++# In addition test that sysctl exists in the kernel headers, if it does't
++# then we can't even built the syscall_sysctl test
++if echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then
++ settest syscall_sysctl
++
++ if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
++ echo " WARNING: syscall sysctl not implemented, skipping tests ..."
++ else
++ test_syscall_sysctl
++ fi
+ else
+- test_syscall_sysctl
++ echo " WARNING: syscall sysctl not supported by kernel headers, skipping tests ..."
+ fi
+
+ # now test /proc/sys/ paths
+--
+2.17.1
+
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [meta-security][PATCH 2/2] security-test-image: tweak to get more tests to runn
2020-10-02 16:09 [meta-security][PATCH 1/2] apparmor: fix build issue with ptest enabled akuster
@ 2020-10-02 16:09 ` akuster
0 siblings, 0 replies; 2+ messages in thread
From: akuster @ 2020-10-02 16:09 UTC (permalink / raw
To: yocto
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-core/images/security-test-image.bb | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
index babe3fd..54d8978 100644
--- a/recipes-core/images/security-test-image.bb
+++ b/recipes-core/images/security-test-image.bb
@@ -8,4 +8,11 @@ TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec sma
INSTALL_CLAMAV_CVD = "1"
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
+
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
+
+PTEST_EXPECT_FAILURE = "1"
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-10-02 16:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-02 16:09 [meta-security][PATCH 1/2] apparmor: fix build issue with ptest enabled akuster
2020-10-02 16:09 ` [meta-security][PATCH 2/2] security-test-image: tweak to get more tests to runn akuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.