diff --git a/config.h.in b/config.h.in
index ac94b4983..d0be95822 100644
--- a/config.h.in
+++ b/config.h.in
@@ -51,6 +51,9 @@
 /* Define to 1 if you use AIX general authentication. */
 #undef HAVE_AIXAUTH
+/* Define to 1 to enable AppArmor support. */
+#undef HAVE_APPARMOR
+
 /* Define to 1 if you have the `arc4random' function. */
 #undef HAVE_ARC4RANDOM
diff --git a/configure.ac b/configure.ac
index 541f62066..71325fb5a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -67,6 +67,7 @@ AC_SUBST([BAMAN])
 AC_SUBST([LCMAN])
 AC_SUBST([PSMAN])
 AC_SUBST([SEMAN])
+AC_SUBST([AAMAN])
 AC_SUBST([devdir])
 AC_SUBST([mansectsu])
 AC_SUBST([mansectform])
@@ -251,6 +252,7 @@ BAMAN=0
 LCMAN=0
 PSMAN=0
 SEMAN=0
+AAMAN=0
 LIBINTL=
 LIBCRYPTO=
 LIBMD=
@@ -1483,6 +1485,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
 ;;
 esac], [with_selinux=no])
+AC_ARG_WITH(apparmor, [AS_HELP_STRING([--with-apparmor], [enable AppArmor support])],
+[case $with_apparmor in
+ yes) AC_DEFINE(HAVE_APPARMOR)
+ AAMAN=1
+ SUDO_OBJS="${SUDO_OBJS} apparmor.o"
+ AC_CHECK_LIB(apparmor, aa_change_profile,
+ [SUDO_LIBS="${SUDO_LIBS} -lapparmor"])
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR([--with-apparmor does not take an argument.])
+
+esac], [with_apparmor=no])
+
 AC_ARG_ENABLE(sasl, [AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])],
 [ case "$enableval" in
@@ -5416,6 +5431,7 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
+AH_TEMPLATE(HAVE_APPARMOR, [Define to 1 to enable AppArmor support.])
 AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
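Review bot: The `AC_CHECK_LIB(apparmor, aa_change_profile, ...)` call in the `yes)` arm of the -1483 hunk has no action-if-not-found, and `AC_DEFINE(HAVE_APPARMOR)` and `apparmor.o` are set before the check runs, so a host without libapparmor still configures cleanly and presumably only fails later at link time. For a confinement feature the builder asked for explicitly, configure should stop instead: pass a fourth argument such as `[AC_MSG_ERROR([--with-apparmor specified but libapparmor was not found])]`. The `*)` arm also ends without `;;`, unlike the SELinux block whose tail is visible in the context lines; adding it keeps the two blocks parallel.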
diff --git a/scripts/mkdep.pl b/scripts/mkdep.pl
index 3d6e6b65e..380439384 100755
--- a/scripts/mkdep.pl
+++ b/scripts/mkdep.pl
@@ -115,7 +115,7 @@ sub mkdep {
 # Expand some configure bits
 $makefile =~ s:\@DEV\@::g;
 $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
- $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o selinux.o sesh.o solaris.o:;
+ $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:;
 $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:;
 # XXX - fill in AUTH_OBJS from contents of the auth dir instead
 $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
diff --git a/scripts/mkpkg b/scripts/mkpkg
index 294a77723..b477c8053 100755
--- a/scripts/mkpkg
+++ b/scripts/mkpkg
@@ -269,6 +269,23 @@ case "$osversion" in
 make_opts="${make_opts}${make_opts+ }"'docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
 ;;
 deb*|ubu*)
+ # AppArmor is enabled by default starting in
+ # Debian: Debian 10 (Buster)
+ # Ubuntu: Ubuntu 12.04 (Precise Pangolin)
+ osmajor=`sed -n -e 's/^VERSION_ID=\"\([0-9]*\).*$/\1/p' /etc/os-release`
+ case "$osversion" in
+ deb*)
+ if [ -z $osmajor ] || [ $osmajor -ge 10 ]; then
+ with_apparmor=true
+ fi
+ ;;
+ ubu*)
+ if [ -z $osmajor ] || [ $osmajor -ge 14 ]; then
+ with_apparmor=true
+ fi
+ ;;
+ esac
+
 # Encrypted remote I/O log support.
 with_openssl=true
 # Python plugins
@@ -295,6 +312,9 @@ case "$osversion" in
 configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib/$MULTIARCH"
 fi
 fi
+ if [ X"$with_apparmor" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-apparmor"
+ fi
 configure_opts="--prefix=/usr
 --with-all-insults
 --with-pam
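Review bot: The comment in the -269 hunk says AppArmor is the default from Ubuntu 12.04, but the `ubu*)` test is `$osmajor -ge 14`; one of the two is wrong, and the comment should state the threshold the code actually applies. `$osmajor` is also unquoted in both tests, which only works because an empty expansion collapses to `[ -z ]`; `[ -z "$osmajor" ] || [ "$osmajor" -ge 10 ]` is the robust form. A missing or unparsable /etc/os-release leaves `osmajor` empty and therefore turns AppArmor on, so a comment such as `# unknown release: assume AppArmor is available` would make that default explicit.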
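Review bot: `--with-apparmor` is appended in the -295 hunk only when `with_apparmor` is true, while the later hunk at -311 drops `--with-selinux` from the same option string unconditionally, so a Debian release below 10 or an Ubuntu release below 14 would now be configured with neither MAC integration. If SELinux support is meant to go away only where AppArmor replaces it, keep it as the fallback with `else configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"`. `with_apparmor` is also never initialised in the visible lines, so a value inherited from the environment would be honoured; the other `with_*` switches may behave the same way, but an explicit reset before the `case` would remove the doubt. The enclosing `deb*|ubu*)` branch starts and ends outside this hunk.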
@@ -311,7 +331,6 @@ case "$osversion" in
 --with-sendmail=/usr/sbin/sendmail
 --mandir=/usr/share/man
 --libexecdir=/usr/lib
- --with-selinux
 --with-linux-audit
 $configure_opts"
 # Use correct libaudit dependency