Add a --with-apparmor build flag

Add a new build flag, --with-apparmor, that builds sudo with AppArmor
support. Modify the build script for Debian and Ubuntu to enable this
flag by default.
kernelmethod
2022-05-23 00:55:16 -06:00
parent b203753013
commit 0b541c2029
4 changed files with 40 additions and 2 deletions


@@ -51,6 +51,9 @@
/* Define to 1 if you use AIX general authentication. */ /* Define to 1 if you use AIX general authentication. */
#undef HAVE_AIXAUTH #undef HAVE_AIXAUTH
/* Define to 1 to enable AppArmor support. */
#undef HAVE_APPARMOR
/* Define to 1 if you have the `arc4random' function. */ /* Define to 1 if you have the `arc4random' function. */
#undef HAVE_ARC4RANDOM #undef HAVE_ARC4RANDOM


@@ -67,6 +67,7 @@ AC_SUBST([BAMAN])
AC_SUBST([LCMAN]) AC_SUBST([LCMAN])
AC_SUBST([PSMAN]) AC_SUBST([PSMAN])
AC_SUBST([SEMAN]) AC_SUBST([SEMAN])
AC_SUBST([AAMAN])
AC_SUBST([devdir]) AC_SUBST([devdir])
AC_SUBST([mansectsu]) AC_SUBST([mansectsu])
AC_SUBST([mansectform]) AC_SUBST([mansectform])
@@ -251,6 +252,7 @@ BAMAN=0
LCMAN=0 LCMAN=0
PSMAN=0 PSMAN=0
SEMAN=0 SEMAN=0
AAMAN=0
LIBINTL= LIBINTL=
LIBCRYPTO= LIBCRYPTO=
LIBMD= LIBMD=
@@ -1483,6 +1485,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
;; ;;
esac], [with_selinux=no]) esac], [with_selinux=no])
AC_ARG_WITH(apparmor, [AS_HELP_STRING([--with-apparmor], [enable AppArmor support])],
[case $with_apparmor in
yes) AC_DEFINE(HAVE_APPARMOR)
AAMAN=1
SUDO_OBJS="${SUDO_OBJS} apparmor.o"
AC_CHECK_LIB(apparmor, aa_change_profile,
[SUDO_LIBS="${SUDO_LIBS} -lapparmor"])
;;
no) ;;
*) AC_MSG_ERROR([--with-apparmor does not take an argument.])
esac], [with_apparmor=no])
AC_ARG_ENABLE(sasl, AC_ARG_ENABLE(sasl,
[AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])], [AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])],
[ case "$enableval" in [ case "$enableval" in
@@ -5416,6 +5431,7 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file
AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.]) AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.]) AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
AH_TEMPLATE(HAVE_APPARMOR, [Define to 1 to enable AppArmor support.])
AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.]) AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
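Review bot: In the `--with-apparmor` handler, `AC_CHECK_LIB(apparmor, aa_change_profile, ...)` has no action for the not-found case, yet `AC_DEFINE(HAVE_APPARMOR)` and the `apparmor.o` addition to `SUDO_OBJS` have already run by that point. On a host without libapparmor, configure would therefore succeed and the problem would presumably surface only at link time. Failing at configure time is clearer: `AC_CHECK_LIB(apparmor, aa_change_profile, [SUDO_LIBS="${SUDO_LIBS} -lapparmor"], [AC_MSG_ERROR([--with-apparmor specified but libapparmor was not found.])])`. A matching check for the library's header would catch a missing development package in the same way.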


@@ -115,7 +115,7 @@ sub mkdep {
# Expand some configure bits # Expand some configure bits
$makefile =~ s:\@DEV\@::g; $makefile =~ s:\@DEV\@::g;
$makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
$makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o selinux.o sesh.o solaris.o:; $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:;
$makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:; $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead # XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
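Review bot: `apparmor.o` is inserted between `preload.o` and `selinux.o` in the `@SUDO_OBJS@` substitution, while the other entries on that line are in alphabetical order. Placing it at the front of the list, before `intercept.pb-c.o`, would keep the list sorted and easier to scan when further objects are added.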


@@ -269,6 +269,23 @@ case "$osversion" in
make_opts="${make_opts}${make_opts+ }"'docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)' make_opts="${make_opts}${make_opts+ }"'docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
;; ;;
deb*|ubu*) deb*|ubu*)
# AppArmor is enabled by default starting in
# Debian: Debian 10 (Buster)
# Ubuntu: Ubuntu 12.04 (Precise Pangolin)
osmajor=`sed -n -e 's/^VERSION_ID=\"\([0-9]*\).*$/\1/p' /etc/os-release`
case "$osversion" in
deb*)
if [ -z $osmajor ] || [ $osmajor -ge 10 ]; then
with_apparmor=true
fi
;;
ubu*)
if [ -z $osmajor ] || [ $osmajor -ge 14 ]; then
with_apparmor=true
fi
;;
esac
# Encrypted remote I/O log support. # Encrypted remote I/O log support.
with_openssl=true with_openssl=true
# Python plugins # Python plugins
@@ -295,6 +312,9 @@ case "$osversion" in
configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib/$MULTIARCH" configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib/$MULTIARCH"
fi fi
fi fi
if [ X"$with_apparmor" = X"true" ]; then
configure_opts="${configure_opts}${configure_opts+$tab}--with-apparmor"
fi
configure_opts="--prefix=/usr configure_opts="--prefix=/usr
--with-all-insults --with-all-insults
--with-pam --with-pam
@@ -311,7 +331,6 @@ case "$osversion" in
--with-sendmail=/usr/sbin/sendmail --with-sendmail=/usr/sbin/sendmail
--mandir=/usr/share/man --mandir=/usr/share/man
--libexecdir=/usr/lib --libexecdir=/usr/lib
--with-selinux
--with-linux-audit --with-linux-audit
$configure_opts" $configure_opts"
# Use correct libaudit dependency # Use correct libaudit dependency
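Review bot: The last hunk drops `--with-selinux` unconditionally from what appears to be the Debian/Ubuntu configure option list, so as far as these hunks show, builds for releases below the new thresholds get neither SELinux nor AppArmor support, and the commit message does not mention the removal. If the two options are meant to be mutually exclusive, that should be stated and `--with-selinux` kept for the case where `with_apparmor` is not set. In the first hunk the comment names Ubuntu 12.04 while the test is `$osmajor -ge 14`; one of the two should be corrected. The tests also expand `$osmajor` unquoted, which handles the empty case only by accident of how `[` treats a single argument; `if [ -z "$osmajor" ] || [ "$osmajor" -ge 10 ]; then` is safer. The enclosing `case "$osversion"` block starts and ends outside these hunks.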