Add a --with-apparmor build flag

Add a new build flag, --with-apparmor, that builds sudo with AppArmor
support. Modify the build script for Debian and Ubuntu to enable this
flag by default.

config.h.in

@@ -51,6 +51,9 @@
 /* Define to 1 if you use AIX general authentication. */
 #undef HAVE_AIXAUTH
 
+/* Define to 1 to enable AppArmor support. */
+#undef HAVE_APPARMOR
+
 /* Define to 1 if you have the `arc4random' function. */
 #undef HAVE_ARC4RANDOM
 

configure.ac

@@ -67,6 +67,7 @@ AC_SUBST([BAMAN])
 AC_SUBST([LCMAN])
 AC_SUBST([PSMAN])
 AC_SUBST([SEMAN])
+AC_SUBST([AAMAN])
 AC_SUBST([devdir])
 AC_SUBST([mansectsu])
 AC_SUBST([mansectform])
@@ -251,6 +252,7 @@ BAMAN=0
 LCMAN=0
 PSMAN=0
 SEMAN=0
+AAMAN=0
 LIBINTL=
 LIBCRYPTO=
 LIBMD=
@@ -1483,6 +1485,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
 		;;
 esac], [with_selinux=no])
 
+AC_ARG_WITH(apparmor, [AS_HELP_STRING([--with-apparmor], [enable AppArmor support])],
+[case $with_apparmor in
+    yes)        AC_DEFINE(HAVE_APPARMOR)
+                AAMAN=1
+                SUDO_OBJS="${SUDO_OBJS} apparmor.o"
+                AC_CHECK_LIB(apparmor, aa_change_profile,
+                    [SUDO_LIBS="${SUDO_LIBS} -lapparmor"])
+                ;;
+    no)         ;;
+    *)          AC_MSG_ERROR([--with-apparmor does not take an argument.])
+
+esac], [with_apparmor=no])
+
 AC_ARG_ENABLE(sasl,
 [AS_HELP_STRING([--enable-sasl], [Enable/disable LDAP SASL support])],
 [ case "$enableval" in
@@ -5416,6 +5431,7 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file
 AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
 AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
 AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
+AH_TEMPLATE(HAVE_APPARMOR, [Define to 1 to enable AppArmor support.])
 AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])

scripts/mkdep.pl

@@ -115,7 +115,7 @@ sub mkdep {
     # Expand some configure bits
     $makefile =~ s:\@DEV\@::g;
     $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
-    $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o selinux.o sesh.o solaris.o:;
+    $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:;
     $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:;
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;

scripts/mkpkg

@@ -269,6 +269,23 @@ case "$osversion" in
 	make_opts="${make_opts}${make_opts+ }"'docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
 	;;
     deb*|ubu*)
+	# AppArmor is enabled by default starting in
+	# Debian: Debian 10 (Buster)
+	# Ubuntu: Ubuntu 12.04 (Precise Pangolin)
+	osmajor=`sed -n -e 's/^VERSION_ID=\"\([0-9]*\).*$/\1/p' /etc/os-release`
+	case "$osversion" in
+	    deb*)
+		if [ -z $osmajor ] || [ $osmajor -ge 10 ]; then
+		    with_apparmor=true
+		fi
+		;;
+	    ubu*)
+		if [ -z $osmajor ] || [ $osmajor -ge 14 ]; then
+		    with_apparmor=true
+		fi
+		;;
+	esac
+
 	# Encrypted remote I/O log support.
 	with_openssl=true
 	# Python plugins
@@ -295,6 +312,9 @@ case "$osversion" in
 		configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib/$MULTIARCH"
 	    fi
 	fi
+	if [ X"$with_apparmor" = X"true" ]; then
+		configure_opts="${configure_opts}${configure_opts+$tab}--with-apparmor"
+	fi
 	configure_opts="--prefix=/usr
 		--with-all-insults
 		--with-pam
@@ -311,7 +331,6 @@ case "$osversion" in
 		--with-sendmail=/usr/sbin/sendmail
 		--mandir=/usr/share/man
 		--libexecdir=/usr/lib
-		--with-selinux
 		--with-linux-audit
 		$configure_opts"
 	# Use correct libaudit dependency