SPECS (LINUX_2_6): kernel.spec - shy apparmor back, needs testing so bconded

zbyniu zbyniu at pld-linux.org
Thu May 29 16:20:26 CEST 2008


Author: zbyniu                       Date: Thu May 29 14:20:26 2008 GMT
Module: SPECS                         Tag: LINUX_2_6
---- Log message:
- shy apparmor back, needs testing so bconded

---- Files affected:
SPECS:
   kernel.spec (1.441.2.1913 -> 1.441.2.1914) 

---- Diffs:

================================================================
Index: SPECS/kernel.spec
diff -u SPECS/kernel.spec:1.441.2.1913 SPECS/kernel.spec:1.441.2.1914
--- SPECS/kernel.spec:1.441.2.1913	Mon May 26 17:45:44 2008
+++ SPECS/kernel.spec	Thu May 29 16:20:20 2008
@@ -7,7 +7,7 @@
 #
 # TODO:
 # - benchmark NO_HZ & HZ=1000 vs HZ=300 on i686
-# - apparmor (no future?)
+# - apparmor (needs testing)
 #
 # FUTURE:
 # - update xen patch
@@ -41,8 +41,8 @@
 
 %bcond_without	vserver		# support for VServer (enabled by default)
 %bcond_without	tuxonice	# support for tuxonice (ex-suspend2) (enabled by default)
-
 %bcond_with	vs22		# use vserver 2.2 instead of 2.3 (see comment near patch 102)
+%bcond_with	apparmor	# build kernel with apparmor (very exerimental mix)
 
 %bcond_with	rescuecd	# build kernel for our rescue
 
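Review bot: The description on the new `%bcond_with apparmor` line does not say that enabling it also turns off SMACK and unionfs in the generated config, which the later `%{defconfig}` hunk does with sed. For a switch that changes which security module ends up in the kernel, that side effect belongs next to the option. I would write `%bcond_with	apparmor	# build kernel with apparmor (very experimental; disables SMACK and unionfs)`, which also fixes the "exerimental" typo.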
@@ -335,8 +335,10 @@
 # (only warnings, so just remove parts of this patch if conflics)
 Patch2500:	linux-2.6-warnings.patch
 
-Patch5000:	apparmor-2.6.20.3-v405-fullseries.diff
-Patch5001:	linux-2.6-apparmor-caps.patch
+# based on https://forgesvn1.novell.com/svn/apparmor/trunk/kernel-patches/2.6.25 rev 1266
+# repatched and adapted for vserver/grsec changes in vfs API, very experimental
+Patch5000:	kernel-apparmor.patch
+#Patch5001:	linux-2.6-apparmor-caps.patch
 
 # for rescuecd
 # based on http://ftp.leg.uct.ac.za/pub/linux/rip/inittmpfs-2.6.14.diff.gz
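Review bot: The comment above `Patch5000` records the upstream URL and revision but not what was changed locally, so the difference between kernel-apparmor.patch and upstream rev 1266 cannot be audited from the spec. For a reworked security-module patch, that difference is what a reviewer needs in order to check that no mediation hook was lost in the vserver/grsec adaptation, and to re-apply later upstream fixes. I would add a line such as `# local changes vs upstream: <adapted files/hooks>`, and a short reason on the commented-out `#Patch5001` line (dropped, merged into Patch5000, or pending).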
@@ -877,11 +879,6 @@
 
 %patch2500 -p1
 
-# FIXME !!! 2.6.24 (no modular security? crap)
-# Apparmor
-# %patch5000 -p1
-# %patch5001 -p1
-
 %if %{with rescuecd}
 %patch7000 -p1
 %patch7001 -p1
@@ -926,6 +923,12 @@
 #
 # end of grsecurity & pax stuff
 
+# apparmor
+%if %{with apparmor}
+%patch5000 -p1
+# %patch5001 -p1
+%endif
+
 %ifarch ppc ppc64
 #patch200 -p1
 %endif
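Review bot: `%patch5000 -p1` is guarded only by `%{with apparmor}`, although the comment on Patch5000 says the patch was adapted to the vserver/grsec changes in the VFS API, and vserver at least is itself optional (`%bcond_without vserver`). A build with apparmor but without vserver would presumably fail to apply the patch, or apply it with fuzz against a tree it was not written for. The grsecurity conditionals are outside this hunk, so I can't tell how that side is guarded. At minimum add `# kernel-apparmor.patch expects the vserver and grsecurity patches to be applied first`, or nest the block under those conditions so an unsupported combination fails early.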
@@ -1173,6 +1176,17 @@
 	RescueConfig %{defconfig}
 %endif
 
+# apparmor, will be moved to external file if works
+%if %{with apparmor}
+echo CONFIG_SECURITY_APPARMOR=y >> %{defconfig}
+echo CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 >> %{defconfig}
+echo "# CONFIG_SECURITY_APPARMOR_DISABLE is not set" >> %{defconfig}
+# patch for unionfs not ready yet
+sed -i "s:CONFIG_UNION_FS=m:# CONFIG_UNION_FS is not set:" %{defconfig}
+# some conflict with smack, todo
+sed -i "s:CONFIG_SECURITY_SMACK=y:# CONFIG_SECURITY_SMACK is not set:" %{defconfig}
+%endif
+
 %{?debug:sed -i "s:# CONFIG_DEBUG_SLAB is not set:CONFIG_DEBUG_SLAB=y:" %{defconfig}}
 %{?debug:sed -i "s:# CONFIG_DEBUG_PREEMPT is not set:CONFIG_DEBUG_PREEMPT=y:" %{defconfig}}
 %{?debug:sed -i "s:# CONFIG_RT_DEADLOCK_DETECT is not set:CONFIG_RT_DEADLOCK_DETECT=y:" %{defconfig}}
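Review bot: The two added sed lines disable SMACK and unionfs only if the config holds exactly `CONFIG_SECURITY_SMACK=y` and `CONFIG_UNION_FS=m`; any other value (for example unionfs built in) is left untouched without an error, so the conflicting option stays enabled alongside AppArmor. Anchoring the patterns and covering both values makes this deterministic: `sed -i "s:^CONFIG_UNION_FS=[ym]$:# CONFIG_UNION_FS is not set:" %{defconfig}`, and likewise `^CONFIG_SECURITY_SMACK=y$`. The three `echo ... >> %{defconfig}` lines append without removing an earlier entry for the same symbol, and nothing in the hunk ensures the options AppArmor depends on are set. Whether either matters depends on the base config, which is not visible here. A `grep` for `CONFIG_SECURITY_APPARMOR=y` in the final config would catch a build that silently ships without it. The enclosing build section starts and ends outside this hunk.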
@@ -1686,6 +1700,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.441.2.1914  2008-05-29 14:20:20  zbyniu
+- shy apparmor back, needs testing so bconded
+
 Revision 1.441.2.1913  2008-05-26 15:45:44  zbyniu
 - bcond myown; fixed %files on sparc
 
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SPECS/kernel.spec?r1=1.441.2.1913&r2=1.441.2.1914&f=u


