[packages/apparmor-parser.git] / apparmor-2.13.4-make4.3.patch

From fc2beaca9d642fb93736066f26e3588ad30ec7a4 Mon Sep 17 00:00:00 2001
From: Eric Chiang <ericchiang@google.com>
Date: Thu, 17 Jan 2019 11:02:57 -0800
Subject: [PATCH 1/4] *: ensure make apparmor_parser is cached

This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.

Two changes were made:

* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a

Changes to list_af_names are intended to exactly replicate the old
behavior.

Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
---
 common/Make.rules                | 21 ---------------------
 common/list_af_names.sh          | 19 +++++++++++++++++++
 parser/Makefile                  | 13 +++++--------
 utils/vim/create-apparmor.vim.py |  2 +-
 4 files changed, 25 insertions(+), 30 deletions(-)
 create mode 100755 common/list_af_names.sh

diff --git a/common/Make.rules b/common/Make.rules
index d2149fcd..357bdec8 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
 list_capabilities: /usr/include/linux/capability.h
 	@echo "$(CAPABILITIES)"
 
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
-	@echo "$(AF_NAMES)"
-
 # =====================
 # manpages
 # =====================
diff --git a/common/list_af_names.sh b/common/list_af_names.sh
new file mode 100755
index 00000000..d7987537
--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/PF_UNIX/d' \
+    -e 's/PF_LOCAL/PF_UNIX/' \
+    -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+  sort -n -k2
diff --git a/parser/Makefile b/parser/Makefile
index 73e88f5c..c22d32da 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -281,10 +281,9 @@ parser_version.h: Makefile
 # as well as the filtering that occurs for network protocols that
 # apparmor should not mediate.
 
-.PHONY: af_names.h
-af_names.h:
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
 	$(Q)$(MAKE) -s -C tst tests
 
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
@@ -408,3 +404,4 @@ clean: pod_clean
 	$(MAKE) -s -C po clean
 	$(MAKE) -s -C tst clean
 
+FORCE:
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 10bd5b8d..fea134f6 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -57,7 +57,7 @@ for cap in capabilities:
         benign_caps.append(cap)
 
 # get network protos list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+(rc, output) = cmd(['../../common/list_af_names.sh'])
 if rc != 0:
     sys.stderr.write("make list_af_names failed: " + output)
     exit(rc)
-- 
2.26.2


From 69651fc6565cf033ab763a607d786eb14143b7c6 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 14 Jun 2019 01:04:22 -0700
Subject: [PATCH 2/4] Revert "utils/test-network.py: fix failing testcase"

This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
this commit was meant for the 2.13 branch not master

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
---
 utils/test/test-network.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 8605786d..73a6b9d1 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
 
 class NetworkKeywordsTest(AATest):
     def test_network_keyword_list(self):
-        rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+        rc, output = cmd('../../common/list_af_names.sh')
         self.assertEqual(rc, 0)
 
         af_names = []
-- 
2.26.2


From 0d8e4cda3fb5194b82e288cadbcce98998064b7a Mon Sep 17 00:00:00 2001
From: allgdante <allan.garret@gmail.com>
Date: Mon, 23 Mar 2020 15:09:15 +0000
Subject: [PATCH 3/4] Generate CAPABILITIES in a script due to make 4.3

This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.

(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
---
 common/Make.rules                | 13 -------------
 common/list_capabilities.sh      | 14 ++++++++++++++
 parser/Makefile                  |  2 +-
 utils/Makefile                   |  2 +-
 utils/vim/create-apparmor.vim.py |  2 +-
 5 files changed, 17 insertions(+), 16 deletions(-)
 create mode 100755 common/list_capabilities.sh

diff --git a/common/Make.rules b/common/Make.rules
index 357bdec8..ecc6181a 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -74,19 +74,6 @@ endif
 pod_clean:
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
-	@echo "$(CAPABILITIES)"
-
 # =====================
 # manpages
 # =====================
diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
new file mode 100755
index 00000000..4e37cda7
--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/CAP_EMPTY_SET/d' \
+    -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+  LC_ALL=C sort
diff --git a/parser/Makefile b/parser/Makefile
index c22d32da..3e50125a 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -287,7 +287,7 @@ af_names.h: ../common/list_af_names.sh
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
-	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
 tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
diff --git a/utils/Makefile b/utils/Makefile
index 68f8c376..ea9e0601 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -80,7 +80,7 @@ clean: pod_clean
 .SILENT: check_severity_db
 check_severity_db: /usr/include/linux/capability.h severity.db
 	# The sed statement is based on the one in the parser's makefile
-	RC=0 ; for cap in ${CAPABILITIES} ; do \
+	RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
 	    if !  grep -q -w $${cap} severity.db ; then \
 		echo "Warning! capability $${cap} not found in severity.db" ; \
 		RC=1 ; \
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index fea134f6..6a5f02a2 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
     return [sp.returncode, out + outerr]
 
 # get capabilities list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+(rc, output) = cmd(['../../common/list_capabilities.sh'])
 if rc != 0:
     sys.stderr.write("make list_capabilities failed: " + output)
     exit(rc)
-- 
2.26.2


From af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 29 Mar 2020 00:07:11 +0100
Subject: [PATCH 4/4] fix capabilities in apparmor.vim

https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
capabilities to use a script.

A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.

(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
---
 utils/vim/create-apparmor.vim.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 6a5f02a2..b5df957a 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -50,7 +50,7 @@ if rc != 0:
     sys.stderr.write("make list_capabilities failed: " + output)
     exit(rc)
 
-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
 benign_caps = []
 for cap in capabilities:
     if cap not in danger_caps:
-- 
2.26.2
Commit	Line	Data
fb064503 AM	1	From fc2beaca9d642fb93736066f26e3588ad30ec7a4 Mon Sep 17 00:00:00 2001
	2	From: Eric Chiang <ericchiang@google.com>
	3	Date: Thu, 17 Jan 2019 11:02:57 -0800
	4	Subject: [PATCH 1/4] *: ensure make apparmor_parser is cached
	5
	6	This change updates parser/Makefile to respect target dependencies and
	7	not rebuild apparmor_parser if nothing's changed. The goal is to allow
	8	cross-compiled tests #17 to run on a target system without the tests
	9	attempting to rebuild the parser.
	10
	11	Two changes were made:
	12
	13	* Generate af_names.h in a script so the script timestamp is compared.
	14	* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
	15
	16	Changes to list_af_names are intended to exactly replicate the old
	17	behavior.
	18
	19	Signed-off-by: Eric Chiang <ericchiang@google.com>
	20	(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
	21	---
	22	common/Make.rules \| 21 ---------------------
	23	common/list_af_names.sh \| 19 +++++++++++++++++++
	24	parser/Makefile \| 13 +++++--------
	25	utils/vim/create-apparmor.vim.py \| 2 +-
	26	4 files changed, 25 insertions(+), 30 deletions(-)
	27	create mode 100755 common/list_af_names.sh
	28
	29	diff --git a/common/Make.rules b/common/Make.rules
	30	index d2149fcd..357bdec8 100644
	31	--- a/common/Make.rules
	32	+++ b/common/Make.rules
	33	@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" \| cpp -dM \| LC_ALL=C
	34	list_capabilities: /usr/include/linux/capability.h
	35	@echo "$(CAPABILITIES)"
	36
	37	-# =====================
	38	-# generate list of network protocols based on
	39	-# sys/socket.h for use in multiple locations in
	40	-# the source tree
	41	-# =====================
	42	-
	43	-# These are the families that it doesn't make sense for apparmor
	44	-# to mediate. We use PF_ here since that is what is required in
	45	-# bits/socket.h, but we will rewrite these as AF_.
	46	-
	47	-FILTER_FAMILIES=PF_UNIX
	48	-
	49	-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) \| sed -e 's/ /\\\\|/g')
	50	-
	51	-# emits the AF names in a "AF_NAME NUMBER," pattern
	52	-AF_NAMES=$(shell echo "\#include <sys/socket.h>" \| cpp -dM \| LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' \| sort -n -k2)
	53	-
	54	-.PHONY: list_af_names
	55	-list_af_names:
	56	- @echo "$(AF_NAMES)"
	57	-
	58	# =====================
	59	# manpages
	60	# =====================
	61	diff --git a/common/list_af_names.sh b/common/list_af_names.sh
	62	new file mode 100755
	63	index 00000000..d7987537
	64	--- /dev/null
65	+++ b/common/list_af_names.sh
66	@@ -0,0 +1,19 @@
67	+#!/bin/bash -e
68	+
69	+# =====================
70	+# generate list of network protocols based on
71	+# sys/socket.h for use in multiple locations in
72	+# the source tree
73	+# =====================
74	+
75	+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
76	+# for "PF_" constants since that is what is required in bits/socket.h, but
77	+# rewrite as "AF_".
78	+
79	+echo "#include <sys/socket.h>" \| \
80	+ cpp -dM \| \
81	+ LC_ALL=C sed -n \
82	+ -e '/PF_UNIX/d' \
83	+ -e 's/PF_LOCAL/PF_UNIX/' \
84	+ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' \| \
85	+ sort -n -k2
86	diff --git a/parser/Makefile b/parser/Makefile
87	index 73e88f5c..c22d32da 100644
88	--- a/parser/Makefile
89	+++ b/parser/Makefile
90	@@ -281,10 +281,9 @@ parser_version.h: Makefile
91	# as well as the filtering that occurs for network protocols that
92	# apparmor should not mediate.
93
94	-.PHONY: af_names.h
95	-af_names.h:
96	- echo "$(AF_NAMES)" \| LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
97	- echo "$(AF_NAMES)" \| LC_ALL=C sed -n -e 's/.,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?./#define AA_AF_MAX \1\n/p' >> $@
98	+af_names.h: ../common/list_af_names.sh
99	+ ../common/list_af_names.sh \| LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
100	+ ../common/list_af_names.sh \| LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
101	# cat $@
102
103	cap_names.h: /usr/include/linux/capability.h
104	@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
105	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
106	$(Q)$(MAKE) -s -C tst tests
107
108	-# always need to rebuild.
109	-.SILENT: $(AAREOBJECT)
110	-.PHONY: $(AAREOBJECT)
111	-$(AAREOBJECT):
112	+$(AAREOBJECT): FORCE
113	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
114
115	.PHONY: install-rhel4
116	@@ -408,3 +404,4 @@ clean: pod_clean
117	$(MAKE) -s -C po clean
118	$(MAKE) -s -C tst clean
119
120	+FORCE:
121	diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
122	index 10bd5b8d..fea134f6 100644
123	--- a/utils/vim/create-apparmor.vim.py
124	+++ b/utils/vim/create-apparmor.vim.py
125	@@ -57,7 +57,7 @@ for cap in capabilities:
126	benign_caps.append(cap)
127
128	# get network protos list
129	-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
130	+(rc, output) = cmd(['../../common/list_af_names.sh'])
131	if rc != 0:
132	sys.stderr.write("make list_af_names failed: " + output)
133	exit(rc)
134	--
135	2.26.2
136
137
138	From 69651fc6565cf033ab763a607d786eb14143b7c6 Mon Sep 17 00:00:00 2001
139	From: John Johansen <john.johansen@canonical.com>
140	Date: Fri, 14 Jun 2019 01:04:22 -0700
141	Subject: [PATCH 2/4] Revert "utils/test-network.py: fix failing testcase"
142
143	This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
144	this commit was meant for the 2.13 branch not master
145
146	Signed-off-by: John Johansen <john.johansen@canonical.com>
147	(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
148	---
149	utils/test/test-network.py \| 2 +-
150	1 file changed, 1 insertion(+), 1 deletion(-)
151
152	diff --git a/utils/test/test-network.py b/utils/test/test-network.py
153	index 8605786d..73a6b9d1 100644
154	--- a/utils/test/test-network.py
155	+++ b/utils/test/test-network.py
156	@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
157
158	class NetworkKeywordsTest(AATest):
159	def test_network_keyword_list(self):
160	- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
161	+ rc, output = cmd('../../common/list_af_names.sh')
162	self.assertEqual(rc, 0)
163
164	af_names = []
165	--
166	2.26.2
167
168
169	From 0d8e4cda3fb5194b82e288cadbcce98998064b7a Mon Sep 17 00:00:00 2001
170	From: allgdante <allan.garret@gmail.com>
171	Date: Mon, 23 Mar 2020 15:09:15 +0000
172	Subject: [PATCH 3/4] Generate CAPABILITIES in a script due to make 4.3
173
174	This way we could generate the capabilities in a way that works with
175	every version of make.
176	Changes to list_capabilities are intended to exactly replicate the old
177	behavior.
178
179	(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
180	---
181	common/Make.rules \| 13 -------------
182	common/list_capabilities.sh \| 14 ++++++++++++++
183	parser/Makefile \| 2 +-
184	utils/Makefile \| 2 +-
185	utils/vim/create-apparmor.vim.py \| 2 +-
186	5 files changed, 17 insertions(+), 16 deletions(-)
187	create mode 100755 common/list_capabilities.sh
188
189	diff --git a/common/Make.rules b/common/Make.rules
190	index 357bdec8..ecc6181a 100644
191	--- a/common/Make.rules
192	+++ b/common/Make.rules
193	@@ -74,19 +74,6 @@ endif
194	pod_clean:
195	-rm -f ${MANPAGES} .[0-9].gz ${HTMLMANPAGES} pod2htm.tmp
196
197	-# =====================
198	-# generate list of capabilities based on
199	-# /usr/include/linux/capabilities.h for use in multiple locations in
200	-# the source tree
201	-# =====================
202	-
203	-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
204	-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" \| cpp -dM \| LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' \| LC_ALL=C sort)
205	-
206	-.PHONY: list_capabilities
207	-list_capabilities: /usr/include/linux/capability.h
208	- @echo "$(CAPABILITIES)"
209	-
210	# =====================
211	# manpages
212	# =====================
213	diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
214	new file mode 100755
215	index 00000000..4e37cda7
216	--- /dev/null
217	+++ b/common/list_capabilities.sh
218	@@ -0,0 +1,14 @@
219	+#!/bin/bash -e
220	+
221	+# =====================
222	+# generate list of capabilities based on
223	+# /usr/include/linux/capabilities.h for use in multiple locations in
224	+# the source tree
225	+# =====================
226	+
227	+echo "#include <linux/capability.h>" \| \
228	+ cpp -dM \| \
229	+ LC_ALL=C sed -n \
230	+ -e '/CAP_EMPTY_SET/d' \
231	+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' \| \
232	+ LC_ALL=C sort
233	diff --git a/parser/Makefile b/parser/Makefile
234	index c22d32da..3e50125a 100644
235	--- a/parser/Makefile
236	+++ b/parser/Makefile
237	@@ -287,7 +287,7 @@ af_names.h: ../common/list_af_names.sh
238	# cat $@
239
240	cap_names.h: /usr/include/linux/capability.h
241	- echo "$(CAPABILITIES)" \| LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
242	+ ../common/list_capabilities.sh \| LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
243
244	tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
245	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
246	diff --git a/utils/Makefile b/utils/Makefile
247	index 68f8c376..ea9e0601 100644
248	--- a/utils/Makefile
249	+++ b/utils/Makefile
250	@@ -80,7 +80,7 @@ clean: pod_clean
251	.SILENT: check_severity_db
252	check_severity_db: /usr/include/linux/capability.h severity.db
253	# The sed statement is based on the one in the parser's makefile
254	- RC=0 ; for cap in ${CAPABILITIES} ; do \
255	+ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
256	if ! grep -q -w $${cap} severity.db ; then \
257	echo "Warning! capability $${cap} not found in severity.db" ; \
258	RC=1 ; \
259	diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
260	index fea134f6..6a5f02a2 100644
261	--- a/utils/vim/create-apparmor.vim.py
262	+++ b/utils/vim/create-apparmor.vim.py
263	@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
264	return [sp.returncode, out + outerr]
265
266	# get capabilities list
267	-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
268	+(rc, output) = cmd(['../../common/list_capabilities.sh'])
269	if rc != 0:
270	sys.stderr.write("make list_capabilities failed: " + output)
271	exit(rc)
272	--
273	2.26.2
274
275
276	From af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75 Mon Sep 17 00:00:00 2001
277	From: Christian Boltz <apparmor@cboltz.de>
278	Date: Sun, 29 Mar 2020 00:07:11 +0100
279	Subject: [PATCH 4/4] fix capabilities in apparmor.vim
280
281	https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
282	e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
283	capabilities to use a script.
284
285	A side effect is that the list is now separated by \n instead of
286	spaces. Adjust create-apparmor.vim.py to the new output.
287
288	(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
289	---
290	utils/vim/create-apparmor.vim.py \| 2 +-
291	1 file changed, 1 insertion(+), 1 deletion(-)
292
293	diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
294	index 6a5f02a2..b5df957a 100644
295	--- a/utils/vim/create-apparmor.vim.py
296	+++ b/utils/vim/create-apparmor.vim.py
297	@@ -50,7 +50,7 @@ if rc != 0:
298	sys.stderr.write("make list_capabilities failed: " + output)
299	exit(rc)
300
301	-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
302	+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
303	benign_caps = []
304	for cap in capabilities:
305	if cap not in danger_caps:
306	--
307	2.26.2
308