
MacでRaspberry Pi用kernelをcross-compileする時に発生するAppArmorのエラー回避方法

security/apparmor/Makefileを下記の通り修正

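# SPDX-License-Identifier: GPL-2.0
# Makefile for AppArmor Linux Security Module
#
# Cross-compile workaround (macOS host).  The GEN recipes kept below (commented
# out) rely on GNU sed extensions (-r, \L) that the host sed on macOS presumably
# does not accept, so generation is disabled here and capability_names.h,
# rlim_names.h and net_names.h are instead copied into this directory from a
# native build.  Those three tables are derived from THIS tree's uapi headers
# (include/uapi/linux/capability.h, include/linux/socket.h, include/linux/net.h,
# include/uapi/asm-generic/resource.h); copies taken from a different kernel
# version give AppArmor wrong capability / address-family / rlimit names in
# audit records and securityfs, so copy them again after every version bump.
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o

apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
              path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
              resource.o secid.o file.o policy_ns.o label.o mount.o net.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

# Intentionally disabled: the copied headers are not build products here and
# must survive `make clean`.
#clean-files := capability_names.h rlim_names.h net_names.h

# Build a lower case string table of address family names
# Transform lines from
#    #define AF_LOCAL       1   /* POSIX name for AF_UNIX   */
#    #define AF_INET        2   /* Internet IP Protocol     */
# to
#    [1] = "local",
#    [2] = "inet",
#
# and build the securityfs entries for the mapping.
# Transforms lines from
#    #define AF_INET        2   /* Internet IP Protocol     */
# to
#    #define AA_SFS_AF_MASK "local inet"
#quiet_cmd_make-af = GEN     $@
#cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
#   sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
#    's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
#   echo "};" >> $@ ;\
#   printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
#   sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
#    's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
#    $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@

# Build a lower case string table of sock type names
# Transform lines from
#    SOCK_STREAM    = 1,
# to
#    [1] = "stream",
#quiet_cmd_make-sock = GEN     $@
#cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
#   sed $^ >>$@ -r -n \
#   -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
#   echo "};" >> $@

# Build a lower case string table of capability names
# Transforms lines from
#    #define CAP_DAC_OVERRIDE     1
# to
#    [1] = "dac_override",
#quiet_cmd_make-caps = GEN     $@
#cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
#   sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
#   -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
#   echo "};" >> $@ ;\
#   printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\
#   sed $< -r -n -e '/CAP_FS_MASK/d' \
#       -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
#        tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@


# Build a lower case string table of rlimit names.
# Transforms lines from
#    #define RLIMIT_STACK       3   /* max stack size */
# to
#    [RLIMIT_STACK] = "stack",
#
# and build a second integer table (with the second sed cmd), that maps
# RLIMIT defines to the order defined in asm-generic/resource.h  This is
# required by policy load to map policy ordering of RLIMITs to internal
# ordering for architectures that redefine an RLIMIT.
# Transforms lines from
#    #define RLIMIT_STACK       3   /* max stack size */
# to
# RLIMIT_STACK, 
#
# and build the securityfs entries for the mapping.
# Transforms lines from
#    #define RLIMIT_FSIZE        1   /* Maximum filesize */
#    #define RLIMIT_STACK       3   /* max stack size */
# to
# #define AA_SFS_RLIMIT_MASK "fsize stack"
#quiet_cmd_make-rlim = GEN     $@
#cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
#   > $@ ;\
#   sed $< >> $@ -r -n \
#       -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
#   echo "};" >> $@ ;\
#   echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
#   sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
#   echo "};" >> $@ ; \
#   printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\
#   sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \
#       tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@

# Stand-in for the disabled GEN recipes: each copied header's rule only checks
# that the copy is present.  With the original `$(call cmd,make-*)` lines the
# cmd_make-* variables are undefined, so a missing copy went unnoticed until
# capability.c / net.c / resource.c failed on the missing #include; now the
# rule itself fails with a message naming the file.  The uapi prerequisites are
# kept so the dependency the tables have on those headers stays visible.
quiet_cmd_check-copied = CHECK   $@
      cmd_check-copied = test -f $@ || \
	{ echo "$@ is missing: copy it from a native build of this same kernel source version" >&2; exit 1; }

$(obj)/capability.o : $(obj)/capability_names.h
$(obj)/net.o : $(obj)/net_names.h
$(obj)/resource.o : $(obj)/rlim_names.h
$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
                $(src)/Makefile
	$(call cmd,check-copied)
$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
              $(src)/Makefile
	$(call cmd,check-copied)
$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
             $(srctree)/include/linux/net.h \
             $(src)/Makefile
	$(call cmd,check-copied)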

Raspberry Piでnative buildした時にRaspberry Piのsecurity/apparmorディレクトリに生成されるcapability_names.h、rlim_names.h、net_names.hをMacのsecurity/apparmorフォルダにコピーする。これらのヘッダはそのkernel treeのuapiヘッダ（capability.h、socket.h、net.h、resource.h）から生成されるため、cross-compileするkernelと同じversionのsourceでnative buildしたものをコピーすること。Raspberry Pi Model 4B 2GBでデフォルトの設定でkernel 5.18をビルドした際に生成される各ファイルの内容は下記の通り。

capability_names.h

/*
 * Generated table: index = CAP_* value from include/uapi/linux/capability.h,
 * entry = the CAP_ name lower-cased (see the make-caps recipe in the Makefile).
 * This copy was produced by a native build of kernel 5.18; a newer tree that
 * adds CAP_* values needs a fresh copy, or those capabilities would be missing
 * from the table.
 */
static const char *const capability_names[] = {
[0] = "chown",
[1] = "dac_override",
[2] = "dac_read_search",
[3] = "fowner",
[4] = "fsetid",
[5] = "kill",
[6] = "setgid",
[7] = "setuid",
[8] = "setpcap",
[9] = "linux_immutable",
[10] = "net_bind_service",
[11] = "net_broadcast",
[12] = "net_admin",
[13] = "net_raw",
[14] = "ipc_lock",
[15] = "ipc_owner",
[16] = "sys_module",
[17] = "sys_rawio",
[18] = "sys_chroot",
[19] = "sys_ptrace",
[20] = "sys_pacct",
[21] = "sys_admin",
[22] = "sys_boot",
[23] = "sys_nice",
[24] = "sys_resource",
[25] = "sys_time",
[26] = "sys_tty_config",
[27] = "mknod",
[28] = "lease",
[29] = "audit_write",
[30] = "audit_control",
[31] = "setfcap",
[32] = "mac_override",
[33] = "mac_admin",
[34] = "syslog",
[35] = "wake_alarm",
[36] = "block_suspend",
[37] = "audit_read",
[38] = "perfmon",
[39] = "bpf",
[40] = "checkpoint_restore",
};
/* Same names, space-separated, in table order (AA_SFS_ prefix: presumably the
 * securityfs "mask" entry, as the Makefile describes for the other tables). */
#define AA_SFS_CAPS_MASK "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

net_names.h

/*
 * Generated table: index = AF_* value from include/linux/socket.h, entry = the
 * AF_ name lower-cased (make-af recipe in the Makefile; AF_MAX, AF_LOCAL and
 * AF_ROUTE are dropped by the generator).  Index 12 has no entry because the
 * generator's pattern only matches upper-case names (presumably AF_DECnet),
 * so that slot is NULL; consumers are expected to tolerate NULL entries —
 * verify against net.c.  NOTE(review): unlike capability_names, the generator
 * emits the element pointers without const; kept as generated.
 */
static const char *address_family_names[] = {
[0] = "unspec",
[1] = "unix",
[2] = "inet",
[3] = "ax25",
[4] = "ipx",
[5] = "appletalk",
[6] = "netrom",
[7] = "bridge",
[8] = "atmpvc",
[9] = "x25",
[10] = "inet6",
[11] = "rose",
[13] = "netbeui",
[14] = "security",
[15] = "key",
[16] = "netlink",
[17] = "packet",
[18] = "ash",
[19] = "econet",
[20] = "atmsvc",
[21] = "rds",
[22] = "sna",
[23] = "irda",
[24] = "pppox",
[25] = "wanpipe",
[26] = "llc",
[27] = "ib",
[28] = "mpls",
[29] = "can",
[30] = "tipc",
[31] = "bluetooth",
[32] = "iucv",
[33] = "rxrpc",
[34] = "isdn",
[35] = "phonet",
[36] = "ieee802154",
[37] = "caif",
[38] = "alg",
[39] = "nfc",
[40] = "vsock",
[41] = "kcm",
[42] = "qipcrtr",
[43] = "smc",
[44] = "xdp",
[45] = "mctp",
};
/* Same names, space-separated, in table order; the securityfs entry for the
 * mapping per the Makefile's make-af comment. */
#define AA_SFS_AF_MASK "unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp mctp"
/*
 * Generated table: index = SOCK_* value from include/linux/net.h, entry = the
 * SOCK_ name lower-cased (make-sock recipe in the Makefile).  Indices 0 and
 * 7-9 have no SOCK_ name in this tree and are therefore NULL.
 */
static const char *sock_type_names[] = {
[1] = "stream",
[2] = "dgram",
[3] = "raw",
[4] = "rdm",
[5] = "seqpacket",
[6] = "dccp",
[10] = "packet",
};

rlim_names.h

/*
 * Generated tables from include/uapi/asm-generic/resource.h (make-rlim recipe
 * in the Makefile).  rlim_names: index = RLIMIT_* constant, entry = the name
 * lower-cased.
 */
static const char *const rlim_names[RLIM_NLIMITS] = {
[RLIMIT_CPU] = "cpu",
[RLIMIT_FSIZE] = "fsize",
[RLIMIT_DATA] = "data",
[RLIMIT_STACK] = "stack",
[RLIMIT_CORE] = "core",
[RLIMIT_RSS] = "rss",
[RLIMIT_NPROC] = "nproc",
[RLIMIT_NOFILE] = "nofile",
[RLIMIT_MEMLOCK] = "memlock",
[RLIMIT_AS] = "as",
[RLIMIT_LOCKS] = "locks",
[RLIMIT_SIGPENDING] = "sigpending",
[RLIMIT_MSGQUEUE] = "msgqueue",
[RLIMIT_NICE] = "nice",
[RLIMIT_RTPRIO] = "rtprio",
[RLIMIT_RTTIME] = "rttime",
};
/*
 * Positional: the ORDER of this initializer is the asm-generic order that
 * policy load maps policy RLIMIT ordering onto, for architectures that
 * redefine an RLIMIT (Makefile make-rlim comment).  Do not reorder by hand,
 * and take this copy from the same kernel version being built.
 */
static const int rlim_map[RLIM_NLIMITS] = {
RLIMIT_CPU,
RLIMIT_FSIZE,
RLIMIT_DATA,
RLIMIT_STACK,
RLIMIT_CORE,
RLIMIT_RSS,
RLIMIT_NPROC,
RLIMIT_NOFILE,
RLIMIT_MEMLOCK,
RLIMIT_AS,
RLIMIT_LOCKS,
RLIMIT_SIGPENDING,
RLIMIT_MSGQUEUE,
RLIMIT_NICE,
RLIMIT_RTPRIO,
RLIMIT_RTTIME,
};
/* Same names, space-separated, in table order; the securityfs entry for the
 * mapping per the Makefile's make-rlim comment. */
#define AA_SFS_RLIMIT_MASK "cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime"

以上の手順でMacのcross-compileでAppArmorがビルドできるようになりました。