DISTCHECK_CONFIGURE_FLAGS = $(CONFIGURE_ARGS) \
--with-sysusersdir=no \
--with-systemdsystemunitdir=no \
- --with-launchddaemonsdir=no
+ --with-launchddaemonsdir=no \
+ --with-apparmordir=no
+
case of static linking.
+ Introduce the notion of default local port. New interfaces will
use it as a base. This allows setting various MED stuff.
+ + Provide an apparmor profile (untested).
lldpd (0.7.17)
* Fix:
AM_CONDITIONAL(HAVE_SYSUSERSDIR,
[test -n "$with_sysusersdir" -a "x$with_sysusersdir" != xno ])
+# AppArmor
+lldp_ARG_WITH([apparmordir], [Directory for AppArmor profiles (Linux)],
+ [no])
+AC_SUBST([apparmordir], [$with_apparmordir])
+AM_CONDITIONAL(HAVE_APPARMORDIR,
+ [test -n "$with_apparmordir" -a "x$with_apprmordir" != xno ])
+
# Systemtap/DTrace
lldp_SYSTEMTAP
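Review bot: The added AM_CONDITIONAL for HAVE_APPARMORDIR tests `"x$with_apprmordir"`, a misspelled variable that is never set, so the `!= xno` half is always true and the condition holds whenever `$with_apparmordir` is non-empty, including the value `no`. If lldp_ARG_WITH applies its `[no]` default as the argument suggests, the profile install would be enabled by default with `apparmordir` set to `no`, and the `--with-apparmordir=no` added to the distcheck flags would not turn it off. The test should read `[test -n "$with_apparmordir" -a "x$with_apparmordir" != xno ])`, matching the HAVE_SYSUSERSDIR test just above it.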
edit = $(SED) \
-e 's|@bindir[@]|$(bindir)|g' \
-e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
-e 's|@libdir[@]|$(libdir)|g' \
-e 's|@includedir[@]|$(includedir)|g' \
-e 's|@PRIVSEP_USER[@]|$(PRIVSEP_USER)|g' \
-e 's|@PRIVSEP_GROUP[@]|$(PRIVSEP_GROUP)|g' \
-e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g' \
- -e 's|@LLDPD_CTL_SOCKET[@]|$(LLDPD_CTL_SOCKET)|g'
+ -e 's|@LLDPD_PID_FILE[@]|$(LLDPD_PID_FILE)|g' \
+ -e 's|@LLDPD_CTL_SOCKET[@]|$(LLDPD_CTL_SOCKET)|g' \
+ -e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g'
$(TEMPLATES): Makefile
$(AM_V_GEN)mkdir -p $(@D) && $(edit) $(srcdir)/$@.in > $@.tmp && mv $@.tmp $@
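Review bot: The last added expression, `-e 's|@PRIVSEP_CHROOT[@]|$(PRIVSEP_CHROOT)|g'`, repeats a substitution that is already present a few lines earlier in the same `edit` definition. The second pass can never match because the placeholder has already been replaced, so it can be dropped. The list would then end on the `@LLDPD_CTL_SOCKET[@]` line, without the trailing backslash.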
sysusers_DATA = lldpd.sysusers.conf
endif
-TEMPLATES = lldpd.8 lldpd.service lldpd.sysusers.conf
-EXTRA_DIST += lldpd.8.in lldpd.service.in lldpd.sysusers.conf.in
+if HOST_OS_LINUX
+if HAVE_APPARMORDIR
+apparmor_DATA = usr.sbin.lldpd
+endif
+endif
+
+TEMPLATES = lldpd.8 lldpd.service lldpd.sysusers.conf usr.sbin.lldpd
+EXTRA_DIST += lldpd.8.in lldpd.service.in lldpd.sysusers.conf.in usr.sbin.lldpd.in
CLEANFILES += $(TEMPLATES)
lldpd.8: lldpd.8.in
lldpd.service: lldpd.service.in
lldpd.sysusers.conf: lldpd.sysusers.conf.in
+usr.sbin.lldpd: usr.sbin.lldpd.in
include $(top_srcdir)/edit.am
--- /dev/null
+#include <tunables/global>
+
+@sbindir@/lldpd {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability chown,
+ capability dac_override,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_module,
+
+ # Need to receive/send raw packets
+ network packet raw,
+
+ @sbindir@/lldpd mr,
+
+ # Ability to run lldpcli for self-configuration
+ @sbindir@/lldpcli rix,
+ @sysconfdir@/lldpd.d/* r,
+ @sysconfdir@/lldpd.conf r,
+
+ # PID file and socket
+ @LLDPD_PID_FILE@ rw,
+ @LLDPD_CTL_SOCKET@ rw,
+
+ # Chroot setup
+ @PRIVSEP_CHROOT@/etc/ rw,
+ @PRIVSEP_CHROOT@/etc/localtime rw,
+
+ # Gather system description
+ /etc/os-release r,
+ /usr/lib/os-release r,
+ /usr/bin/lsb_release Cxr -> lsb_release,
+ profile lsb_release {
+ #include <abstractions/base>
+ #include <abstractions/python>
+ /usr/bin/lsb_release r,
+ /bin/dash ixr,
+ /usr/bin/dpkg-query ixr,
+ /usr/include/python2.[4567]/pyconfig.h r,
+ /etc/lsb-release r,
+ /etc/debian_version r,
+ /var/lib/dpkg/** r,
+
+ /usr/local/lib/python3.[0-4]/dist-packages/ r,
+ /usr/bin/ r,
+ /usr/bin/python3.[0-4] r,
+ }
+
+ # Gather network information
+ @{PROC}/sys/net/ipv4/ip_forward r,
+ @{PROC}/net/bonding/* r,
+ @{PROC}/self/net/bonding/* r,
+ /sys/devices/virtual/dmi/** r,
+ /sys/devices/pci**/net/*/ifalias r,
+}
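Review bot: The capability block grants `sys_module` and `dac_override` with no comment saying why the daemon needs them, and these two do the most to widen what a compromised lldpd could do (loading kernel modules, bypassing file permission checks). Since the changelog entry marks the profile as untested, each broad capability deserves a why-comment such as `# needed to <reason>`, or removal until a denial in the audit log shows it is required. Separately, `@sbindir@/lldpcli rix,` runs lldpcli under this same profile with all of those capabilities; a child profile, as already done for lsb_release with `Cxr -> lsb_release`, would let it be confined to the configuration files and the control socket. The hard-coded `python2.[4567]` and `python3.[0-4]` paths in the lsb_release sub-profile will also stop matching on newer interpreters.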