HardenedBSD/contrib/openbsm/FREEBSD-upgrade
2024-05-31 13:49:17 -06:00

Upgrade Instructions for OpenBSM
--------------------------------

OpenBSM integrates into the FreeBSD source tree in several places:

    src/contrib/openbsm       The OpenBSM distribution itself
    src/sys/bsm               Modified versions of some bsm/ include files
    src/sys/security/audit    Kernel audit framework, some OpenBSM-based files
    src/usr.sbin/*audit*      Makefiles for various OpenBSM tools
    src/etc/Makefile          Installation of /etc OpenBSM files
    src/lib/libbsm/*          Build for OpenBSM library

OpenBSM is normally built using an integrated autoconf/automake build
system. For the purposes of tight integration with FreeBSD, we use an
adapted BSD make (bmake) build system loosely based on the automake
setup. We also rely on a static config.h generated when OpenBSM is
imported, rather than re-configuring every build. This leads to a
more reproducible build environment, and avoids dependence on things
not in the base tree (e.g., autoconf, automake, GNU make).

An upgrade of OpenBSM generally involves the following steps:

- Vendor import of OpenBSM into src/contrib.
- Run configure, commit src/contrib/openbsm/config/config.h.
- Replication of src/contrib/openbsm/bsm changes into src/sys/bsm.
- Possible updates to src/sys/security/audit, especially relating to
  audit_bsm_token.c.
- Update any library, tool, or etc BSD Makefiles to add new files,
  defines, or other generally useful or necessary things.

Certain files are present only in the vendor branch, and not in FreeBSD
development branches:

    contrib/openbsm/bsm       audit.h audit_internal.h audit_kevents.h
                              audit_record.h

This prevents confusion regarding whether the src/sys/bsm or contrib
versions of the include files should be used in the build. Normally, the
CVS vendor import goes along the following lines:

    cd ~/p4/projects/trustedbsd/openbsm
    cvs -n -d rwatson@repoman.FreeBSD.org:/home/ncvs -q import \
        src/contrib/openbsm TrustedBSD OPENBSM_1_0_ALPHA_1

Replacing the version string as required. Remove the "-n" argument once
the import is tested in order to perform the actual import.

Propagation of changes to src/sys/{bsm,security/audit} is something that
requires careful coordination and attention to detail. These files are
not on CVS vendor branches, but do have the same local vs. vendor merge
issues. Remember that contrib/openbsm (and the rest of the system) will
be built with the version of the bsm/ include files in src/sys/bsm, not
the version in contrib/openbsm/bsm, so buildworld tests before committing
are necessary, and the commits to various parts of the system must be
made in close succession.
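
The replication of bsm/ header changes into src/sys/bsm can be planned
before the first buildworld test. The script below is an added example,
not part of OpenBSM or the FreeBSD tree; the function name bsm_merge_plan,
its status words, and the three directory arguments are assumptions made
for illustration.

```shell
#!/bin/sh
# Added example (not OpenBSM/FreeBSD code): decide, per bsm/ header, what an
# OpenBSM import requires in src/sys/bsm. All names here are hypothetical.
BSM_HEADERS="audit.h audit_internal.h audit_kevents.h audit_record.h"

# bsm_merge_plan OLD_VENDOR NEW_VENDOR SYS_BSM
#   OLD_VENDOR  bsm/ directory of the previously imported OpenBSM release
#   NEW_VENDOR  bsm/ directory of the release being imported
#   SYS_BSM     the tree's src/sys/bsm directory
# Prints one "<status> <header>" line per header. Returns 1 if any header
# still needs work in src/sys/bsm, 0 otherwise.
bsm_merge_plan() {
    old=$1 new=$2 sys=$3 rc=0
    for h in $BSM_HEADERS; do
        if [ ! -f "$new/$h" ]; then
            # The new release no longer ships this header.
            echo "missing-upstream $h"; rc=1
        elif [ ! -f "$sys/$h" ]; then
            echo "missing-sys $h"; rc=1
        elif [ -f "$old/$h" ] && cmp -s "$old/$h" "$new/$h"; then
            # Vendor did not touch it: src/sys/bsm stays as it is.
            echo "unchanged $h"
        elif cmp -s "$new/$h" "$sys/$h"; then
            # Vendor change is already present in src/sys/bsm.
            echo "replicated $h"
        elif [ -f "$old/$h" ] && cmp -s "$old/$h" "$sys/$h"; then
            # No local modifications: the new vendor file can be copied.
            echo "copy $h"; rc=1
        else
            # Vendor and local copies both changed: merge by hand.
            echo "merge $h"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh bsm_merge_plan.sh OLD_VENDOR NEW_VENDOR SYS_BSM
if [ $# -eq 3 ]; then
    bsm_merge_plan "$@"
fi
```

A non-zero return means at least one header in src/sys/bsm must be updated
in the same series of commits as the contrib/openbsm import.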