apparmor.d/configure

179 lines
4.9 KiB
Plaintext
Raw Normal View History

2021-04-02 19:12:15 +02:00
#!/usr/bin/env bash
# Configure the apparmor.d package
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
2021-05-01 15:27:14 +02:00
readonly ROOT=.build
2021-04-02 19:12:15 +02:00
_die() { printf 'Error: %s\n' "$*" >&2 && exit 1; }
2021-09-19 21:39:13 +02:00
_warning() { printf ' Warning: %s\n' "$*" >&2; }
2021-04-02 19:12:15 +02:00
2021-09-19 21:39:13 +02:00
# Displace files in the package sources
# $@ List of files to displace
_displace_files() {
for path in "$@"; do
mv "${ROOT:?}/$path" "${ROOT:?}/$path.apparmor.d"
2021-04-02 19:12:15 +02:00
done
}
# Initialize a new clean apparmor.d build directory
initialize() {
2021-09-19 21:39:13 +02:00
rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"
2021-04-02 19:12:15 +02:00
}
# Ignore profiles in profiles.ignore
ignore() {
2021-09-19 21:39:13 +02:00
echo " Ignore profiles in profiles.ignore."
while read -r profile; do
[[ "$profile" =~ ^\# ]] && continue
if [[ "$profile" == */ ]]; then
find "$ROOT/apparmor.d" -iname "${profile////}" -type d -exec rm -r {} \;
else
find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
fi
done <profiles.ignore
}
# Set the distribution specificities
configure() {
2021-09-19 21:39:13 +02:00
case "$DISTRIBUTION" in
archlinux)
echo " Ignore non Archlinux profiles."
rm -rf \
"${ROOT:?}"/apparmor.d/abstractions/apt-common \
"${ROOT:?}"/apparmor.d/groups/apt \
"${ROOT:?}"/apparmor.d/groups/cron \
"${ROOT:?}"/root/etc/initramfs-tools
echo " Configure libexec."
sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend"
2021-09-19 21:39:13 +02:00
;;
debian)
echo " Ignore non Debian profiles."
rm -rf \
"${ROOT:?}"/apparmor.d/groups/pacman \
"${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook
echo " Configure libexec."
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend"
2021-09-19 21:39:13 +02:00
echo " Debian does not support abi 3.0 yet."
find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
2021-09-19 21:39:13 +02:00
echo " Debian does not have etc tunable."
sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global"
echo " Displace overwritten files."
_displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs
if [[ "$(lsb_release -is)" == "Ubuntu" ]]; then
echo " Ubuntu LTS compatibility."
echo "@{run}=/run/ /var/run/" > "$ROOT/apparmor.d/tunables/run"
sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \
"$ROOT/apparmor.d/groups/virt/libvirtd"
fi
2021-09-19 21:39:13 +02:00
;;
*) _die "$DISTRIBUTION is not a supported distribution." ;;
esac
}
# Synchronise all profile in a new apparmor.d directory.
synchronise() {
echo "Synchronise all profiles."
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
2021-04-02 19:12:15 +02:00
rm -rf "${ROOT:?}/apparmor.d/groups/"
2021-09-15 17:57:38 +02:00
for dir in profiles-a-f profiles-g-l profiles-m-r profiles-s-z; do
mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/"
2021-04-02 19:12:15 +02:00
rm -rf "${ROOT:?}/apparmor.d/$dir"
done
}
# Set flags on some profile
setflags() {
echo "Set apparmor flags from profiles.flags"
2021-04-02 19:12:15 +02:00
while read -r profile; do
IFS=' ' read -r -a manifest <<< "$profile"
profile="${manifest[0]}" flags="${manifest[1]}"
2021-09-19 21:39:13 +02:00
[[ "$profile" =~ ^\# || -z "$profile" ]] && continue
path="${ROOT:?}/apparmor.d/$profile"
2021-04-04 00:51:57 +02:00
if [[ ! -f "$path" ]]; then
2021-04-04 17:47:47 +02:00
_warning "Profile $profile not found"
2021-04-12 13:58:59 +02:00
continue
2021-04-04 00:22:09 +02:00
fi
2021-04-02 19:12:15 +02:00
# If flags is set, overwrite profile flag
if [[ -n "$flags" ]]; then
# Remove all flags definition, then set manifest' flags
sed -e "s/flags=(.*)//" \
-e "s/ {$/ flags=(${flags//,/ }) {/" \
-i "$path"
fi
done <profiles.flags
}
# Set AppArmor for full system policy
full() {
echo WIP
}
# Set complain flag on all profile (Dev only)
complain() {
echo "Set complain flag on all profile"
for path in "${ROOT:?}/apparmor.d/"*; do
[[ -d "$path" ]] && continue
flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
[[ "$flags" =~ complain ]] && continue
echo -n .
sed -e "s/flags=(.*)//" \
-e "s/ {$/ flags=(complain $flags) {/" \
-i "$path"
done
echo
2021-04-02 19:12:15 +02:00
}
# Print help message
cmd_help() {
cat <<-_EOF
./configure [options] - Configure the apparmor.d package
Options:
-d DIST, --dist=DIST Set the target Linux distribution: archlinux, debian
-f, --full Set AppArmor for full system policy
-c, --complain Set complain flag on all profiles
-h, --help Print this help message and exit
2021-04-02 19:12:15 +02:00
_EOF
}
main() {
local opts err full=0 complain=0
small_arg="d:cfh"
long_arg="dist:,complain,full,help"
opts="$(getopt -o $small_arg -l $long_arg -n "$PROGRAM" -- "$@")"
2021-04-02 19:12:15 +02:00
err=$?
eval set -- "$opts"
while true; do case $1 in
-d|--dist) DISTRIBUTION="$2"; shift 2 ;;
-f|--full) full=1; shift ;;
-c|--complain) complain=1; shift ;;
2021-04-02 19:12:15 +02:00
-h|--help) shift; cmd_help; exit 0 ;;
--) shift; break ;;
esac done
[[ $err -ne 0 ]] && { cmd_help; exit 1; }
echo "Set the configuration for $DISTRIBUTION."
initialize || _die "initializing build directory"
ignore || _die "removing ignored profiles"
configure || _die "configuring distributaion"
synchronise || _die "merging profiles"
setflags || _die "settings flags"
2021-04-02 19:12:15 +02:00
}
main "$@"