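---
# Ubuntu CI workflow: lint the profiles (check), build the apparmor.d Debian
# package across a matrix of Ubuntu releases and policy modes (build), then run
# the bats integration tests against the package produced in default mode on
# ubuntu-24.04 (tests). Each job depends on the previous one via `needs`.
name: Ubuntu

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as
# the trigger key, so the truthy rule is suppressed rather than the key quoted.
on: [push, pull_request, workflow_dispatch]  # yamllint disable-line rule:truthy

# Least privilege for GITHUB_TOKEN: no step in this workflow writes to the
# repository, so read-only access to its contents is sufficient for checkout.
# actions/cache uses the Actions runtime token, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  # Fast gate: the profile linter must pass before anything is built.
  check:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repository code
        # NOTE(review): the major-version tag is mutable; pin to a full commit
        # SHA if supply-chain hardening of the workflow is wanted.
        uses: actions/checkout@v4

      - name: Run basic profile linter check
        run: |
          make check

  # Build the package on every (os, mode) combination of the matrix.
  build:
    runs-on: ${{ matrix.os }}
    needs: check
    strategy:
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
        mode:
          - default
          - full-system-policy
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Install Build dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            devscripts debhelper config-package-dev \
            auditd apparmor-profiles apparmor-utils
          sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real

      - name: Build the apparmor.d package
        # The matrix value is passed through an environment variable instead
        # of being interpolated into the shell script with `${{ }}`: the
        # values are workflow-defined here, but the env form is the pattern
        # that stays safe if the input ever becomes externally controlled.
        env:
          MODE: ${{ matrix.mode }}
        run: |
          if [[ "$MODE" == full-system-policy ]]; then
            echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
          fi
          bash dists/build.sh dpkg

      - name: Install apparmor.d
        # `|| true` keeps the job going when dpkg reports an error; later
        # steps then inspect whatever state the install left behind.
        run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true

      - name: Reload AppArmor
        run: |
          sudo systemctl restart apparmor.service || true
          sudo systemctl status apparmor.service

      - name: Ensure compatibility with some AppArmor userspace tools
        if: matrix.os != 'ubuntu-24.04'
        run: |
          sudo aa-enforce /etc/apparmor.d/aa-notify

      - name: Show AppArmor log and rules
        run: |
          sudo aa-log
          sudo aa-log -s
          sudo aa-log -r

      - name: Show Number of loaded profile
        run: sudo aa-status --profiled

      - name: Cache the build package
        # Only the default-mode ubuntu-24.04 package is handed to the tests
        # job. NOTE(review): the cache is a best-effort store and the restore
        # side matches by key prefix, so a package from an earlier run could
        # be served; upload-artifact/download-artifact would tie the tests to
        # exactly this run's build.
        if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04'
        uses: actions/cache/save@v4
        with:
          path: .pkg/apparmor.d_*_amd64.deb
          key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}

  # Install the cached package on a fresh runner and exercise it.
  tests:
    runs-on: ubuntu-24.04
    needs: build
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Restore the cached build package
        uses: actions/cache/restore@v4
        with:
          fail-on-cache-miss: true
          path: .pkg/apparmor.d_*_amd64.deb
          # On a fresh checkout .pkg/ does not exist yet, so hashFiles() is
          # empty and the match effectively comes from restore-keys.
          key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}
          restore-keys: |
            ubuntu-24.04-default-

      - name: Install Tests dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            apparmor-profiles apparmor-utils \
            bats bats-support
          sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart

      - name: Install apparmor.d
        # Unlike the build job, the AppArmor restart is not masked with
        # `|| true`: a policy that fails to load should fail the tests.
        run: |
          sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
          sudo systemctl restart apparmor.service

      - name: Restart some services to ensure they are confined
        run: |
          services=(
            containerd cron
            dbus docker
            ModemManager multipathd
            networkd-dispatcher
            packagekit polkit
            snapd
            systemd-journald systemd-hostnamed systemd-logind systemd-networkd
            systemd-resolved systemd-udevd
            udisks2
          )
          sudo systemctl daemon-reload
          for service in "${services[@]}"; do
            sudo systemctl restart "$service" || systemctl status "$service.service" || true
          done
          sudo ps auxZ | grep -v '\[.*\]'
          sudo aa-log -s --raw

      - name: Install integration dependencies
        run: |
          bash tests/requirements.sh

      - name: Run the bats integration tests
        run: |
          make bats

      # Diagnostics run even when an earlier step failed.
      - name: Show final AppArmor logs
        if: always()
        run: |
          sudo aa-log -s --raw

      - name: Show final processes security context
        if: always()
        run: |
          sudo ps auxZ | grep -v '\[.*\]'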