2023-05-06 14:01:07 +02:00
|
|
|
// apparmor.d - Full set of apparmor profiles
|
2024-02-07 00:16:21 +01:00
|
|
|
// Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
|
2023-05-06 14:01:07 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
|
|
package prebuild
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"os"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/arduino/go-paths-helper"
|
|
|
|
|
"golang.org/x/exp/slices"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2023-07-25 23:07:38 +02:00
|
|
|
osReleaseFile = "/etc/os-release"
|
|
|
|
|
supportedDists = map[string][]string{
|
2023-07-25 23:02:18 +02:00
|
|
|
"arch": {},
|
|
|
|
|
"debian": {},
|
|
|
|
|
"ubuntu": {},
|
2024-02-29 00:27:57 +01:00
|
|
|
"opensuse": {"suse", "opensuse-tumbleweed"},
|
2023-07-25 23:02:18 +02:00
|
|
|
"whonix": {},
|
|
|
|
|
}
|
2024-02-29 01:38:29 +01:00
|
|
|
)
|
2023-05-06 14:01:07 +02:00
|
|
|
|
2024-02-28 18:35:14 +01:00
|
|
|
func NewOSRelease() map[string]string {
|
|
|
|
|
var lines []string
|
|
|
|
|
var err error
|
|
|
|
|
for _, name := range []string{osReleaseFile, "/usr/lib/os-release"} {
|
|
|
|
|
path := paths.New(name)
|
|
|
|
|
if path.Exist() {
|
|
|
|
|
lines, err = path.ReadFileAsLines()
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
break
|
|
|
|
|
}
|
2023-05-06 14:01:07 +02:00
|
|
|
}
|
2024-02-28 18:35:14 +01:00
|
|
|
os := map[string]string{}
|
2023-05-06 14:01:07 +02:00
|
|
|
for _, line := range lines {
|
|
|
|
|
item := strings.Split(line, "=")
|
2024-02-28 18:35:14 +01:00
|
|
|
if len(item) == 2 {
|
|
|
|
|
os[item[0]] = strings.Trim(item[1], "\"")
|
2023-05-06 14:01:07 +02:00
|
|
|
}
|
|
|
|
|
}
|
2024-02-28 18:35:14 +01:00
|
|
|
return os
|
|
|
|
|
}
|
2023-05-06 14:01:07 +02:00
|
|
|
|
2024-02-28 18:35:14 +01:00
|
|
|
func getSupportedDistribution() string {
|
|
|
|
|
dist, present := os.LookupEnv("DISTRIBUTION")
|
|
|
|
|
if present {
|
|
|
|
|
return dist
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
os := NewOSRelease()
|
|
|
|
|
id := os["ID"]
|
2023-07-26 00:06:14 +02:00
|
|
|
if id == "ubuntu" {
|
|
|
|
|
return id
|
|
|
|
|
}
|
2024-02-28 18:35:14 +01:00
|
|
|
id_like := os["ID_LIKE"]
|
2023-07-25 23:02:18 +02:00
|
|
|
for main, based := range supportedDists {
|
|
|
|
|
if main == id || main == id_like {
|
|
|
|
|
return main
|
|
|
|
|
} else if slices.Contains(based, id) {
|
|
|
|
|
return main
|
|
|
|
|
} else if slices.Contains(based, id_like) {
|
|
|
|
|
return main
|
|
|
|
|
}
|
2023-05-06 14:01:07 +02:00
|
|
|
}
|
|
|
|
|
return id
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func copyTo(src *paths.Path, dst *paths.Path) error {
|
2023-11-19 15:47:55 +01:00
|
|
|
files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md"))
|
2023-05-06 14:01:07 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
for _, file := range files {
|
|
|
|
|
destination, err := file.RelFrom(src)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
destination = dst.JoinPath(destination)
|
2023-11-19 15:20:14 +01:00
|
|
|
if err := destination.Parent().MkdirAll(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-05-06 14:01:07 +02:00
|
|
|
if err := file.CopyTo(destination); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2024-02-28 18:35:14 +01:00
|
|
|
|
2024-03-10 15:43:43 +01:00
|
|
|
// Overwrite upstream profile: rename our profile & hide upstream
|
|
|
|
|
func debianOverwrite(files []string) {
|
2024-02-28 18:35:14 +01:00
|
|
|
const ext = ".apparmor.d"
|
2024-03-10 15:43:43 +01:00
|
|
|
file, err := paths.New("debian/apparmor.d.hide").Append()
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
2024-02-28 18:35:14 +01:00
|
|
|
for _, name := range files {
|
|
|
|
|
origin := RootApparmord.Join(name)
|
|
|
|
|
dest := RootApparmord.Join(name + ext)
|
|
|
|
|
if err := origin.Rename(dest); err != nil {
|
2024-03-10 15:43:43 +01:00
|
|
|
panic(err)
|
2024-02-28 18:35:14 +01:00
|
|
|
}
|
2024-03-10 15:43:43 +01:00
|
|
|
if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil {
|
|
|
|
|
panic(err)
|
2024-02-28 18:35:14 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-10 15:43:43 +01:00
|
|
|
// Clean the debian/apparmor.d.hide file
|
|
|
|
|
func debianOverwriteClean() {
|
|
|
|
|
const debianHide = `# This file is generated by "make", all edit will be lost.
|
|
|
|
|
|
|
|
|
|
/etc/apparmor.d/usr.bin.firefox
|
|
|
|
|
/etc/apparmor.d/usr.sbin.cups-browsed
|
|
|
|
|
/etc/apparmor.d/usr.sbin.cupsd
|
|
|
|
|
/etc/apparmor.d/usr.sbin.rsyslogd
|
|
|
|
|
`
|
|
|
|
|
path := paths.New("debian/apparmor.d.hide")
|
|
|
|
|
if err := path.WriteFile([]byte(debianHide)); err != nil {
|
2024-02-29 01:03:39 +01:00
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-10 15:43:43 +01:00
|
|
|
// Get the list of upstream profiles to overwrite from dist/overwrite
|
|
|
|
|
func getOverwriteProfiles() []string {
|
2024-02-28 18:35:14 +01:00
|
|
|
res := []string{}
|
2024-03-10 15:43:43 +01:00
|
|
|
lines, err := DistDir.Join("overwrite").ReadFileAsLines()
|
2024-02-28 18:35:14 +01:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
for _, line := range lines {
|
|
|
|
|
if strings.HasPrefix(line, "#") || line == "" {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
res = append(res, line)
|
|
|
|
|
}
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
