apparmor.d/configure

#!/usr/bin/env bash
# Configure the apparmor.d package
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

readonly ROOT=.build
declare -a REMOVE_LIST

_die()  { printf '%s\n' "$*" >&2 && exit 1; }
_warning() { printf 'Warning: %s\n' "$*" >&2; }
_init() { rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"; }

# Remove files or directories in the package
remove_files() {
	msg="Remove unneeded profiles/resources:"
	for path in "${REMOVE_LIST[@]}"; do
    	[[ ! -e "${ROOT:?}/$path" ]] && continue
    	msg+=$'\n'"  $(stat -c '%A  %u:%g' "${ROOT:?}/$path")  $path"
	done
	echo "$msg"

	for path in "${REMOVE_LIST[@]}"; do
		rm -rf "${ROOT:?}/$path"
	done
}

# Set the distribution, flavor & groups
configure() {
	echo "Set the configuration for $DISTRIBUTION."
	if [[ "$DISTRIBUTION" == archlinux ]]; then
		REMOVE_LIST+=(
			apparmor.d/abstractions/apt-common
			apparmor.d/groups/apt
			apparmor.d/groups/cron
		)

	elif [[ "$DISTRIBUTION" == debian ]]; then
		REMOVE_LIST+=(
			apparmor.d/groups/pacman
			root/usr/share/libalpm/hooks/apparmor.hook
		)

	fi

}

# Initialise the apparmor.d with the selected configuration.
initialise() {
	_init
	remove_files

	echo "Ignore profiles in profiles.ignore."
    while read -r profile; do
		[[ "$profile" =~ ^\# ]] && continue
		if [[ "$profile" == */ ]]; then
			find "$ROOT/apparmor.d" -iname "${profile////}" -type d -exec rm -r {} \; 
		else
			find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
		fi
    done <profiles.ignore

	echo "Synchronise all profiles."
	mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
	rm -rf "${ROOT:?}/apparmor.d/groups/"
	for dir in profiles-a-l profiles-m-z; do
		mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/"
		rm -rf "${ROOT:?}/apparmor.d/$dir"
	done
}

# Set flags on some profile
setflags() {
	echo "Set apparmor flags from profiles.flags"
    while read -r profile; do
        IFS=' ' read -r -a manifest <<< "$profile"
        profile="${manifest[0]}" flags="${manifest[1]}"

        [[ "$profile" =~ ^\# ]] && continue
		path="${ROOT:?}/apparmor.d/$profile"
        if [[ ! -f "$path" ]]; then
			_warning "Profile $profile not found"
			continue
		fi

		# If flags is set, overwrite profile flag
        if [[ -n "$flags" ]]; then
			# Remove all flags definition, then set manifest' flags
			sed -e "s/flags=(.*)//" \
			 	-e "s/ {$/ flags=(${flags//,/ }) {/" \
				-i "$path"
        fi

    done <profiles.flags
}

# Print help message
cmd_help() {
	cat <<-_EOF
	./configure [options] - Configure the apparmor.d package

	Options:
	    --distribution=DIST Set the target Linux distribution (Archlinux, Debian)
	    --help              Print this help message and exit.
	_EOF
}

main() {
	local opts err
	opts="$(getopt -o h -l distribution:,help -n "$PROGRAM" -- "$@")"
	err=$?
	eval set -- "$opts"
	while true; do case $1 in
		--distribution) DISTRIBUTION="$2"; shift 2 ;;
		-h|--help) shift; cmd_help; exit 0 ;;
		--) shift; break ;;
	esac done

	[[ $err -ne 0 ]] && { cmd_help; exit 1; }

	configure
	initialise
	setflags

	exit 0
}

main "$@"