// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
package prepare
import (
"strings"
"github.com/roddhjav/apparmor.d/pkg/paths"
"github.com/roddhjav/apparmor.d/pkg/prebuild"
"github.com/roddhjav/apparmor.d/pkg/util"
)
// FullSystemPolicy is the prebuild task that reconfigures the generated
// AppArmor tree for full system policy (registered under the "fsp" keyword).
// It only carries the embedded prebuild.Base task metadata; all work is done
// in Apply.
type FullSystemPolicy struct {
	prebuild.Base
}
// init registers the full system policy task so it can be selected with the
// "fsp" keyword.
func init() {
	task := &FullSystemPolicy{}
	// Keyword and Msg are promoted from the embedded prebuild.Base.
	task.Keyword = "fsp"
	task.Msg = "Configure AppArmor for full system policy"
	RegisterTask(task)
}
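// Apply switches the build tree to full system policy. In order it:
//   - copies the apparmor.d/groups/_full/ profiles into the apparmor.d root,
//   - rewrites tunables/multiarch.d/system so systemd and systemd-user run
//     under their confined profiles instead of unconfined,
//   - strips the gst-plugin-scanner rules from abstractions/gstreamer,
//   - copies the "full" systemd unit drop-in files into the systemd root.
//
// The returned slice is always empty; it only satisfies the task interface.
// The first I/O error from any step is returned unchanged and later steps
// are skipped.
func (p FullSystemPolicy) Apply() ([]string, error) {
	res := []string{}

	// Install full system policy profiles
	if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil {
		return res, err
	}

	// Set systemd profile name
	if err := fspRewrite(prebuild.RootApparmord.Join("tunables/multiarch.d/system"), fspSystemdProfiles); err != nil {
		return res, err
	}

	// Fix conflicting x modifiers in abstractions - FIXME: Temporary solution
	if err := fspRewrite(prebuild.RootApparmord.Join("abstractions/gstreamer"), fspGstreamer); err != nil {
		return res, err
	}

	// Set systemd unit drop-in files
	return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd"))
}

// fspRewritable is the subset of the paths API that fspRewrite needs: read a
// whole file as a string and write it back. The values returned by
// prebuild.RootApparmord.Join satisfy it.
type fspRewritable interface {
	ReadFileAsString() (string, error)
	WriteFile([]byte) error
}

// fspRewrite reads path, applies edit to its content and writes the result
// back in place. Read and write errors are returned unchanged.
func fspRewrite(path fspRewritable, edit func(string) string) error {
	out, err := path.ReadFileAsString()
	if err != nil {
		return err
	}
	return path.WriteFile([]byte(edit(out)))
}

// fspSystemdProfiles points the systemd tunables at the confined "systemd"
// and "systemd-user" profiles instead of leaving them unconfined.
//
// Both substitutions are plain text replacements: if a marker is absent from
// the file (already edited, or renamed upstream) the replacement is a silent
// no-op and systemd stays unconfined. NOTE(review): failing the build when
// neither marker is found would make that case visible instead of silently
// producing a weaker policy.
func fspSystemdProfiles(out string) string {
	out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd")
	return strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user")
}

// fspGstreamer blanks the text of every line mentioning gst-plugin-scanner in
// the gstreamer abstraction; the original comment describes this as a
// temporary fix for conflicting x modifiers. The pattern does not cross line
// breaks, so the (now empty) lines themselves are kept.
func fspGstreamer(out string) string {
	regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``})
	return regFixConflictX.Replace(out)
}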