From 0177b683080a052e8e43ff3b15794e72230ef073 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Sep 2022 18:14:58 +0100 Subject: [PATCH] build: default to complain mode. --- PKGBUILD | 2 +- README.md | 22 ++++++++++------------ debian/rules | 2 +- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index 407ff648..71187a67 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -20,7 +20,7 @@ prepare() { git clone "$startdir" "$srcdir/$pkgname" cd "$srcdir/$pkgname" - ./configure + ./configure --complain } build() { diff --git a/README.md b/README.md index 01a0bfb4..1733bd4f 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it ## Installation +> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore_mode) + **Requirements** * An `apparmor` based linux distribution. * Base profiles and abstractions shipped with AppArmor are supposed to be @@ -62,7 +64,6 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \ --overwrite etc/apparmor.d/abstractions/trash ``` -> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) **Debian / Ubuntu** @@ -74,8 +75,6 @@ dpkg-buildpackage -b -d --no-sign sudo dpkg -i ../apparmor.d_*_all.deb ``` -> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting) - **Partial install** For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: 
@@ -162,18 +161,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules. Then, reload the apparmor rules with `sudo systemctl restart apparmor`. -## Troubleshooting +## Enfore Mode -**Complain mode** - -On first install and for test purposes, it is recommended to pass all profiles -in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` -on Debian and add the `--complain` option to the configure script. Then build -the package as usual: -```sh -./configure --complain +The default package configuration installs all profile in *complain* mode. +You can easily swicth to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual: +```diff +- ./configure --complain ++ ./configure ``` +## Troubleshooting + **AppArmor messages** Ensure that `auditd` is installed and running on your system in order to read diff --git a/debian/rules b/debian/rules index 2772b4bc..a2bb88e4 100755 --- a/debian/rules +++ b/debian/rules @@ -13,7 +13,7 @@ go build ./cmd/aa-log override_dh_auto_configure: - ./configure + ./configure --complain override_dh_install: mv systemd system
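Review bot: In the README.md hunk at `@@ -44,6 +44,8 @@`, the new warning links to `#enfore_mode`, which will not resolve. The heading added further down is `## Enfore Mode`, and a Markdown renderer that builds anchors from headings lowercases the text and turns the space into a hyphen, not an underscore. Both the heading and the link also misspell "Enforce". Suggest renaming the heading to `## Enforce Mode` and linking to `#enforce-mode`. In the same line, "the default package configuration install" should read "installs".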
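Review bot: In the README.md hunk at `@@ -162,18 +161,17 @@`, the new section never says what complain mode means for the user: profiles in complain mode log policy violations but do not block them, so a default install confines nothing until the package is rebuilt without `--complain`. One sentence stating that would keep readers from assuming they are protected after installing. The added lines also need a wording pass: "swicth" should be "switch", "installs all profile" should be "all profiles", and "remove the `--complain` option to the configure script" should be "from the configure script".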
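Review bot: In the debian/rules hunk (`override_dh_auto_configure`), and likewise in `prepare()` in PKGBUILD, `--complain` is now hard-coded in the packaging recipe, so the only way to get enforce mode is to edit a tracked file and rebuild, which is what the README now instructs. Consider reading the flag from a variable that can be overridden at build time, so the default stays complain while users who want enforcement do not have to carry a local change to the packaging files. Also note that the subject line says "default to complain mode" while the visible lines leave the default of `./configure` itself untouched; only the two package recipes change, which is worth stating in the commit message.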