mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-23 19:38:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add Github Action & add support for the last Ubuntu LTS.

Browse source
This commit is contained in:
Alexandre Pujol 2021-12-02 12:35:13 +00:00
parent b52cbe564c
commit 0fc9c8b5b0
Failed to generate hash of commit
14 changed files with 518 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
.github/workflows/main.yml vendored Normal file
View file

@ -0,0 +1,37 @@
name: Ubuntu
on: [push, pull_request, workflow_dispatch]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v2
- name: Install Build dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y \
devscripts debhelper config-package-dev \
auditd apparmor-profiles
- name: Build the apparmor.d package
run: dpkg-buildpackage -b -d --no-sign
- name: Install apparmor.d
run: sudo dpkg --install ../apparmor.d_*_all.deb
- name: Reload AppArmor
run: |
sudo systemctl restart apparmor.service || true
sudo systemctl status apparmor.service
- name: Show AppArmor log
run: sudo aa-log
- name: Verify apparmor status
run: |
aa-status
sudo aa-status

47
apparmor.d/abstractions/dbus-network-manager-strict Normal file
View file

@ -0,0 +1,47 @@
# vim:syntax=apparmor
abi <abi/3.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager
member=GetDevices
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Devices/[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings
interface=org.freedesktop.NetworkManager.Settings
member={GetDevices,ListConnections}
peer=(name=org.freedesktop.NetworkManager),
dbus send
bus=system
path=/org/freedesktop/NetworkManager/Settings/[0-9]*
interface=org.freedesktop.NetworkManager.Settings.Connection
member=GetSettings
peer=(name=org.freedesktop.NetworkManager),
include if exists <abstractions/dbus-network-manager-strict.d>

76
apparmor.d/abstractions/exo-open Normal file
View file

@ -0,0 +1,76 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/exo-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/exo-open rPx -> foo//exo-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//exo-open {
# include <abstractions/exo-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
# }
include <abstractions/X>
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/gnome>
# Main executables
/usr/bin/exo-open rix,
/usr/lib{32,64,/@{multiarch}}/xfce4/exo-[0-9]/exo-helper-[0-9] ix,
# Other executables
/{,usr/}bin/which rix,
# Deny DBus
# for GTK error message dialog, not required exo-open to work.
deny dbus send
bus=session
path=/org/gtk/vfs/mounttracker,
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
/etc/xfce4/defaults.list r, # TODO: move into xfce4 abstraction?
/usr/share/sounds/freedesktop/** r, # for message box alert sound
/usr/share/xfce4/helpers/*.desktop r,
/usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
# User files
owner @{PROC}/@{pid}/fd/ r,
owner @{HOME}/.config/xfce4/helpers.rc r,
owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
# Include additions to the abstraction
include if exists <abstractions/exo-open.d>

57
apparmor.d/abstractions/gio-open Normal file
View file

@ -0,0 +1,57 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gio directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gio rPx -> foo//gio-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gio-open {
# include <abstractions/gio-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
include <abstractions/base>
include <abstractions/dbus-session-strict>
# Main executables
/usr/bin/gio rix,
/usr/bin/gio-launch-desktop ix, # for OpenSUSE
/usr/lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop ix,
# System files
/etc/gnome/defaults.list r,
/usr/share/mime/* r,
/usr/share/{,*/}applications/{,**} r,
/var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
/var/lib/snapd/desktop/applications/{,**} r,
# User files
owner @{HOME}/.config/mimeapps.list r,
owner @{HOME}/.local/share/applications/{,*.desktop} r,
owner @{PROC}/@{pid}/fd/ r,
# Include additions to the abstraction
include if exists <abstractions/gio-open.d>

46
apparmor.d/abstractions/gvfs-open Normal file
View file

@ -0,0 +1,46 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/gvfs-open directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/gvfs-open rPx -> foo//gvfs-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//gvfs-open {
# include <abstractions/gvfs-open>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# gvfs-open is deprecated, it launches gio open <uri>
include <abstractions/gio-open>
# Main executables
/usr/bin/gvfs-open r,
/{,usr/}bin/dash mr,
# Include additions to the abstraction
include if exists <abstractions/gvfs-open.d>

104
apparmor.d/abstractions/kde-open5 Normal file
View file

@ -0,0 +1,104 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#
# NOTE: most likely you want to use xdg-open abstraction instead for better
# portability across desktop environments, unless you are sure that confined
# application only uses /usr/bin/kde-open5 directly.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/kde-open5 rPx -> foo//kde-open5,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//kde-open5 {
# include <abstractions/kde-open5>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # Add if accesibility access is considered as required
# # (for message boxe in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
# # considered as required.
# include if exists <abstractions/gstreamer>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/audio> # for alert messages
include <abstractions/base>
include <abstractions/dbus-accessibility-strict>
include <abstractions/dbus-network-manager-strict>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
include <abstractions/kde-icon-cache-write>
include <abstractions/kde>
include <abstractions/nameservice> # for IceProcessMessages () from libICE.so (called by libQtCore.so)
include <abstractions/openssl>
include <abstractions/qt5>
include <abstractions/recent-documents-write>
include <abstractions/X>
# Main executables
/usr/bin/kde-open5 rix,
/usr/lib/@{multiarch}/libexec/kf5/kioslave{,5} ix,
# DBus
dbus
bus=session
interface=org.kde.KLauncher
member=start_service_by_desktop_path
peer=(name=org.kde.klauncher5),
# Denied system files
deny /usr/lib/vlc/plugins/* w, # VLC backed tries to create plugins.dat.16109
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9]*[0-9] m,
# System files
/dev/tty r,
/etc/xdg/accept-languages.codes r,
/etc/xdg/menus/{,*/} r,
/usr/share/*fonts*/conf.avail/*.conf r, # for openSUSE, when showing error message box
/usr/share/ghostscript/fonts/ r, # for openSUSE, when showing error message box
/usr/share/hwdata/pnp.ids r, # for openSUSE, when showing error message box, for QXcbConnection::initializeScreens() from libQt5XcbQpa.so
/usr/share/icu/[0-9]*.[0-9]*/*.dat r, # for openSUSE
/usr/share/kservices5/{,**} r, # for KProtocolManager::defaultUserAgent() from libKF5KIOCore.so
/usr/share/mime/ r,
/usr/share/mime/generic-icons r,
/usr/share/plasma/look-and-feel/*/contents/defaults r, # TODO: move to kde abstraction?
/usr/share/sounds/ r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
# User files
owner /tmp/xauth-[0-9]*-_[0-9] r, # for libQt5XcbQpa.so
owner @{run}/user/[0-9]*/#[0-9]* rw, # for /run/user/1000/#13
owner @{run}/user/[0-9]*/kioclient*slave-socket lrw -> @{run}/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
owner @{HOME}/.cache/kio_http/ rw,
# Include additions to the abstraction
include if exists <abstractions/kde-open5.d>

84
apparmor.d/abstractions/xdg-open Normal file
View file

@ -0,0 +1,84 @@
# vim:syntax=apparmor
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via xdg-open helper. xdg-open abstraction
# will allow to use gio-open, kde-open5 and other helpers of the different
# desktop environments.
#
# Usage example:
#
# ```
# profile foo /usr/bin/foo {
# ...
# /usr/bin/xdg-open rPx -> foo//xdg-open,
# ...
# } # end of main profile
#
# # out-of-line child profile
# profile foo//xdg-open {
# include <abstractions/xdg-open>
#
# # Enable a11y support if considered required by
# # profile author for (rare) error message boxes.
# include <abstractions/dbus-accessibility>
#
# # Enable gstreamer support if considered required by
# # profile author for (rare) error message boxes.
# include if exists <abstractions/gstreamer>
#
# # needed for ubuntu-* abstractions
# include <abstractions/ubuntu-helpers>
#
# # Only allow to handle http[s]: and mailto: links
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
# # < add additional allowed applications here >
# }
# ```
include <abstractions/base>
# for openin with `exo-open`
include <abstractions/exo-open>
# for opening with `gio open <uri>`
include <abstractions/gio-open>
# for opening with gvfs-open (deprecated)
include <abstractions/gvfs-open>
# for opening with kde-open5
include <abstractions/kde-open5>
# Main executables
/{,usr/}bin/{b,d}ash mr,
/usr/bin/xdg-open r,
# Additional executables
/usr/bin/xdg-mime rix,
/{,usr/}bin/cut rix, # for xdg-mime
/{,usr/}bin/head rix, # for xdg-mime
/{,usr/}bin/sed rix, # for xdg-open
/{,usr/}bin/tr rix, # for xdg-mime
/{,usr/}bin/which rix, # for xdg-open
/{,usr/}bin/{grep,egrep} rix, # for xdg-open
# System files
/dev/pts/[0-9]* rw,
/dev/tty w,
/etc/gnome/defaults.list r, # for grep
/usr/share/applications/mimeinfo.cache r, # for grep
/usr/share/terminfo/s/screen r, # for bash on openSUSE
/usr/share/{,*/}applications/{,*.desktop} r, # for xdg-mime
/var/lib/menu-xdg/applications/ r, # for xdg-mime
# Usr files
owner @{HOME}/.local/share/applications/{,*.desktop} r,
# Include additions to the abstraction
include if exists <abstractions/xdg-open.d>

4
apparmor.d/profiles-a-f/apparmor.systemd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
profile apparmor.systemd @{exec_path} { profile apparmor.systemd @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -15,7 +15,7 @@ profile apparmor.systemd @{exec_path} {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/getconf rix, /{usr/,}bin/getconf rix,
/{usr/,}bin/grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/xargs rix, /{usr/,}bin/xargs rix,
/{usr/,}{s,}bin/aa-status rPx, /{usr/,}{s,}bin/aa-status rPx,

3
apparmor.d/tunables/extend
View file

@ -10,6 +10,7 @@
@{MOUNTS}=/media/ @{run}/media /mnt @{MOUNTS}=/media/ @{run}/media /mnt
# Libexec path. Different in some distribution # Libexec path. Different in some distribution
@{libexec}=/usr/lib @{libexec}=/usr/lib # Archlinux
@{libexec}=/usr/libexec # Debian/Ubuntu
include if exists <tunables/extend.d> include if exists <tunables/extend.d>

82
configure vendored
View file

@ -5,17 +5,9 @@
readonly ROOT=.build readonly ROOT=.build
_die() { printf '%s\n' "$*" >&2 && exit 1; } _die() { printf 'Error: %s\n' "$*" >&2 && exit 1; }
_warning() { printf ' Warning: %s\n' "$*" >&2; } _warning() { printf ' Warning: %s\n' "$*" >&2; }
has_option() {
local item option="$1";
for item in "${OPTIONS[@]}"; do
[[ "$item" == "$option" ]] && return 0
done
return 1
}
# Displace files in the package sources # Displace files in the package sources
# $@ List of files to displace # $@ List of files to displace
_displace_files() { _displace_files() {
@ -24,15 +16,13 @@ _displace_files() {
done done
} }
# Initialise a new clean apparmor.d build directory # Initialize a new clean apparmor.d build directory
initialise() { initialize() {
rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT" rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"
} }
# Set the distribution specificities # Ignore profiles in profiles.ignore
configure() { ignore() {
echo "Set the configuration for $DISTRIBUTION."
echo " Ignore profiles in profiles.ignore." echo " Ignore profiles in profiles.ignore."
while read -r profile; do while read -r profile; do
[[ "$profile" =~ ^\# ]] && continue [[ "$profile" =~ ^\# ]] && continue
@ -42,14 +32,21 @@ configure() {
find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \; find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
fi fi
done <profiles.ignore done <profiles.ignore
}
# Set the distribution specificities
configure() {
case "$DISTRIBUTION" in case "$DISTRIBUTION" in
archlinux) archlinux)
echo " Ignore non Archlinux profiles." echo " Ignore non Archlinux profiles."
rm -rf \ rm -rf \
"${ROOT:?}"/apparmor.d/abstractions/apt-common \ "${ROOT:?}"/apparmor.d/abstractions/apt-common \
"${ROOT:?}"/apparmor.d/groups/apt \ "${ROOT:?}"/apparmor.d/groups/apt \
"${ROOT:?}"/apparmor.d/groups/cron "${ROOT:?}"/apparmor.d/groups/cron \
"${ROOT:?}"/root/etc/initramfs-tools
echo " Configure libexec."
sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend"
;; ;;
@ -59,6 +56,9 @@ configure() {
"${ROOT:?}"/apparmor.d/groups/pacman \ "${ROOT:?}"/apparmor.d/groups/pacman \
"${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook "${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook
echo " Configure libexec."
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend"
echo " Debian does not support abi 3.0 yet." echo " Debian does not support abi 3.0 yet."
find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \; find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
@ -68,6 +68,13 @@ configure() {
echo " Displace overwritten files." echo " Displace overwritten files."
_displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs _displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs
if [[ "$(lsb_release -is)" == "Ubuntu" ]]; then
echo " Ubuntu LTS compatibility."
echo "@{run}=/run/ /var/run/" > "$ROOT/apparmor.d/tunables/run"
sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \
"$ROOT/apparmor.d/groups/virt/libvirtd"
fi
;; ;;
*) _die "$DISTRIBUTION is not a supported distribution." ;; *) _die "$DISTRIBUTION is not a supported distribution." ;;
@ -109,13 +116,15 @@ setflags() {
done <profiles.flags done <profiles.flags
if has_option complain; then }
setflag_complain
fi # Set AppArmor for full system policy
full() {
echo WIP
} }
# Set complain flag on all profile (Dev only) # Set complain flag on all profile (Dev only)
setflag_complain() { complain() {
echo "Set complain flag on all profile" echo "Set complain flag on all profile"
for path in "${ROOT:?}/apparmor.d/"*; do for path in "${ROOT:?}/apparmor.d/"*; do
[[ -d "$path" ]] && continue [[ -d "$path" ]] && continue
@ -135,34 +144,35 @@ cmd_help() {
./configure [options] - Configure the apparmor.d package ./configure [options] - Configure the apparmor.d package
Options: Options:
--distribution=DIST Set the target Linux distribution: archlinux, debian -d DIST, --dist=DIST Set the target Linux distribution: archlinux, debian
--options=OPT Set prefefined build options. -f, --full Set AppArmor for full system policy
--help Print this help message and exit. -c, --complain Set complain flag on all profiles
-h, --help Print this help message and exit
_EOF _EOF
} }
main() { main() {
local opts err local opts err full=0 complain=0
opts="$(getopt -o h -l distribution:,options:,help -n "$PROGRAM" -- "$@")" small_arg="d:cfh"
long_arg="dist:,complain,full,help"
opts="$(getopt -o $small_arg -l $long_arg -n "$PROGRAM" -- "$@")"
err=$? err=$?
eval set -- "$opts" eval set -- "$opts"
while true; do case $1 in while true; do case $1 in
--distribution) DISTRIBUTION="$2"; shift 2 ;; -d|--dist) DISTRIBUTION="$2"; shift 2 ;;
--options) -f|--full) full=1; shift ;;
# shellcheck disable=SC2206 -c|--complain) complain=1; shift ;;
OPTIONS=(${2//,/ }); shift 2 ;;
-h|--help) shift; cmd_help; exit 0 ;; -h|--help) shift; cmd_help; exit 0 ;;
--) shift; break ;; --) shift; break ;;
esac done esac done
[[ $err -ne 0 ]] && { cmd_help; exit 1; } [[ $err -ne 0 ]] && { cmd_help; exit 1; }
initialise echo "Set the configuration for $DISTRIBUTION."
configure initialize || _die "initializing build directory"
synchronise ignore || _die "removing ignored profiles"
setflags configure || _die "configuring distributaion"
synchronise || _die "merging profiles"
exit 0 setflags || _die "settings flags"
} }
main "$@" main "$@"

7
debian/control vendored
View file

@ -2,7 +2,12 @@ Source: apparmor.d
Section: admin Section: admin
Priority: optional Priority: optional
Maintainer: Alexandre Pujol <alexandre@pujol.io> Maintainer: Alexandre Pujol <alexandre@pujol.io>
Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, curl Build-Depends: debhelper (>= 13.4),
debhelper-compat (= 13),
golang-any,
lsb-release,
config-package-dev,
rsync,
Homepage: https://github.com/roddhjav/apparmor.d Homepage: https://github.com/roddhjav/apparmor.d
Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d
Vcs-Git: https://github.com/roddhjav/apparmor.d.git Vcs-Git: https://github.com/roddhjav/apparmor.d.git

11
debian/rules vendored
View file

@ -3,16 +3,21 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# #
DH_OPTIONS ?=
%: %:
dh $@ --with=config-package dh $@ --with=config-package
override_dh_auto_configure: override_dh_auto_configure:
./configure --distribution=debian --options=$(DH_OPTIONS) ./configure --dist=debian
export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
go build -o .build/ ./cmd/aa-log
override_dh_install: override_dh_install:
mv systemd system mv systemd system
find system -type f -exec \ find system -type f -exec \
install -Dm0644 {} $$(pwd)/debian/apparmor.d/usr/lib/systemd/{}.d/apparmor.conf \; install -Dm0644 {} $$(pwd)/debian/apparmor.d/usr/lib/systemd/{}.d/apparmor.conf \;
install -Dm755 .build/aa-log $$(pwd)/debian/apparmor.d/usr/bin/aa-log
dh_install dh_install

1
profiles.flags
View file

@ -1,5 +1,6 @@
acpid attach_disconnected,complain acpid attach_disconnected,complain
adb complain adb complain
aa-status
agetty complain agetty complain
arch-audit complain arch-audit complain
at-spi-bus-launcher attach_disconnected at-spi-bus-launcher attach_disconnected

1
profiles.ignore
View file

@ -1,5 +1,6 @@
anki anki
apps/ apps/
apparmor.systemd
torbrowser.Browser.firefox torbrowser.Browser.firefox
torbrowser.Browser.plugin-container torbrowser.Browser.plugin-container
torbrowser.Tor.tor torbrowser.Tor.tor