From 15e33a1fe6654f67a187cd5157c9968061b9511e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 28 Jan 2023 22:29:33 +0000
Subject: [PATCH] feat: rewrite the local installation method.
---
 .gitlab-ci.yml | 2 +-
 Makefile | 20 +++++++++--
 README.md | 21 ++++++------
 pick | 93 --------------------------------------------------
 4 files changed, 30 insertions(+), 106 deletions(-)
 delete mode 100755 pick
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c06667b9..080a248b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,7 +22,7 @@ bash:
 image: koalaman/shellcheck-alpine
 script:
 - shellcheck --shell=bash
- PKGBUILD configure pick
+ PKGBUILD configure debian/apparmor.d.postinst debian/apparmor.d.postrm
 golangci-lint:
diff --git a/Makefile b/Makefile
index 08896e04..3f4e9d1a 100644
--- a/Makefile
+++ b/Makefile
@@ -6,8 +6,9 @@ DESTDIR ?= /
 BUILD := .build
 PKGNAME := apparmor.d
+P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))
-.PHONY: all install lint archlinux debian ubuntu whonix clean
+.PHONY: all install $(P) lint archlinux debian ubuntu whonix clean
 all:
 @go build -o ${BUILD}/ ./cmd/aa-log
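Review bot: `P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))` turns every entry of that directory into a phony install target, including the `abstractions` and `tunables` subdirectories that the new `$(P)` recipe in the next hunk installs separately, so `make abstractions` is accepted and its `install -Dvm0644` on a directory then fails. Filtering the directories out keeps the target list to profile files: `P = $(notdir $(filter-out %/abstractions %/tunables,$(wildcard ${BUILD}/apparmor.d/*)))`. Because the list is computed when the Makefile is parsed, a fresh checkout (or a tree after `make clean`) offers no profile targets until `make` has populated `${BUILD}`; a one-line comment above the variable saying so, e.g. `# Profile targets; only populated after 'make' has filled ${BUILD}`, would save the first "No rule to make target" confusion.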
@@ -31,6 +32,21 @@ install:
 install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
 done
+ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
+TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
+$(P):
+ @[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
+ @for file in ${ABSTRACTIONS}; do \
+ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
+ done;
+ @for file in ${TUNABLES}; do \
+ install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
+ done;
+ @for file in ${@}; do \
+ install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @systemctl restart apparmor || systemctl status apparmor
+
 lint:
 @shellcheck --shell=bash \
 PKGBUILD configure pick dists/build/build.sh \
@@ -50,6 +66,6 @@ whonix:
 clean:
 @rm -rf \
- debian/.debhelper debian/debhelper* debian/*.debhelper \
+ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
 ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
 ${PKGNAME}_*.* ${BUILD}
diff --git a/README.md b/README.md
index 7723a3d6..15255f1a 100644
--- a/README.md
+++ b/README.md
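Review bot: The first recipe line of the new `$(P)` target, `@[[ -f ${BUILD}/aa-log ]] || exit 0; ...`, uses the bash-only `[[` test, but make runs recipes with `/bin/sh` unless `SHELL` is set to bash somewhere outside this hunk; on Debian and Ubuntu (both named in the `.PHONY` list of the previous hunk) that shell is dash, which rejects `[[`, so `make <profile>` would fail before anything is installed. A portable form is `@if [ -f "${BUILD}/aa-log" ]; then install -Dm755 "${BUILD}/aa-log" "${DESTDIR}/usr/bin/aa-log"; fi`, which also quotes the two paths the neighbouring loops already quote. Separately, the `lint:` context lines still pass `pick` to shellcheck although this commit deletes that file (`delete mode 100755 pick` in the header) and updates `.gitlab-ci.yml` to drop it, so `make lint` will fail on the missing file until that list matches the CI one. Finally, `systemctl restart apparmor` runs once per target given on the command line, so `sudo make a b c` restarts AppArmor three times; either note that in a comment on the line or move the restart to a single target the profile targets depend on.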
@@ -83,18 +83,19 @@ sudo dpkg -i ../apparmor.d_*_all.deb
 **Partial install**
-> **Note**: Manual installation is discouraged because files undergo post-processing dependent on the OS and desired configuration
+For test purpose, you can install a specific profile with the following commands.
+Abstractions, tunables, and most of the OS dependent post-processing is managed.
-For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
+```sh
+./configure --complain
+make
+sudo make profile-names...
 ```
-sudo ./pick
-```
-However, `pick` does not fully automate single profile installation yet (the PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77)). For convenient usage you should:
-- Ensure all related abstractions are installed (automated)
-- Ensure all related tunables are installed (automated)
-- Remove `abi` statement if needed (automated)
-- Set distribution-related flags from `dists/flags` (not automated)
-- Either switch desired `rPx` rules to `rPUx` (fallback to unconfined) or install these related profiles (not automated)
+
+> **Note** Partial installation is discouraged because profile dependencies are
+> not fetched. You may need to Either switch desired `rPx` rules to `rPUx`
+> (fallback to unconfined) or install these related profiles.
+> (PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77))
 ## Usage
diff --git a/pick b/pick
deleted file mode 100755
index c5607b1a..00000000
--- a/pick
+++ /dev/null
@@ -1,93 +0,0 @@ -#!/usr/bin/env bash -# pick - Install some AppArmor profile(s) -# Copyright (C) 2021 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -set -eu - -DISTRIBUTION="$(lsb_release --id --short)" -readonly DISTRIBUTION="${DISTRIBUTION,,}" - -_set_complain() { - local path="$1" - [[ -d "$path" ]] && return - flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)" - [[ "$flags" =~ complain ]] && return - sed -e "s/flags=(.*)//" \ - -e "s/ {$/ flags=(complain $flags) {/" \ - -i "$path" -} - -_install_abstractions() { - mapfile -t abstractions < <(find apparmor.d/abstractions/ -type f -printf "%P\n") - for file in "${abstractions[@]}"; do - install -Dm0644 "apparmor.d/abstractions/$file" \ - "/etc/apparmor.d/abstractions/$file" - done -} - -_install_tunables() { - for path in apparmor.d/tunables/*; do - install -Dm0644 "$path" "/etc/apparmor.d/tunables/$(basename "$path")" - done - case "$DISTRIBUTION" in - arch) - sed -i -e '/Debian/d' /etc/apparmor.d/tunables/extend ;; - debian|ubuntu|whonix) - sed -i -e '/Archlinux/d' /etc/apparmor.d/tunables/extend ;; - *) _die "$DISTRIBUTION is not a supported distribution." 
;; - esac -} - -_reload_apparmor() { - systemctl restart apparmor || true - systemctl status apparmor -} - -pick() { - for profile in "$@"; do - path="$(find apparmor.d -iname "$profile" -type f -not -path './apparmor.d/tunables/*' -not -path './apparmor.d/abstractions/*')" - if [[ -f "$path" ]]; then - install -Dm0644 "$path" "/etc/apparmor.d/$profile" - if [[ "$COMPLAIN" == 1 ]]; then - _set_complain "/etc/apparmor.d/$profile" - fi - if [[ "$DISTRIBUTION" == debian ]]; then - sed -i -e '/abi /d' "/etc/apparmor.d/$profile" - fi - fi - done -} - -# Print help message -cmd_help() { - cat <<-_EOF - ./pick [options] - Install some AppArmor profile(s) - - Options: - -c, --complain Set profile on complain mode - -h, --help Print this help message and exit - _EOF -} - -main() { - local opts err - small_arg="ch" - long_arg="complain,help" - opts="$(getopt -o $small_arg -l $long_arg -n "pick" -- "$@")" - err=$? - eval set -- "$opts" - while true; do case $1 in - -c|--complain) COMPLAIN=1; shift ;; - -h|--help) shift; cmd_help; exit 0 ;; - --) shift; break ;; - esac done - [[ $err -ne 0 ]] && { cmd_help; exit 1; } - - _install_abstractions - _install_tunables - pick "$@" && _reload_apparmor -} - -COMPLAIN=0 -main "$@"