feat: rewrite the local installation method.

Alexandre Pujol 2023-01-28 22:29:33 +00:00
parent aea5184251
commit 15e33a1fe6
4 changed files with 30 additions and 106 deletions


@ -22,7 +22,7 @@ bash:
image: koalaman/shellcheck-alpine image: koalaman/shellcheck-alpine
script: script:
- shellcheck --shell=bash - shellcheck --shell=bash
PKGBUILD configure pick PKGBUILD configure
debian/apparmor.d.postinst debian/apparmor.d.postrm debian/apparmor.d.postinst debian/apparmor.d.postrm
golangci-lint: golangci-lint:


@ -6,8 +6,9 @@
DESTDIR ?= / DESTDIR ?= /
BUILD := .build BUILD := .build
PKGNAME := apparmor.d PKGNAME := apparmor.d
P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))
.PHONY: all install lint archlinux debian ubuntu whonix clean .PHONY: all install $(P) lint archlinux debian ubuntu whonix clean
all: all:
@go build -o ${BUILD}/ ./cmd/aa-log @go build -o ${BUILD}/ ./cmd/aa-log
@ -31,6 +32,21 @@ install:
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done done
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
$(P):
@[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ABSTRACTIONS}; do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done;
@for file in ${TUNABLES}; do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done;
@for file in ${@}; do \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@systemctl restart apparmor || systemctl status apparmor
lint: lint:
@shellcheck --shell=bash \ @shellcheck --shell=bash \
PKGBUILD configure pick dists/build/build.sh \ PKGBUILD configure pick dists/build/build.sh \
@ -50,6 +66,6 @@ whonix:
clean: clean:
@rm -rf \ @rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \ ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
${PKGNAME}_*.* ${BUILD} ${PKGNAME}_*.* ${BUILD}
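Review bot: The last recipe line of the new `$(P)` rule, `@systemctl restart apparmor || systemctl status apparmor`, turns a restart failure into "whatever exit code `status` returns", so a picked profile that does not parse can leave `sudo make profile` reporting success while the old policy (or no policy) stays loaded; loading the installed file directly, `@apparmor_parser -r "${DESTDIR}/etc/apparmor.d/$@"`, fails on exactly the profile that was just installed and leaves the rest of the policy untouched. Because `$(P)` is a list of independent targets, `$@` is one profile per invocation and `${@}` in the loop is a single word, so `sudo make a b` reinstalls all abstractions and tunables and restarts apparmor once per profile — the `$(shell find …)` in `ABSTRACTIONS`/`TUNABLES` also re-runs on each expansion since they use `=` rather than `:=`. The guard `[[ -f ${BUILD}/aa-log ]] || exit 0` is a bash test; unless `SHELL := bash` is set in the part of the Makefile above this hunk, it will not run under the default `/bin/sh`. The removed `pick` script also dropped the `abi` line on Debian and trimmed `tunables/extend` per distribution; nothing in this rule shows that post-processing, so a comment such as `# Distribution-specific post-processing is applied by ./configure before this target runs` (or the equivalent fix) would document where it now happens.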


@ -83,18 +83,19 @@ sudo dpkg -i ../apparmor.d_*_all.deb
**Partial install** **Partial install**
> **Note**: Manual installation is discouraged because files undergo post-processing dependent on the OS and desired configuration For test purpose, you can install a specific profile with the following commands.
Abstractions, tunables, and most of the OS dependent post-processing is managed.
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: ```sh
./configure --complain
make
sudo make profile-names...
``` ```
sudo ./pick <profiles-name>
``` > **Note** Partial installation is discouraged because profile dependencies are
However, `pick` does not fully automate single profile installation yet (the PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77)). For convenient usage you should: > not fetched. You may need to Either switch desired `rPx` rules to `rPUx`
- Ensure all related abstractions are installed (automated) > (fallback to unconfined) or install these related profiles.
- Ensure all related tunables are installed (automated) > (PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77))
- Remove `abi` statement if needed (automated)
- Set distribution-related flags from `dists/flags` (not automated)
- Either switch desired `rPx` rules to `rPUx` (fallback to unconfined) or install these related profiles (not automated)
## Usage ## Usage

93
pick

@ -1,93 +0,0 @@
#!/usr/bin/env bash
# pick - Install some AppArmor profile(s)
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
set -eu
DISTRIBUTION="$(lsb_release --id --short)"
readonly DISTRIBUTION="${DISTRIBUTION,,}"
_set_complain() {
local path="$1"
[[ -d "$path" ]] && return
flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
[[ "$flags" =~ complain ]] && return
sed -e "s/flags=(.*)//" \
-e "s/ {$/ flags=(complain $flags) {/" \
-i "$path"
}
_install_abstractions() {
mapfile -t abstractions < <(find apparmor.d/abstractions/ -type f -printf "%P\n")
for file in "${abstractions[@]}"; do
install -Dm0644 "apparmor.d/abstractions/$file" \
"/etc/apparmor.d/abstractions/$file"
done
}
_install_tunables() {
for path in apparmor.d/tunables/*; do
install -Dm0644 "$path" "/etc/apparmor.d/tunables/$(basename "$path")"
done
case "$DISTRIBUTION" in
arch)
sed -i -e '/Debian/d' /etc/apparmor.d/tunables/extend ;;
debian|ubuntu|whonix)
sed -i -e '/Archlinux/d' /etc/apparmor.d/tunables/extend ;;
*) _die "$DISTRIBUTION is not a supported distribution." ;;
esac
}
_reload_apparmor() {
systemctl restart apparmor || true
systemctl status apparmor
}
pick() {
for profile in "$@"; do
path="$(find apparmor.d -iname "$profile" -type f -not -path './apparmor.d/tunables/*' -not -path './apparmor.d/abstractions/*')"
if [[ -f "$path" ]]; then
install -Dm0644 "$path" "/etc/apparmor.d/$profile"
if [[ "$COMPLAIN" == 1 ]]; then
_set_complain "/etc/apparmor.d/$profile"
fi
if [[ "$DISTRIBUTION" == debian ]]; then
sed -i -e '/abi /d' "/etc/apparmor.d/$profile"
fi
fi
done
}
# Print help message
cmd_help() {
cat <<-_EOF
./pick [options] <profiles> - Install some AppArmor profile(s)
Options:
-c, --complain Set profile on complain mode
-h, --help Print this help message and exit
_EOF
}
main() {
local opts err
small_arg="ch"
long_arg="complain,help"
opts="$(getopt -o $small_arg -l $long_arg -n "pick" -- "$@")"
err=$?
eval set -- "$opts"
while true; do case $1 in
-c|--complain) COMPLAIN=1; shift ;;
-h|--help) shift; cmd_help; exit 0 ;;
--) shift; break ;;
esac done
[[ $err -ne 0 ]] && { cmd_help; exit 1; }
_install_abstractions
_install_tunables
pick "$@" && _reload_apparmor
}
COMPLAIN=0
main "$@"