feat: rewrite the local installation method.
This commit is contained in:
parent
aea5184251
commit
15e33a1fe6
4 changed files with 30 additions and 106 deletions
|
@ -22,7 +22,7 @@ bash:
|
||||||
image: koalaman/shellcheck-alpine
|
image: koalaman/shellcheck-alpine
|
||||||
script:
|
script:
|
||||||
- shellcheck --shell=bash
|
- shellcheck --shell=bash
|
||||||
PKGBUILD configure pick
|
PKGBUILD configure
|
||||||
debian/apparmor.d.postinst debian/apparmor.d.postrm
|
debian/apparmor.d.postinst debian/apparmor.d.postrm
|
||||||
|
|
||||||
golangci-lint:
|
golangci-lint:
|
||||||
|
|
20
Makefile
20
Makefile
|
@ -6,8 +6,9 @@
|
||||||
DESTDIR ?= /
|
DESTDIR ?= /
|
||||||
BUILD := .build
|
BUILD := .build
|
||||||
PKGNAME := apparmor.d
|
PKGNAME := apparmor.d
|
||||||
|
P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))
|
||||||
|
|
||||||
.PHONY: all install lint archlinux debian ubuntu whonix clean
|
.PHONY: all install $(P) lint archlinux debian ubuntu whonix clean
|
||||||
|
|
||||||
all:
|
all:
|
||||||
@go build -o ${BUILD}/ ./cmd/aa-log
|
@go build -o ${BUILD}/ ./cmd/aa-log
|
||||||
|
@ -31,6 +32,21 @@ install:
|
||||||
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
|
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
|
||||||
done
|
done
|
||||||
|
|
||||||
|
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
|
||||||
|
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
|
||||||
|
$(P):
|
||||||
|
@[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
|
||||||
|
@for file in ${ABSTRACTIONS}; do \
|
||||||
|
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
|
||||||
|
done;
|
||||||
|
@for file in ${TUNABLES}; do \
|
||||||
|
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
|
||||||
|
done;
|
||||||
|
@for file in ${@}; do \
|
||||||
|
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
|
||||||
|
done;
|
||||||
|
@systemctl restart apparmor || systemctl status apparmor
|
||||||
|
|
||||||
lint:
|
lint:
|
||||||
@shellcheck --shell=bash \
|
@shellcheck --shell=bash \
|
||||||
PKGBUILD configure pick dists/build/build.sh \
|
PKGBUILD configure pick dists/build/build.sh \
|
||||||
|
@ -50,6 +66,6 @@ whonix:
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
@rm -rf \
|
@rm -rf \
|
||||||
debian/.debhelper debian/debhelper* debian/*.debhelper \
|
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
|
||||||
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
|
${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
|
||||||
${PKGNAME}_*.* ${BUILD}
|
${PKGNAME}_*.* ${BUILD}
|
||||||
|
|
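Review bot: The `$(P)` recipe line `@[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 …` relies on bash's `[[ ]]`, so it fails under a POSIX `/bin/sh` (dash on the Debian/Ubuntu systems this rule targets) unless `SHELL := bash` is set in the part of the Makefile outside this hunk; a portable form is `@[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log`. Separately, the target list `P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))` is taken from a directory listing and added to `.PHONY`, so a profile whose name equals an existing target (`install`, `clean`, `lint`, …) makes GNU Make print an overriding-recipe warning and run whichever recipe comes later in the file. Filtering the listing, e.g. `P := $(filter-out all install lint archlinux debian ubuntu whonix clean,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))`, avoids that and, via `:=`, expands the wildcard once instead of on every reference. Whether any current profile actually collides is not visible from this hunk.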
21
README.md
21
README.md
|
@ -83,18 +83,19 @@ sudo dpkg -i ../apparmor.d_*_all.deb
|
||||||
|
|
||||||
**Partial install**
|
**Partial install**
|
||||||
|
|
||||||
> **Note**: Manual installation is discouraged because files undergo post-processing dependent on the OS and desired configuration
|
For test purpose, you can install a specific profile with the following commands.
|
||||||
|
Abstractions, tunables, and most of the OS dependent post-processing is managed.
|
||||||
|
|
||||||
For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
|
```sh
|
||||||
|
./configure --complain
|
||||||
|
make
|
||||||
|
sudo make profile-names...
|
||||||
```
|
```
|
||||||
sudo ./pick <profiles-name>
|
|
||||||
```
|
> **Note** Partial installation is discouraged because profile dependencies are
|
||||||
However, `pick` does not fully automate single profile installation yet (the PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77)). For convenient usage you should:
|
> not fetched. You may need to Either switch desired `rPx` rules to `rPUx`
|
||||||
- Ensure all related abstractions are installed (automated)
|
> (fallback to unconfined) or install these related profiles.
|
||||||
- Ensure all related tunables are installed (automated)
|
> (PR is welcome [#77](https://github.com/roddhjav/apparmor.d/issues/77))
|
||||||
- Remove `abi` statement if needed (automated)
|
|
||||||
- Set distribution-related flags from `dists/flags` (not automated)
|
|
||||||
- Either switch desired `rPx` rules to `rPUx` (fallback to unconfined) or install these related profiles (not automated)
|
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
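--- a/pick
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/env bash
-# pick - Install some AppArmor profile(s)
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-set -eu
-
-DISTRIBUTION="$(lsb_release --id --short)"
-readonly DISTRIBUTION="${DISTRIBUTION,,}"
-
-_set_complain() {
-local path="$1"
-[[ -d "$path" ]] && return
-flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
-[[ "$flags" =~ complain ]] && return
-sed -e "s/flags=(.*)//" \
--e "s/ {$/ flags=(complain $flags) {/" \
--i "$path"
-}
-
-_install_abstractions() {
-mapfile -t abstractions < <(find apparmor.d/abstractions/ -type f -printf "%P\n")
-for file in "${abstractions[@]}"; do
-install -Dm0644 "apparmor.d/abstractions/$file" \
-"/etc/apparmor.d/abstractions/$file"
-done
-}
-
-_install_tunables() {
-for path in apparmor.d/tunables/*; do
-install -Dm0644 "$path" "/etc/apparmor.d/tunables/$(basename "$path")"
-done
-case "$DISTRIBUTION" in
-arch)
-sed -i -e '/Debian/d' /etc/apparmor.d/tunables/extend ;;
-debian|ubuntu|whonix)
-sed -i -e '/Archlinux/d' /etc/apparmor.d/tunables/extend ;;
-*) _die "$DISTRIBUTION is not a supported distribution." ;;
-esac
-}
-
-_reload_apparmor() {
-systemctl restart apparmor || true
-systemctl status apparmor
-}
-
-pick() {
-for profile in "$@"; do
-path="$(find apparmor.d -iname "$profile" -type f -not -path './apparmor.d/tunables/*' -not -path './apparmor.d/abstractions/*')"
-if [[ -f "$path" ]]; then
-install -Dm0644 "$path" "/etc/apparmor.d/$profile"
-if [[ "$COMPLAIN" == 1 ]]; then
-_set_complain "/etc/apparmor.d/$profile"
-fi
-if [[ "$DISTRIBUTION" == debian ]]; then
-sed -i -e '/abi /d' "/etc/apparmor.d/$profile"
-fi
-fi
-done
-}
-
-# Print help message
-cmd_help() {
-cat <<-_EOF
-./pick [options] <profiles> - Install some AppArmor profile(s)
-
-Options:
--c, --complain Set profile on complain mode
--h, --help Print this help message and exit
-_EOF
-}
-
-main() {
-local opts err
-small_arg="ch"
-long_arg="complain,help"
-opts="$(getopt -o $small_arg -l $long_arg -n "pick" -- "$@")"
-err=$?
-eval set -- "$opts"
-while true; do case $1 in
--c|--complain) COMPLAIN=1; shift ;;
--h|--help) shift; cmd_help; exit 0 ;;
---) shift; break ;;
-esac done
-[[ $err -ne 0 ]] && { cmd_help; exit 1; }
-
-_install_abstractions
-_install_tunables
-pick "$@" && _reload_apparmor
-}
-
-COMPLAIN=0
-main "$@"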