diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4043c1f1..d83d5222 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,8 +30,3 @@ jobs: - name: Show AppArmor log run: sudo aa-log - - - name: Verify apparmor status - run: | - aa-status - sudo aa-status diff --git a/PKGBUILD b/PKGBUILD index b4d2e23c..7c7c7ec8 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -12,15 +12,15 @@ depends=('apparmor') makedepends=('go' 'git') pkgver() { - cd "$srcdir/$pkgname" - echo "0.$(git rev-list --count HEAD)" + cd "$srcdir/$pkgname" + echo "0.$(git rev-list --count HEAD)" } prepare() { git clone "$startdir" "$srcdir/$pkgname" cd "$srcdir/$pkgname" - ./configure --distribution=archlinux + ./configure } build() { diff --git a/configure b/configure index 9aacd5b5..251d724a 100755 --- a/configure +++ b/configure @@ -3,10 +3,14 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +DISTRIBUTION="$(lsb_release --id --short)" +readonly DISTRIBUTION="${DISTRIBUTION,,}" readonly ROOT=.build _die() { printf 'Error: %s\n' "$*" >&2 && exit 1; } -_warning() { printf ' Warning: %s\n' "$*" >&2; } +_warning() { printf ' Warning: %s\n' "$*" >&2; } +_title() { printf '%s\n' "$*" >&2; } +_msg() { printf ' - %s\n' "$*" >&2; } # Displace files in the package sources # $@ List of files to displace 
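Review bot: The new `DISTRIBUTION="$(lsb_release --id --short)"` line in configure has no failure check, so when `lsb_release` is absent or fails the variable is silently empty, `"$DISTRIBUTION.flags"` becomes `.flags`, and every distribution-specific ignore/flags step is skipped without a message. The same gap reaches the PKGBUILD hunk on this line, which drops `--distribution=archlinux` and now relies on `lsb_release` existing in the build environment while `makedepends` still lists only `go` and `git`, so a clean chroot build would quietly produce a non-Arch tree. Add `: "${DISTRIBUTION:?cannot detect distribution (is lsb-release installed?)}"` directly after the `readonly DISTRIBUTION=` line (`_die` is not defined yet at that point), and either add `lsb-release` to `makedepends` or keep an explicit override in PKGBUILD. Whether configure still accepts a `--distribution` option after this change is not visible here; its option parsing sits in a later hunk that is partly cut.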
@@ -18,61 +22,63 @@ _displace_files() { # Initialize a new clean apparmor.d build directory initialize() { - rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT" + rm -rf "${ROOT:?}" + rsync -a ./apparmor.d "$ROOT" + rsync -a ./root "$ROOT" } -# Ignore profiles in profiles.ignore +# Ignore profiles and files as defined in dists/ignore/ ignore() { - echo " Ignore profiles in profiles.ignore." - while read -r profile; do - [[ "$profile" =~ ^\# ]] && continue - if [[ "$profile" == */ ]]; then - find "$ROOT/apparmor.d" -iname "${profile////}" -type d -exec rm -r {} \; - else - find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \; - fi - done "$ROOT/apparmor.d/tunables/run" sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \ - "$ROOT/apparmor.d/groups/virt/libvirtd" + "$ROOT/apparmor.d/libvirtd" + cp -a dists/ubuntu/abstractions/* $ROOT/apparmor.d/abstractions fi ;; 
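Review bot: `cp -a dists/ubuntu/abstractions/* $ROOT/apparmor.d/abstractions` leaves `$ROOT` unquoted while every other reference in the hunk quotes it (`"${ROOT:?}"`, `"$ROOT"`); harmless with `ROOT=.build`, but it is the one expansion that would word-split, so write `cp -a dists/ubuntu/abstractions/* "$ROOT/apparmor.d/abstractions"`. The `sed -i` target also moves from `groups/virt/libvirtd` to `"$ROOT/apparmor.d/libvirtd"`, which presupposes the group directories are flattened before `configure()` runs now that `synchronise()` is deleted in the next hunk; the middle of this hunk (the rewritten `ignore()` body) is cut from the page, so I cannot see where that flattening happens, and if it does not happen `sed -i` fails on a missing file with nothing checking its status. The body of `configure()` continues beyond the visible part of this hunk.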
@@ -81,51 +87,37 @@ configure() { esac } -# Synchronise all profile in a new apparmor.d directory. -synchronise() { - echo "Synchronise all profiles." - mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/" - rm -rf "${ROOT:?}/apparmor.d/groups/" - for dir in profiles-a-f profiles-g-l profiles-m-r profiles-s-z; do - mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/" - rm -rf "${ROOT:?}/apparmor.d/$dir" - done -} - # Set flags on some profile -setflags() { - echo "Set apparmor flags from profiles.flags" - while read -r profile; do - IFS=' ' read -r -a manifest <<< "$profile" - profile="${manifest[0]}" flags="${manifest[1]}" +flags() { + for name in main.flags "$DISTRIBUTION.flags"; do + _msg "Set profiles flags from dists/flags/$name" - [[ "$profile" =~ ^\# || -z "$profile" ]] && continue - path="${ROOT:?}/apparmor.d/$profile" - if [[ ! -f "$path" ]]; then - _warning "Profile $profile not found" - continue - fi + while read -r profile; do + IFS=' ' read -r -a manifest <<< "$profile" + profile="${manifest[0]}" flags="${manifest[1]}" - # If flags is set, overwrite profile flag - if [[ -n "$flags" ]]; then - # Remove all flags definition, then set manifest' flags - sed -e "s/flags=(.*)//" \ - -e "s/ {$/ flags=(${flags//,/ }) {/" \ - -i "$path" - fi + [[ "$profile" =~ ^\# || -z "$profile" ]] && continue + path="${ROOT:?}/apparmor.d/$profile" + if [[ ! -f "$path" ]]; then + _warning "Profile $profile not found" + continue + fi - done ' + acpid attach_disconnected,complain adb complain -aa-status agetty complain -arch-audit complain at-spi-bus-launcher attach_disconnected auditd complain badblocks complain @@ -37,9 +38,6 @@ fsck-ext4 complain fuse-overlayfs complain fusermount complain gdisk complain -gdm attach_disconnected,complain -gdm-session-worker attach_disconnected,complain -gdm-wayland-session complain gdm-x-session attach_disconnected,complain gdm-xsession complain git complain 
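Review bot: `flags()` iterates `main.flags` and `"$DISTRIBUTION.flags"` without checking that the file exists, so on a distribution that has only an ignore file (this diff adds `debian.ignore` but no `debian.flags`), or when `DISTRIBUTION` is empty (`dists/flags/.flags`), the second iteration fails on the input redirect with a bare shell error after `_msg` has already announced the step. Add `[[ -f "dists/flags/$name" ]] || continue` as the first line of the `for` body, before the `_msg` call. The input redirect and the `sed` that writes the flags are cut from the visible part of this hunk, so I am assuming the loop reads `dists/flags/$name` as the `_msg` text states.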
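Review bot: The `gdm`, `gdm-session-worker` and `gdm-wayland-session` profiles lose their `complain` flag here with no replacement visible, and the same applies to the thirteen `pacman*` lines removed in the `@@ -98,19 +96,6 @@` hunk: the only per-distribution flags file this diff adds is `ubuntu.flags` with a single `aa-status` entry, and no `arch.flags` appears. If nothing else re-adds them, those profiles move from complain to whatever their source declares, which for a profile without its own `flags=` means enforce; that is a behaviour change worth a sentence in the commit message or a pointer to the file that now carries them. The file header for this hunk is cut from the page, so the file name (presumably `dists/flags/main.flags`, from the `for name in main.flags ...` loop in configure) is inferred.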
@@ -98,19 +96,6 @@ obexfs complain obexpush-atd complain obexpushd complain oomctl complain -pacman complain -pacman-conf attach_disconnected,complain -pacman-hook-dconf complain -pacman-hook-depmod complain -pacman-hook-dkms complain -pacman-hook-fontconfig complain -pacman-hook-gio complain -pacman-hook-gtk complain -pacman-hook-mkinitcpio-install complain -pacman-hook-mkinitcpio-remove complain -pacman-hook-perl complain -pacman-hook-systemd complain -pacman-key complain pass complain pass-import complain pinentry-gtk-2 complain @@ -178,7 +163,7 @@ systemd-socket-activate complain systemd-socket-proxyd complain systemd-stdio-bridge complain systemd-sulogin-shell complain -systemd-sysctl complain +systemd-sysctl attach_disconnected,complain systemd-sysext complain systemd-sysusers attach_disconnected,complain systemd-time-wait-sync complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags new file mode 100644 index 00000000..d196607b --- /dev/null +++ b/dists/flags/ubuntu.flags @@ -0,0 +1 @@ +aa-status complain diff --git a/dists/ignore/arch.ignore b/dists/ignore/arch.ignore new file mode 100644 index 00000000..daa99587 --- /dev/null +++ b/dists/ignore/arch.ignore @@ -0,0 +1,3 @@ +apparmor.d/abstractions/apt-common +apparmor.d/groups/apt +apparmor.d/groups/cron diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore new file mode 100644 index 00000000..e392fa44 --- /dev/null +++ b/dists/ignore/debian.ignore @@ -0,0 +1,2 @@ +apparmor.d/groups/pacman +root/usr/share/libalpm/hooks/apparmor.hook diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore new file mode 100644 index 00000000..24c75ed0 --- /dev/null +++ b/dists/ignore/main.ignore 
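Review bot: The `attach_disconnected` added to `systemd-sysctl` in the `@@ -178,7 +163,7 @@` hunk is an undocumented widening of that profile: with the flag, disconnected paths are treated as attached at the profile's namespace root instead of being denied, and nothing in the diff says which denial motivated it. A short reason in the commit message or in the profile's own source would let a later reader decide whether the flag can be dropped once the real path is known. Neighbouring entries such as `systemd-sysusers` already carry the same pair, so the form of the line itself is consistent with the list.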
@@ -0,0 +1,13 @@ +# Common ignore file for all distributions +# One ignore by line. Can be a profile name or a directory to ignore + +# Contains profile for full system confinement, only included when ./configure +# is given the --full option +apparmor.d/groups/_full + +apparmor.d/groups/apps + +anki +torbrowser.Browser.firefox +torbrowser.Browser.plugin-container +torbrowser.Tor.tor diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore new file mode 100644 index 00000000..02f74b14 --- /dev/null +++ b/dists/ignore/ubuntu.ignore @@ -0,0 +1,3 @@ +apparmor.d/groups/pacman +apparmor.systemd +root/usr/share/libalpm/hooks/apparmor.hook diff --git a/apparmor.d/abstractions/dbus-network-manager-strict b/dists/ubuntu/abstractions/dbus-network-manager-strict similarity index 98% rename from apparmor.d/abstractions/dbus-network-manager-strict rename to dists/ubuntu/abstractions/dbus-network-manager-strict index 9930c80d..dd43ca8b 100644 --- a/apparmor.d/abstractions/dbus-network-manager-strict +++ b/dists/ubuntu/abstractions/dbus-network-manager-strict @@ -1,7 +1,5 @@ # vim:syntax=apparmor - abi , - dbus send bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/exo-open b/dists/ubuntu/abstractions/exo-open similarity index 99% rename from apparmor.d/abstractions/exo-open rename to dists/ubuntu/abstractions/exo-open index d92ea371..d2d75391 100644 --- a/apparmor.d/abstractions/exo-open +++ b/dists/ubuntu/abstractions/exo-open @@ -1,7 +1,5 @@ # vim:syntax=apparmor - abi , - # This abstraction is designed to be used in a child profile to limit what # confined application can invoke via exo-open helper. # diff --git a/apparmor.d/abstractions/gio-open b/dists/ubuntu/abstractions/gio-open similarity index 100% rename from apparmor.d/abstractions/gio-open rename to dists/ubuntu/abstractions/gio-open 
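Review bot: The comment on `apparmor.d/groups/_full` says the group is "only included when ./configure is given the --full option", but the entry itself is unconditional, so the un-ignoring has to be implemented in `configure`; the part of `ignore()` that reads these files is cut from this page and no `--full` handling is visible in the configure hunks shown, so I cannot confirm the option exists. If it does not, reword the comment to say the group is always excluded for now, since a reader would otherwise expect `./configure --full` to produce a full-confinement build.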
diff --git a/apparmor.d/abstractions/gvfs-open b/dists/ubuntu/abstractions/gvfs-open similarity index 100% rename from apparmor.d/abstractions/gvfs-open rename to dists/ubuntu/abstractions/gvfs-open diff --git a/apparmor.d/abstractions/kde-open5 b/dists/ubuntu/abstractions/kde-open5 similarity index 100% rename from apparmor.d/abstractions/kde-open5 rename to dists/ubuntu/abstractions/kde-open5 diff --git a/apparmor.d/abstractions/xdg-open b/dists/ubuntu/abstractions/xdg-open similarity index 100% rename from apparmor.d/abstractions/xdg-open rename to dists/ubuntu/abstractions/xdg-open diff --git a/profiles.ignore b/profiles.ignore deleted file mode 100644 index 06706c7a..00000000 --- a/profiles.ignore +++ /dev/null @@ -1,6 +0,0 @@ -anki -apps/ -apparmor.systemd -torbrowser.Browser.firefox -torbrowser.Browser.plugin-container -torbrowser.Tor.tor