Rethink the configure process.

This commit is contained in:
Alexandre Pujol 2021-12-04 22:09:20 +00:00
parent 0fc9c8b5b0
commit 1644b70d6d
19 changed files with 156 additions and 125 deletions


@ -30,8 +30,3 @@ jobs:
- name: Show AppArmor log - name: Show AppArmor log
run: sudo aa-log run: sudo aa-log
- name: Verify apparmor status
run: |
aa-status
sudo aa-status


@ -12,15 +12,15 @@ depends=('apparmor')
makedepends=('go' 'git') makedepends=('go' 'git')
pkgver() { pkgver() {
cd "$srcdir/$pkgname" cd "$srcdir/$pkgname"
echo "0.$(git rev-list --count HEAD)" echo "0.$(git rev-list --count HEAD)"
} }
prepare() { prepare() {
git clone "$startdir" "$srcdir/$pkgname" git clone "$startdir" "$srcdir/$pkgname"
cd "$srcdir/$pkgname" cd "$srcdir/$pkgname"
./configure --distribution=archlinux ./configure
} }
build() { build() {
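Review bot: prepare() now calls `./configure` without `--distribution`, which makes the script detect the target through `lsb_release` (see the configure diff), but `makedepends` is still `('go' 'git')`; in a clean makepkg chroot `lsb-release` is not guaranteed to be present, in which case DISTRIBUTION would be empty and configure would try to read `dists/ignore/.ignore`. Declare the new build-time dependency: `makedepends=('go' 'git' 'lsb-release')`. `build()` continues outside the hunk.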

167
configure vendored

@ -3,10 +3,14 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
DISTRIBUTION="$(lsb_release --id --short)"
readonly DISTRIBUTION="${DISTRIBUTION,,}"
readonly ROOT=.build readonly ROOT=.build
_die() { printf 'Error: %s\n' "$*" >&2 && exit 1; } _die() { printf 'Error: %s\n' "$*" >&2 && exit 1; }
_warning() { printf ' Warning: %s\n' "$*" >&2; } _warning() { printf ' Warning: %s\n' "$*" >&2; }
_title() { printf '%s\n' "$*" >&2; }
_msg() { printf ' - %s\n' "$*" >&2; }
# Displace files in the package sources # Displace files in the package sources
# $@ List of files to displace # $@ List of files to displace
@ -18,61 +22,63 @@ _displace_files() {
# Initialize a new clean apparmor.d build directory # Initialize a new clean apparmor.d build directory
initialize() { initialize() {
rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT" rm -rf "${ROOT:?}"
rsync -a ./apparmor.d "$ROOT"
rsync -a ./root "$ROOT"
} }
# Ignore profiles in profiles.ignore # Ignore profiles and files as defined in dists/ignore/
ignore() { ignore() {
echo " Ignore profiles in profiles.ignore." for name in main.ignore "$DISTRIBUTION.ignore"; do
while read -r profile; do _msg "Ignore profiles/files in dists/ignore/$name"
[[ "$profile" =~ ^\# ]] && continue while read -r profile; do
if [[ "$profile" == */ ]]; then [[ "$profile" =~ ^\# ]] && continue
find "$ROOT/apparmor.d" -iname "${profile////}" -type d -exec rm -r {} \; if [[ -e "$profile" ]]; then
else rm -r "${ROOT:?}/$profile"
find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \; else
fi find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
done <profiles.ignore fi
done <"dists/ignore/$name"
done
}
# Synchronise all profiles in a new apparmor.d directory.
synchronise() {
_msg "Synchronise all profiles."
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
rm -rf "${ROOT:?}/apparmor.d/groups/"
mv "${ROOT:?}/apparmor.d/profiles-"*-*/* "${ROOT:?}/apparmor.d/"
rm -rf "${ROOT:?}/apparmor.d/profiles-"*
} }
# Set the distribution specificities # Set the distribution specificities
configure() { configure() {
case "$DISTRIBUTION" in case "$DISTRIBUTION" in
archlinux) arch)
echo " Ignore non Archlinux profiles." _msg "Configure libexec."
rm -rf \
"${ROOT:?}"/apparmor.d/abstractions/apt-common \
"${ROOT:?}"/apparmor.d/groups/apt \
"${ROOT:?}"/apparmor.d/groups/cron \
"${ROOT:?}"/root/etc/initramfs-tools
echo " Configure libexec."
sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend" sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend"
;; ;;
debian) debian|ubuntu)
echo " Ignore non Debian profiles." _msg "Configure libexec."
rm -rf \
"${ROOT:?}"/apparmor.d/groups/pacman \
"${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook
echo " Configure libexec."
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend" sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend"
echo " Debian does not support abi 3.0 yet." _msg "$DISTRIBUTION does not support abi 3.0 yet."
find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \; find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
echo " Debian does not have etc tunable." _msg "$DISTRIBUTION does not have etc tunable."
sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global" sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global"
echo " Displace overwritten files." _msg "Displace overwritten files."
_displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs _displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs
if [[ "$(lsb_release -is)" == "Ubuntu" ]]; then if [[ "$DISTRIBUTION" == "ubuntu" ]]; then
echo " Ubuntu LTS compatibility." _msg "Ubuntu LTS compatibility."
echo "@{run}=/run/ /var/run/" > "$ROOT/apparmor.d/tunables/run" echo "@{run}=/run/ /var/run/" > "$ROOT/apparmor.d/tunables/run"
sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \ sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \
"$ROOT/apparmor.d/groups/virt/libvirtd" "$ROOT/apparmor.d/libvirtd"
cp -a dists/ubuntu/abstractions/* $ROOT/apparmor.d/abstractions
fi fi
;; ;;
@ -81,51 +87,37 @@ configure() {
esac esac
} }
# Synchronise all profile in a new apparmor.d directory.
synchronise() {
echo "Synchronise all profiles."
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
rm -rf "${ROOT:?}/apparmor.d/groups/"
for dir in profiles-a-f profiles-g-l profiles-m-r profiles-s-z; do
mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/"
rm -rf "${ROOT:?}/apparmor.d/$dir"
done
}
# Set flags on some profile # Set flags on some profile
setflags() { flags() {
echo "Set apparmor flags from profiles.flags" for name in main.flags "$DISTRIBUTION.flags"; do
while read -r profile; do _msg "Set profiles flags from dists/flags/$name"
IFS=' ' read -r -a manifest <<< "$profile"
profile="${manifest[0]}" flags="${manifest[1]}"
[[ "$profile" =~ ^\# || -z "$profile" ]] && continue while read -r profile; do
path="${ROOT:?}/apparmor.d/$profile" IFS=' ' read -r -a manifest <<< "$profile"
if [[ ! -f "$path" ]]; then profile="${manifest[0]}" flags="${manifest[1]}"
_warning "Profile $profile not found"
continue
fi
# If flags is set, overwrite profile flag [[ "$profile" =~ ^\# || -z "$profile" ]] && continue
if [[ -n "$flags" ]]; then path="${ROOT:?}/apparmor.d/$profile"
# Remove all flags definition, then set manifest' flags if [[ ! -f "$path" ]]; then
sed -e "s/flags=(.*)//" \ _warning "Profile $profile not found"
-e "s/ {$/ flags=(${flags//,/ }) {/" \ continue
-i "$path" fi
fi
done <profiles.flags # If flags is set, overwrite profile flag
if [[ -n "$flags" ]]; then
# Remove all flags definition, then set manifest' flags
sed -e "s/flags=(.*)//" \
-e "s/ {$/ flags=(${flags//,/ }) {/" \
-i "$path"
fi
} done <"dists/flags/$name"
done
# Set AppArmor for full system policy
full() {
echo WIP
} }
# Set complain flag on all profile (Dev only) # Set complain flag on all profile (Dev only)
complain() { complain() {
echo "Set complain flag on all profile" _msg "Set complain flag on all profiles"
for path in "${ROOT:?}/apparmor.d/"*; do for path in "${ROOT:?}/apparmor.d/"*; do
[[ -d "$path" ]] && continue [[ -d "$path" ]] && continue
flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)" flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
@ -138,41 +130,50 @@ complain() {
echo echo
} }
# Set AppArmor for full system policy
# See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
full() {
cp -a apparmor.d/groups/_full/* "$ROOT/apparmor.d/"
}
# Print help message # Print help message
cmd_help() { cmd_help() {
cat <<-_EOF cat <<-_EOF
./configure [options] - Configure the apparmor.d package ./configure [options] - Configure the apparmor.d package
Options: Options:
-d DIST, --dist=DIST Set the target Linux distribution: archlinux, debian -f, --full Set AppArmor for full system policy
-f, --full Set AppArmor for full system policy -c, --complain Set complain flag on all profiles
-c, --complain Set complain flag on all profiles -h, --help Print this help message and exit
-h, --help Print this help message and exit
_EOF _EOF
} }
main() { main() {
local opts err full=0 complain=0 local opts err
small_arg="d:cfh" FULL=0
long_arg="dist:,complain,full,help" COMPLAIN=0
small_arg="cfh"
long_arg="complain,full,help"
opts="$(getopt -o $small_arg -l $long_arg -n "$PROGRAM" -- "$@")" opts="$(getopt -o $small_arg -l $long_arg -n "$PROGRAM" -- "$@")"
err=$? err=$?
eval set -- "$opts" eval set -- "$opts"
while true; do case $1 in while true; do case $1 in
-d|--dist) DISTRIBUTION="$2"; shift 2 ;; -f|--full) FULL=1; shift ;;
-f|--full) full=1; shift ;; -c|--complain) COMPLAIN=1; shift ;;
-c|--complain) complain=1; shift ;;
-h|--help) shift; cmd_help; exit 0 ;; -h|--help) shift; cmd_help; exit 0 ;;
--) shift; break ;; --) shift; break ;;
esac done esac done
[[ $err -ne 0 ]] && { cmd_help; exit 1; } [[ $err -ne 0 ]] && { cmd_help; exit 1; }
echo "Set the configuration for $DISTRIBUTION." _title "Set the configuration for $DISTRIBUTION."
initialize || _die "initializing build directory" initialize || _die "initializing build directory"
ignore || _die "removing ignored profiles" ignore || _die "removing ignored profiles"
configure || _die "configuring distributaion"
synchronise || _die "merging profiles" synchronise || _die "merging profiles"
setflags || _die "settings flags" configure || _die "configuring distributaion"
flags || _die "settings flags"
[[ "$COMPLAIN" == 1 ]] && complain
[[ "$FULL" == 1 ]] && full
return 0
} }
main "$@" main "$@"
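Review bot: In main(), `full` is the last step, after `configure`, `flags` and `complain` have already rewritten `$ROOT/apparmor.d`, so the profiles full() copies in from `apparmor.d/groups/_full` skip every distribution fixup — on Debian/Ubuntu the `abi ` and tunable stripping that configure() does because, per its own message, Debian does not support abi 3.0 yet — as well as the flags manifests and `-c`; if those profiles carry `abi <abi/3.0>,` lines, as the abstractions touched in this commit do, the Debian build ships them unmodified. Moving the copy to right after the merge fixes the ordering: `synchronise || _die "merging profiles"` / `[[ "$FULL" == 1 ]] && full` / `configure || _die "configuring distributaion"`, and drop the trailing `[[ "$FULL" == 1 ]] && full`. The `distributaion` typo in that die message is inherited from the old code and could be fixed while there. complain()'s body starts outside the hunk.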

10
debian/rules vendored

@ -5,19 +5,19 @@
%: %:
dh $@ --with=config-package dh $@ --with=config-package
override_dh_auto_configure:
./configure --dist=debian
export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CPPFLAGS="${CPPFLAGS}"
export CGO_CFLAGS="${CFLAGS}" export CGO_CFLAGS="${CFLAGS}"
export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}"
export CGO_LDFLAGS="${LDFLAGS}" export CGO_LDFLAGS="${LDFLAGS}"
export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
go build -o .build/ ./cmd/aa-log go build ./cmd/aa-log
override_dh_auto_configure:
./configure
override_dh_install: override_dh_install:
mv systemd system mv systemd system
find system -type f -exec \ find system -type f -exec \
install -Dm0644 {} $$(pwd)/debian/apparmor.d/usr/lib/systemd/{}.d/apparmor.conf \; install -Dm0644 {} $$(pwd)/debian/apparmor.d/usr/lib/systemd/{}.d/apparmor.conf \;
install -Dm755 .build/aa-log $$(pwd)/debian/apparmor.d/usr/bin/aa-log install -Dm755 aa-log $$(pwd)/debian/apparmor.d/usr/bin/aa-log
dh_install dh_install
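Review bot: `go build ./cmd/aa-log` now drops the binary into the source root, where `install -Dm755 aa-log` picks it up; unless `debian/clean` (not visible here) already lists it, `dh_clean` will leave the artifact behind and a second source build in the same tree carries an untracked binary. Either add `aa-log` to `debian/clean` or keep building into a scratch directory, e.g. `go build -o debian/tmp/ ./cmd/aa-log` with the install path adjusted to match. Since `./configure` now relies on `lsb_release`, `debian/control` presumably also needs `lsb-release` in Build-Depends — confirm. The target owning the export and build lines starts outside the hunk.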

16
dists/flags/arch.flags Normal file

@ -0,0 +1,16 @@
arch-audit complain
archlinux-java complain
aurpublish complain
pacman complain
pacman-conf attach_disconnected,complain
pacman-hook-dconf complain
pacman-hook-depmod complain
pacman-hook-dkms complain
pacman-hook-fontconfig complain
pacman-hook-gio complain
pacman-hook-gtk complain
pacman-hook-mkinitcpio-install attach_disconnected,complain
pacman-hook-mkinitcpio-remove complain
pacman-hook-perl complain
pacman-hook-systemd complain
pacman-key complain

22
dists/flags/debian.flags Normal file

@ -0,0 +1,22 @@
dhclient complain
dhclient-script complain
dpkg complain
dpkg-architecture complain
dpkg-buildflags complain
dpkg-checkbuilddeps complain
dpkg-deb complain
dpkg-divert complain
dpkg-genbuildinfo complain
dpkg-genchanges complain
dpkg-preconfigure complain
dpkg-query complain
dpkg-split complain
dpkg-status complain
dpkg-trigger complain
dpkg-vendor complain
ifup complain
macchanger complain
resolvconf complain
run-parts complain
unattended-upgrade complain
unattended-upgrade-shutdown attach_disconnected,complain


@ -1,8 +1,9 @@
# Common profile flags definition for all distributions
# One profile by line using the format: '<profile> <flags>'
acpid attach_disconnected,complain acpid attach_disconnected,complain
adb complain adb complain
aa-status
agetty complain agetty complain
arch-audit complain
at-spi-bus-launcher attach_disconnected at-spi-bus-launcher attach_disconnected
auditd complain auditd complain
badblocks complain badblocks complain
@ -37,9 +38,6 @@ fsck-ext4 complain
fuse-overlayfs complain fuse-overlayfs complain
fusermount complain fusermount complain
gdisk complain gdisk complain
gdm attach_disconnected,complain
gdm-session-worker attach_disconnected,complain
gdm-wayland-session complain
gdm-x-session attach_disconnected,complain gdm-x-session attach_disconnected,complain
gdm-xsession complain gdm-xsession complain
git complain git complain
@ -98,19 +96,6 @@ obexfs complain
obexpush-atd complain obexpush-atd complain
obexpushd complain obexpushd complain
oomctl complain oomctl complain
pacman complain
pacman-conf attach_disconnected,complain
pacman-hook-dconf complain
pacman-hook-depmod complain
pacman-hook-dkms complain
pacman-hook-fontconfig complain
pacman-hook-gio complain
pacman-hook-gtk complain
pacman-hook-mkinitcpio-install complain
pacman-hook-mkinitcpio-remove complain
pacman-hook-perl complain
pacman-hook-systemd complain
pacman-key complain
pass complain pass complain
pass-import complain pass-import complain
pinentry-gtk-2 complain pinentry-gtk-2 complain
@ -178,7 +163,7 @@ systemd-socket-activate complain
systemd-socket-proxyd complain systemd-socket-proxyd complain
systemd-stdio-bridge complain systemd-stdio-bridge complain
systemd-sulogin-shell complain systemd-sulogin-shell complain
systemd-sysctl complain systemd-sysctl attach_disconnected,complain
systemd-sysext complain systemd-sysext complain
systemd-sysusers attach_disconnected,complain systemd-sysusers attach_disconnected,complain
systemd-time-wait-sync complain systemd-time-wait-sync complain
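Review bot: The new bare `aa-status` entry near the top of main.flags carries no flags, and flags() only touches a profile when its flags field is non-empty (`if [[ -n "$flags" ]]`), so the line is a no-op — it does not even clear an existing `flags=(...)` on the profile — while `dists/flags/ubuntu.flags` sets `aa-status complain`. If the intent is to record that aa-status is enforced everywhere but Ubuntu, say so, e.g. `# aa-status: enforced by default, set to complain only in ubuntu.flags`, otherwise drop the line. The new header's `One profile by line` reads better as `One profile per line`.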

1
dists/flags/ubuntu.flags Normal file

@ -0,0 +1 @@
aa-status complain

3
dists/ignore/arch.ignore Normal file

@ -0,0 +1,3 @@
apparmor.d/abstractions/apt-common
apparmor.d/groups/apt
apparmor.d/groups/cron


@ -0,0 +1,2 @@
apparmor.d/groups/pacman
root/usr/share/libalpm/hooks/apparmor.hook

13
dists/ignore/main.ignore Normal file

@ -0,0 +1,13 @@
# Common ignore file for all distributions
# One ignore by line. Can be a profile name or a directory to ignore
# Contains profile for full system confinement, only included when ./configure
# is given the --full option
apparmor.d/groups/_full
apparmor.d/groups/apps
anki
torbrowser.Browser.firefox
torbrowser.Browser.plugin-container
torbrowser.Tor.tor
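Review bot: The header comment `Can be a profile name or a directory to ignore` no longer matches what ignore() accepts: an entry is either a path that exists relative to the repository root (checked with `-e` against the source tree, then removed from `$ROOT` with `rm -r`, file or directory alike) or a bare name, which is only looked up as a regular file via `find -iname "$profile" -type f` — the old trailing-slash directory form is gone. Suggest `# One entry per line: either a path relative to the repository root (file or directory, removed from the build as-is) or a bare profile name (matched case-insensitively as a file anywhere under apparmor.d)`. Worth adding that bare names are used as `find -iname` patterns, so `*` or `?` in a name would match more than one profile.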


@ -0,0 +1,3 @@
apparmor.d/groups/pacman
apparmor.systemd
root/usr/share/libalpm/hooks/apparmor.hook


@ -1,7 +1,5 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
dbus send dbus send
bus=system bus=system
path=/org/freedesktop/NetworkManager path=/org/freedesktop/NetworkManager


@ -1,7 +1,5 @@
# vim:syntax=apparmor # vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what # This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper. # confined application can invoke via exo-open helper.
# #


@ -1,6 +0,0 @@
anki
apps/
apparmor.systemd
torbrowser.Browser.firefox
torbrowser.Browser.plugin-container
torbrowser.Tor.tor