From 2d01001020e501380c89d36e9d428ae4590eebbc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 2 Apr 2021 18:12:15 +0100
Subject: [PATCH] Add PKGBUILD & ./configure

---
 PKGBUILD  |  44 ++++++++++++++++++
 configure | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)
 create mode 100644 PKGBUILD
 create mode 100755 configure

diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 00000000..e59fd77e
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,44 @@
+# Maintainer: Alexandre Pujol <alexandre@pujol.io>
+# shellcheck disable=SC2034,SC2154,SC2164
+
+pkgname=apparmor.d
+pkgver=21.0402
+pkgrel=1
+pkgdesc="Full set of apparmor profiles"
+arch=("any")
+url="https://gitlab.com/archlex/hardening/$pkgname"
+license=('GPL2')
+depends=('apparmor')
+source=("git+file://$PWD?signed")
+sha512sums=('SKIP')
+validpgpkeys=("06A26D531D56C42D66805049C5469996F0DF68EC")
+
+pkgver() {
+  date +%y.%m%d
+}
+
+prepare() {
+  cd "$srcdir/$pkgname"
+
+  ./configure --distribution=archlinux --flavor=desktop
+}
+
+package() {
+  local _root='_build'
+  cd "$srcdir/$pkgname"
+
+  # Install all files from root/
+  cp --recursive --preserve=mode,ownership,timestamps "$_root/root/"* "$pkgdir/"
+
+  # Install all files from apparmor.d/
+  install -d "$pkgdir"/etc/apparmor.d/
+  cp --recursive --preserve=mode,ownership,timestamps \
+    $_root/apparmor.d/* "$pkgdir"/etc/apparmor.d/
+
+  # Ensure some systemd services do not start before apparmor rules are loaded
+  for path in systemd/*; do
+    service=$(basename "$path")
+    install -Dm0644 "$path" \
+      "$pkgdir/usr/lib/systemd/system/$service.d/apparmor.conf"
+  done
+}
diff --git a/configure b/configure
new file mode 100755
index 00000000..a43282f2
--- /dev/null
+++ b/configure
@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+# Configure the apparmor.d package
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+readonly ROOT=_build
+declare -a REMOVE_LIST
+
+_die()  { echo "$@" && exit 1; }
+_cd() { cd "$1" || _die "unable to move into $1"; }
+_init() { rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"; }
+
+# Remove files or directories in the package
+remove_files() {
+	msg="Remove unneeded profiles/resources:"
+	for path in "${REMOVE_LIST[@]}"; do
+    	[[ ! -e "${ROOT:?}/$path" ]] && continue
+    	msg+=$'\n'"  $(stat -c '%A  %u:%g' "${ROOT:?}/$path")  $path"
+	done
+	echo "$msg"
+
+	for path in "${REMOVE_LIST[@]}"; do
+		rm -rf "${ROOT:?}/$path"
+	done
+}
+
+# Set the distribution, flavor & groups
+configure() {
+	echo "Set the configuration for $DISTRIBUTION."
+	if [[ "$DISTRIBUTION" == archlinux ]]; then
+		REMOVE_LIST+=(
+			apparmor.d/abstractions/apt-common
+			apparmor.d/groups/apt
+			apparmor.d/groups/cron
+		)
+
+	elif [[ "$DISTRIBUTION" == debian ]]; then
+		REMOVE_LIST+=(
+			apparmor.d/groups/pacman
+			root/usr/share/libalpm/hooks/apparmor.hook
+		)
+
+	else
+		_die  "Distribution $DISTRIBUTION not supported."
+
+	fi
+
+	echo "Set the configuration for a $FLAVOR."
+	if [[ "$FLAVOR" == server ]]; then
+		REMOVE_LIST+=(
+			apparmor.d/groups/apps
+			apparmor.d/groups/browsers
+			apparmor.d/groups/desktop
+			apparmor.d/groups/gnome
+			apparmor.d/groups/gvfs
+			apparmor.d/groups/network/NetworkManager
+			apparmor.d/groups/network/nm-*
+		)
+
+	fi
+}
+
+# Initialise the apparmor.d with the selected configuration.
+initialise() {
+	_init
+	remove_files
+
+	mkdir "${ROOT:?}/apparmor.d/profiles"
+	mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/profiles/"
+	rm -rf "${ROOT:?}/apparmor.d/groups/"
+	for dir in profiles-a-l profiles-m-z; do
+		mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/profiles/"
+		rm -rf "${ROOT:?}/apparmor.d/$dir"
+	done
+}
+
+# Generate the apparmor.d directory with profile from the manifest
+generate() {
+	echo "Generated apparmor.d directory: $ROOT"
+    while read -r profile; do
+        IFS=' ' read -r -a manifest <<< "$profile"
+        profile="${manifest[0]}" flags="${manifest[1]}"
+
+        [[ "$profile" =~ ^\# ]] && continue
+		path="${ROOT:?}/apparmor.d/profiles/$profile"
+        [[ -f "$path" ]] || _die "Profile $profile not found"
+
+		# If flags is set, overwrite profile flag
+        if [[ -n "$flags" ]]; then
+			# Remove all flags definition, then set manifest' flags
+			sed -e "s/flags=(.*)//" \
+			 	-e "s/ {$/ flags=(${flags//,/ }) {/" \
+				-i "$path"
+        fi
+
+        mv "$path" "${ROOT:?}/apparmor.d/"
+
+    done <profiles.manifest
+
+    rm -rf "${ROOT:?}/apparmor.d/profiles"
+}
+
+# Print help message
+cmd_help() {
+	cat <<-_EOF
+	./configure [options] - Configure the apparmor.d package
+
+	Options:
+	    --distribution=DIST Set the target Linux distribution (Archlinux, Debian)
+	    --flavor=FLAVOR     Special flavor specific configuration (desktop, server)
+	    --help              Print this help message and exit.
+	_EOF
+}
+
+main() {
+	local opts err
+	opts="$(getopt -o h -l distribution:,flavor:,groups:,help -n "$PROGRAM" -- "$@")"
+	err=$?
+	eval set -- "$opts"
+	while true; do case $1 in
+		--distribution) DISTRIBUTION="$2"; shift 2 ;;
+		--flavor) FLAVOR="$2"; shift 2 ;;
+		-h|--help) shift; cmd_help; exit 0 ;;
+		--) shift; break ;;
+	esac done
+
+	[[ $err -ne 0 ]] && { cmd_help; exit 1; }
+
+	configure
+	initialise
+	generate
+
+	exit 0
+}
+
+main "$@"