diff --git a/configure b/configure
index 09aa5957..913517bf 100755
--- a/configure
+++ b/configure
@@ -5,7 +5,7 @@ set -eu
-DISTRIBUTION="$(lsb_release --id --short)"
+DISTRIBUTION="${DIST:-$(lsb_release --id --short)}"
 readonly DISTRIBUTION="${DISTRIBUTION,,}"
 readonly ROOT=.build
@@ -63,15 +63,13 @@ configure() {
 ;;
- debian|ubuntu)
- if [[ "$DISTRIBUTION" == "debian" ]]; then
- _msg "$DISTRIBUTION does not have etc tunable."
- sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global"
-
+ debian|ubuntu|whonix)
+ if [[ "$DISTRIBUTION" != "ubuntu" ]]; then
 _msg "$DISTRIBUTION does not support abi 3.0 yet."
 find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
 cp -a dists/debian/abstractions/* $ROOT/apparmor.d/abstractions
+ cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables
 fi
 _msg "Configure libexec."
diff --git a/dists/debian/tunables/etc b/dists/debian/tunables/etc
new file mode 100644
index 00000000..8cfbdd40
--- /dev/null
+++ b/dists/debian/tunables/etc
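Review bot: The new `DIST` override on the `DISTRIBUTION=` line is undocumented, so nothing in the script tells a reader that distribution detection can be bypassed from the environment. A comment directly above it, such as `# DIST, when set and non-empty, replaces the lsb_release detection; the value is lowercased below.`, would state the contract. Because the default sits inside `${DIST:-…}`, `lsb_release` is only executed when DIST is unset or empty, which is also worth saying since `set -eu` means a missing `lsb_release` aborts the script on the default path.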
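Review bot: The added `cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables` leaves `$ROOT` unquoted, unlike `find "$ROOT/apparmor.d"` two lines above in the same branch; `cp -a dists/debian/tunables/* "$ROOT/apparmor.d/tunables"` keeps the quoting consistent (the pre-existing abstractions line has the same gap). The `!= "ubuntu"` test now routes both `debian` and `whonix` through the abi-3.0 stripping and the tunables copy, but the `_msg` still only mentions abi 3.0; a short comment such as `# non-Ubuntu targets also take the Debian tunables (replaces the old etc-line removal from tunables/global)` would record why the old `sed -i -e '/etc/d'` step could be dropped. The enclosing `configure()` function starts and ends outside the hunk.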
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{etc_ro} contains a space-separated list of the system configuration directories.
+# Traditionally this means /etc/, but when using a read-only / filesystem and/or
+# with the goal of having only user-modified config files in /etc/, directories
+# like /usr/etc/ get introduced for storing the default config.
+
+# @{etc_ro} contains read-only directories with configuration files.
+# Do not use @{etc_ro} in rules that allow write access.
+@{etc_ro}=/etc/ /usr/etc/
+
+# @{etc_rw} contains directories where writing to configuration files is allowed.
+@{etc_rw}=/etc/
+
+# Also, include files in tunables/etc.d/ for site-specific adjustments to
+# @{etc_ro} and @{etc_rw}.
+include if exists
\ No newline at end of file