mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
build: remove configure for prebuild.
This commit is contained in:
parent
ec733d30ac
commit
5af9bab04b
@ -23,7 +23,7 @@ bash:
|
|||||||
image: koalaman/shellcheck-alpine
|
image: koalaman/shellcheck-alpine
|
||||||
script:
|
script:
|
||||||
- shellcheck --shell=bash
|
- shellcheck --shell=bash
|
||||||
PKGBUILD configure dists/build.sh
|
PKGBUILD dists/build.sh
|
||||||
tests/packer/src/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
|
tests/packer/src/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
|
||||||
debian/apparmor.d.postinst debian/apparmor.d.postrm
|
debian/apparmor.d.postinst debian/apparmor.d.postrm
|
||||||
|
|
||||||
@ -129,8 +129,7 @@ preprocess-opensuse:
|
|||||||
stage: preprocess
|
stage: preprocess
|
||||||
image: opensuse/tumbleweed
|
image: opensuse/tumbleweed
|
||||||
script:
|
script:
|
||||||
- zypper install -y apparmor-profiles go git rsync lsb-release util-linux findutils make
|
- zypper install -y apparmor-profiles go git rsync util-linux findutils make
|
||||||
- ./configure --complain
|
|
||||||
- make
|
- make
|
||||||
- make install
|
- make install
|
||||||
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
|
- apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
|
||||||
|
3
Makefile
3
Makefile
@ -12,9 +12,11 @@ P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))
|
|||||||
.PHONY: all build enforce full install local $(P) pkg dpkg rpm lint clean
|
.PHONY: all build enforce full install local $(P) pkg dpkg rpm lint clean
|
||||||
|
|
||||||
all: build
|
all: build
|
||||||
|
@./${BUILD}/prebuild --complain
|
||||||
|
|
||||||
build:
|
build:
|
||||||
@go build -o ${BUILD}/ ./cmd/aa-log
|
@go build -o ${BUILD}/ ./cmd/aa-log
|
||||||
|
@go build -o ${BUILD}/ ./cmd/prebuild
|
||||||
|
|
||||||
enforce: build
|
enforce: build
|
||||||
@./${BUILD}/prebuild
|
@./${BUILD}/prebuild
|
||||||
@ -42,7 +44,6 @@ install:
|
|||||||
done
|
done
|
||||||
|
|
||||||
local:
|
local:
|
||||||
@./configure --complain
|
|
||||||
@make
|
@make
|
||||||
@sudo make install
|
@sudo make install
|
||||||
@sudo systemctl restart apparmor || sudo systemctl status apparmor
|
@sudo systemctl restart apparmor || sudo systemctl status apparmor
|
||||||
|
2
PKGBUILD
2
PKGBUILD
@ -22,8 +22,6 @@ pkgver() {
|
|||||||
|
|
||||||
prepare() {
|
prepare() {
|
||||||
rsync -a --delete "$startdir" "$srcdir"
|
rsync -a --delete "$startdir" "$srcdir"
|
||||||
cd "$srcdir/$pkgname"
|
|
||||||
./configure --complain
|
|
||||||
}
|
}
|
||||||
|
|
||||||
build() {
|
build() {
|
||||||
|
272
configure
vendored
272
configure
vendored
@ -1,272 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
# Configure the apparmor.d package
|
|
||||||
# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
DISTRIBUTION="${DIST:-$(lsb_release --id --short)}"
|
|
||||||
readonly DISTRIBUTION="${DISTRIBUTION,,}"
|
|
||||||
readonly ROOT=.build
|
|
||||||
|
|
||||||
_die() { printf 'Error: %s\n' "$*" >&2 && exit 1; }
|
|
||||||
_warning() { printf ' Warning: %s\n' "$*" >&2; }
|
|
||||||
_title() { printf '%s\n' "$*" >&2; }
|
|
||||||
_msg() { printf ' - %s\n' "$*" >&2; }
|
|
||||||
|
|
||||||
# Process management function to run a function over all the profile files
|
|
||||||
# $1 The function to run
|
|
||||||
# $2 Usage message to print
|
|
||||||
process() {
|
|
||||||
local len nprof nproc fct="$1" msg="$2"
|
|
||||||
_msg "$msg"
|
|
||||||
mapfile -t files < <(find "${ROOT:?}/apparmor.d" -type f)
|
|
||||||
len="${#files[@]}"
|
|
||||||
nproc=$(nproc)
|
|
||||||
((nprof = len / nproc + 1))
|
|
||||||
start=0
|
|
||||||
end=$nprof
|
|
||||||
for ((ii = 0; ii < nproc; ii++)); do
|
|
||||||
$fct $start $end "${files[@]}" &
|
|
||||||
((start = end + 1))
|
|
||||||
((end = end + nprof))
|
|
||||||
done
|
|
||||||
wait
|
|
||||||
}
|
|
||||||
|
|
||||||
# Initialize a new clean apparmor.d build directory
|
|
||||||
initialize() {
|
|
||||||
rm -rf "${ROOT:?}"
|
|
||||||
rsync -a ./apparmor.d "$ROOT"
|
|
||||||
rsync -a ./root "$ROOT"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Ignore profiles and files as defined in dists/ignore/
|
|
||||||
ignore() {
|
|
||||||
for name in main.ignore "$DISTRIBUTION.ignore"; do
|
|
||||||
[[ -f "dists/ignore/$name" ]] || continue
|
|
||||||
_msg "Ignore profiles/files in dists/ignore/$name"
|
|
||||||
while read -r profile; do
|
|
||||||
[[ "$profile" =~ ^\# ]] && continue
|
|
||||||
[[ -z "$profile" ]] && continue
|
|
||||||
if [[ -e "${ROOT:?}/$profile" ]]; then
|
|
||||||
rm -r "${ROOT:?}/$profile"
|
|
||||||
else
|
|
||||||
find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
|
|
||||||
fi
|
|
||||||
done <"dists/ignore/$name"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# Synchronise all profiles in a new apparmor.d directory.
|
|
||||||
synchronise() {
|
|
||||||
_msg "Synchronise all profiles."
|
|
||||||
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
|
|
||||||
rm -rf "${ROOT:?}/apparmor.d/groups/"
|
|
||||||
mv "${ROOT:?}/apparmor.d/profiles-"*-*/* "${ROOT:?}/apparmor.d/"
|
|
||||||
rm -rf "${ROOT:?}/apparmor.d/profiles-"*
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set the distribution specificities
|
|
||||||
configure() {
|
|
||||||
case "$DISTRIBUTION" in
|
|
||||||
arch | endeavouros | cachyos | manjarolinux)
|
|
||||||
_msg "Configure libexec."
|
|
||||||
LIBEXEC="/{usr/,}lib"
|
|
||||||
sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/etc.d/apparmor.d"
|
|
||||||
;;
|
|
||||||
|
|
||||||
debian | ubuntu | whonix | core)
|
|
||||||
mv "$ROOT/apparmor.d/abstractions/trash.d/complete" "$ROOT/apparmor.d/abstractions/trash"
|
|
||||||
case "$DISTRIBUTION" in
|
|
||||||
core)
|
|
||||||
mkdir -p $ROOT/root/usr/lib/systemd/system/systemd-udevd.service.d/
|
|
||||||
cp -a dists/core/systemd-udevd.service $ROOT/root/usr/lib/systemd/system/systemd-udevd.service.d/apparmor.conf
|
|
||||||
cp -a apparmor.d/groups/_full/systemd $ROOT/apparmor.d/systemd ;;
|
|
||||||
debian | whonix)
|
|
||||||
_msg "$DISTRIBUTION does not support abi 3.0 yet."
|
|
||||||
find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
|
|
||||||
cp -a dists/debian/abstractions/* $ROOT/apparmor.d/abstractions
|
|
||||||
cp -a dists/debian/tunables/* $ROOT/apparmor.d/tunables ;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
_msg "Configure libexec."
|
|
||||||
LIBEXEC="/{usr/,}libexec"
|
|
||||||
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/etc.d/apparmor.d"
|
|
||||||
;;
|
|
||||||
|
|
||||||
opensuse)
|
|
||||||
LIBEXEC="/{usr/,}libexec"
|
|
||||||
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/etc.d/apparmor.d"
|
|
||||||
;;
|
|
||||||
|
|
||||||
*) _die "$DISTRIBUTION is not a supported distribution." ;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set flags on some profile
|
|
||||||
flags() {
|
|
||||||
for name in main.flags "$DISTRIBUTION.flags"; do
|
|
||||||
_msg "Set profiles flags from dists/flags/$name"
|
|
||||||
|
|
||||||
while read -r profile; do
|
|
||||||
IFS=' ' read -r -a manifest <<<"$profile"
|
|
||||||
profile="${manifest[0]:-}" flags="${manifest[1]:-}"
|
|
||||||
|
|
||||||
[[ "$profile" =~ ^\# || -z "$profile" ]] && continue
|
|
||||||
path="${ROOT:?}/apparmor.d/$profile"
|
|
||||||
if [[ ! -f "$path" ]]; then
|
|
||||||
_warning "Profile $profile not found"
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If flags is set, overwrite profile flag
|
|
||||||
if [[ -n "$flags" ]]; then
|
|
||||||
# Remove all flags definition, then set manifest' flags
|
|
||||||
sed -e "s/flags=(.*)//" \
|
|
||||||
-e "s/ {$/ flags=(${flags//,/ }) {/" \
|
|
||||||
-i "$path"
|
|
||||||
fi
|
|
||||||
|
|
||||||
done <"dists/flags/$name"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# Resolve the variables in the profile attachments
|
|
||||||
_resolve_attachments() {
|
|
||||||
local path="$1"
|
|
||||||
declare -A variables
|
|
||||||
|
|
||||||
# Parse the variables in the profile hearder
|
|
||||||
variables=(
|
|
||||||
[libexec]="$LIBEXEC" [multiarch]="*-linux-gnu*"
|
|
||||||
[user_share_dirs]="/home/*/.local/share" [etc_ro]="/{usr/,}etc/"
|
|
||||||
)
|
|
||||||
mapfile -t lines < <(grep '^@{.*}[ ]*[+=][ ]*.*$' "$path")
|
|
||||||
for line in "${lines[@]}"; do
|
|
||||||
value="${line##*=}"
|
|
||||||
key="${line#^@{}"
|
|
||||||
key="${key%%\}*}"
|
|
||||||
key="${key/@{/}"
|
|
||||||
variables[$key]+="${value}"
|
|
||||||
done
|
|
||||||
[ -z ${variables[exec_path]+x} ] && return
|
|
||||||
|
|
||||||
# Resolve variable in profile attachments
|
|
||||||
entrypoint="${variables[exec_path]}"
|
|
||||||
while [[ "$entrypoint" =~ "@{".*"}" ]]; do
|
|
||||||
name=${entrypoint#*@\{}
|
|
||||||
name="${name%%\}*}"
|
|
||||||
value="${variables[$name]# }"
|
|
||||||
entrypoint="${entrypoint//@{${name}\}/${value}}"
|
|
||||||
done
|
|
||||||
entrypoint="${entrypoint# }"
|
|
||||||
|
|
||||||
# If needed nest the attachments
|
|
||||||
IFS=" " read -r -a attachments <<<"$entrypoint"
|
|
||||||
if [[ "${#attachments[@]}" -ge 2 ]]; then
|
|
||||||
res="/{"
|
|
||||||
for aare in "${attachments[@]}"; do
|
|
||||||
res+="${aare#/},"
|
|
||||||
done
|
|
||||||
entrypoint="${res%,}}"
|
|
||||||
fi
|
|
||||||
echo "$entrypoint"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Remove variables in profile attachment to bypass userspace tools restriction
|
|
||||||
_userspace() {
|
|
||||||
local start="$1" end="$2"; shift 2
|
|
||||||
files=("$@")
|
|
||||||
ii="$start"
|
|
||||||
while [[ $ii -le $end && $ii -lt $len ]]; do
|
|
||||||
path="${files[$ii]}"
|
|
||||||
((ii = ii + 1))
|
|
||||||
[[ -f "$path" ]] || continue
|
|
||||||
entrypoint="$(_resolve_attachments "$path")"
|
|
||||||
[[ -z "$entrypoint" ]] && continue
|
|
||||||
name="$(basename "$path")"
|
|
||||||
sed -e "s;profile $name @{exec_path};profile $name ${entrypoint[*]};g" \
|
|
||||||
-i "$path"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set complain flag on all profiles
|
|
||||||
_complain() {
|
|
||||||
local start="$1" end="$2"; shift 2
|
|
||||||
files=("$@")
|
|
||||||
ii="$start"
|
|
||||||
while [[ $ii -le $end && $ii -lt $len ]]; do
|
|
||||||
path="${files[$ii]}"
|
|
||||||
((ii = ii + 1))
|
|
||||||
[[ -f "$path" ]] || continue
|
|
||||||
mapfile -t flags < <(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)
|
|
||||||
[[ "${flags[*]}" =~ complain ]] && continue
|
|
||||||
flags+=(complain)
|
|
||||||
sed -e "s/flags=(.*)//" \
|
|
||||||
-e "s/ {$/ flags=(${flags[*]}) {/" \
|
|
||||||
-i "$path"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# Set AppArmor for full system policy
|
|
||||||
# See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
|
|
||||||
full() {
|
|
||||||
_msg "Configure AppArmor for full system policy"
|
|
||||||
cp -a apparmor.d/groups/_full/init "$ROOT/apparmor.d/"
|
|
||||||
cp -a apparmor.d/groups/_full/systemd "$ROOT/apparmor.d/"
|
|
||||||
case "$DISTRIBUTION" in
|
|
||||||
arch | endeavouros | cachyos | manjarolinux)
|
|
||||||
cp -r root/usr/lib/initcpio root/usr/lib/systemd/ "$ROOT/root/usr/lib/"
|
|
||||||
;;
|
|
||||||
|
|
||||||
debian | ubuntu | whonix | core)
|
|
||||||
cp -r root/usr/share/initramfs-tools "$ROOT/root/usr/share/"
|
|
||||||
;;
|
|
||||||
|
|
||||||
*) _die "$DISTRIBUTION is not a supported distribution." ;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
# Print help message
|
|
||||||
cmd_help() {
|
|
||||||
cat <<-_EOF
|
|
||||||
./configure [options] - Configure the apparmor.d package
|
|
||||||
|
|
||||||
Options:
|
|
||||||
-f, --full Set AppArmor for full system policy
|
|
||||||
-c, --complain Set complain flag on all profiles
|
|
||||||
-h, --help Print this help message and exit
|
|
||||||
_EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
main() {
|
|
||||||
local opts err
|
|
||||||
FULL=0
|
|
||||||
COMPLAIN=0
|
|
||||||
small_arg="cfh"
|
|
||||||
long_arg="complain,full,help"
|
|
||||||
opts="$(getopt -o $small_arg -l $long_arg -n "configure" -- "$@")"
|
|
||||||
err=$?
|
|
||||||
eval set -- "$opts"
|
|
||||||
while true; do case $1 in
|
|
||||||
-f|--full) FULL=1; shift ;;
|
|
||||||
-c|--complain) COMPLAIN=1; shift ;;
|
|
||||||
-h|--help) shift; cmd_help; exit 0 ;;
|
|
||||||
--) shift; break ;;
|
|
||||||
esac done
|
|
||||||
[[ $err -ne 0 ]] && { cmd_help; exit 1; }
|
|
||||||
|
|
||||||
_title "Set the configuration for $DISTRIBUTION."
|
|
||||||
initialize || _die "initializing build directory"
|
|
||||||
ignore || _die "removing ignored profiles"
|
|
||||||
synchronise || _die "merging profiles"
|
|
||||||
configure || _die "configuring distribution"
|
|
||||||
process _userspace 'Bypass userspace tools restriction' || _die "bypassing userspace"
|
|
||||||
flags || _die "settings flags"
|
|
||||||
[[ "$COMPLAIN" == 1 ]] && process _complain 'Set complain flag on all profiles'
|
|
||||||
[[ "$FULL" == 1 ]] && full
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
main "$@"
|
|
3
debian/rules
vendored
3
debian/rules
vendored
@ -5,6 +5,3 @@
|
|||||||
|
|
||||||
%:
|
%:
|
||||||
dh $@ --with=config-package
|
dh $@ --with=config-package
|
||||||
|
|
||||||
override_dh_auto_configure:
|
|
||||||
./configure --complain
|
|
||||||
|
Loading…
Reference in New Issue
Block a user