mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-14 23:43:56 +01:00
build: bypass userspace tools restriction.
By removing variables in profile attachment. Fix 76, 87
parent
b7299cecbb
commit
603491a02e
68
configure
vendored
68
configure
vendored
@ -50,6 +50,7 @@ initialize() {
|
||||
# Ignore profiles and files as defined in dists/ignore/
|
||||
ignore() {
|
||||
for name in main.ignore "$DISTRIBUTION.ignore"; do
|
||||
[[ -f "dists/ignore/$name" ]] || continue
|
||||
_msg "Ignore profiles/files in dists/ignore/$name"
|
||||
while read -r profile; do
|
||||
[[ "$profile" =~ ^\# ]] && continue
|
||||
@ -77,6 +78,7 @@ configure() {
|
||||
case "$DISTRIBUTION" in
|
||||
arch|endeavouros|cachyos|manjarolinux)
|
||||
_msg "Configure libexec."
|
||||
LIBEXEC="/{usr/,}lib"
|
||||
sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend"
|
||||
|
||||
;;
|
||||
@ -91,6 +93,7 @@ configure() {
|
||||
fi
|
||||
|
||||
_msg "Configure libexec."
|
||||
LIBEXEC="/{usr/,}libexec"
|
||||
sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend"
|
||||
|
||||
_msg "Displace overwritten files."
|
||||
@ -131,6 +134,70 @@ flags() {
|
||||
done
|
||||
}
|
||||
|
||||
# Resolve the variables in the profile attachments
|
||||
_resolve_attachments() {
|
||||
local path="$1"
|
||||
declare -A variables
|
||||
|
||||
# Parse the variables in the profile hearder
|
||||
variables=(
|
||||
[libexec]="$LIBEXEC" [multiarch]="*-linux-gnu*"
|
||||
[user_share_dirs]="/home/*/.local/share"
|
||||
)
|
||||
mapfile -t lines < <(grep '^@{.*}[ ]*[+=][ ]*.*$' "$path")
|
||||
for line in "${lines[@]}"; do
|
||||
value="${line##*=}"
|
||||
key="${line#^@{}"
|
||||
key="${key%%\}*}"
|
||||
key="${key/@{/}"
|
||||
variables[$key]+="${value}"
|
||||
done
|
||||
[ -z ${variables[exec_path]+x} ] && return
|
||||
|
||||
# Resolve variable in profile attachments
|
||||
entrypoint="${variables[exec_path]}"
|
||||
while [[ "$entrypoint" =~ "@{".*"}" ]]; do
|
||||
name=${entrypoint#*@\{}
|
||||
name="${name%%\}*}"
|
||||
value="${variables[$name]# }"
|
||||
entrypoint="${entrypoint//@{${name}\}/${value}}"
|
||||
done
|
||||
entrypoint="${entrypoint# }"
|
||||
|
||||
# If needed nest the attachments
|
||||
IFS=" " read -r -a attachments <<< "$entrypoint"
|
||||
if [[ "${#attachments[@]}" -ge 2 ]]; then
|
||||
res="/{"
|
||||
for aare in "${attachments[@]}"; do
|
||||
res+="${aare#/},"
|
||||
done
|
||||
entrypoint="${res%,}}"
|
||||
fi
|
||||
echo "$entrypoint"
|
||||
}
|
||||
|
||||
# Internal userspace process
|
||||
_userspace() {
|
||||
files=("$@")
|
||||
ii="$start"
|
||||
while [[ $ii -le $end && $ii -lt $len ]]; do
|
||||
path="${files[$ii]}"
|
||||
(( ii = ii + 1 ))
|
||||
[[ -f "$path" ]] || continue
|
||||
entrypoint="$(_resolve_attachments "$path")"
|
||||
[[ -z "$entrypoint" ]] && continue
|
||||
name="$(basename "$path")"
|
||||
sed -e "s;profile $name @{exec_path};profile $name ${entrypoint[*]};g" \
|
||||
-i "$path"
|
||||
done
|
||||
}
|
||||
|
||||
# Remove variables in profile attachment to bypass userspace tools restriction
|
||||
userspace() {
|
||||
_msg "Bypass userspace tools restriction"
|
||||
_process _userspace
|
||||
}
|
||||
|
||||
# Internal complain process
|
||||
_complain() {
|
||||
local start="$1" end="$2"; shift 2
|
||||
@ -207,6 +274,7 @@ main() {
|
||||
ignore || _die "removing ignored profiles"
|
||||
synchronise || _die "merging profiles"
|
||||
configure || _die "configuring distribution"
|
||||
userspace || _die "bypassing userspace"
|
||||
flags || _die "settings flags"
|
||||
[[ "$COMPLAIN" == 1 ]] && complain
|
||||
[[ "$FULL" == 1 ]] && full
|
||||
|
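Review bot: In `_resolve_attachments`, the substitution loop replaces any `@{name}` that is missing from `variables` with an empty string, because `value="${variables[$name]# }"` expands to nothing for an unset key. Only `libexec`, `multiarch`, `user_share_dirs` and the variables declared in the profile's own header are in the map, so an `@{exec_path}` that uses any other tunable would be rewritten to a shortened path and the profile would attach to a different binary, or to none, without any build error. I would stop before the substitution with `[[ -n "${variables[$name]+x}" ]] || return 1`, which makes `_userspace` see an empty result and leave that profile's `@{exec_path}` line unchanged. Separately, `_userspace` reads `$start`, `$end` and `$len` without the `local start="$1" end="$2"; shift 2` that `_complain` opens with; `_process` is outside the diff, so it is worth confirming that those values and `files=("$@")` line up.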