diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 780a4728..2417fb4e 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -5,21 +5,21 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus receive bus=system path=/org/bluez/hci@{int}{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name="{:*,org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} - member=UnregisterAgent + member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} peer=(name=org.bluez, label=bluetoothd), dbus send bus=system path=/org/bluez @@ -27,6 +27,11 @@ member=RegisterProfile peer=(name=org.bluez, label=bluetoothd), + dbus send bus=system path=/org/bluez/hci@{int} + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name="{:*,org.bluez}", label=bluetoothd), + dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index f6fbb547..d37f276b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
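Review bot: `RegisterAgent` and `RequestDefaultAgent` are now granted to every profile that includes this abstraction, where before only `UnregisterAgent` was; registering as (default) agent is what lets a process answer BlueZ pairing and authorization requests, a role that normally belongs to the one agent program rather than to every bluetooth-aware client. Which profiles include `abstractions/bus/org.bluez` is not visible here, but unless each of them is an agent, keep `member=UnregisterAgent` in the abstraction and put `member={RegisterAgent,RequestDefaultAgent}` in the agent's own profile. The peer-name widening to `"{:*,org.bluez}"` on the signal rules is fine and matches the NetworkManager and UPower abstractions in this same patch.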
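Review bot: The new `org.freedesktop.DBus.Properties` `member=Set` rule on `/org/bluez/hci@{int}` cannot be narrowed below the object path, so every includer of this abstraction gains write access to all adapter properties (on BlueZ's Adapter1 interface that includes Powered, Discoverable and Pairable), not merely the read/signal access the surrounding rules grant. If a single client needs this it belongs in that client's profile; if it must stay in the shared abstraction, a comment should record the reason, e.g. `# Properties.Set on the adapter is adapter-wide (power/discoverable/pairable) and is granted to every includer`.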
@@ -67,4 +67,9 @@ member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=Updated + peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 93c1aefb..3d0963ae 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -31,6 +31,11 @@ member=Introspect peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + dbus receive bus=system path=/org/freedesktop/UPower + interface=org.freedesktop.UPower + member=DeviceAdded + peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + dbus receive bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap index cf3ea112..b470033f 100644 --- a/apparmor.d/groups/_full/bwrap +++ b/apparmor.d/groups/_full/bwrap @@ -14,6 +14,7 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability dac_override, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ceea47f3..038b4059 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -62,9 +62,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/nautilus rPx, @{bin}/snap rPUx, - @{bin}/kreadconfig5 rPx, - @{lib}/xdg-desktop-portal-validate-icon rPUx, - @{open_path} rPx -> child-open, + @{bin}/kreadconfig5 rPx, + @{lib}/xdg-desktop-portal-validate-icon rPUx, + @{open_path} rPx -> child-open, / r, /.flatpak-info r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 2bef6ae7..5ba9ef54 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -9,8 +9,17 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}kded-smart-helper profile kauth-kded-smart-helper @{exec_path} { include + include + include include + # dbus: own bus=system name=org.kde.kded.smart + + dbus send bus=system path=/ + interface=org.kde.kf5auth + member=remoteSignal + peer=(name=org.freedesktop.DBus, label=kded5), + @{exec_path} mr, @{bin}/smartctl rPx, @@ -18,4 +27,4 @@ profile kauth-kded-smart-helper @{exec_path} { /usr/share/icu/@{int}.@{int}/*.dat r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 76330e00..c266a925 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -34,14 +34,11 @@ profile kded @{exec_path} { signal (send) set=hup peer=xsettingsd, - dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent - interface=org.freedesktop.NetworkManager.SecretAgent - member=CancelGetSecrets - peer=(label=NetworkManager), + # dbus: own bus=system name=com.redhat.NewPrinterNotification dbus receive bus=system path=/org/freedesktop/NetworkManager/SecretAgent interface=org.freedesktop.NetworkManager.SecretAgent - member=CancelGetSecrets + member={GetSecrets,CancelGetSecrets} peer=(label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager/AccessPoint/@{int} 
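Review bot: The `remoteSignal` send rule's peer `(name=org.freedesktop.DBus, label=kded5)` cannot match a real peer: the name `org.freedesktop.DBus` is owned only by the bus daemon, and the kded profile in this same patch is named `kded` (its counterpart receives `remoteSignal` from `peer=(name=:*, label=kauth-kded-smart-helper)`), not `kded5`. If the signal is unicast to kded the rule should read `peer=(name=:*, label=kded)`; if it is a broadcast, the peer is the bus daemon under whatever label this repo uses for it, and the receive side in kded would then need adjusting too. Since this is the KAuth helper that execs `smartctl` (`@{bin}/smartctl rPx`) on kded's behalf, a one-line comment above the rule noting that `remoteSignal` is the reply channel back to kded would make the pairing of the two rules easier to audit.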
@@ -58,6 +55,30 @@ profile kded @{exec_path} { interface=org.freedesktop.NetworkManager.AgentManager peer=(label=NetworkManager), + dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager + interface=org.freedesktop.NetworkManager.AgentManager + peer=(label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/bolt + interface=org.freedesktop.bolt1.Manager + member=ListDevices + peer=(name="{:*,org.freedesktop.bolt}", label=boltd), + + dbus send bus=system path=/org/freedesktop/bolt{,/**} + interface=org.freedesktop.DBus.Properties + member=Get, + peer=(name="{:*,org.freedesktop.bolt}", label=boltd), + + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=remoteSignal, + peer=(name=:*, label=kauth-kded-smart-helper), + + dbus send bus=system path=/ + interface=org.kde.kf5auth + member=performAction, + peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + @{exec_path} mrix, @{bin}/kcminit rPx, @@ -139,7 +160,7 @@ profile kded @{exec_path} { owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, - @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, 
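Review bot: Three of the added rules carry a stray comma at the end of the `member=` line (`member=Get,`, `member=remoteSignal,`, `member=performAction,`); in AppArmor syntax the comma terminates the rule, so each following `peer=(...)` line stands alone and the parser rejects the whole kded profile, which is worse than a missing rule because a profile that fails to load confines nothing. Drop those three commas and keep only the one after the `peer=` line, e.g. `member=Get` followed by `peer=(name="{:*,org.freedesktop.bolt}", label=boltd),`. Separately, the first added rule (`dbus send ... AgentManager` with no `member=`) appears to duplicate the context rule directly above it, whose verb line sits outside the hunk; if that existing rule is already a send rule, the new one is redundant.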
@@ -200,3 +221,10 @@ profile kded @{exec_path} { include if exists } + +ALLOWED kded5 open owner @{user_cache_dirs}/update-manager-core/meta-release-lts comm=python3 requested_mask=r denied_mask=r +ALLOWED kded5 open owner @{user_config_dirs}/kcmfonts comm=kded5 requested_mask=r denied_mask=r +ALLOWED kded5 open owner @{user_config_dirs}/plasmavaultrc comm=kded5 requested_mask=r denied_mask=r +ALLOWED kded5 open owner @{user_config_dirs}/touchpadxlibinputrc comm=kded5 requested_mask=r denied_mask=r +ALLOWED kded5 open owner @{user_lib_dirs}/python3.10/site-packages/ comm=python3 requested_mask=r denied_mask=r +ALLOWED kded5 open owner /tmp/#@{int} comm=python3 requested_mask=wr denied_mask=wr diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 4ae409ec..a1981e28 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -18,6 +18,8 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(usr1,term) peer=kscreenlocker-greet, + ptrace (read) peer=kbuildsycoca5, + unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), @{exec_path} mr, @@ -36,10 +38,10 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/{,**} r, - /etc/xdg/menus/applications-merged/ r, + /etc/xdg/menus/applications-merged/{,*} r, /etc/machine-id r, /etc/xdg/kscreenlockerrc r, - /etc/xdg/menus/ r, + /etc/xdg/menus/{,*} r, /var/lib/flatpak/exports/share/mime/ r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 9e1cf1a1..4afb95b0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
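Review bot: The six `ALLOWED kded5 open ...` lines are appended after the profile's closing `}`; they are aa-log output (note the `comm=`, `requested_mask=` and `denied_mask=` fields), not AppArmor rules, and apparmor_parser will refuse to load the file while they are present. Remove them, and if the accesses they record are wanted, express them as rules inside the profile, e.g. `owner @{user_config_dirs}/{kcmfonts,plasmavaultrc,touchpadxlibinputrc} r,`. The three `comm=python3` entries (`update-manager-core/meta-release-lts`, `python3.10/site-packages/`, `/tmp/#@{int}` with `wr`) suggest a python3 child is running under the kded label instead of its own profile, which points to a missing exec-transition rule rather than to more file rules in kded.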
@@ -47,6 +47,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/ r, @{lib}/libheif/{,**} mr, @{lib}/kf5/kioslave5 rPx, + @{lib}/kf6/kioworker rPx, @{lib}/kf5/kdesu{,d} rix, @{bin}/dolphin rPUx, # TODO: rPx, @{bin}/ksysguardd rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index ad436e52..478dabbd 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include + include include include include @@ -20,6 +21,8 @@ profile systemsettings @{exec_path} { @{bin}/kcminit rPx, + /usr/share/kglobalaccel/org.kde.krunner.desktop r, + /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kcm_networkmanagement/{,**} r, /usr/share/kinfocenter/{,**} r, /usr/share/kpackage/{,**} r, @@ -29,10 +32,14 @@ profile systemsettings @{exec_path} { /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, + /usr/share/kinfocenter/{,**} r, + /usr/share/sddm/themes/{,**} r, + + /var/lib/flatpak/exports/share/mime/ r, /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/ r, + /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, 
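Review bot: The added `/usr/share/kinfocenter/{,**} r,` and `/usr/share/sddm/themes/{,**} r,` duplicate rules this profile already has — the kinfocenter line is visible as context in the preceding hunk, and the sddm line is the context line two above the addition — so both should be dropped. The rewrite to `/etc/xdg/menus/{,applications-merged/} r,` also diverges from the `/etc/xdg/menus/{,*} r,` form chosen for ksmserver in this same patch; using one form in both profiles keeps them consistent and easier to diff against each other.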
@@ -48,12 +55,16 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/khotkeysrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/kservices5/{,ServiceMenus/} r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 1561e82c..fbdd9e74 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -45,6 +45,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal (receive) set=(int) peer=flatpak-portal, @{bin}/** rmix, + #aa:exec kioworker @{lib}/** rmix, /app/** rmix, /var/lib/flatpak/app/*/**/@{bin}/** rmix, diff --git a/debian/changelog b/debian/changelog index 4ba7f268..d9c267e7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +apparmor.d (0.1941-1) stable; urgency=medium + + * Release 0.1941-1 + + -- Alexandre Pujol Sat, 02 Mar 2024 17:48:31 +0100 + +apparmor.d (0.1941-1) stable; urgency=medium + + * Release 0.1941-1 + + -- Alexandre Pujol Sat, 02 Mar 2024 17:45:31 +0100 + apparmor.d (0.001-1) stable; urgency=medium * Release 0.001-1 diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go deleted file mode 100644 index 0b005802..00000000 --- a/pkg/prebuild/prepare.go +++ /dev/null 
@@ -1,249 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "fmt" - "os" - "path/filepath" - "strings" - - "github.com/arduino/go-paths-helper" - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -// Prepare the build directory with the following tasks -var ( - Prepares = []PrepareFunc{ - Synchronise, - Ignore, - Merge, - Configure, - SetFlags, - SetProfileSystemd, - } - PrepareMsg = map[string]string{ - "Synchronise": "Initialize a new clean apparmor.d build directory", - "Ignore": "Ignore profiles and files from:", - "Merge": "Merge all profiles", - "Configure": "Set distribution specificities", - "SetFlags": "Set flags on some profiles", - "SetProfileSystemd": "Use the systemd unit file to set a profile for a given unit", - "SetEarlySystemd": "Set systemd unit drop in files to ensure some service start after apparmor", - "SetFullSystemPolicy": "Configure AppArmor for full system policy", - } -) - -type PrepareFunc func() ([]string, error) - -// Initialize a new clean apparmor.d build directory -func Synchronise() ([]string, error) { - res := []string{} - dirs := paths.PathList{RootApparmord, Root.Join("root"), Root.Join("systemd")} - for _, dir := range dirs { - if err := dir.RemoveAll(); err != nil { - return res, err - } - } - for _, name := range []string{"apparmor.d", "root"} { - if err := copyTo(paths.New(name), Root.Join(name)); err != nil { - return res, err - } - } - return res, nil -} - -// Ignore profiles and files as defined in dists/ignore/ -func Ignore() ([]string, error) { - res := []string{} - for _, name := range []string{"main.ignore", Distribution + ".ignore"} { - path := DistDir.Join("ignore", name) - if !path.Exist() { - continue - } - lines, _ := path.ReadFileAsLines() - for _, line := range lines { - if strings.HasPrefix(line, "#") || line == "" { - continue - } - profile := 
Root.Join(line) - if profile.NotExist() { - files, err := RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(line)) - if err != nil { - return res, err - } - for _, path := range files { - if err := path.RemoveAll(); err != nil { - return res, err - } - } - } else { - if err := profile.RemoveAll(); err != nil { - return res, err - } - } - } - res = append(res, path.String()) - } - return res, nil -} - -// Merge all profiles in a new apparmor.d directory -func Merge() ([]string, error) { - res := []string{} - dirToMerge := []string{ - "groups/*/*", "groups", - "profiles-*-*/*", "profiles-*", - } - - idx := 0 - for idx < len(dirToMerge)-1 { - dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(RootApparmord.Join(dirMoved).String()) - if err != nil { - return res, err - } - for _, file := range files { - err := os.Rename(file, RootApparmord.Join(filepath.Base(file)).String()) - if err != nil { - return res, err - } - } - - files, err = filepath.Glob(RootApparmord.Join(dirRemoved).String()) - if err != nil { - return []string{}, err - } - for _, file := range files { - if err := paths.New(file).RemoveAll(); err != nil { - return res, err - } - } - idx = idx + 2 - } - return res, nil -} - -// Set the distribution specificities -func Configure() ([]string, error) { - res := []string{} - switch Distribution { - case "arch", "opensuse": - - case "ubuntu", "neon": - debianOverwriteClean() - if overwrite { - profiles := getOverwriteProfiles() - debianOverwrite(profiles) - } else { - if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil { - return res, err - } - } - case "debian", "whonix": - debianOverwriteClean() - - // Copy Debian specific abstractions - if err := copyTo(DistDir.Join("ubuntu"), RootApparmord); err != nil { - return res, err - } - - default: - return []string{}, fmt.Errorf("%s is not a supported distribution", Distribution) - - } - return res, nil -} - -// Set flags on some profiles according to 
manifest defined in `dists/flags/` -func SetFlags() ([]string, error) { - res := []string{} - for _, name := range []string{"main.flags", Distribution + ".flags"} { - path := FlagDir.Join(name) - if !path.Exist() { - continue - } - lines, _ := path.ReadFileAsLines() - for _, line := range lines { - if strings.HasPrefix(line, "#") || line == "" { - continue - } - manifest := strings.Split(line, " ") - profile := manifest[0] - file := RootApparmord.Join(profile) - if !file.Exist() { - logging.Warning("Profile %s not found", profile) - continue - } - - // If flags is set, overwrite profile flag - if len(manifest) > 1 { - flags := " flags=(" + manifest[1] + ") {" - content, err := file.ReadFile() - if err != nil { - return res, err - } - - // Remove all flags definition, then set manifest' flags - out := regFlags.ReplaceAllLiteralString(string(content), "") - out = regProfileHeader.ReplaceAllLiteralString(out, flags) - if err := file.WriteFile([]byte(out)); err != nil { - return res, err - } - } - } - res = append(res, path.String()) - } - return res, nil -} - -// Use the systemd unit file to set a profile for a given unit -func SetProfileSystemd() ([]string, error) { - return []string{}, copyTo(paths.New("systemd/default/"), Root.Join("systemd")) -} - -// Set systemd unit drop in files to ensure some service start after apparmor -func SetEarlySystemd() ([]string, error) { - return []string{}, copyTo(paths.New("systemd/early/"), Root.Join("systemd")) -} - -// Set AppArmor for (experimental) full system policy. 
-// See https://apparmor.pujol.io/full-system-policy/ -func SetFullSystemPolicy() ([]string, error) { - res := []string{} - // Install full system policy profiles - if err := copyTo(paths.New("apparmor.d/groups/_full/"), Root.Join("apparmor.d")); err != nil { - return res, err - } - - // Set systemd profile name - path := RootApparmord.Join("tunables/multiarch.d/system") - content, err := path.ReadFile() - if err != nil { - return res, err - } - out := strings.Replace(string(content), "@{systemd}=unconfined", "@{systemd}=systemd", -1) - out = strings.Replace(out, "@{systemd_user}=unconfined", "@{systemd_user}=systemd-user", -1) - if err := path.WriteFile([]byte(out)); err != nil { - return res, err - } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = RootApparmord.Join("abstractions/gstreamer") - content, err = path.ReadFile() - if err != nil { - return res, err - } - out = string(content) - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) - if err := path.WriteFile([]byte(out)); err != nil { - return res, err - } - - // Set systemd unit drop-in files - return res, copyTo(paths.New("systemd/full/"), Root.Join("systemd")) -} diff --git a/pkg/prebuild/tools.go b/pkg/prebuild/tools.go deleted file mode 100644 index 5550e73f..00000000 --- a/pkg/prebuild/tools.go +++ /dev/null 
@@ -1,145 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "os" - "strings" - - "github.com/arduino/go-paths-helper" - "golang.org/x/exp/slices" -) - -var ( - osReleaseFile = "/etc/os-release" - supportedDists = map[string][]string{ - "arch": {}, - "debian": {}, - "ubuntu": {"ubuntu", "neon"}, - "opensuse": {"suse", "opensuse-tumbleweed"}, - "whonix": {}, - } -) - -func NewOSRelease() map[string]string { - var lines []string - var err error - for _, name := range []string{osReleaseFile, "/usr/lib/os-release"} { - path := paths.New(name) - if path.Exist() { - lines, err = path.ReadFileAsLines() - if err != nil { - panic(err) - } - break - } - } - os := map[string]string{} - for _, line := range lines { - item := strings.Split(line, "=") - if len(item) == 2 { - os[item[0]] = strings.Trim(item[1], "\"") - } - } - return os -} - -func getSupportedDistribution() string { - dist, present := os.LookupEnv("DISTRIBUTION") - if present { - return dist - } - - os := NewOSRelease() - id := os["ID"] - if id == "ubuntu" { - return id - } - if id == "neon" { - return "ubuntu" - } - id_like := os["ID_LIKE"] - for main, based := range supportedDists { - if main == id || main == id_like { - return main - } else if slices.Contains(based, id) { - return main - } else if slices.Contains(based, id_like) { - return main - } - } - return id -} - -func copyTo(src *paths.Path, dst *paths.Path) error { - files, err := src.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), paths.FilterOutNames("README.md")) - if err != nil { - return err - } - for _, file := range files { - destination, err := file.RelFrom(src) - if err != nil { - return err - } - destination = dst.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return err - } - if err := file.CopyTo(destination); err != nil { - return err - } - } - return nil -} - -// 
Overwrite upstream profile: rename our profile & hide upstream -func debianOverwrite(files []string) { - const ext = ".apparmor.d" - file, err := paths.New("debian/apparmor.d.hide").Append() - if err != nil { - panic(err) - } - for _, name := range files { - origin := RootApparmord.Join(name) - dest := RootApparmord.Join(name + ext) - if err := origin.Rename(dest); err != nil { - panic(err) - } - if _, err := file.WriteString("/etc/apparmor.d/" + name + "\n"); err != nil { - panic(err) - } - } -} - -// Clean the debian/apparmor.d.hide file -func debianOverwriteClean() { - const debianHide = `# This file is generated by "make", all edit will be lost. - -/etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.sbin.cups-browsed -/etc/apparmor.d/usr.sbin.cupsd -/etc/apparmor.d/usr.sbin.rsyslogd -` - path := paths.New("debian/apparmor.d.hide") - if err := path.WriteFile([]byte(debianHide)); err != nil { - panic(err) - } -} - -// Get the list of upstream profiles to overwrite from dist/overwrite -func getOverwriteProfiles() []string { - res := []string{} - lines, err := DistDir.Join("overwrite").ReadFileAsLines() - if err != nil { - panic(err) - } - for _, line := range lines { - if strings.HasPrefix(line, "#") || line == "" { - continue - } - res = append(res, line) - } - return res -}