Improve Debian support.

Alexandre Pujol 2021-09-19 20:39:13 +01:00
parent 723695c626
commit 937171d40c
5 changed files with 60 additions and 44 deletions

90
configure vendored

@ -4,52 +4,28 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
readonly ROOT=.build readonly ROOT=.build
declare -a REMOVE_LIST
_die() { printf '%s\n' "$*" >&2 && exit 1; } _die() { printf '%s\n' "$*" >&2 && exit 1; }
_warning() { printf 'Warning: %s\n' "$*" >&2; } _warning() { printf ' Warning: %s\n' "$*" >&2; }
_init() { rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"; }
# Remove files or directories in the package # Displace files in the package sources
remove_files() { # $@ List of files to displace
msg="Remove unneeded profiles/resources:" _displace_files() {
for path in "${REMOVE_LIST[@]}"; do for path in "$@"; do
[[ ! -e "${ROOT:?}/$path" ]] && continue mv "${ROOT:?}/$path" "${ROOT:?}/$path.apparmor.d"
msg+=$'\n'" $(stat -c '%A %u:%g' "${ROOT:?}/$path") $path"
done
echo "$msg"
for path in "${REMOVE_LIST[@]}"; do
rm -rf "${ROOT:?}/$path"
done done
} }
# Set the distribution, flavor & groups # Initialise a new clean apparmor.d build directory
initialise() {
rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"
}
# Set the distribution specificities
configure() { configure() {
echo "Set the configuration for $DISTRIBUTION." echo "Set the configuration for $DISTRIBUTION."
if [[ "$DISTRIBUTION" == archlinux ]]; then
REMOVE_LIST+=(
apparmor.d/abstractions/apt-common
apparmor.d/groups/apt
apparmor.d/groups/cron
)
elif [[ "$DISTRIBUTION" == debian ]]; then echo " Ignore profiles in profiles.ignore."
REMOVE_LIST+=(
apparmor.d/groups/pacman
root/usr/share/libalpm/hooks/apparmor.hook
)
fi
}
# Initialise the apparmor.d with the selected configuration.
initialise() {
_init
remove_files
echo "Ignore profiles in profiles.ignore."
while read -r profile; do while read -r profile; do
[[ "$profile" =~ ^\# ]] && continue [[ "$profile" =~ ^\# ]] && continue
if [[ "$profile" == */ ]]; then if [[ "$profile" == */ ]]; then
@ -59,6 +35,39 @@ initialise() {
fi fi
done <profiles.ignore done <profiles.ignore
case "$DISTRIBUTION" in
archlinux)
echo " Ignore non Archlinux profiles."
rm -rf \
"${ROOT:?}"/apparmor.d/abstractions/apt-common \
"${ROOT:?}"/apparmor.d/groups/apt \
"${ROOT:?}"/apparmor.d/groups/cron
;;
debian)
echo " Ignore non Debian profiles."
rm -rf \
"${ROOT:?}"/apparmor.d/groups/pacman \
"${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook
echo " Debian does not support abi 3.0 yet."
find "$ROOT/apparmor.d" -type f -exec sed -i -e "s;abi <abi/3.0>,;;" {} \;
echo " Debian does not have etc tunable."
sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global"
echo " Displace overwritten files."
_displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs
;;
*) _die "$DISTRIBUTION is not a supported distribution." ;;
esac
}
# Synchronise all profile in a new apparmor.d directory.
synchronise() {
echo "Synchronise all profiles." echo "Synchronise all profiles."
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/" mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
rm -rf "${ROOT:?}/apparmor.d/groups/" rm -rf "${ROOT:?}/apparmor.d/groups/"
@ -75,7 +84,7 @@ setflags() {
IFS=' ' read -r -a manifest <<< "$profile" IFS=' ' read -r -a manifest <<< "$profile"
profile="${manifest[0]}" flags="${manifest[1]}" profile="${manifest[0]}" flags="${manifest[1]}"
[[ "$profile" =~ ^\# ]] && continue [[ "$profile" =~ ^\# || -z "$profile" ]] && continue
path="${ROOT:?}/apparmor.d/$profile" path="${ROOT:?}/apparmor.d/$profile"
if [[ ! -f "$path" ]]; then if [[ ! -f "$path" ]]; then
_warning "Profile $profile not found" _warning "Profile $profile not found"
@ -99,7 +108,7 @@ cmd_help() {
./configure [options] - Configure the apparmor.d package ./configure [options] - Configure the apparmor.d package
Options: Options:
--distribution=DIST Set the target Linux distribution (Archlinux, Debian) --distribution=DIST Set the target Linux distribution: archlinux, debian
--help Print this help message and exit. --help Print this help message and exit.
_EOF _EOF
} }
@ -117,8 +126,9 @@ main() {
[[ $err -ne 0 ]] && { cmd_help; exit 1; } [[ $err -ne 0 ]] && { cmd_help; exit 1; }
configure
initialise initialise
configure
synchronise
setflags setflags
exit 0 exit 0
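Review bot: In the debian branch of configure(), `sed -i -e '/etc/d'` deletes every line of tunables/global that contains the substring `etc`, not only the include of the etc tunable. Any other include, variable definition or comment with those letters would be dropped from the shipped policy without notice. Anchor the expression to the line it is meant to remove, for example `sed -i -e '/^[[:space:]]*#\?include <tunables\/etc>/d' "${ROOT:?}/apparmor.d/tunables/global"`; the exact include spelling is assumed here and should be checked against the file. The exit status of this call is not checked in the visible lines, so unless errexit is set outside this view a failed edit still yields a package; appending `|| _die "Cannot patch tunables/global"` would surface it. configure() spans two hunks and part of its loop body is not shown.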

5
debian/apparmor.d.displace vendored Normal file

@ -0,0 +1,5 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
/etc/apparmor.d/tunables/global.apparmor.d
/etc/apparmor.d/tunables/xdg-user-dirs.apparmor.d

1
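--- a/debian/apparmor.d.displace-extension
+++ b/debian/apparmor.d.displace-extension
@@ -0,0 +1 @@
+.apparmor.d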


@ -3,8 +3,8 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
systemctl reload apparmor.service >/dev/null 2>&1 || true
#DEBHELPER# #DEBHELPER#
systemctl reload apparmor.service >/dev/null 2>&1 || true
exit 0 exit 0
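Review bot: The `systemctl reload apparmor.service >/dev/null 2>&1 || true` line that this section moves relative to `#DEBHELPER#` discards all output and forces success. If the reload fails, for instance because a shipped or displaced tunable no longer parses, the maintainer script still exits 0 and the running policy may be stale with nothing reported. Keep it non-fatal but make it visible, e.g. `systemctl reload apparmor.service >/dev/null 2>&1 || echo "Warning: apparmor.service reload failed; profiles may not be loaded" >&2`. The next maintainer-script section carries the same line and would take the same change; the page does not show which script each section belongs to.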


@ -3,8 +3,8 @@
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
systemctl reload apparmor.service >/dev/null 2>&1 || true
#DEBHELPER# #DEBHELPER#
systemctl reload apparmor.service >/dev/null 2>&1 || true
exit 0 exit 0