diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 43976218..36cf3e85 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD + PKGBUILD configure pick debian/apparmor.d.postinst debian/apparmor.d.postrm golangci-lint: diff --git a/README.md b/README.md index b5cd3e8f..1e7fefa5 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,14 @@ dpkg-buildpackage -b -d --no-sign sudo dpkg --install ../apparmor.d_*_all.deb ``` +**Partial install** + +For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables: +``` +sudo ./pick +``` + + ## Usage **Enabled profiles** diff --git a/pick b/pick new file mode 100755 index 00000000..6cda61bd --- /dev/null +++ b/pick 
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+# pick - Install some AppArmor profile(s)
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+_set_complain() {
+ local path="$1"
+ [[ -d "$path" ]] && return
+ flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
+ [[ "$flags" =~ complain ]] && return
+ sed -e "s/flags=(.*)//" \
+ -e "s/ {$/ flags=(complain $flags) {/" \
+ -i "$path"
+}
+
+_install_abstractions() {
+ mapfile -t abstractions < <(find apparmor.d/abstractions/ -type f -printf "%P\n")
+ for file in "${abstractions[@]}"; do
+ install -Dm0644 "apparmor.d/abstractions/$file" \
+ "/etc/apparmor.d/abstractions/$file"
+ done
+}
+
+_install_tunables() {
+ for path in apparmor.d/tunables/*; do
+ install -Dm0644 "$path" "/etc/apparmor.d/tunables/$(basename "$path")"
+ done
+}
+
+_reload_apparmor() {
+ systemctl restart apparmor || true
+ systemctl status apparmor
+ return $?
+}
+
+pick() {
+ for profile in "$@"; do
+ path="$(find apparmor.d -iname "$profile" -type f)"
+ if [[ -f "$path" ]]; then
+ install -Dm0644 "$path" "/etc/apparmor.d/$profile"
+ [[ "$COMPLAIN" == 1 ]] && _set_complain "/etc/apparmor.d/$profile"
+ fi
+ done
+ return $?
+}
+
+# Print help message
+cmd_help() {
+ cat <<-_EOF
+ ./pick [options] - Install some AppArmor profile(s)
+
+ Options:
+ -c, --complain Set profile on complain mode
+ -h, --help Print this help message and exit
+ _EOF
+}
+
+main() {
+ local opts err
+
+ small_arg="ch"
+ long_arg="complain,help"
+ opts="$(getopt -o $small_arg -l $long_arg -n "$PROGRAM" -- "$@")"
+ err=$?
+ eval set -- "$opts"
+ while true; do case $1 in
+ -c|--complain) COMPLAIN=1; shift ;;
+ -h|--help) shift; cmd_help; exit 0 ;;
+ --) shift; break ;;
+ esac done
+ [[ $err -ne 0 ]] && { cmd_help; exit 1; }
+
+ _install_abstractions
+ _install_tunables
+ pick "$@" && _reload_apparmor
+ return $?
+}
+
+COMPLAIN=0
+main "$@"
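Review bot: The trailing `return $?` in `pick()` hands back the status of the last command the loop ran, so without `-c` the test `[[ "$COMPLAIN" == 1 ]] && …` leaves 1 and `pick "$@" && _reload_apparmor` in `main` never restarts AppArmor. The profile is then copied to /etc/apparmor.d but not loaded, while the user may assume the program is confined. A name that `find -iname` does not resolve to exactly one file has the opposite effect: the `if` is skipped, the status is 0, and the run looks successful with nothing installed. A failing `install` is also ignored when `-c` is given. Tracking the result explicitly and reporting unmatched names, as sketched below, would fix all three; `PROGRAM`, passed to `getopt -n` in `main`, is also never set in this file.

```shell
pick() {
  local profile path rc=0
  for profile in "$@"; do
    path="$(find apparmor.d -iname "$profile" -type f)"
    if [[ ! -f "$path" ]]; then
      # Empty result, or several matches joined by newlines: refuse to guess.
      printf 'pick: profile not found or ambiguous: %s\n' "$profile" >&2
      rc=1
      continue
    fi
    install -Dm0644 "$path" "/etc/apparmor.d/$profile" || rc=1
    if [[ "$COMPLAIN" == 1 ]]; then
      _set_complain "/etc/apparmor.d/$profile" || rc=1
    fi
  done
  return "$rc"
}
```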