diff --git a/Makefile b/Makefile index 3f4e9d1a..14190198 100644 --- a/Makefile +++ b/Makefile @@ -6,9 +6,11 @@ DESTDIR ?= / BUILD := .build PKGNAME := apparmor.d +DISTRIBUTION := $(shell lsb_release --id --short) +VERSION := 0.$(shell git rev-list --count HEAD)-1 P = $(notdir $(wildcard ${BUILD}/apparmor.d/*)) -.PHONY: all install $(P) lint archlinux debian ubuntu whonix clean +.PHONY: all install auto local $(P) lint archlinux debian ubuntu whonix clean all: @go build -o ${BUILD}/ ./cmd/aa-log @@ -32,17 +34,27 @@ install: install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ done + +local: + @./configure --complain + @make + @sudo make install + @sudo systemctl restart apparmor || sudo systemctl status apparmor + ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") $(P): - @[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log + @[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @for file in ${ABSTRACTIONS}; do \ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ done; @for file in ${TUNABLES}; do \ install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ done; + @echo "Warning: profile dependencies fallback to unconfined." @for file in ${@}; do \ + grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ + sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ done; @systemctl restart apparmor || systemctl status apparmor diff --git a/docs/install.md b/docs/install.md index 0fbf1ec5..e639902e 100644 --- a/docs/install.md +++ b/docs/install.md 
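Review bot: `DISTRIBUTION` and `VERSION` are assigned with `:=`, so `lsb_release` and `git rev-list` are forked at parse time on every invocation, including the `sudo make install` and `sudo make <profile>` paths, where git then runs as root against a work tree and repository configuration that are typically owned by the unprivileged user. Neither variable is used in the lines shown, so presumably only a packaging target needs them; a recursive assignment, `VERSION = 0.$(shell git rev-list --count HEAD)-1` (and likewise `DISTRIBUTION = $(shell lsb_release --id --short)`), defers the commands until a recipe actually expands them. That also avoids error output and an empty value on hosts without `lsb_release` or outside a git checkout, such as a release tarball. `auto` is added to `.PHONY` here, but no `auto` rule is visible in this diff; confirm it is defined elsewhere.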
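Review bot: The added `sed -i` edits `${BUILD}/apparmor.d/$${file}` in place, so the `rPx` to `rPUx` downgrade (the child runs unconfined when its profile is missing) persists in the build tree after a partial install. A second `sudo make <profile>` then prints no dependency list because `grep 'rPx'` no longer matches, and any later install that copies from `${BUILD}` (presumably the `install` target, whose body is only partly in this hunk) would ship the weakened rules without the warning. Keeping the build output pristine avoids both: run the `install -Dvm0644` line first and apply the substitution to the installed copy, `sed -i -e "s/rPx/rPUx/g" "${DESTDIR}/etc/apparmor.d/$${file}"; \`. In the new `local` target, `@make` and `@sudo make install` should call `$(MAKE)` so that flags and the jobserver propagate.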
@@ -84,14 +84,7 @@ sudo systemctl restart apparmor ## Partial install -!!! warning - - Partial installation is discouraged because profile dependencies are - not fetched. You may need to either switch desired `rPx` rules to `rPUx` - (fallback to unconfined) or install these related profiles. - (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - -For test purposes, you can install a specific profile with the following commands. +For test purposes, you can install specific profiles with the following commands. Abstractions, tunables, and most of the OS dependent post-processing is managed. ```sh @@ -100,6 +93,23 @@ make sudo make profile-names... ``` +!!! warning + + Partial installation is discouraged because profile dependencies are not fetched. To prevent some apparmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + + For instance, `sudo make pass` gives: + ```sh + Warning: profile dependencies fallback to unconfined. + /{usr/,}bin/wl-{copy,paste} rPx, + /{usr/,}bin/xclip rPx, + /{usr/,}bin/python3.[0-9]* rPx -> pass-import, # pass-import + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + ``` + So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. + [aur]: https://aur.archlinux.org/packages/apparmor.d-git [repo]: https://repo.pujol.io/ [keys]: https://repo.pujol.io/gpgkey