build: improve install process.

- Add make local
- Warn on local partial install regarding missing deps.
Alexandre Pujol 2023-02-11 18:59:08 +00:00
parent ef4ed8ba95
commit f40a2ef457
2 changed files with 32 additions and 10 deletions


@ -6,9 +6,11 @@
DESTDIR ?= / DESTDIR ?= /
BUILD := .build BUILD := .build
PKGNAME := apparmor.d PKGNAME := apparmor.d
DISTRIBUTION := $(shell lsb_release --id --short)
VERSION := 0.$(shell git rev-list --count HEAD)-1
P = $(notdir $(wildcard ${BUILD}/apparmor.d/*)) P = $(notdir $(wildcard ${BUILD}/apparmor.d/*))
.PHONY: all install $(P) lint archlinux debian ubuntu whonix clean .PHONY: all install auto local $(P) lint archlinux debian ubuntu whonix clean
all: all:
@go build -o ${BUILD}/ ./cmd/aa-log @go build -o ${BUILD}/ ./cmd/aa-log
@ -32,17 +34,27 @@ install:
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done done
local:
@./configure --complain
@make
@sudo make install
@sudo systemctl restart apparmor || sudo systemctl status apparmor
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
$(P): $(P):
@[[ -f ${BUILD}/aa-log ]] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ABSTRACTIONS}; do \ @for file in ${ABSTRACTIONS}; do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done; done;
@for file in ${TUNABLES}; do \ @for file in ${TUNABLES}; do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done; done;
@echo "Warning: profile dependencies fallback to unconfined."
@for file in ${@}; do \ @for file in ${@}; do \
grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done; done;
@systemctl restart apparmor || systemctl status apparmor @systemctl restart apparmor || systemctl status apparmor
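Review bot: The new `sed -i -e "s/rPx/rPUx/g"` line in the `$(P)` recipe edits the profile under `${BUILD}` in place, so the relaxed rules stay in the build tree after a partial install instead of being limited to the copy that was installed. Any later install from the same tree (presumably including the full `install` target, whose body starts outside this hunk) would then ship rules that fall back to unconfined even when the dependency profiles are present, and nothing would warn about it. Running the substitution after the copy and against the destination avoids this: keep the `install -Dvm0644 ...` line as is and follow it with `sed -i -e "s/rPx/rPUx/g" "${DESTDIR}/etc/apparmor.d/$${file}"; \`. The pattern is also unanchored, so it rewrites any `rPx` substring in the file, not only the permission field of an exec rule. A comment above the loop such as `# Partial install: dependency profiles may be absent, so Px transitions are relaxed to PUx (unconfined fallback)` would make this confinement trade-off visible to the next maintainer.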


@ -84,14 +84,7 @@ sudo systemctl restart apparmor
## Partial install ## Partial install
!!! warning For test purposes, you can install specific profiles with the following commands.
Partial installation is discouraged because profile dependencies are
not fetched. You may need to either switch desired `rPx` rules to `rPUx`
(fallback to unconfined) or install these related profiles.
(PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77))
For test purposes, you can install a specific profile with the following commands.
Abstractions, tunables, and most of the OS dependent post-processing is managed. Abstractions, tunables, and most of the OS dependent post-processing is managed.
```sh ```sh
@ -100,6 +93,23 @@ make
sudo make profile-names... sudo make profile-names...
``` ```
!!! warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some apparmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77))
For instance, `sudo make pass` gives:
```sh
Warning: profile dependencies fallback to unconfined.
/{usr/,}bin/wl-{copy,paste} rPx,
/{usr/,}bin/xclip rPx,
/{usr/,}bin/python3.[0-9]* rPx -> pass-import, # pass-import
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
'.build/apparmor.d/pass' -> '/etc/apparmor.d/pass'
```
So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired.
[aur]: https://aur.archlinux.org/packages/apparmor.d-git [aur]: https://aur.archlinux.org/packages/apparmor.d-git
[repo]: https://repo.pujol.io/ [repo]: https://repo.pujol.io/
[keys]: https://repo.pujol.io/gpgkey [keys]: https://repo.pujol.io/gpgkey