// apparmor.d - Full set of apparmor profiles // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package cfg import ( "fmt" "os" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/util" ) // Default content of debian/apparmor.d.hide. Whonix has special addition. var Hide = `# This file is generated by "make", all edit will be lost. /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd ` type Flagger struct{} func (f Flagger) Read(name string) map[string][]string { res := map[string][]string{} path := FlagDir.Join(name + ".flags") if !path.Exist() { return res } lines := util.MustReadFileAsLines(path) for _, line := range lines { manifest := strings.Split(line, " ") profile := manifest[0] flags := []string{} if len(manifest) > 1 { flags = strings.Split(manifest[1], ",") } res[profile] = flags } return res } type Ignorer struct{} func (i Ignorer) Read(name string) []string { path := IgnoreDir.Join(name + ".ignore") if !path.Exist() { return []string{} } return util.MustReadFileAsLines(path) } type Overwriter bool // Overwrite upstream profile: disable upstream & rename ours func (o Overwriter) Apply() error { const ext = ".apparmor.d" disableDir := RootApparmord.Join("disable") if err := disableDir.Mkdir(); err != nil { return err } path := DistDir.Join("overwrite") if !path.Exist() { return fmt.Errorf("%s not found", path) } for _, name := range util.MustReadFileAsLines(path) { origin := RootApparmord.Join(name) dest := RootApparmord.Join(name + ext) if err := origin.Rename(dest); err != nil { return err } originRel, err := origin.RelFrom(dest) if err != nil { return err } if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { return err } } return nil } type DebianHider struct { path *paths.Path } // Initialize the file with content from Hide func (d DebianHider) Init() error { return d.path.WriteFile([]byte(Hide)) }