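# CI for the apparmor.d profiles on Ubuntu.
#
# Pipeline: `check` lints the profiles, `build` packages apparmor.d as a .deb
# for every os × mode matrix entry and installs/loads it on the runner, and
# `tests` runs the bats integration suite against the ubuntu-24.04/default
# package handed over from `build`.
name: Ubuntu

on: [push, pull_request, workflow_dispatch]

# Least privilege for GITHUB_TOKEN: every step here only needs to read the
# repository (checkout); actions/cache uses the runtime token, not GITHUB_TOKEN.
permissions:
  contents: read

# NOTE(review): actions are pinned by major tag (`@v4`), which tracks a mutable
# ref. For supply-chain hardening, pin each `uses:` to a full commit SHA
# (with the tag in a trailing comment) and let Dependabot bump them.
jobs:
  check:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Run basic profile linter check
        run: |
          make check

  build:
    runs-on: ${{ matrix.os }}
    needs: check
    strategy:
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
        mode:
          - default
          - full-system-policy
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Install Build dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            devscripts debhelper config-package-dev \
            auditd apparmor-profiles apparmor-utils
          # presumably the distro snap-confine profile conflicts with the one
          # shipped by apparmor.d — confirm and document the reason here
          sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
      - name: Build the apparmor.d package
        # Hand the matrix value to the shell through an env var instead of
        # templating `${{ }}` straight into the script: expressions expanded
        # inside `run:` are interpolated before bash sees them, so keeping the
        # value in the environment is the injection-safe idiom.
        env:
          BUILD_MODE: ${{ matrix.mode }}
        run: |
          if [[ "$BUILD_MODE" == full-system-policy ]]; then
            echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
          fi
          bash dists/build.sh dpkg
      - name: Install apparmor.d
        # Best-effort on purpose: a failing postinst (e.g. a profile that does
        # not load) must not hide the aa-log/aa-status diagnostics below.
        run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
      - name: Reload AppArmor
        run: |
          sudo systemctl restart apparmor.service || true
          sudo systemctl status apparmor.service
      - name: Ensure compatibility with some AppArmor userspace tools
        if: matrix.os != 'ubuntu-24.04'
        run: |
          sudo aa-enforce /etc/apparmor.d/aa-notify
      - name: Show AppArmor log and rules
        run: |
          sudo aa-log
          sudo aa-log -s
          sudo aa-log -r
      - name: Show Number of loaded profile
        run: sudo aa-status --profiled
      - name: Cache the build package
        # Only the ubuntu-24.04/default artifact is consumed by the `tests` job.
        if: matrix.mode == 'default' && matrix.os == 'ubuntu-24.04'
        uses: actions/cache/save@v4
        with:
          path: .pkg/apparmor.d_*_amd64.deb
          key: ${{ matrix.os }}-${{ matrix.mode }}-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}

  tests:
    runs-on: ubuntu-24.04
    needs: build
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Restore the cached build package
        # NOTE(review): hashFiles() is evaluated here before the .deb exists,
        # so `key` collapses to the `restore-keys` prefix and the newest cache
        # matching `ubuntu-24.04-default-` is taken. That may be a package from
        # another run (or the base branch, for PR runs) rather than the one
        # built by `build` in this run. A run-scoped artifact
        # (actions/upload-artifact / actions/download-artifact) would tie the
        # tests to exactly the package built above.
        uses: actions/cache/restore@v4
        with:
          fail-on-cache-miss: true
          path: .pkg/apparmor.d_*_amd64.deb
          key: ubuntu-24.04-default-${{ hashFiles('.pkg/apparmor.d_*_amd64.deb') }}
          restore-keys: |
            ubuntu-24.04-default-
      - name: Install Tests dependencies
        run: |
          sudo apt-get update -q
          sudo apt-get install -y \
            apparmor-profiles apparmor-utils \
            bats bats-support
          sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
      - name: Install apparmor.d
        # dpkg is best-effort (see `build`); the apparmor restart is not, so a
        # policy that cannot be loaded fails the job here.
        run: |
          sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
          sudo systemctl restart apparmor.service
      - name: Restart some services to ensure they are confined
        # Daemons started before the profiles were loaded keep running
        # unconfined; restart them so the security context shown by `ps auxZ`
        # reflects the newly installed policy.
        run: |
          services=(
            containerd cron dbus docker ModemManager multipathd networkd-dispatcher packagekit polkit snapd
            systemd-journald systemd-hostnamed systemd-logind systemd-networkd systemd-resolved systemd-udevd udisks2
          )
          sudo systemctl daemon-reload
          for service in "${services[@]}"; do
            sudo systemctl restart "$service" || systemctl status "$service.service" || true
          done
          sudo ps auxZ | grep -v '\[.*\]'
          sudo aa-log -s --raw
      - name: Install integration dependencies
        run: |
          bash tests/requirements.sh
      - name: Run the bats integration tests
        run: |
          make bats
      - name: Show final AppArmor logs
        if: always()
        run: |
          sudo aa-log -s --raw
      - name: Show final processes security context
        if: always()
        run: |
          sudo ps auxZ | grep -v '\[.*\]'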