#!/usr/bin/env bash # Configure the apparmor.d package # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only set -eu DISTRIBUTION="$(lsb_release --id --short)" readonly DISTRIBUTION="${DISTRIBUTION,,}" readonly ROOT=.build _die() { printf 'Error: %s\n' "$*" >&2 && exit 1; } _warning() { printf ' Warning: %s\n' "$*" >&2; } _title() { printf '%s\n' "$*" >&2; } _msg() { printf ' - %s\n' "$*" >&2; } # Displace files in the package sources # $@ List of files to displace _displace_files() { for path in "$@"; do mv "${ROOT:?}/$path" "${ROOT:?}/$path.apparmor.d" done } # Initialize a new clean apparmor.d build directory initialize() { rm -rf "${ROOT:?}" rsync -a ./apparmor.d "$ROOT" rsync -a ./root "$ROOT" } # Ignore profiles and files as defined in dists/ignore/ ignore() { for name in main.ignore "$DISTRIBUTION.ignore"; do _msg "Ignore profiles/files in dists/ignore/$name" while read -r profile; do [[ "$profile" =~ ^\# ]] && continue [[ -z "$profile" ]] && continue if [[ -e "${ROOT:?}/$profile" ]]; then rm -r "${ROOT:?}/$profile" else find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \; fi done <"dists/ignore/$name" done } # Synchronise all profiles in a new apparmor.d directory. synchronise() { _msg "Synchronise all profiles." mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/" rm -rf "${ROOT:?}/apparmor.d/groups/" mv "${ROOT:?}/apparmor.d/profiles-"*-*/* "${ROOT:?}/apparmor.d/" rm -rf "${ROOT:?}/apparmor.d/profiles-"* } # Set the distribution specificities configure() { case "$DISTRIBUTION" in arch) _msg "Configure libexec." sed -i -e '/Debian/d' "$ROOT/apparmor.d/tunables/extend" ;; debian|ubuntu) _msg "Configure libexec." sed -i -e '/Archlinux/d' "$ROOT/apparmor.d/tunables/extend" _msg "$DISTRIBUTION does not support abi 3.0 yet." find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \; _msg "$DISTRIBUTION does not have etc tunable." sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global" _msg "Displace overwritten files." _displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs if [[ "$DISTRIBUTION" == "ubuntu" ]]; then _msg "Ubuntu LTS compatibility." echo "@{run}=/run/ /var/run/" > "$ROOT/apparmor.d/tunables/run" sed -i -e '/capability bpf/d' -e '/capability perfmon/d' \ "$ROOT/apparmor.d/libvirtd" cp -a dists/ubuntu/abstractions/* $ROOT/apparmor.d/abstractions fi ;; *) _die "$DISTRIBUTION is not a supported distribution." ;; esac } # Set flags on some profile flags() { for name in main.flags "$DISTRIBUTION.flags"; do _msg "Set profiles flags from dists/flags/$name" while read -r profile; do IFS=' ' read -r -a manifest <<<"$profile" profile="${manifest[0]:-}" flags="${manifest[1]:-}" [[ "$profile" =~ ^\# || -z "$profile" ]] && continue path="${ROOT:?}/apparmor.d/$profile" if [[ ! -f "$path" ]]; then _warning "Profile $profile not found" continue fi # If flags is set, overwrite profile flag if [[ -n "$flags" ]]; then # Remove all flags definition, then set manifest' flags sed -e "s/flags=(.*)//" \ -e "s/ {$/ flags=(${flags//,/ }) {/" \ -i "$path" fi done <"dists/flags/$name" done } # Set complain flag on all profile (Dev only) complain() { _msg "Set complain flag on all profiles" for path in "${ROOT:?}/apparmor.d/"*; do [[ -d "$path" ]] && continue flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)" [[ "$flags" =~ complain ]] && continue echo -n . sed -e "s/flags=(.*)//" \ -e "s/ {$/ flags=(complain $flags) {/" \ -i "$path" done echo } # Set AppArmor for full system policy # See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy full() { cp -a apparmor.d/groups/_full/* "$ROOT/apparmor.d/" } # Print help message cmd_help() { cat <<-_EOF ./configure [options] - Configure the apparmor.d package Options: -f, --full Set AppArmor for full system policy -c, --complain Set complain flag on all profiles -h, --help Print this help message and exit _EOF } main() { local opts err FULL=0 COMPLAIN=0 small_arg="cfh" long_arg="complain,full,help" opts="$(getopt -o $small_arg -l $long_arg -n "configure" -- "$@")" err=$? eval set -- "$opts" while true; do case $1 in -f|--full) FULL=1; shift ;; -c|--complain) COMPLAIN=1; shift ;; -h|--help) shift; cmd_help; exit 0 ;; --) shift; break ;; esac done [[ $err -ne 0 ]] && { cmd_help; exit 1; } _title "Set the configuration for $DISTRIBUTION." initialize || _die "initializing build directory" ignore || _die "removing ignored profiles" synchronise || _die "merging profiles" configure || _die "configuring distributaion" flags || _die "settings flags" [[ "$COMPLAIN" == 1 ]] && complain [[ "$FULL" == 1 ]] && full return 0 } main "$@"