mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-15 07:54:17 +01:00
169 lines
4.2 KiB
Bash
Executable File
169 lines
4.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Configure the apparmor.d package
|
|
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
readonly ROOT=.build
|
|
|
|
_die() { printf '%s\n' "$*" >&2 && exit 1; }
|
|
_warning() { printf ' Warning: %s\n' "$*" >&2; }
|
|
|
|
has_option() {
|
|
local item option="$1";
|
|
for item in "${OPTIONS[@]}"; do
|
|
[[ "$item" == "$option" ]] && return 0
|
|
done
|
|
return 1
|
|
}
|
|
|
|
# Displace files in the package sources
|
|
# $@ List of files to displace
|
|
_displace_files() {
|
|
for path in "$@"; do
|
|
mv "${ROOT:?}/$path" "${ROOT:?}/$path.apparmor.d"
|
|
done
|
|
}
|
|
|
|
# Initialise a new clean apparmor.d build directory
|
|
initialise() {
|
|
rm -rf "${ROOT:?}" && rsync -a --exclude=.git . "$ROOT"
|
|
}
|
|
|
|
# Set the distribution specificities
|
|
configure() {
|
|
echo "Set the configuration for $DISTRIBUTION."
|
|
|
|
echo " Ignore profiles in profiles.ignore."
|
|
while read -r profile; do
|
|
[[ "$profile" =~ ^\# ]] && continue
|
|
if [[ "$profile" == */ ]]; then
|
|
find "$ROOT/apparmor.d" -iname "${profile////}" -type d -exec rm -r {} \;
|
|
else
|
|
find "$ROOT/apparmor.d" -iname "$profile" -type f -exec rm {} \;
|
|
fi
|
|
done <profiles.ignore
|
|
|
|
case "$DISTRIBUTION" in
|
|
archlinux)
|
|
echo " Ignore non Archlinux profiles."
|
|
rm -rf \
|
|
"${ROOT:?}"/apparmor.d/abstractions/apt-common \
|
|
"${ROOT:?}"/apparmor.d/groups/apt \
|
|
"${ROOT:?}"/apparmor.d/groups/cron
|
|
|
|
;;
|
|
|
|
debian)
|
|
echo " Ignore non Debian profiles."
|
|
rm -rf \
|
|
"${ROOT:?}"/apparmor.d/groups/pacman \
|
|
"${ROOT:?}"/root/usr/share/libalpm/hooks/apparmor.hook
|
|
|
|
echo " Debian does not support abi 3.0 yet."
|
|
find "$ROOT/apparmor.d" -type f -exec sed -e '/abi /d' -i {} \;
|
|
|
|
echo " Debian does not have etc tunable."
|
|
sed -i -e '/etc/d' "$ROOT/apparmor.d/tunables/global"
|
|
|
|
echo " Displace overwritten files."
|
|
_displace_files apparmor.d/tunables/global apparmor.d/tunables/xdg-user-dirs
|
|
|
|
;;
|
|
|
|
*) _die "$DISTRIBUTION is not a supported distribution." ;;
|
|
esac
|
|
}
|
|
|
|
# Synchronise all profile in a new apparmor.d directory.
|
|
synchronise() {
|
|
echo "Synchronise all profiles."
|
|
mv "${ROOT:?}/apparmor.d/groups/"*/* "${ROOT:?}/apparmor.d/"
|
|
rm -rf "${ROOT:?}/apparmor.d/groups/"
|
|
for dir in profiles-a-f profiles-g-l profiles-m-r profiles-s-z; do
|
|
mv "${ROOT:?}/apparmor.d/$dir/"* "${ROOT:?}/apparmor.d/"
|
|
rm -rf "${ROOT:?}/apparmor.d/$dir"
|
|
done
|
|
}
|
|
|
|
# Set flags on some profile
|
|
setflags() {
|
|
echo "Set apparmor flags from profiles.flags"
|
|
while read -r profile; do
|
|
IFS=' ' read -r -a manifest <<< "$profile"
|
|
profile="${manifest[0]}" flags="${manifest[1]}"
|
|
|
|
[[ "$profile" =~ ^\# || -z "$profile" ]] && continue
|
|
path="${ROOT:?}/apparmor.d/$profile"
|
|
if [[ ! -f "$path" ]]; then
|
|
_warning "Profile $profile not found"
|
|
continue
|
|
fi
|
|
|
|
# If flags is set, overwrite profile flag
|
|
if [[ -n "$flags" ]]; then
|
|
# Remove all flags definition, then set manifest' flags
|
|
sed -e "s/flags=(.*)//" \
|
|
-e "s/ {$/ flags=(${flags//,/ }) {/" \
|
|
-i "$path"
|
|
fi
|
|
|
|
done <profiles.flags
|
|
|
|
if has_option complain; then
|
|
setflag_complain
|
|
fi
|
|
}
|
|
|
|
# Set complain flag on all profile (Dev only)
|
|
setflag_complain() {
|
|
echo "Set complain flag on all profile"
|
|
for path in "${ROOT:?}/apparmor.d/"*; do
|
|
[[ -d "$path" ]] && continue
|
|
flags="$(grep -o -m 1 'flags=(.*)' "$path" | cut -d '(' -f2 | cut -d ')' -f1)"
|
|
[[ "$flags" =~ complain ]] && continue
|
|
echo -n .
|
|
sed -e "s/flags=(.*)//" \
|
|
-e "s/ {$/ flags=(complain $flags) {/" \
|
|
-i "$path"
|
|
done
|
|
echo
|
|
}
|
|
|
|
# Print help message
|
|
cmd_help() {
|
|
cat <<-_EOF
|
|
./configure [options] - Configure the apparmor.d package
|
|
|
|
Options:
|
|
--distribution=DIST Set the target Linux distribution: archlinux, debian
|
|
--options=OPT Set prefefined build options.
|
|
--help Print this help message and exit.
|
|
_EOF
|
|
}
|
|
|
|
main() {
|
|
local opts err
|
|
opts="$(getopt -o h -l distribution:,options:,help -n "$PROGRAM" -- "$@")"
|
|
err=$?
|
|
eval set -- "$opts"
|
|
while true; do case $1 in
|
|
--distribution) DISTRIBUTION="$2"; shift 2 ;;
|
|
--options)
|
|
# shellcheck disable=SC2206
|
|
OPTIONS=(${2//,/ }); shift 2 ;;
|
|
-h|--help) shift; cmd_help; exit 0 ;;
|
|
--) shift; break ;;
|
|
esac done
|
|
|
|
[[ $err -ne 0 ]] && { cmd_help; exit 1; }
|
|
|
|
initialise
|
|
configure
|
|
synchronise
|
|
setflags
|
|
|
|
exit 0
|
|
}
|
|
|
|
main "$@"
|