From adf19138d5a1b197b2ae526e6ca895c2266cc6df Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 20 Aug 2023 11:44:17 +0200 Subject: [PATCH] Don't create local/* profile sniplets by default ... and document how to create them if you still want them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/337 --- README.md | 3 +++ profiles/Makefile | 8 ++++---- profiles/apparmor.d/local/README | 7 +++++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b7555f990..e86c6383d 100644 --- a/README.md +++ b/README.md @@ -181,6 +181,9 @@ $ make check # depends on the parser having been built first $ make install ``` +Note that the empty local/* profile sniplets no longer get created by default. +If you want them, run `make local` before running `make check`. + [Note that for the parser, binutils, and utils, if you only wish to build/use some of the locale languages, you can override the default by passing the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".] diff --git a/profiles/Makefile b/profiles/Makefile index f6814288e..4beecb586 100644 --- a/profiles/Makefile +++ b/profiles/Makefile @@ -20,7 +20,7 @@ # Makefile for LSM-based AppArmor profiles NAME=apparmor-profiles -all: local docs +all: docs COMMONDIR=../common/ include $(COMMONDIR)/Make.rules @@ -86,7 +86,7 @@ local: done .PHONY: install -install: local +install: install -m 755 -d ${PROFILES_DEST} install -m 755 -d ${PROFILES_DEST}/disable for dir in ${SUBDIRS} ; do \ @@ -122,7 +122,7 @@ CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print) check: check-parser check-logprof check-abstractions.d check-tunables.d check-extras .PHONY: check-parser -check-parser: test-dependencies local +check-parser: test-dependencies @echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser" $(Q)for profile in ${CHECK_PROFILES} ; do \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ 
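Review bot: With `local` dropped from the prerequisites of `install:` in the `@@ -86` hunk, nothing in the visible rule guarantees that a profile referring to its local/ file can still be loaded on a freshly installed system. The local/README change in this commit mentions `include if exists`, which suggests the shipped profiles tolerate a missing file, but a profile that still uses a plain include of a local/ file would presumably be rejected by apparmor_parser and leave that program without confinement. I would record the dependency next to the rule, e.g. `# local/* is intentionally not created here; every shipped profile must use "include if exists" for its local/ file`, so that profiles added later or downstream are held to it. The install recipe continues past the end of the hunk, so whether the local/ directory itself is still installed cannot be seen here.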
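Review bot: Removing `local` from `check-parser` in the `@@ -122` hunk (and from `check-logprof` in the `@@ -138` hunk) makes the outcome of these checks depend on whether local/* files are left in the source tree from an earlier `make local`. In a tree where they exist, a profile with a non-optional include of its local/ file would still pass, while the same profile would likely fail to load on a system installed from this commit. Consider stating which configuration the checks cover, e.g. `# runs against the tree as-is; use a clean checkout to verify that profiles load without local/*`, or have `clean` remove the generated files if it does not already (not visible in this diff). The `check-parser` loop continues beyond the hunk.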
@@ -138,7 +138,7 @@ check-parser: test-dependencies local done .PHONY: check-logprof -check-logprof: test-dependencies local +check-logprof: test-dependencies @echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof" $(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1 diff --git a/profiles/apparmor.d/local/README b/profiles/apparmor.d/local/README index b2db5c186..688ed4234 100644 --- a/profiles/apparmor.d/local/README +++ b/profiles/apparmor.d/local/README @@ -13,9 +13,12 @@ # # For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has: # include +# or +# include if exists # -# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to -# contain any additional paths to be allowed, such as: +# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd +# (create the file if it doesn't exist yet) to contain any additional paths +# to be allowed, such as: # # /var/exports/** lrwk, #