profiles/Makefile: Clean up rules to better support extra profiles

Rename the "check-extras" target to "check-local" as it is no longer
limited to the extra profiles, and also fix a local include in the
sbuild-shell profile so that it passes the newly-applied CI check.
Daniel Richard G 2024-04-12 21:25:43 -04:00
parent 678d6294d7
commit e4a395b620
3 changed files with 54 additions and 44 deletions


@ -104,7 +104,7 @@ test-profiles:
script: script:
- make -C profiles check-parser - make -C profiles check-parser
- make -C profiles check-abstractions.d - make -C profiles check-abstractions.d
- make -C profiles check-extras - make -C profiles check-local
shellcheck: shellcheck:
stage: test stage: test


@ -27,13 +27,11 @@ include $(COMMONDIR)/Make.rules
DESTDIR=/ DESTDIR=/
PROFILES_DEST=${DESTDIR}/etc/apparmor.d PROFILES_DEST=${DESTDIR}/etc/apparmor.d
EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles/ EXTRAS_DEST=${DESTDIR}/usr/share/apparmor/extra-profiles
PROFILES_SOURCE=./apparmor.d PROFILES_SOURCE=./apparmor.d
ABSTRACTIONS_SOURCE=./apparmor.d/abstractions ABSTRACTIONS_SOURCE=./apparmor.d/abstractions
EXTRAS_SOURCE=./apparmor/profiles/extras/ EXTRAS_SOURCE=./apparmor/profiles/extras
EXTRAS_ABSTRACTIONS_SOURCE=./apparmor/profiles/extras/abstractions
SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
ifdef USE_SYSTEM ifdef USE_SYSTEM
PYTHONPATH= PYTHONPATH=
@ -79,7 +77,7 @@ ifndef USE_SYSTEM
endif endif
local: local:
for profile in ${TOPLEVEL_PROFILES}; do \ for profile in $$(find ${PROFILES_SOURCE} -maxdepth 1 -type f) ; do \
fn=$$(basename $$profile); \ fn=$$(basename $$profile); \
echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \ echo "# Site-specific additions and overrides for '$$fn'" > ${PROFILES_SOURCE}/local/$$fn; \
grep "include[[:space:]]\\+if[[:space:]]\\+exists[[:space:]]\\+<local/$$fn>" "$$profile" >/dev/null || { echo "$$profile doesn't contain include if exists <local/$$fn>" ; exit 1; } ; \ grep "include[[:space:]]\\+if[[:space:]]\\+exists[[:space:]]\\+<local/$$fn>" "$$profile" >/dev/null || { echo "$$profile doesn't contain include if exists <local/$$fn>" ; exit 1; } ; \
@ -89,14 +87,17 @@ local:
install: install:
install -m 755 -d ${PROFILES_DEST} install -m 755 -d ${PROFILES_DEST}
install -m 755 -d ${PROFILES_DEST}/disable install -m 755 -d ${PROFILES_DEST}/disable
for dir in ${SUBDIRS} ; do \ for dir in $$(cd ${PROFILES_SOURCE} && find . -type d -printf '%P\n') ; do \
install -m 755 -d "${PROFILES_DEST}/$${dir#${PROFILES_SOURCE}}" ; \ install -m 755 -d "${PROFILES_DEST}/$${dir}" ; \
done done
for file in $$(find ${PROFILES_SOURCE} -type f -print) ; do \ for file in $$(cd ${PROFILES_SOURCE} && find . -type f -printf '%P\n') ; do \
install -m 644 "$${file}" "${PROFILES_DEST}/$$(dirname $${file#${PROFILES_SOURCE}})" ; \ install -m 644 "${PROFILES_SOURCE}/$${file}" "${PROFILES_DEST}/$$(dirname $${file})" ; \
done done
install -m 755 -d ${EXTRAS_DEST} install -m 755 -d ${EXTRAS_DEST}
install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST} install -m 755 -d ${EXTRAS_DEST}/abstractions
for file in $$(cd ${EXTRAS_SOURCE} && find . -type f -printf '%P\n') ; do \
install -m 644 "${EXTRAS_SOURCE}/$${file}" "${EXTRAS_DEST}/$$(dirname $${file})" ; \
done
LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*)) LOCAL_ADDITIONS=$(filter-out ${PROFILES_SOURCE}/local/README, $(wildcard ${PROFILES_SOURCE}/local/*))
.PHONY: clean .PHONY: clean
@ -113,27 +114,36 @@ endif
# docs: should we have some here? # docs: should we have some here?
docs: docs:
IGNORE_FILES=${EXTRAS_SOURCE}/README
CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
# use find because Make wildcard is not recursive:
CHECK_ABSTRACTIONS=$(shell find ${ABSTRACTIONS_SOURCE} -type f -print)
.PHONY: check .PHONY: check
check: check-parser check-logprof check-abstractions.d check-tunables.d check-extras check: check-parser check-logprof check-abstractions.d check-tunables.d check-local
.PHONY: check-parser .PHONY: check-parser
check-parser: test-dependencies check-parser: test-dependencies
@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser" @echo "*** Checking profiles from ${PROFILES_SOURCE} against apparmor_parser"
$(Q)for profile in ${CHECK_PROFILES} ; do \ $(Q)for profile in $$(find ${PROFILES_SOURCE} -maxdepth 1 -type f) ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d $${profile} > /dev/null || exit 1; \ ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \
done
@echo "*** Checking profiles from ${EXTRAS_SOURCE} against apparmor_parser"
$(Q)for profile in $$(find ${EXTRAS_SOURCE} -maxdepth 1 -type f -not -name README) ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
${PARSER} --config-file=../parser/tst/parser.conf -S -b ${EXTRAS_SOURCE} -I ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \
done done
@echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser" @echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"
$(Q)for abstraction in ${CHECK_ABSTRACTIONS} ; do \ $(Q)for abstraction in $$(find ${ABSTRACTIONS_SOURCE} -maxdepth 1 -type f -printf '%P\n') ; do \
[ -n "${VERBOSE}" ] && echo "Testing $${abstraction}" ; \ [ -n "${VERBOSE}" ] && echo "Testing ${ABSTRACTIONS_SOURCE}/$${abstraction}" ; \
echo "abi <abi/4.0>, #include <tunables/global> profile test { #include <$${abstraction}> }" \ echo "abi <abi/4.0>, include <tunables/global> profile test { include <abstractions/$${abstraction}> }" \
| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PWD}/apparmor.d -I ${PWD} > /dev/null \ | ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} > /dev/null \
|| exit 1; \
done
@echo "*** Checking abstractions from ${EXTRAS_ABSTRACTIONS_SOURCE} against apparmor_parser"
$(Q)for abstraction in $$(find ${EXTRAS_ABSTRACTIONS_SOURCE} -maxdepth 1 -type f -printf '%P\n') ; do \
[ -n "${VERBOSE}" ] && echo "Testing ${EXTRAS_ABSTRACTIONS_SOURCE}/$${abstraction}" ; \
echo "abi <abi/4.0>, include <tunables/global> profile test { include <abstractions/$${abstraction}> }" \
| ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} -I ${EXTRAS_SOURCE} > /dev/null \
|| exit 1; \ || exit 1; \
done done
@ -144,27 +154,27 @@ check-logprof: test-dependencies
.PHONY: check-abstractions.d .PHONY: check-abstractions.d
check-abstractions.d: check-abstractions.d:
@echo "*** Checking if all abstractions (with a few exceptions) contain include if exists <abstractions/*.d>" @echo "*** Checking if all abstractions (with a few exceptions) contain 'include if exists <abstractions/*.d>'"
$(Q)cd apparmor.d/abstractions && for file in * ; do \ $(Q)for file in $$(find ${ABSTRACTIONS_SOURCE} ${EXTRAS_ABSTRACTIONS_SOURCE} -maxdepth 1 -type f) ; do \
test -d "$$file" && continue ; \ case "$${file}" in */ubuntu-browsers | */ubuntu-helpers) continue ;; esac ; \
test "$$file" = 'ubuntu-browsers' && continue ; \ include="include if exists <abstractions/$$(basename $${file}).d>" ; \
test "$$file" = 'ubuntu-helpers' && continue ; \ grep -q "^ $${include}\$$" $${file} || { echo "$${file} does not contain '$${include}'"; exit 1; } ; \
grep -q "^ include if exists <abstractions/$${file}.d>$$" $$file || { echo "$$file does not contain 'include if exists <abstractions/$${file}.d>'"; exit 1; } ; \
done done
.PHONY: check-tunables.d .PHONY: check-tunables.d
check-tunables.d: check-tunables.d:
@echo "*** Checking if all tunables (with a few exceptions) contain include if exists <tunables/*.d>" @echo "*** Checking if all tunables (with a few exceptions) contain 'include if exists <tunables/*.d>'"
$(Q)cd apparmor.d/tunables && for file in * ; do \ $(Q)for file in $$(find ${PROFILES_SOURCE}/tunables -maxdepth 1 -type f) ; do \
test -d "$$file" && continue ; \ case "$${file}" in */sys) continue ;; esac ; \
test "$$file" = 'sys' && continue ; \ include="include if exists <tunables/$$(basename $${file}).d>" ; \
grep -q "^include if exists <tunables/$${file}.d>$$" $$file || { echo "$$file does not contain 'include if exists <tunables/$${file}.d>'"; exit 1; } ; \ grep -q "^$${include}\$$" $${file} || { echo "$${file} does not contain '$${include}'"; exit 1; } ; \
done done
.PHONY: check-extras .PHONY: check-local
check-extras: check-local:
@echo "*** Checking if all extra profiles contain include if exists <local/*>" @echo "*** Checking if all profiles contain 'include if exists <local/*>'"
$(Q)cd ${EXTRAS_SOURCE} && for file in * ; do \ $(Q)for file in $$(find ${PROFILES_SOURCE} ${EXTRAS_SOURCE} -maxdepth 1 -type f) ; do \
test "$$file" = 'README' && continue ; \ case "$${file}" in */README) continue ;; esac ; \
grep -q "^ include if exists <local/$${file}>$$" $$file || { echo "$$file does not contain 'include if exists <local/$${file}>'"; exit 1; } ; \ include="include if exists <local/$$(basename $${file})>" ; \
grep -q "^ *$${include}\$$" $${file} || { echo "$${file} does not contain '$${include}'"; exit 1; } ; \
done done
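Review bot: The new loops in check-abstractions.d, check-tunables.d and check-local (and the same pattern in check-parser and the install/local targets) iterate over `$$(find DIR ... )`, and a command substitution discards find's exit status; if one of the listed directories is missing or misnamed, find only prints to stderr, the loop runs over whatever remains (or nothing), and the check exits 0 — a vacuous pass rather than a failure. Since these targets are the CI gate for the profile tree, guard the directories before the loop, e.g. in check-abstractions.d `$(Q)for d in ${ABSTRACTIONS_SOURCE} ${EXTRAS_ABSTRACTIONS_SOURCE} ; do test -d "$$d" || { echo "$$d: no such directory" ; exit 1 ; } ; done`, and the same one-liner for the directories scanned by check-tunables.d, check-local and check-parser. A second, smaller point: `-printf '%P\n'` and `-maxdepth` are GNU findutils extensions, so a comment such as `# requires GNU find (-maxdepth, -printf)` near the first use would document the assumption the old `-print`-only code did not make.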


@ -8,5 +8,5 @@ profile sbuild-shell /usr/bin/sbuild-shell flags=(unconfined) {
userns, userns,
# Site-specific additions and overrides. See local/README for details. # Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.sbuild-shell> include if exists <local/sbuild-shell>
} }