build: reorganise build: abi4, fallback, prebuild cli

- ABI4 by default, fallback to abi 3.
- aa-prebuild cli that can be used by other projects shipping profiles.
- --file option to cli to only build one dev profile.
- add abi version filter to only & exclude directives.
This commit is contained in:
Alexandre Pujol 2024-10-02 16:22:46 +01:00
parent d6b7bef89e
commit 59ac54e2fc
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
39 changed files with 473 additions and 440 deletions


@ -5,92 +5,66 @@
package main
import (
"flag"
"fmt"
"os"
"slices"
"github.com/roddhjav/apparmor.d/pkg/logging"
"github.com/roddhjav/apparmor.d/pkg/prebuild"
"github.com/roddhjav/apparmor.d/pkg/prebuild/builder"
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
"github.com/roddhjav/apparmor.d/pkg/prebuild/directive"
"github.com/roddhjav/apparmor.d/pkg/prebuild/cli"
"github.com/roddhjav/apparmor.d/pkg/prebuild/prepare"
)
const usage = `prebuild [-h] [--full] [--complain | --enforce]
Prebuild apparmor.d profiles for a given distribution and apply
internal built-in directives.
Options:
-h, --help Show this help message and exit.
-f, --full Set AppArmor for full system policy.
-c, --complain Set complain flag on all profiles.
-e, --enforce Set enforce flag on all profiles.
--abi4 Convert the profiles to Apparmor abi/4.0.
`
var (
help bool
full bool
complain bool
enforce bool
abi4 bool
)
func init() {
flag.BoolVar(&help, "h", false, "Show this help message and exit.")
flag.BoolVar(&help, "help", false, "Show this help message and exit.")
flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.")
flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.")
flag.BoolVar(&abi4, "abi4", false, "Convert the profiles to Apparmor abi/4.0.")
}
// Define the tasks applied by default
prepare.Register(
"synchronise",
"ignore",
"merge",
"configure",
"setflags",
"systemd-default",
)
func aaPrebuild() error {
logging.Step("Building apparmor.d profiles for %s.", cfg.Distribution)
// Build tasks applied by default
builder.Register(
"userspace", // Resolve variable in the userspace profile
"dev", // Temporary fix for #74, #80 & #235
)
if full {
prepare.Register("fsp")
builder.Register("fsp")
} else {
prepare.Register("systemd-early")
// Compatibility with AppArmor 3
switch prebuild.Distribution {
case "arch":
prebuild.ABI = 3
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
prebuild.ABI = 3
}
case "debian":
prebuild.ABI = 3
case "whonix":
prebuild.ABI = 3
// Hide rewrittem Whonix profiles
prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure
/etc/apparmor.d/home.tor-browser.firefox
/etc/apparmor.d/tunables/homsanitycheck
/etc/apparmor.d/usr.bin.url_e.d/anondist
/etc/apparmor.d/tunables/home.d/live-mode
/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist
/etc/apparmor.d/usr.bin.hexchat
/etc/apparmor.d/usr.bin.sdwdate
/etc/apparmor.d/usr.bin.systemcheck
/etc/apparmor.d/usr.bin.timeto_unixtime
/etc/apparmor.d/whonix-firewall
`
}
if complain {
builder.Register("complain")
} else if enforce {
builder.Register("enforce")
}
if abi4 {
if prebuild.ABI == 3 {
builder.Register("abi3")
}
if err := prebuild.Prepare(); err != nil {
return err
}
return prebuild.Build()
}
func main() {
flag.Usage = func() {
fmt.Printf("%s%s\n%s\n%s", usage,
cfg.Help("Prepare", prepare.Tasks),
cfg.Help("Build", builder.Builders),
cfg.Usage("Directives", directive.Directives),
)
}
flag.Parse()
if help {
flag.Usage()
os.Exit(0)
}
if err := aaPrebuild(); err != nil {
logging.Fatal("%s", err.Error())
}
cli.Prebuild()
}
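Review bot: The Ubuntu case of the ABI compatibility switch keys abi/4 to an allowlist holding only `noble`, so every later release would silently be built as abi/3 even if it ships AppArmor 4, which inverts the "ABI4 by default" intent of the commit and, as far as I understand the ABI declaration, leaves the newer abi/4 mediation classes off for those profiles. Unless that list is meant to be maintained per release, naming the releases still on AppArmor 3 instead, or deriving the ABI from the installed apparmor version, would be the safer default; at minimum a comment such as `// Releases before noble ship AppArmor 3: fall back to abi/3` would make the intent reviewable. The rendered hunk does not make clear whether the switch runs from `init()` or from a build function; if it is `init()`, it is evaluated before any command-line option from `cli.Prebuild` could override it, which is worth confirming. The Whonix comment `Hide rewrittem Whonix profiles` should read `rewritten`.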


@ -9,9 +9,7 @@ import (
"os/exec"
"testing"
"github.com/roddhjav/apparmor.d/pkg/prebuild/builder"
"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
"github.com/roddhjav/apparmor.d/pkg/prebuild/prepare"
"github.com/roddhjav/apparmor.d/pkg/prebuild"
)
func chdirGitRoot() {
@ -26,64 +24,33 @@ func chdirGitRoot() {
}
}
func Test_AAPrebuild(t *testing.T) {
func Test_main(t *testing.T) {
tests := []struct {
name string
wantErr bool
full bool
complain bool
dist string
name string
dist string
}{
{
name: "Build for Archlinux",
wantErr: false,
full: false,
complain: true,
dist: "arch",
name: "Build for Archlinux",
dist: "arch",
},
{
name: "Build for Ubuntu",
wantErr: false,
full: true,
complain: false,
dist: "ubuntu",
name: "Build for Ubuntu",
dist: "ubuntu",
},
{
name: "Build for Debian",
wantErr: false,
full: true,
complain: false,
dist: "debian",
name: "Build for Debian",
dist: "debian",
},
{
name: "Build for OpenSUSE Tumbleweed",
wantErr: false,
full: true,
complain: true,
dist: "opensuse",
name: "Build for OpenSUSE Tumbleweed",
dist: "opensuse",
},
// {
// name: "Build for Fedora",
// wantErr: true,
// full: false,
// complain: false,
// dist: "fedora",
// },
}
chdirGitRoot()
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg.Distribution = tt.dist
if tt.full {
prepare.Register("fsp")
builder.Register("fsp")
}
if tt.complain {
builder.Register("complain")
}
if err := aaPrebuild(); (err != nil) != tt.wantErr {
t.Errorf("aaPrebuild() error = %v, wantErr %v", err, tt.wantErr)
}
prebuild.Distribution = tt.dist
main()
})
}
}
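Review bot: `Test_main` now drives each case by calling `main()`, so a build error ends in the process-exit path (the removed code reached `logging.Fatal`, and `cli.Prebuild` presumably keeps that behaviour) and aborts the whole test binary instead of failing the subtest; with the `wantErr` field dropped, no case asserts an error outcome at all. The subtests also share package state across iterations — `prebuild.Distribution` plus whatever tasks and builders `main()` registers — so case order can change results. Prefer an error-returning entry point, e.g. `if err := cli.Prebuild(); err != nil { t.Errorf("Prebuild() error = %v", err) }` if `cli.Prebuild` can return one, or reinstate an inner function like the removed `aaPrebuild` for the test to call. `chdirGitRoot` and the import block start outside the hunk.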