build(fsp): set stacked variables.

This commit is contained in:
Alexandre Pujol 2025-05-26 00:57:37 +02:00
parent d9430c68c1
commit 780ca65953
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC


@ -5,11 +5,60 @@
package prepare package prepare
import ( import (
"strings" "regexp"
"github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/paths"
"github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild"
"github.com/roddhjav/apparmor.d/pkg/util" )
var (
tunables = map[string]string{
// Set systemd profiles name
"sd": "sd",
"sdu": "sdu",
"systemd_user": "systemd-user",
"systemd": "systemd",
// With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they
"dbus_system": "dbus-system",
"dbus_session": "dbus-session",
// Update name of stacked profiles
"apt_news": "",
"colord": "",
"e2scrub_all": "",
"e2scrub": "",
"fprintd": "",
"fwupd": "",
"fwupdmgr": "",
"geoclue": "",
"irqbalance": "",
"logrotate": "",
"ModemManager": "",
"nm_priv_helper": "",
"pcscd": "",
"polkitd": "",
"power_profiles_daemon": "",
"rsyslogd": "",
"systemd_coredump": "",
"systemd_homed": "",
"systemd_hostnamed": "",
"systemd_importd": "",
"systemd_initctl": "",
"systemd_journal_remote": "",
"systemd_journald": "",
"systemd_localed": "",
"systemd_logind": "",
"systemd_machined": "",
"systemd_networkd": "",
"systemd_oomd": "",
"systemd_resolved": "",
"systemd_rfkill": "",
"systemd_timedated": "",
"systemd_timesyncd": "",
"systemd_userdbd": "",
"upowerd": "",
}
) )
type FullSystemPolicy struct { type FullSystemPolicy struct {
@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) {
return res, err return res, err
} }
// Set systemd profile name // Set profile name for FSP
path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles")
out, err := path.ReadFileAsString() out, err := path.ReadFileAsString()
if err != nil { if err != nil {
return res, err return res, err
} }
out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") for varname, profile := range tunables {
out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`)
out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") if profile == "" {
out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`)
if err := path.WriteFile([]byte(out)); err != nil { } else {
return res, err out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile)
} }
// Fix conflicting x modifiers in abstractions - FIXME: Temporary solution
path = prebuild.RootApparmord.Join("abstractions/gstreamer")
out, err = path.ReadFileAsString()
if err != nil {
return res, err
} }
regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``})
out = regFixConflictX.Replace(out)
if err := path.WriteFile([]byte(out)); err != nil { if err := path.WriteFile([]byte(out)); err != nil {
return res, err return res, err
} }
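Review bot: The rewritten loop in Apply() no longer sets the two executor tunables the removed lines handled — `@{p_systemd_executor}` and `@{p_systemd_user_executor}` are not keys of `tunables`, so under FSP they keep whatever value `tunables/multiarch.d/profiles` ships with; if that default is still `unconfined` this is a regression rather than a deliberate change, and two entries (`"systemd_executor": "systemd-executor"`, `"systemd_user_executor": "systemd-user-executor"`) would restore the old behaviour. The per-key `regexp.MustCompile` also splices the raw map key into the pattern; the keys are constants today, but `regexp.MustCompile(`(@\{p_` + regexp.QuoteMeta(varname) + `}=)(\S+)`)` keeps a future key containing metacharacters from panicking the build, and because map iteration order is random the loop silently relies on every pattern being anchored by `}=` so that no replacement can match another key's pattern — that invariant deserves a one-line comment above the `for`. In the stacked branch (`profile == ""`) `$2` is whatever value the file currently holds, so the generated `{$2,sd//&$2,$2//&sd}` is only meaningful if the shipped default is already the profile name and not `unconfined`; a comment stating that assumption on the `if profile == ""` line would make the intent checkable. Apply() begins before this hunk and continues after it.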