build: fully replace make by just.

Alexandre Pujol 2025-07-22 23:18:00 +02:00 committed by Alex
parent 4a3a98c77d
commit 7d2229cd05
22 changed files with 113 additions and 182 deletions


@ -2,7 +2,7 @@
title: Building the profiles
---
The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers.
The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers.
The build system is fully configurable, general usage can be seen with:
```sh
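Review bot: the changed sentence now says the profiles are prebuilt "by running `just complain`", which reads as the only build entry point, while other pages touched in this commit also build with `just enforce` and `just fsp-complain`. Consider wording it as "by running a build recipe such as `just complain`". The same line still carries "all possibles prebuild tasks"; since it is being edited anyway, change it to "all possible".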


@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable
- [ ] Provide packages repo for ubuntu/debian
- [ ] Provide complain/enforced packages version
- [x] Add a `just` target to install the profiles in the right place
- [ ] Fully drop the Makefile in favor of `just`
- [x] Fully drop the Makefile in favor of `just`
## Next features


@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo
**Current**
- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make`
- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain`
- Build the profiles for all supported distributions.
- All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel.
- Ensure the profile entry point (`@{exec_path}`) is defined.
- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles:
- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles:
- Ensure apparmor.d header & licence
- Ensure 2 spaces indentation
- Ensure local include for profile and subprofiles
@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo
- Ensure modern profile naming
- Ensure `vim:syntax=apparmor`
- [x] **[Integration Tests:](integration.md)** `just integration <dist> <flavor>`
- [x] **[Integration Tests:](integration.md)** `just test-run <dist> <flavor>`
- Run simple CLI commands to ensure no logs are raised.
- Uses the [bats](https://github.com/bats-core/bats-core) test system.
- Run in the Github Action as well as in all local [test VM](vm.md).
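Review bot: the recipe rename from `just integration <dist> <flavor>` to `just test-run <dist> <flavor>` is not part of replacing make, since the old line already used `just`. Mention the rename in the commit message or split it into its own commit, and check that no other page or CI job still calls `just integration`.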


@ -57,7 +57,7 @@ profile foo @{exec_path} {
## Development Install
It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`).
It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`).
Instead, install an individual profile or the development package, the following way.
@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following
=== ":material-arch: Archlinux"
```sh
make pkg
just pkg
```
=== ":material-ubuntu: Ubuntu"
```sh
make dpkg
just dpkg
```
=== ":material-debian: Debian"
```sh
make dpkg
just dpkg
```
=== ":simple-suse: openSUSE"
```sh
make rpm
just rpm
```
=== ":material-docker: Docker"
@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following
**Format**
```sh
make dev name=<profile-name>
just dev <profile-name>
```
**Exampe**
@ -110,7 +110,7 @@ make dev name=<profile-name>
: Testing the profile `pass`
```
make dev name=pass
just dev pass
```
This:


@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This
=== ":material-arch: Archlinux"
In the `PKGBUILD`, replace `make` by `make enforce`:
In the `PKGBUILD`, replace `just complain` by `just enforce`:
```diff
- make DISTRIBUTION=arch
+ make enforce DISTRIBUTION=arch
- just complain
+ just enforce
```
Then, build the package with: `make pkg`
Then, build the package with: `just pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just enforce`:
```make
override_dh_auto_build:
make enforce
```diff
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just enforce
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just enforce`:
```make
override_dh_auto_build:
make enforce
```diff
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just enforce
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce`
In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`:
```diff
- %make_build
+ %make_build enforce
%build
- just complain
%build
+ just enforce
```
Then, build the package with: `make rpm`
Then, build the package with: `just rpm`
=== ":material-home: Partial Install"
Use the `make enforce` command to build instead of `make`
Use the `just enforce` command to build instead of `just complain`
[aur]: https://aur.archlinux.org/packages/apparmor.d-git
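Review bot: in the Ubuntu, Debian and openSUSE tabs the new diff example repeats its context line (`override_dh_auto_build:`, `%build`) once before the removed line and again before the added line, so a reader can take it to mean that a second target or section is needed. Show the context line once, followed by `- just complain` and `+ just enforce`. The Arch tab also drops `DISTRIBUTION=arch` from the command without saying how the distribution is selected now; one sentence on that would help packagers who relied on the variable.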


@ -35,7 +35,7 @@ Particularly:
## Installation
This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes.
This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes.
In `/etc/apparmor/parser.conf` ensure you have:
```
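Review bot: the installation paragraph now names `just fsp` as the build that enables this feature, but the per-distribution steps later on the same page tell the reader to use `just fsp-complain`. If both recipes exist, say how they differ; otherwise use one name throughout so the reader knows which one produces the FSP build.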
@ -46,51 +46,57 @@ Optimize=compress-fast
=== ":material-arch: Archlinux"
In `PKGBUILD`, replace `make` by `make fsp`:
In `PKGBUILD`, replace `just complain` by `just fsp-complain`:
```diff
- make
+ make fsp
- just complain
+ just fsp-complain
```
Then, build the package with: `make pkg`
Then, build the package with: `just pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just fsp-complain`:
```make
override_dh_auto_build:
make fsp
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just fsp-complain
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just fsp-complain`:
```make
override_dh_auto_build:
make fsp
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just fsp-complain
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp`
In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`:
```diff
- %make_build
+ %make_build fsp
%build
- just complain
%build
+ just fsp-complain
```
Then, build the package with: `make rpm`
Then, build the package with: `just rpm`
=== ":material-home: Partial Install"
Use the `make fsp` command to build instead of `make`
Use the `just fsp-complain` command to build instead of `just complain`
## Structure
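Review bot: the Ubuntu and Debian tabs keep the `make` code fence while the body is now written as a diff (`- just complain` / `+ just fsp-complain`); the enforce page in this commit switched the same block to a `diff` fence. Change the fence language here as well, and show `override_dh_auto_build:` (and `%build` in the openSUSE tab) once as context instead of twice.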


@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
just dpkg
```
!!! warning
@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
just dpkg
```
!!! note
You may need golang from the backports repository to build:
**Debian 12 user will need to:**
1. Install Golang from the backports repository:
```sh
echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt install -t bookworm-backports golang-go
```
2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g:
```sh
pipx install rust-just
sed '/just/d' -i debian/control
```
!!! warning
**Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different.
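Review bot: `sed '/just/d' -i debian/control` in step 2 deletes every line that contains the string "just", not only the build dependency, so it can also remove a description line or a line that lists other dependencies alongside it. Match the dependency entry more narrowly and tell the reader to review the resulting `debian/control` before building. It is also worth stating that `pipx install rust-just` fetches an unpinned build tool from outside the Debian archive, and suggesting that the reader pin a version.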
@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.
```sh
make
sudo make profile-names...
just complain
sudo just local profile-names...
```
!!! warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77))
For instance, `sudo make pass` gives:
For instance, `sudo just local pass` gives:
```sh
Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,
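Review bot: `sudo just local profile-names...` needs `just` to be found on root's PATH, which is not guaranteed for the user-level `pipx install rust-just` that this same page recommends for Debian 12. Add a note on that next to the command, or show a form that passes the full path to the `just` binary.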