build: fully replace make by just.

Alexandre Pujol 2025-07-22 23:18:00 +02:00 committed by Alex
parent 4a3a98c77d
commit 7d2229cd05
22 changed files with 113 additions and 182 deletions


@ -9,9 +9,14 @@ jobs:
- name: Check out repository code
uses: actions/checkout@v4
- name: Install linter dependencies
run: |
sudo apt-get update -q
sudo apt-get install -y just
- name: Run basic profile linter check
run: |
make check
just check
build:
runs-on: ${{ matrix.os }}
@ -32,13 +37,13 @@ jobs:
sudo apt-get update -q
sudo apt-get install -y \
devscripts debhelper config-package-dev \
auditd apparmor-profiles apparmor-utils
auditd apparmor-profiles apparmor-utils just
sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
- name: Build the apparmor.d package
run: |
if [[ ${{ matrix.mode }} == full-system-policy ]]; then
echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules
sed -e "s/just complain/just fsp-complain/" -i debian/rules
fi
if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
# Test with Re-attach disconnected path
@ -95,7 +100,7 @@ jobs:
sudo apt-get update -q
sudo apt-get install -y \
apparmor-profiles apparmor-utils \
bats bats-support
bats bats-support just
- name: Install apparmor.d
run: |
@ -127,12 +132,12 @@ jobs:
- name: Install integration dependencies
run: |
bash tests/requirements.sh
just init
find /usr/sbin/ -type f
- name: Run the integration tests
run: |
make integration
just integration
- name: Show final AppArmor logs
if: always()
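Review bot: The `sed -e "s/just complain/just fsp-complain/" -i debian/rules` step in the full-system-policy branch exits 0 even when nothing matches, so if the recipe text in `debian/rules` is ever reworded, the FSP matrix job would quietly build the default policy and still pass. Follow it with a check such as `grep -q 'just fsp-complain' debian/rules` so the job fails when the substitution did not apply. The `whonix` job's `before_script` in the next file section uses the same sed and has the same gap. The removed line appended `make fsp`, which the deleted Makefile ran as `prebuild --full` without `--complain`, so this job now appears to build the full-system policy in complain mode rather than enforce mode; if that is intended, the commit message should say so.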


@ -66,7 +66,7 @@ check:
stage: test
image: registry.gitlab.com/roddhjav/builders/archlinux
script:
- make check
- just check
# Package Build
# -------------
@ -84,13 +84,12 @@ archlinux:
debian:
stage: build
image: registry.gitlab.com/roddhjav/builders/debian:12
image: registry.gitlab.com/roddhjav/builders/debian:trixie
script:
- sudo chown -R build:build /builds/
- git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release
- sudo apt-get install -y -t bookworm-backports golang-go
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
- bash dists/build.sh dpkg
artifacts:
expire_in: 1 day
@ -105,7 +104,7 @@ ubuntu:
script:
- git config --global --add safe.directory $CI_PROJECT_DIR
- mkdir -p "$PKGDEST"
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release
- sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
- bash dists/build.sh dpkg
artifacts:
expire_in: 1 day
@ -117,7 +116,7 @@ whonix:
variables:
DISTRIBUTION: whonix
before_script:
- echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules
- sed -e "s/just complain/just fsp-complain/" -i debian/rules
opensuse:
stage: build


@ -157,7 +157,7 @@ dpkg:
[doc('Build & install apparmor.d on OpenSUSE based systems')]
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
[group('tests')]
[doc('Run the unit tests')]
@ -213,8 +213,8 @@ package dist:
if [[ $dist =~ ubuntu([0-9]+) ]]; then
version="${BASH_REMATCH[1]}.04"
dist="ubuntu"
elif [[ $dist =~ debian([0-9]+) ]]; then
version="${BASH_REMATCH[1]}"
elif [[ $dist == debian ]]; then
version="trixie"
dist="debian"
fi
bash dists/docker.sh $dist $version
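Review bot: With the `debian([0-9]+)` pattern replaced by the exact match `$dist == debian`, an argument such as `debian12` no longer matches any branch and reaches `dists/docker.sh` with `dist` unchanged and `version` holding whatever was set before this hunk. The recipe starts outside the hunk, so that default is not visible here. If versioned Debian names are no longer supported, reject them explicitly after the `debian` branch rather than letting them fall through. Separately, quote the expansions on the last line, `bash dists/docker.sh "$dist" "$version"`, so an argument containing spaces or glob characters is not word-split before it reaches the container script.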

100
Makefile

@ -1,100 +0,0 @@
#!/usr/bin/make -f
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
DESTDIR ?= /
BUILD ?= .build
PKGDEST ?= ${PWD}/.pkg
PKGNAME := apparmor.d
PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all
all: build
@./${BUILD}/prebuild --complain
.PHONY: build
build:
@go build -o ${BUILD}/ ./cmd/aa-log
@go build -o ${BUILD}/ ./cmd/prebuild
.PHONY: enforce
enforce: build
@./${BUILD}/prebuild
.PHONY: fsp
fsp: build
@./${BUILD}/prebuild --full
.PHONY: fsp-complain
fsp-complain: build
@./${BUILD}/prebuild --complain --full
.PHONY: install
install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
done;
@for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@for file in ${BUILD}/systemd/system/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
done;
@for file in ${BUILD}/systemd/user/*; do \
service="$$(basename "$$file")"; \
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done
.PHONY: $(PROFILES)
$(PROFILES):
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done;
@for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done;
@echo "Warning: profile dependencies fallback to unconfined."
@for file in ${@}; do \
grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done;
@systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: dev
name ?=
dev:
@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
@sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: pkg
pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm
.PHONY: dpkg
dpkg:
@bash dists/build.sh dpkg
@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
.PHONY: rpm
rpm:
@bash dists/build.sh rpm
@sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
.PHONY: check
check:
@bash tests/check.sh
.PHONY: integration
integration:
@bats --recursive --timing --print-output-on-failure tests/integration/


@ -1 +1 @@
# This file is generated by "make", all edit will be lost.
# This file is generated by "just", all edit will be lost.

1
debian/control vendored

@ -6,6 +6,7 @@ Build-Depends: debhelper (>= 13.4),
debhelper-compat (= 13),
golang-any,
config-package-dev,
just,
Homepage: https://github.com/roddhjav/apparmor.d
Vcs-Browser: https://github.com/roddhjav/apparmor.d
Vcs-Git: https://github.com/roddhjav/apparmor.d.git

8
debian/rules vendored

@ -9,5 +9,9 @@
# golang/1.19 compresses debug symbols itself.
override_dh_dwz:
# do not run 'make check' by default as it can be long for dev package
override_dh_auto_test:
override_dh_auto_build:
just complain
override_dh_auto_install:
just destdir="${CURDIR}/debian/apparmor.d" install
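Review bot: The comment above `override_dh_auto_test` still says `make check`, but this commit removes the Makefile, so the command it names no longer exists. Update it to `# do not run 'just check' by default as it can be long for dev package`. The CI jobs also rewrite this file by matching the literal string `just complain`, so a short comment on `override_dh_auto_build` noting that dependency (for example `# CI substitutes 'just complain' via sed; keep this text stable`) would help the next editor avoid silently disabling the full-system-policy builds.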


@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d
Source0: %{name}-%{version}.tar.gz
Requires: apparmor-profiles
BuildRequires: distribution-release
BuildRequires: just
BuildRequires: golang-packaging
BuildRequires: apparmor-profiles
@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most
%autosetup
%build
%make_build
just complain
%install
%make_install
just destdir="%{buildroot}" install
%posttrans
rm -f /var/cache/apparmor/* 2>/dev/null


@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: make [ dpkg | pkg | rpm ]
# Usage: just [ dpkg | pkg | rpm ]
set -eu -o pipefail


@ -2,7 +2,7 @@
# File format: one ignore by line, it can be a profile name or a directory to ignore
# Contains profiles and configuration for full system confinement, only included
# when built with 'make full'
# when built with 'just fsp'
apparmor.d/groups/_full
# Provided by other packages


@ -2,7 +2,7 @@
title: Building the profiles
---
The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers.
The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers.
The build system is fully configurable, general usage can be seen with:
```sh


@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable
- [ ] Provide packages repo for ubuntu/debian
- [ ] Provide complain/enforced packages version
- [x] Add a `just` target to install the profiles in the right place
- [ ] Fully drop the Makefile in favor of `just`
- [x] Fully drop the Makefile in favor of `just`
## Next features


@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo
**Current**
- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make`
- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain`
- Build the profiles for all supported distributions.
- All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel.
- Ensure the profile entry point (`@{exec_path}`) is defined.
- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles:
- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles:
- Ensure apparmor.d header & licence
- Ensure 2 spaces indentation
- Ensure local include for profile and subprofiles
@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo
- Ensure modern profile naming
- Ensure `vim:syntax=apparmor`
- [x] **[Integration Tests:](integration.md)** `just integration <dist> <flavor>`
- [x] **[Integration Tests:](integration.md)** `just test-run <dist> <flavor>`
- Run simple CLI commands to ensure no logs are raised.
- Uses the [bats](https://github.com/bats-core/bats-core) test system.
- Run in the Github Action as well as in all local [test VM](vm.md).


@ -57,7 +57,7 @@ profile foo @{exec_path} {
## Development Install
It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`).
It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`).
Instead, install an individual profile or the development package, the following way.
@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following
=== ":material-arch: Archlinux"
```sh
make pkg
just pkg
```
=== ":material-ubuntu: Ubuntu"
```sh
make dpkg
just dpkg
```
=== ":material-debian: Debian"
```sh
make dpkg
just dpkg
```
=== ":simple-suse: openSUSE"
```sh
make rpm
just rpm
```
=== ":material-docker: Docker"
@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following
**Format**
```sh
make dev name=<profile-name>
just dev <profile-name>
```
**Exampe**
@ -110,7 +110,7 @@ make dev name=<profile-name>
: Testing the profile `pass`
```
make dev name=pass
just dev pass
```
This:


@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This
=== ":material-arch: Archlinux"
In the `PKGBUILD`, replace `make` by `make enforce`:
In the `PKGBUILD`, replace `just complain` by `just enforce`:
```diff
- make DISTRIBUTION=arch
+ make enforce DISTRIBUTION=arch
- just complain
+ just enforce
```
Then, build the package with: `make pkg`
Then, build the package with: `just pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just enforce`:
```make
override_dh_auto_build:
make enforce
```diff
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just enforce
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just enforce`:
```make
override_dh_auto_build:
make enforce
```diff
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just enforce
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce`
In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`:
```diff
- %make_build
+ %make_build enforce
%build
- just complain
%build
+ just enforce
```
Then, build the package with: `make rpm`
Then, build the package with: `just rpm`
=== ":material-home: Partial Install"
Use the `make enforce` command to build instead of `make`
Use the `just enforce` command to build instead of `just complain`
[aur]: https://aur.archlinux.org/packages/apparmor.d-git


@ -35,7 +35,7 @@ Particularly:
## Installation
This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes.
This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes.
In `/etc/apparmor/parser.conf` ensure you have:
```
@ -46,51 +46,57 @@ Optimize=compress-fast
=== ":material-arch: Archlinux"
In `PKGBUILD`, replace `make` by `make fsp`:
In `PKGBUILD`, replace `just complain` by `just fsp-complain`:
```diff
- make
+ make fsp
- just complain
+ just fsp-complain
```
Then, build the package with: `make pkg`
Then, build the package with: `just pkg`
=== ":material-ubuntu: Ubuntu"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just fsp-complain`:
```make
override_dh_auto_build:
make fsp
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just fsp-complain
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":material-debian: Debian"
In `debian/rules`, add the following lines:
In `debian/rules`, replace `just complain` by `just fsp-complain`:
```make
override_dh_auto_build:
make fsp
override_dh_auto_build:
- just complain
override_dh_auto_build:
+ just fsp-complain
```
Then, build the package with: `make dpkg`
Then, build the package with: `just dpkg`
=== ":simple-suse: openSUSE"
In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp`
In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`:
```diff
- %make_build
+ %make_build fsp
%build
- just complain
%build
+ just fsp-complain
```
Then, build the package with: `make rpm`
Then, build the package with: `just rpm`
=== ":material-home: Partial Install"
Use the `make fsp` command to build instead of `make`
Use the `just fsp-complain` command to build instead of `just complain`
## Structure


@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
just dpkg
```
!!! warning
@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
If you have `devscripts` installed, you can use the one liner:
```sh
make dpkg
just dpkg
```
!!! note
You may need golang from the backports repository to build:
**Debian 12 user will need to:**
1. Install Golang from the backports repository:
```sh
echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt install -t bookworm-backports golang-go
```
2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g:
```sh
pipx install rust-just
sed '/just/d' -i debian/control
```
!!! warning
**Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different.
@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf
For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed.
```sh
make
sudo make profile-names...
just complain
sudo just local profile-names...
```
!!! warning
Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77))
For instance, `sudo make pass` gives:
For instance, `sudo just local pass` gives:
```sh
Warning: profile dependencies fallback to unconfined.
@{bin}/wl-{copy,paste} rPx,


@ -3,7 +3,7 @@
# Copyright (C) 2024-2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: make check
# Usage: just check
# shellcheck disable=SC2044
set -eu -o pipefail


@ -10,6 +10,7 @@ packages:
# Install usefull core packages
- bash-completion
- just
- git
- htop
- man


@ -11,6 +11,7 @@ packages:
# Install usefull core packages
- bash-completion
- git
- just
- htop
- man
- pass


@ -9,7 +9,7 @@ core-packages: &core-packages
- go
- golang-packaging
- htop
- make
- just
- rpmbuild
- rsync
- vim


@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)"
cd "$HOME/Projects/apparmor.d"
case "$DISTRIBUTION" in
arch)
make pkg
just pkg
;;
debian | ubuntu | whonix)
sudo rm -rf debian/.debhelper/
make dpkg
just dpkg
sudo rm -rf debian/.debhelper/
;;
opensuse*)
make rpm
just rpm
;;
*) ;;
esac