felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

build: add early support for server version of the package.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-06 22:16:40 +02:00
parent 2aead7e93b
commit ab7cba2da6
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 54 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

44
docs/development/build.md
View file

@ -10,18 +10,22 @@ go run ./cmd/prebuild -h
```
```
aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4]
aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE]
Prebuild apparmor.d profiles for a given distribution and apply
internal built-in directives.
Options:
-h, --help Show this help message and exit.
-c, --complain Set complain flag on all profiles.
-e, --enforce Set enforce flag on all profiles.
-a, --abi ABI Target apparmor ABI.
-f, --full Set AppArmor for full system policy.
-F, --file Only prebuild a given file.
-h, --help Show this help message and exit.
-c, --complain Set complain flag on all profiles.
-e, --enforce Set enforce flag on all profiles.
-a, --abi ABI Target apparmor ABI.
-v, --version V Target apparmor version.
-f, --full Set AppArmor for full system policy.
-s, --server Set AppArmor for server.
-b, --buildir DIR Root build directory.
-F, --file Only prebuild a given file.
--debug Enable debug mode.
Prepare tasks:
configure - Set distribution specificities
@ -31,21 +35,27 @@ Prepare tasks:
overwrite - Overwrite dummy upstream profiles
synchronise - Initialize a new clean apparmor.d build directory
ignore - Ignore profiles and files from:
server - Configure AppArmor for server
systemd-default - Configure systemd unit drop in files to a profile for some units
systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor
attach - Configure tunable for re-attached path
Build tasks:
abi3 - Convert all profiles from abi 4.0 to abi 3.0
attach - Re-attach disconnected path
complain - Set complain flag on all profiles
enforce - All profiles have been enforced
fsp - Prevent unconfined transitions in profile rules
hotfix - Temporary fix for #74, #80 & #235
userspace - Resolve variable in profile attachments
userspace - Fix: resolve variable in profile attachments
abi3 - Build: convert all profiles from abi 4.0 to abi 3.0
attach - Feat: re-attach disconnected path
base-strict - Feat: use 'base-strict' as base abstraction
complain - Build: set complain flag on all profiles
debug - Build: debug mode enabled
enforce - Build: all profiles have been enforced
fsp - Feat: prevent unconfined transitions in profile rules
hotfix - Fix: temporary solution for #74, #80 & #235
stacked-dbus - Fix: resolve peer label variable in dbus rules
Directive:
#aa:dbus own bus=<bus> name=<name> [interface=AARE] [path=AARE]
#aa:dbus talk bus=<bus> name=<name> label=<profile> [interface=AARE] [path=AARE]
#aa:dbus common bus=<bus> name=<name> label=<profile>
#aa:exec [P|U|p|u|PU|pu|] profiles...
#aa:only filters...
#aa:exclude filters...
@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`server`**
Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play).
*Enable with the `--server` option in the prebuild command.*
### **`merge`**
Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse.