felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

build: add early support for server version of the package.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-06 22:16:40 +02:00
parent 2aead7e93b
commit ab7cba2da6
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 54 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

44
docs/development/build.md
View file

@ -10,18 +10,22 @@ go run ./cmd/prebuild -h
``` ```
``` ```
aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE]
Prebuild apparmor.d profiles for a given distribution and apply Prebuild apparmor.d profiles for a given distribution and apply
internal built-in directives. internal built-in directives.
Options: Options:
-h, --help Show this help message and exit. -h, --help Show this help message and exit.
-c, --complain Set complain flag on all profiles. -c, --complain Set complain flag on all profiles.
-e, --enforce Set enforce flag on all profiles. -e, --enforce Set enforce flag on all profiles.
-a, --abi ABI Target apparmor ABI. -a, --abi ABI Target apparmor ABI.
-f, --full Set AppArmor for full system policy. -v, --version V Target apparmor version.
-F, --file Only prebuild a given file. -f, --full Set AppArmor for full system policy.
-s, --server Set AppArmor for server.
-b, --buildir DIR Root build directory.
-F, --file Only prebuild a given file.
--debug Enable debug mode.
Prepare tasks: Prepare tasks:
configure - Set distribution specificities configure - Set distribution specificities
@ -31,21 +35,27 @@ Prepare tasks:
overwrite - Overwrite dummy upstream profiles overwrite - Overwrite dummy upstream profiles
synchronise - Initialize a new clean apparmor.d build directory synchronise - Initialize a new clean apparmor.d build directory
ignore - Ignore profiles and files from: ignore - Ignore profiles and files from:
server - Configure AppArmor for server
systemd-default - Configure systemd unit drop in files to a profile for some units systemd-default - Configure systemd unit drop in files to a profile for some units
systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor
attach - Configure tunable for re-attached path
Build tasks: Build tasks:
abi3 - Convert all profiles from abi 4.0 to abi 3.0 userspace - Fix: resolve variable in profile attachments
attach - Re-attach disconnected path abi3 - Build: convert all profiles from abi 4.0 to abi 3.0
complain - Set complain flag on all profiles attach - Feat: re-attach disconnected path
enforce - All profiles have been enforced base-strict - Feat: use 'base-strict' as base abstraction
fsp - Prevent unconfined transitions in profile rules complain - Build: set complain flag on all profiles
hotfix - Temporary fix for #74, #80 & #235 debug - Build: debug mode enabled
userspace - Resolve variable in profile attachments enforce - Build: all profiles have been enforced
fsp - Feat: prevent unconfined transitions in profile rules
hotfix - Fix: temporary solution for #74, #80 & #235
stacked-dbus - Fix: resolve peer label variable in dbus rules
Directive: Directive:
#aa:dbus own bus=<bus> name=<name> [interface=AARE] [path=AARE] #aa:dbus own bus=<bus> name=<name> [interface=AARE] [path=AARE]
#aa:dbus talk bus=<bus> name=<name> label=<profile> [interface=AARE] [path=AARE] #aa:dbus talk bus=<bus> name=<name> label=<profile> [interface=AARE] [path=AARE]
#aa:dbus common bus=<bus> name=<name> label=<profile>
#aa:exec [P|U|p|u|PU|pu|] profiles... #aa:exec [P|U|p|u|PU|pu|] profiles...
#aa:only filters... #aa:only filters...
#aa:exclude filters... #aa:exclude filters...
@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl
*Enabled by default. Can be disabled in `cmd/prebuild/main.go`* *Enabled by default. Can be disabled in `cmd/prebuild/main.go`*
### **`server`**
Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play).
*Enable with the `--server` option in the prebuild command.*
### **`merge`** ### **`merge`**
Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse.

27
pkg/prebuild/cli/cli.go
View file

@ -7,6 +7,8 @@ package cli
import ( import (
"flag" "flag"
"fmt" "fmt"
"os"
"slices"
"strings" "strings"
"github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/logging"
@ -20,7 +22,7 @@ import (
const ( const (
nilABI = 0 nilABI = 0
nilVer = 0.0 nilVer = 0.0
usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE]
Prebuild apparmor.d profiles for a given distribution and apply Prebuild apparmor.d profiles for a given distribution and apply
internal built-in directives. internal built-in directives.
@ -32,7 +34,8 @@ Options:
-a, --abi ABI Target apparmor ABI. -a, --abi ABI Target apparmor ABI.
-v, --version V Target apparmor version. -v, --version V Target apparmor version.
-f, --full Set AppArmor for full system policy. -f, --full Set AppArmor for full system policy.
-b, --buildir DIR Root build directory. -s, --server Set AppArmor for server.
-b, --buildir DIR Root build directory.
-F, --file Only prebuild a given file. -F, --file Only prebuild a given file.
--debug Enable debug mode. --debug Enable debug mode.
` `
@ -43,6 +46,7 @@ var (
complain bool complain bool
enforce bool enforce bool
full bool full bool
server bool
debug bool debug bool
abi int abi int
version float64 version float64
@ -55,6 +59,8 @@ func init() {
flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.")
flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.")
flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
flag.BoolVar(&server, "s", false, "Set AppArmor for server.")
flag.BoolVar(&server, "server", false, "Set AppArmor for server.")
flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
@ -81,7 +87,22 @@ func Configure() {
flag.Parse() flag.Parse()
if help { if help {
flag.Usage() flag.Usage()
return os.Exit(0)
}
if server {
idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"])
if idx == -1 {
prepare.Register("server")
} else {
prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"])
}
// Remove hotfix task as it is not needed on server
idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"])
if idx != -1 {
prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1)
}
} }
if full && paths.New("apparmor.d/groups/_full").Exist() { if full && paths.New("apparmor.d/groups/_full").Exist() {