build: add support for apparmor 4.1
Enabled when prebuild is run with the --version 4.1 argument
parent
ebc8b29b1d
commit
e4a7e16ec0
5 changed files with 37 additions and 3 deletions
|
|
@ -12,15 +12,22 @@ firefox
|
||||||
flatpak
|
flatpak
|
||||||
foliate
|
foliate
|
||||||
loupe
|
loupe
|
||||||
|
lsblk
|
||||||
|
lsusb
|
||||||
msedge
|
msedge
|
||||||
mullvad
|
mullvad
|
||||||
nautilus
|
nautilus
|
||||||
|
openvpn
|
||||||
opera
|
opera
|
||||||
|
os-prober
|
||||||
plasmashell
|
plasmashell
|
||||||
|
remmina
|
||||||
signal-desktop
|
signal-desktop
|
||||||
slirp4netns
|
slirp4netns
|
||||||
|
steam
|
||||||
systemd-coredump
|
systemd-coredump
|
||||||
thunderbird
|
thunderbird
|
||||||
transmission
|
transmission
|
||||||
unix-chkpwd
|
unix-chkpwd
|
||||||
virtiofsd
|
virtiofsd
|
||||||
|
wg-quick
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ func init() {
|
||||||
RegisterBuilder(&ReAttach{
|
RegisterBuilder(&ReAttach{
|
||||||
Base: prebuild.Base{
|
Base: prebuild.Base{
|
||||||
Keyword: "attach",
|
Keyword: "attach",
|
||||||
Msg: "Re-attach disconnect path",
|
Msg: "Re-attach disconnected path",
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,8 @@ import (
|
||||||
|
|
||||||
const (
|
const (
|
||||||
nilABI uint = 0
|
nilABI uint = 0
|
||||||
usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4]
|
nilVer = "4.0"
|
||||||
|
usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE]
|
||||||
|
|
||||||
Prebuild apparmor.d profiles for a given distribution and apply
|
Prebuild apparmor.d profiles for a given distribution and apply
|
||||||
internal built-in directives.
|
internal built-in directives.
|
||||||
|
|
@ -29,6 +30,7 @@ Options:
|
||||||
-c, --complain Set complain flag on all profiles.
|
-c, --complain Set complain flag on all profiles.
|
||||||
-e, --enforce Set enforce flag on all profiles.
|
-e, --enforce Set enforce flag on all profiles.
|
||||||
-a, --abi ABI Target apparmor ABI.
|
-a, --abi ABI Target apparmor ABI.
|
||||||
|
-v, --version V Target apparmor version.
|
||||||
-f, --full Set AppArmor for full system policy.
|
-f, --full Set AppArmor for full system policy.
|
||||||
-F, --file Only prebuild a given file.
|
-F, --file Only prebuild a given file.
|
||||||
`
|
`
|
||||||
|
|
@ -40,6 +42,7 @@ var (
|
||||||
enforce bool
|
enforce bool
|
||||||
full bool
|
full bool
|
||||||
abi uint
|
abi uint
|
||||||
|
version string
|
||||||
file string
|
file string
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -54,6 +57,8 @@ func init() {
|
||||||
flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.")
|
flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.")
|
||||||
flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.")
|
flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.")
|
||||||
flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.")
|
flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.")
|
||||||
|
flag.StringVar(&version, "v", nilVer, "Target apparmor version.")
|
||||||
|
flag.StringVar(&version, "version", nilVer, "Target apparmor version.")
|
||||||
flag.StringVar(&file, "F", "", "Only prebuild a given file.")
|
flag.StringVar(&file, "F", "", "Only prebuild a given file.")
|
||||||
flag.StringVar(&file, "file", "", "Only prebuild a given file.")
|
flag.StringVar(&file, "file", "", "Only prebuild a given file.")
|
||||||
}
|
}
|
||||||
|
|
@ -92,11 +97,14 @@ func Configure() {
|
||||||
case 3:
|
case 3:
|
||||||
builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
|
builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0
|
||||||
case 4:
|
case 4:
|
||||||
// builder.Register("attach") // Re-attach disconnect path
|
// builder.Register("attach") // Re-attach disconnected path
|
||||||
default:
|
default:
|
||||||
logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
|
logging.Fatal("Invalid ABI version: %d", prebuild.ABI)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if version != nilVer {
|
||||||
|
prebuild.Version = version
|
||||||
|
}
|
||||||
if file != "" {
|
if file != "" {
|
||||||
sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise)
|
sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise)
|
||||||
sync.Paths = []string{file}
|
sync.Paths = []string{file}
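Review bot: The new `--version` value is copied into `prebuild.Version` in `Configure()` as a free-form string with no validation, while the ABI switch directly above it ends in a `logging.Fatal` default for unknown values. The consumer visible in this commit compares against the literal `"4.1"`, so a mistyped value such as `--version 4.10` would presumably produce a 4.0-style build with no warning. Consider rejecting unsupported values next to the assignment, e.g. `if version != "4.0" && version != "4.1" { logging.Fatal("Invalid AppArmor version: %s", version) }`. `Configure()` begins and continues outside this hunk.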
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,9 @@ var (
|
||||||
// AppArmor ABI version
|
// AppArmor ABI version
|
||||||
ABI uint = 0
|
ABI uint = 0
|
||||||
|
|
||||||
|
// AppArmor version
|
||||||
|
Version string = "4.0"
|
||||||
|
|
||||||
// Pkgname is the name of the package
|
// Pkgname is the name of the package
|
||||||
Pkgname string = "apparmor.d"
|
Pkgname string = "apparmor.d"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -55,5 +55,21 @@ func (p Configure) Apply() ([]string, error) {
|
||||||
return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution)
|
return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if prebuild.Version == "4.1" {
|
||||||
|
// Remove files upstreamed in 4.1
|
||||||
|
remove := []string{
|
||||||
|
"abstractions/devices-usb-read",
|
||||||
|
"abstractions/devices-usb",
|
||||||
|
"abstractions/nameservice-strict",
|
||||||
|
"tunables/multiarch.d/base",
|
||||||
|
"wg", // Upstream version is identical
|
||||||
|
}
|
||||||
|
for _, name := range remove {
|
||||||
|
if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil {
|
||||||
|
return res, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
return res, nil
|
return res, nil
|
||||||
}
|
}
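Review bot: The removal list in `Apply()` is gated on the exact string `prebuild.Version == "4.1"`, so a build targeting any later release would keep the local copies of files the comment describes as upstreamed; if that is intended, the comment should say so. Only `wg` is annotated as identical to upstream. For the three abstractions and the tunable, it would help to record whether the upstream copies grant the same access, since profiles that include them will presumably pick up the upstream rules instead. The error from `RemoveAll()` is returned bare; `return res, fmt.Errorf("removing %s: %w", name, err)` would name the path that failed. `Apply()` starts above this hunk.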
|
||||||
|
|
|
||||||