Merge branch 'roddhjav:main' into main

Besanon 2024-10-22 20:16:24 +02:00 committed by GitHub
commit e886831b91
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 57 additions and 20 deletions


@ -7,35 +7,35 @@ DESTDIR ?= /
BUILD ?= .build BUILD ?= .build
PKGDEST ?= ${PWD}/.pkg PKGDEST ?= ${PWD}/.pkg
PKGNAME := apparmor.d PKGNAME := apparmor.d
P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean
.PHONY: all
all: build all: build
@./${BUILD}/prebuild --complain @./${BUILD}/prebuild --complain
.PHONY: build
build: build:
@go build -o ${BUILD}/ ./cmd/aa-log @go build -o ${BUILD}/ ./cmd/aa-log
@go build -o ${BUILD}/ ./cmd/prebuild @go build -o ${BUILD}/ ./cmd/prebuild
.PHONY: enforce
enforce: build enforce: build
@./${BUILD}/prebuild @./${BUILD}/prebuild
.PHONY: full
full: build full: build
@./${BUILD}/prebuild --complain --full @./${BUILD}/prebuild --complain --full
SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n") .PHONY: install
PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
install: install:
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${SHARE}; do \ @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
done; done;
@for file in ${PROFILES}; do \ @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done; done;
@for file in ${DISABLES}; do \ @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done; done;
@ -48,19 +48,14 @@ install:
install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
done done
local:
@make
@sudo make install
@sudo systemctl restart apparmor || sudo systemctl status apparmor
ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") .PHONY: $(PROFILES)
TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") $(PROFILES):
$(P):
@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
@for file in ${ABSTRACTIONS}; do \ @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
done; done;
@for file in ${TUNABLES}; do \ @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
done; done;
@echo "Warning: profile dependencies fallback to unconfined." @echo "Warning: profile dependencies fallback to unconfined."
@ -69,34 +64,41 @@ $(P):
sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
done; done;
@systemctl restart apparmor || systemctl status apparmor @systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: dev
name ?= name ?=
dev: dev:
@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
@sudo systemctl restart apparmor || systemctl status apparmor @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
.PHONY: package
dist ?= archlinux dist ?= archlinux
package: package:
@bash dists/docker.sh ${dist} @bash dists/docker.sh ${dist}
.PHONY: pkg
pkg: pkg:
@makepkg --syncdeps --install --cleanbuild --force --noconfirm @makepkg --syncdeps --install --cleanbuild --force --noconfirm
.PHONY: dpkg
dpkg: dpkg:
@bash dists/build.sh dpkg @bash dists/build.sh dpkg
@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
.PHONY: rpm
rpm: rpm:
@bash dists/build.sh rpm @bash dists/build.sh rpm
@sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
.PHONY: tests
tests: tests:
@go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./cmd/... -v -cover -coverprofile=coverage.out
@go test ./pkg/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out
@go tool cover -func=coverage.out @go tool cover -func=coverage.out
.PHONY: lint
lint: lint:
@golangci-lint run @golangci-lint run
@make --directory=tests lint @make --directory=tests lint
@ -105,6 +107,7 @@ lint:
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
.PHONY: check
check: check:
@bash tests/check.sh @bash tests/check.sh
@ -112,15 +115,19 @@ check:
bats: bats:
@bats --print-output-on-failure tests/bats/ @bats --print-output-on-failure tests/bats/
.PHONY: manual
manual: manual:
@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
.PHONY: docs
docs: docs:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
.PHONY: serve
serve: serve:
@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
.PHONY: clean
clean: clean:
@rm -rf \ @rm -rf \
debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
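Review bot: In the `$(PROFILES):` and `dev:` recipes, the new fallback `systemctl restart apparmor || sudo journalctl -xeu apparmor.service` gives the recipe the exit status of journalctl, which normally exits 0, so a failed AppArmor restart is reported as a successful make run; the replaced `systemctl status` fallback would usually have returned non-zero for a failed unit. A failed restart can leave the freshly installed profiles unloaded, so keep the log output but preserve the failure, e.g. `@sudo systemctl restart apparmor || { sudo journalctl -xeu apparmor.service --no-pager; exit 1; }`. The `$(PROFILES):` line also runs the restart without sudo while its fallback uses sudo, which is worth aligning with `dev:`. The `$(PROFILES):` recipe spans two hunks and is only partly visible here.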


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 odomingao
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pypr
profile pypr @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-user>
include <abstractions/consoles>
signal send set=(term kill),
ptrace read,
@{exec_path} mr,
owner @{user_config_dirs}/hypr/pyprland.toml r,
owner @{run}/user/@{uid}/hypr/*/.pyprland.sock rw,
owner /dev/tty@{int} rw, # file_inherit
include if exists <local/pypr>
}
# vim:syntax=apparmor
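Review bot: The `signal send set=(term kill),` and `ptrace read,` rules in the new pypr profile carry no `peer=` qualifier, so as far as AppArmor is concerned they apply to every other label on the system, not only to the processes pypr manages. If pypr only needs to signal and inspect the applications it launches, scope both rules, e.g. `signal send set=(term kill) peer=<label>,` and `ptrace read peer=<label>,` (placeholder label; use the ones observed in the logs), or add a comment stating why the unscoped form is required. The only inline comment, `# file_inherit`, documents the tty rule, while the broader rules are the ones that need a justification.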