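// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2021-2024 Alexandre Pujol
// SPDX-License-Identifier: GPL-2.0-only

package prepare

import (
	"fmt"
	"strings"

	"github.com/roddhjav/apparmor.d/pkg/paths"
	"github.com/roddhjav/apparmor.d/pkg/prebuild"
)

var (
	// serverIgnorePatterns lists substrings that mark a profile as depending on
	// a desktop-related abstraction; any profile containing one of them is
	// deleted from the server build by Server.Apply.
	//
	// NOTE(review): every entry below is the bare prefix "include " with no
	// abstraction name after it. With strings.Contains this matches any profile
	// that carries an include directive at all, i.e. essentially the whole
	// tree. The bracketed abstraction names look like they were lost from the
	// source (an "include <abstractions/...>" form would explain it) — confirm
	// the real list against upstream before using this as-is.
	serverIgnorePatterns = []string{
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
		"include ",
	}

	// serverIgnoreGroups lists the profile groups that only make sense on a
	// desktop and are removed wholesale for a server build.
	serverIgnoreGroups = []string{
		"akonadi",
		"avahi",
		"bluetooth",
		"browsers",
		"cosmic",
		"cups",
		"display-manager",
		"flatpak",
		"freedesktop",
		"gnome",
		"gvfs",
		"hyprland",
		"kde",
		"lxqt",
		"steam",
		"xfce",
		"zed",
	}
)

// Server is the prepare task that trims the profile tree down to what a
// headless server needs.
type Server struct {
	prebuild.Base
}

func init() {
	RegisterTask(&Server{
		Base: prebuild.Base{
			Keyword: "server",
			Msg:     "Configure AppArmor for server",
		},
	})
}

// Apply removes every group named in serverIgnoreGroups and every profile
// under prebuild.RootApparmord whose text contains one of
// serverIgnorePatterns.
//
// It returns human-readable status lines: one per group that was not found,
// followed by the number of groups and profiles removed. On a non-nil error
// the slice holds the lines gathered so far (kept for callers that print it).
func (p Server) Apply() ([]string, error) {
	res := []string{}

	// Ignore desktop related groups
	groupNb := 0
	for _, group := range serverIgnoreGroups {
		path := prebuild.RootApparmord.Join("groups", group)
		if !path.IsDir() {
			res = append(res, fmt.Sprintf("Group %s not found, ignoring", path))
			continue
		}
		if err := path.RemoveAll(); err != nil {
			return res, err
		}
		groupNb++
	}

	// Ignore profiles using a desktop related abstraction
	fileNb := 0
	files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
	if err != nil {
		// This error used to be discarded with `files, _ :=`, which silently
		// skipped the whole profile pass and reported "0 profiles ignored".
		return res, fmt.Errorf("listing profiles: %w", err)
	}
	for _, file := range files {
		if !file.Exist() {
			continue
		}
		profile, err := file.ReadFileAsString()
		if err != nil {
			return res, err
		}
		if !containsAny(profile, serverIgnorePatterns) {
			continue
		}
		if err := file.RemoveAll(); err != nil {
			return res, err
		}
		fileNb++
	}

	res = append(res, fmt.Sprintf("%d groups ignored", groupNb))
	res = append(res, fmt.Sprintf("%d profiles ignored", fileNb))
	return res, nil
}

// containsAny reports whether s contains at least one of patterns as a
// substring. An empty patterns slice yields false.
func containsAny(s string, patterns []string) bool {
	for _, pattern := range patterns {
		if strings.Contains(s, pattern) {
			return true
		}
	}
	return false
}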