build: add support for two full system policy setup.

roddhjav · Nov 11, 2023 · d09ac21 · d09ac21
1 parent 5760c01
commit d09ac21
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ BUILD := .build
 PKGNAME := apparmor.d
 P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
 
-.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean
+.PHONY: all build enforce full experimental install local $(P) pkg dpkg rpm tests lint clean
 
 all: build
 	@./${BUILD}/prebuild --complain	
@@ -23,6 +23,9 @@ enforce: build
 full: build
 	@./${BUILD}/prebuild --complain --full
 
+experimental: build
+	@./${BUILD}/prebuild --complain --exp
+
 ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n")
 PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
 install:

diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
@@ -20,13 +20,15 @@ const usage = `prebuild [-h] [--full] [--complain | --enforce]
 Options:
     -h, --help      Show this help message and exit.
     -f, --full      Set AppArmor for full system policy.
+    -E, --exp       Set AppArmor for (experimental) full system policy.
     -c, --complain  Set complain flag on all profiles.
     -e, --enforce   Set enforce flag on all profiles.
 `
 
 var (
 	help     bool
 	full     bool
+	exp      bool
 	complain bool
 	enforce  bool
 )
@@ -36,6 +38,8 @@ func init() {
 	flag.BoolVar(&help, "help", false, "Show this help message and exit.")
 	flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.")
 	flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.")
+	flag.BoolVar(&exp, "E", false, "Set AppArmor for (experimental) full system policy.")
+	flag.BoolVar(&exp, "exp", false, "Set AppArmor for (experimental) full system policy.")
 	flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.")
 	flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.")
 	flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.")
@@ -47,6 +51,8 @@ func aaPrebuild() error {
 
 	if full {
 		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+	} else if exp {
+		prebuild.Prepares = append(prebuild.Prepares, prebuild.SetExperimentalPolicy)
 	}
 	if complain {
 		prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)

diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go
@@ -73,7 +73,7 @@ func Test_AAPrebuild(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			prebuild.Distribution = tt.dist
 			if tt.full {
-				prebuild.Prepares = append(prebuild.Prepares, prebuild.SetFullSystemPolicy)
+				prebuild.Prepares = append(prebuild.Prepares, prebuild.SetExperimentalPolicy)
 			}
 			if tt.complain {
 				prebuild.Builds = append(prebuild.Builds, prebuild.BuildComplain)

diff --git a/pkg/prebuild/prepare.go b/pkg/prebuild/prepare.go
@@ -174,15 +174,26 @@ func SetFlags() error {
 }
 
 // Set AppArmor for full system policy
-// See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
-// https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads
+// See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
-	for _, name := range []string{"init", "systemd"} {
+	name := "full-policy"
+	err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join("systemd"))
+	if err != nil {
+		return err
+	}
+	logging.Success("Configure AppArmor for full system policy")
+	return nil
+}
+
+// Set AppArmor for (experimental) full system policy.
+// See https://apparmor.pujol.io/development/structure/#full-system-policy
+func SetExperimentalPolicy() error {
+	for _, name := range []string{"systemd", "systemd-user"} {
 		err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 		if err != nil {
 			return err
 		}
 	}
-	logging.Success("Configure AppArmor for full system policy")
+	logging.Success("Configure AppArmor for (experimental) full system policy")
 	return nil
 }