[PACKAGING] Provides a dedicated AppArmor profile

HorlogeSkynet · Sep 25, 2022 · 90d62ac · 90d62ac
1 parent 3b261e9
commit 90d62ac
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 0 deletions.
diff --git a/apparmor.profile b/apparmor.profile
@@ -0,0 +1,83 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2022 - Samuel Forestier <[email protected]>
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please create yours as [/etc/apparmor.d/]local/archey4
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/{,local/}bin/archey{,4}
+profile archey4 @{exec_path} {
+	include <abstractions/base>
+	include <abstractions/consoles>
+	include <abstractions/python>
+
+	/{usr/,}bin/python3.[0-9]* r,
+
+	# user own configuration file
+	owner @{HOME}/.config/archey4/*.json r,
+
+	# allow running processes listing through ps
+	/{,usr/}bin/ps PUx,
+
+	# [CPU] entry
+	/{,usr/}bin/lscpu PUx,
+
+	# [Disk] entry
+	/{,usr/}bin/df PUx,
+
+	# [GPU] entry
+	/{,usr/}bin/lspci PUx,
+
+	# [Hostname] entry
+	/etc/hostname r,
+
+	# [Model] entry
+	@{sys}/devices/virtual/dmi/id/* r,
+	/{,usr/}bin/systemd-detect-virt PUx,
+	/{,usr/}sbin/virt-what PUx,
+	/{,usr/}bin/getprop PUx,
+
+	# [Packages] entry
+	/{,usr/}bin/ls PUx,
+	/{,usr/}bin/apk PUx,
+	/{,usr/}bin/dnf PUx,
+	/{,usr/}bin/dpkg PUx,
+	/{,usr/}bin/emerge PUx,
+	/{,usr/}bin/nix-env PUx,
+	/{,usr/}bin/pacman PUx,
+	/{,usr/}bin/pacstall PUx,
+	/{,usr/}bin/port PUx,
+	/{,usr/}bin/yum PUx,
+	/{,usr/}bin/zypper PUx,
+
+	# [RAM] entry
+	/{,usr/}bin/free PUx,
+
+	# [Temperature] entry
+	@{sys}/devices/thermal/thermal_zone*/temp r,
+	/{,usr/}bin/sensors PUx,
+	/opt/vc/bin/vcgencmd PUx,
+
+	# [Uptime] entry
+	@{PROC}/uptime r,
+	/{,usr/}bin/uptime PUx,
+
+	# [User] entry
+	/{,usr/}bin/getent PUx,
+
+	# [WAN IP] entry (and potentially [Kernel])
+	/{,usr/}bin/dig PUx,
+	network inet  dgram,   # dig (UDP/IP)
+	network inet6 dgram,   # dig (UDP/IPv6)
+	network inet  stream,  # urllib (HTTP/IP)
+	network inet6 stream,  # urllib (HTTP/IPv6)
+
+	# [Window Manager] entry
+	/{,usr/}bin/wmctrl PUx,
+
+	# allow profile extension (e.g. for user-defined [CUSTOM] entries)
+	include if exists <local/archey4>
+}
diff --git a/packaging/build.sh b/packaging/build.sh
@@ -54,6 +54,8 @@ FPM_COMMON_ARGS=(
 	--provides 'archey4' \
 	--config-files "etc/archey4/" \
 	--config-files "etc/archey4/config.json" \
+	--config-files "etc/apparmor.d/" \
+	--config-files "etc/apparmor.d/usr.bin.archey4" \
 	--architecture "$ARCHITECTURE" \
 	--maintainer "${AUTHOR} <${AUTHOR_EMAIL}>" \
 	--after-install ./packaging/after_install \
@@ -73,6 +75,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
 # Prepare the configuration file under a regular `etc/` directory.
 mkdir -p etc/archey4/ && \
 	cp config.json etc/archey4/config.json
+# Prepare the AppArmor profile.
+mkdir -p etc/apparmor.d/ && \
+	cp apparmor.profile etc/apparmor.d/usr.bin.archey4
 # Prepare and compress the manual page.
 sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
 	gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"