diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c058963d..230b5287 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,6 +25,7 @@ assignees: ''
 - Operating system and version :
 - Graphical environment name and version :
 - Connectivity (off-line, LAN only, Internet access) :
+ - AppArmor profile loaded (yes/no, check `aa-status`) :
 **Additional context**
diff --git a/apparmor.profile b/apparmor.profile
new file mode 100644
index 00000000..d7f54776
--- /dev/null
+++ b/apparmor.profile
@@ -0,0 +1,89 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2022-2023 - Samuel Forestier
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please edit local extension (/etc/apparmor.d/local/usr.bin.archey4).
+
+abi ,
+
+include
+
+profile archey4 /usr/{,local/}bin/archey{,4} {
+ include
+ include
+ include
+ include
+
+ /usr/{,local/}bin/archey{,4} r,
+
+ # configuration files
+ owner @{HOME}/.config/archey4/*.json r,
+ /etc/archey4/*.json r,
+
+ # required in order to kill sub-processes in timeout
+ capability kill,
+ signal (send),
+
+ # allow running processes listing through ps
+ /{,usr/}bin/ps PUx,
+
+ # [CPU] entry
+ /{,usr/}bin/lscpu PUx,
+
+ # [Disk] entry
+ /{,usr/}bin/df PUx,
+
+ # [GPU] entry
+ /{,usr/}bin/lspci PUx,
+
+ # [Hostname] entry
+ /etc/hostname r,
+
+ # [Load Average] entry
+ @{PROC}/loadavg r,
+
+ # [Model] entry
+ @{sys}/devices/virtual/dmi/id/* r,
+ /{,usr/}bin/systemd-detect-virt PUx,
+ /{,usr/}{,s}bin/virt-what PUx,
+ /{,usr/}bin/getprop PUx,
+
+ # [Packages] entry
+ /{,usr/}bin/ls rix,
+ /{,usr/}bin/apk PUx,
+ /{,usr/}bin/dnf PUx,
+ /{,usr/}bin/dpkg PUx,
+ /{,usr/}bin/emerge PUx,
+ /{,usr/}bin/nix-env PUx,
+ /{,usr/}bin/pacman PUx,
+ /{,usr/}bin/pacstall PUx,
+ /{,usr/}bin/port PUx,
+ /{,usr/}bin/yum PUx,
+ /{,usr/}bin/zypper PUx,
+
+ # [RAM] entry
+ /{,usr/}bin/free rix,
+
+ # [Temperature] entry
+ @{sys}/devices/thermal/thermal_zone[0-9]*/temp r,
+ /{,usr/}bin/sensors PUx,
+ /{,opt/vc/,usr/}bin/vcgencmd PUx,
+
+ # [Uptime] entry
+ @{PROC}/uptime r,
+ /{,usr/}bin/uptime rix,
+
+ # [User] entry
+ /{,usr/}bin/getent rix,
+
+ # [WAN IP] entry (and potentially [Kernel])
+ /{,usr/}bin/dig PUx,
+ network inet stream, # urllib (HTTP/IP)
+ network inet6 stream, # urllib (HTTP/IPv6)
+
+ # [Window Manager] entry
+ /{,usr/}bin/wmctrl PUx,
+
+ # allow profile extension (e.g. for user-defined [Custom] entries)
+ include if exists
+}
diff --git a/packaging/after_install b/packaging/after_install
index 50795a02..3cb028e8 100644
--- a/packaging/after_install
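Review bot: Nearly every helper executable in this profile (`ps`, `lscpu`, `df`, `lspci`, the package managers, `sensors`, `dig`, `wmctrl`, …) is granted `PUx`, so each of them runs unconfined whenever no profile of its own is loaded, which is the case on most systems; that is a deliberate narrowing of what the profile actually confines and should be stated once, e.g. before the first `PUx` rule: `# PUx: run under the tool's own profile when one exists, otherwise unconfined with a scrubbed environment (no profiles ship for these helpers)`. The `signal (send),` rule is likewise unrestricted even though the comment scopes it to killing Archey's own timed-out sub-processes; `signal (send) peer=unconfined,` plus `signal (send) peer=archey4,` (the latter for the `ix` children such as `ls`, `free`, `uptime` and `getent`) would express that intent without permitting signals to arbitrary processes. `capability kill,` is only consulted by the kernel when the target runs under a different uid, which does not appear to apply to Archey's own children, so it is worth re-checking under complain mode before keeping it.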
+++ b/packaging/after_install
@@ -3,5 +3,22 @@ set -e
+# Handle AppArmor profile (see dh_apparmor).
+APP_PROFILE="/etc/apparmor.d/usr.bin.archey4"
+if [ -f "$APP_PROFILE" ]; then
+ # Add the local/ include
+ LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.archey4"
+
+ test -e "$LOCAL_APP_PROFILE" || {
+ mkdir -p "$(dirname "$LOCAL_APP_PROFILE")"
+ install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
+ }
+
+ # Reload the profile, including any abstraction updates
+ if aa-enabled --quiet 2>/dev/null; then
+ apparmor_parser -r -T -W "$APP_PROFILE" || true
+ fi
+fi
+
 # Creates a symbolic link providing `archey4` command alias.
 ln -s -f /usr/bin/archey /usr/bin/archey4
diff --git a/packaging/after_remove b/packaging/after_remove
new file mode 100644
index 00000000..3b9c5a39
--- /dev/null
+++ b/packaging/after_remove
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+
+# Handle AppArmor profile (see dh_apparmor).
+if ! [ -e /etc/apparmor.d/usr.bin.archey4 ] ; then
+ rm -f /etc/apparmor.d/disable/usr.bin.archey4 || true
+ rm -f /etc/apparmor.d/force-complain/usr.bin.archey4 || true
+ rm -f /etc/apparmor.d/local/usr.bin.archey4 || true
+ rm -f /var/cache/apparmor/*/usr.bin.archey4 || true
+ rmdir /etc/apparmor.d/disable 2>/dev/null || true
+ rmdir /etc/apparmor.d/local 2>/dev/null || true
+ rmdir /etc/apparmor.d 2>/dev/null || true
+fi
diff --git a/packaging/before_remove b/packaging/before_remove
index 3286f981..f567fb50 100644
--- a/packaging/before_remove
+++ b/packaging/before_remove
@@ -8,7 +8,6 @@ if [ -L /usr/bin/archey4 ]; then
 rm /usr/bin/archey4
 fi
-
 # Removes any byte-code file that may have been generated by Archey.
 # Wild-cards are being used to match all supported distribution layouts.
 find /usr/lib/python3*/*-packages/archey \
diff --git a/packaging/build.sh b/packaging/build.sh
index fdbedbaf..46732ed6 100644
--- a/packaging/build.sh
+++ b/packaging/build.sh
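Review bot: `apparmor_parser -r -T -W "$APP_PROFILE" || true` swallows a failed load, so a profile the installed parser rejects leaves Archey unconfined after an install or upgrade with nothing in the package output to show it. This mirrors the dh_apparmor snippet, but because the script runs under `set -e` a non-fatal diagnostic is the cheapest fix: `apparmor_parser -r -T -W "$APP_PROFILE" || echo "warning: could not load AppArmor profile $APP_PROFILE" >&2`. A short comment at `if [ -f "$APP_PROFILE" ]; then` noting that build.sh wires this same script to both --after-install and --after-upgrade, so the reload runs on every upgrade, would also help the next reader.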
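Review bot: after_remove only deletes files under /etc/apparmor.d and /var/cache/apparmor; as far as this diff shows, nothing unloads the `archey4` policy that after_install loaded, so `aa-status` keeps listing it until reboot. That matches what dh_apparmor generates, but it deserves a comment at `if ! [ -e /etc/apparmor.d/usr.bin.archey4 ] ; then`, e.g. `# Removes the on-disk profile state only; the loaded policy is not unloaded (as with dh_apparmor) and goes away on reboot`, or an `apparmor_parser -R` guarded by `aa-enabled --quiet` in before_remove while the profile file still exists. Minor: each `rm -f … || true` is redundant since `rm -f` already exits 0 on a missing path; only the `rmdir … || true` guards are needed under `set -e`.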
@@ -58,6 +58,7 @@ FPM_COMMON_ARGS=(
 --maintainer "${AUTHOR} <${AUTHOR_EMAIL}>" \
 --after-install ./packaging/after_install \
 --after-upgrade ./packaging/after_install \
+ --after-remove ./packaging/after_remove \
 --before-remove ./packaging/before_remove \
 --python-bin python3 \
 --python-install-bin 'usr/bin/' \
@@ -73,6 +74,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
 # Prepare the configuration file under a regular `etc/` directory.
 mkdir -p etc/archey4/ && \
 cp config.json etc/archey4/config.json
+# Prepare the AppArmor profile (without `abi` directive, unsupported by Debian).
+mkdir -p etc/apparmor.d/ && \
+ sed '/^abi.*,$/d' apparmor.profile > etc/apparmor.d/usr.bin.archey4
 # Prepare and compress the manual page.
 sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
 gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"
@@ -92,6 +96,8 @@ export PYTHONDONTWRITEBYTECODE=1
 echo 'Now generating Debian package...'
 fpm \
 "${FPM_COMMON_ARGS[@]}" \
+ --config-files "etc/apparmor.d/" \
+ --config-files "etc/apparmor.d/usr.bin.archey4" \
 --output-type deb \
 --package "${DIST_OUTPUT}/${NAME}_${VERSION}-${REVISION}_${ARCHITECTURE}.deb" \
 --depends 'python3 >= 3.6' \
@@ -100,7 +106,7 @@ fpm \
 --python-install-lib 'usr/lib/python3/dist-packages/' \
 --deb-priority 'optional' \
 --deb-field 'Recommends: procps' \
- --deb-field 'Suggests: dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
+ --deb-field 'Suggests: apparmor, dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
 --deb-no-default-config-files \
 setup.py
@@ -157,9 +163,11 @@ done # setup.py
-# Remove the fake `etc/archey4/` tree.
+# Remove the fake `etc/archey4/` & `etc/apparmor.d/` trees.
 rm etc/archey4/config.json && \
 rmdir --ignore-fail-on-non-empty -p etc/archey4/
+rm etc/apparmor.d/usr.bin.archey4 && \
+ rmdir --ignore-fail-on-non-empty -p etc/apparmor.d/
 # Silence some Setuptools warnings by re-enabling byte-code generation.
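Review bot: `sed '/^abi.*,$/d' apparmor.profile > etc/apparmor.d/usr.bin.archey4` changes more than a comment suggests: with no `abi` rule apparmor_parser compiles the profile against its pinned legacy feature ABI rather than the one the repository copy declares, which can leave newer rule classes (the `network` rules are the likely candidates here) compiled but unenforced, so the packaged profile and the repository profile may not confine identically. The comment on the line above only records that the directive is "unsupported by Debian"; it should also state the consequence and what was verified, e.g. `# Without the abi rule the parser uses its pinned (pre-3.0) feature ABI; re-check the packaged profile with aa-status / complain mode whenever the target parser version changes`. Since the result is shipped as a conffile, a cheap build-time guard against an empty or unchanged output, `[ -s etc/apparmor.d/usr.bin.archey4 ] || exit 1`, would catch a silently failed sed.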