[PACKAGING] Provides a dedicated AppArmor profile (#119)
Co-authored-by: Alexandre Pujol <[email protected]>
Co-authored-by: Michael Bromilow <[email protected]>
3 people authored Apr 13, 2024
1 parent ac4285a commit d4a6b16
Showing 8 changed files with 165 additions and 2 deletions.
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Expand Up @@ -25,6 +25,7 @@ assignees: ''
- Operating system and version :
- Graphical environment name and version :
- Connectivity (off-line, LAN only, Internet access) :
- AppArmor profile loaded (yes/no, check `aa-status`) :

**Additional context**
<!-- If applicable, add any other context about the problem here. -->
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project (partially) adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
### Added
- AppArmor confinement profile (included in Debian and AUR packages)

## [v4.14.3.0] - 2024-04-06
### Added
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -446,6 +446,7 @@ Below stand further descriptions for each available (default) option :
"name": "GPU",
"icon": "\ue735",
// The custom shell command to execute.
// /!\ If you're running AppArmor, don't forget to extend Archey profile through /etc/apparmor.d/local/usr.bin.archey4 !
"shell": true,
"command": "lshw -C display 2> /dev/null | rg product | cut -d ':' -f 2",
// A custom program and its arguments to execute.
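--- a/apparmor.profile
+++ b/apparmor.profile
@@ -0,0 +1,113 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2023-2024 - Michael Bromilow
+# Copyright (C) 2023-2024 - Samuel Forestier <[email protected]>
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please edit local profile extension (/etc/apparmor.d/local/usr.bin.archey4).
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile archey4 /usr/{,local/}bin/archey{,4} {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/nameservice>
+include <abstractions/openssl>
+include <abstractions/python>
+include <abstractions/ssl_certs>
+
+/usr/bin/ r,
+/usr/{,local/}bin/archey{,4} r,
+
+# configuration files
+owner @{HOME}/.config/archey4/*.json r,
+/etc/archey4/*.json r,
+
+# required in order to kill sub-processes in timeout
+capability kill,
+signal (send),
+
+# allow running processes listing through ps
+/{,usr/}bin/ps PUx,
+
+# allow distro to parse system data sources
+/usr/lib/os-release r,
+/etc/*[-_]{release,version} r,
+/{,usr/}bin/lsb_release PUx,
+/{,usr/}bin/uname PUx,
+
+# allow screenshot tools execution
+/{,usr/}bin/escrotum PUx,
+/{,usr/}bin/flameshot PUx,
+/{,usr/}bin/gnome-screenshot PUx,
+/{,usr/}bin/grim PUx,
+/{,usr/}bin/import-im6.q16{,hdri} PUx,
+/{,usr/}bin/maim PUx,
+/{,usr/}bin/scrot PUx,
+/{,usr/}bin/shutter PUx,
+/{,usr/}bin/spectacle PUx,
+/{,usr/}bin/xfce4-screenshoter PUx,
+
+# [CPU] entry
+/{,usr/}bin/lscpu PUx,
+
+# [Disk] entry
+/{,usr/}bin/df PUx,
+
+# [GPU] entry
+/{,usr/}bin/lspci PUx,
+
+# [Hostname] entry
+/etc/hostname r,
+
+# [Load Average] entry
+@{PROC}/loadavg r,
+
+# [Model] entry
+@{sys}/devices/virtual/dmi/id/* r,
+/{,usr/}bin/systemd-detect-virt PUx,
+/{,usr/}{,s}bin/virt-what PUx,
+/{,usr/}bin/getprop PUx,
+
+# [Packages] entry
+/{,usr/}bin/ls rix,
+/{,usr/}bin/apk PUx,
+/{,usr/}bin/dnf PUx,
+/{,usr/}bin/dpkg PUx,
+/{,usr/}bin/emerge PUx,
+/{,usr/}bin/nix-env PUx,
+/{,usr/}bin/pacman PUx,
+/{,usr/}bin/pacstall PUx,
+/{,usr/}bin/pkgin PUx,
+/{,usr/}bin/port PUx,
+/{,usr/}bin/rpm PUx,
+/{,usr/}bin/yum PUx,
+/{,usr/}bin/zypper PUx,
+
+# [RAM] entry
+/{,usr/}bin/free rix,
+
+# [Temperature] entry
+@{sys}/devices/thermal/thermal_zone[0-9]*/temp r,
+/{,usr/}bin/sensors PUx,
+/{,opt/vc/,usr/}bin/vcgencmd PUx,
+
+# [Uptime] entry
+@{PROC}/uptime r,
+/{,usr/}bin/uptime rix,
+
+# [User] & [Shell] entries
+/{,usr/}bin/getent rix,
+
+# [WAN IP] entry (and potentially [Kernel])
+/{,usr/}bin/dig PUx,
+network inet stream, # urllib (HTTP/IP)
+network inet6 stream, # urllib (HTTP/IPv6)
+
+# [Window Manager] entry
+/{,usr/}bin/wmctrl PUx,
+
+# allow profile extension (e.g. for user-defined [Custom] entries)
+include if exists <local/usr.bin.archey4>
+}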
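Review bot: `capability kill,` under the "required in order to kill sub-processes in timeout" comment is broader than that purpose needs — CAP_KILL only bypasses the uid check when signalling processes owned by another user, while the `signal (send),` rule on the next line is what AppArmor mediates for the usual same-uid children. Unless a capability denial was actually observed, the capability can probably be dropped and the signal rule narrowed to the peers the helpers run as (the `PUx` helpers run unconfined when they have no profile of their own, the `rix` ones stay under this profile), e.g. `signal (send) peer=unconfined,` plus a self-peer rule; confirm with denial logs from a test run before changing it. A one-line comment explaining that `PUx` means the listed helpers are an allow-list for launching rather than confinement of what they do would also help whoever later edits /etc/apparmor.d/local/usr.bin.archey4.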
17 changes: 17 additions & 0 deletions packaging/after_install
Expand Up @@ -3,5 +3,22 @@
set -e


# Handles AppArmor profile (see dh_apparmor).
APP_PROFILE="/etc/apparmor.d/usr.bin.archey4"
if [ -f "$APP_PROFILE" ]; then
# Add the local/ include
LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.archey4"

test -e "$LOCAL_APP_PROFILE" || {
mkdir -p "$(dirname "$LOCAL_APP_PROFILE")"
install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
}

# Reload the profile, including any abstraction updates
if aa-enabled --quiet 2>/dev/null; then
apparmor_parser -r -T -W "$APP_PROFILE" || true
fi
fi

# Creates a symbolic link providing `archey4` command alias.
ln -s -f /usr/bin/archey /usr/bin/archey4
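Review bot: `apparmor_parser -r -T -W "$APP_PROFILE" || true` on the reload line hides a parser failure completely, so a profile that does not load on the target (for instance if the `abi` line stripped at build time ever survives, or an included abstraction is absent) leaves archey running unconfined with nothing in the install output to show it. Keeping the non-fatal behaviour while making it visible is a one-line change: `apparmor_parser -r -T -W "$APP_PROFILE" || echo "warning: AppArmor profile $APP_PROFILE could not be loaded" >&2`. The rest of the block follows the dh_apparmor postinst snippet and reads fine as is; the script header with `set -e` is outside the hunk.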
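--- a/packaging/after_remove
+++ b/packaging/after_remove
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+
+# Handles AppArmor profile (see dh_apparmor).
+if ! [ -e /etc/apparmor.d/usr.bin.archey4 ] ; then
+rm -f /etc/apparmor.d/disable/usr.bin.archey4 || true
+rm -f /etc/apparmor.d/force-complain/usr.bin.archey4 || true
+rm -f /etc/apparmor.d/local/usr.bin.archey4 || true
+rm -f /var/cache/apparmor/*/usr.bin.archey4 || true
+rmdir /etc/apparmor.d/disable 2>/dev/null || true
+rmdir /etc/apparmor.d/local 2>/dev/null || true
+rmdir /etc/apparmor.d 2>/dev/null || true
+fi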
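Review bot: The only guard on deleting the administrator's extension in /etc/apparmor.d/local/usr.bin.archey4 is `! [ -e /etc/apparmor.d/usr.bin.archey4 ]`, which on Debian holds after purge (dpkg has removed the conffile) but not after plain removal, so local customizations survive a remove by that ordering alone; the dh_apparmor postrm snippet this mirrors also checks `[ "$1" = "purge" ]`. If fpm's generated postrm passes the maintainer-script action through, adding that check makes the intent explicit; if it does not, a comment stating that the `-e` test is what protects local/ would help, and the behaviour should be checked on the AUR package where no conffile handling exists. The `|| true` after each `rm -f` is redundant for missing paths (`rm -f` already exits 0 there) and only swallows permission errors, which is worth a comment if intended.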
6 changes: 6 additions & 0 deletions packaging/before_remove
Expand Up @@ -16,3 +16,9 @@ find /usr/lib/python3*/*-packages/archey \
-name __pycache__ \
-exec \
rm -r {} +

# Removes the AppArmor definition from kernel.
APP_PROFILE="/etc/apparmor.d/usr.bin.archey4"
if aa-enabled --quiet 2>/dev/null; then
apparmor_parser -R "$APP_PROFILE" || true
fi
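Review bot: `apparmor_parser -R "$APP_PROFILE"` runs on every invocation of this script, and build.sh registers it only as `--before-remove`; if fpm's generated prerm is also invoked on upgrade (dpkg runs the old version's prerm with `upgrade`), the profile is unloaded here and only reinstated by after_install afterwards, leaving the binary unconfined for the duration of the upgrade. Gating on the action when it is passed through avoids that: `if [ "$1" = "remove" ] && aa-enabled --quiet 2>/dev/null; then`. `APP_PROFILE` is also defined with the same literal path in after_install and after_remove; a comment that the three must stay in sync would help. The `find ... -exec rm` statement at the top of the hunk begins outside it.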
12 changes: 10 additions & 2 deletions packaging/build.sh
Expand Up @@ -58,6 +58,7 @@ FPM_COMMON_ARGS=(
--maintainer "${AUTHOR} <${AUTHOR_EMAIL}>" \
--after-install ./packaging/after_install \
--after-upgrade ./packaging/after_install \
--after-remove ./packaging/after_remove \
--before-remove ./packaging/before_remove \
--python-bin python3 \
--python-install-bin 'usr/bin/' \
Expand All @@ -73,6 +74,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
# Prepare the configuration file under a regular `etc/` directory.
mkdir -p etc/archey4/ && \
cp config.json etc/archey4/config.json
# Prepare the AppArmor profile (without `abi` directive, unsupported by Debian).
mkdir -p etc/apparmor.d/ && \
sed '/^abi.*,$/d' apparmor.profile > etc/apparmor.d/usr.bin.archey4
# Prepare and compress the manual page.
sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"
Expand All @@ -92,6 +96,8 @@ export PYTHONDONTWRITEBYTECODE=1
echo 'Now generating Debian package...'
fpm \
"${FPM_COMMON_ARGS[@]}" \
--config-files "etc/apparmor.d/" \
--config-files "etc/apparmor.d/usr.bin.archey4" \
--output-type deb \
--package "${DIST_OUTPUT}/${NAME}_${VERSION}-${REVISION}_${ARCHITECTURE}.deb" \
--depends 'python3 >= 3.6' \
Expand All @@ -100,7 +106,7 @@ fpm \
--python-install-lib 'usr/lib/python3/dist-packages/' \
--deb-priority 'optional' \
--deb-field 'Recommends: procps' \
--deb-field 'Suggests: dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
--deb-field 'Suggests: apparmor, dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
--deb-no-default-config-files \
setup.py

Expand Down Expand Up @@ -157,9 +163,11 @@ done
# setup.py


# Remove the fake `etc/archey4/` tree.
# Remove the fake `etc/archey4/` & `etc/apparmor.d/` trees.
rm etc/archey4/config.json && \
rmdir --ignore-fail-on-non-empty -p etc/archey4/
rm etc/apparmor.d/usr.bin.archey4 && \
rmdir --ignore-fail-on-non-empty -p etc/apparmor.d/


# Silence some Setuptools warnings by re-enabling byte-code generation.
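Review bot: `sed '/^abi.*,$/d' apparmor.profile > etc/apparmor.d/usr.bin.archey4` exits 0 whether or not it removed anything, so a later reformatting of the `abi` line in apparmor.profile (extra spaces, a trailing comment) would ship a Debian profile the target parser rejects, and after_install's `|| true` would then hide the failure at install time. Checking the result in the build keeps that visible: `! grep -q '^abi' etc/apparmor.d/usr.bin.archey4 || { echo 'abi directive not stripped from AppArmor profile' >&2; exit 1; }`. Separately, `--config-files "etc/apparmor.d/"` already marks everything under that directory as a conffile, so the second `--config-files` line for the same file looks redundant unless fpm needs both; a short comment on why both are listed would help.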