File smar-apparmor-profiles.spec.in of Package smar-apparmor-profiles

#
# spec file for package smar-apparmor-profiles

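# TODO: Add a post-install scriptlet to the common package that reloads AppArmor, so that
# installed or updated profiles actually get loaded; until then they are presumably not
# enforced before AppArmor is reloaded by other means.
# Unless there is a better way that SUSE expects this to be done.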

Name:           smar-apparmor-profiles
# NOTE(review): RPM does not allow "-" in a Version value. This file is a .spec.in
# template, so presumably the value is rewritten before the build — confirm.
Version:        1.0.0-pre
Release:        0
Summary:        Per-package apparmor-profiles
License:        ISC
Group:          Productivity/Security
Url:            https://git.sr.ht/~smar/smar-apparmor-profiles
# Main source archive; the install section moves profiles, abstractions and tunables out of it.
Source0:        %{name}-%{version}.tar.xz
# Presumably the rpmlint configuration for this package; its contents are not visible here.
Source1:        rpmlintrc
# Unpacked by the prep section into the same build tree as the main archive.
Source2:        systemd_overrides.tar.xz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# Needed by the build section to read the Perl version of the build host.
BuildRequires:  /usr/bin/perl
# This allows us not to need to own /etc/apparmor.d
BuildRequires:  apparmor-profiles
# Used for adding overrides to certain systemd services.
BuildRequires:  systemd-rpm-macros

%description
This project aims to provide per-package AppArmor profiles, so that they are pulled in automatically
when the relevant package is installed on a system. This avoids cluttering AppArmor with unnecessary profiles,
and also allows easy blacklisting of profiles one does not want.

A profile can still be temporarily disabled with a symlink in the /etc/apparmor.d/disable directory.

%prep
# Unpack the main source archive quietly and change into its top-level directory.
%setup -q

# Unpack the second source archive (the systemd overrides) into that same directory.
tar xf %{S:2}

%build
# Perl version of the build host: $^V with its first character dropped
# (for example "5.36.0" from "v5.36.0" — constructed example).
perl_version="$(perl -e 'use warnings; use strict; print substr $^V, 1;')"

# Fill the placeholder values in the tunables with the target CPU, the Perl version
# found above and the library directories of the build target.
# NOTE(review): these values are fixed at build time, while the tunables ship in the
# "common" subpackage, which is declared noarch and marks them as config that is not
# replaced on upgrade. On a host whose architecture, library directory or Perl version
# differs from the build, the variables would not match the system, so rules built on
# them would presumably not cover the intended paths — confirm how this is kept in sync.
sed -i "s|@{arch}=CPU_ARCHITECTURE|@{arch}=%{_target_cpu}|" tunables/hardware
sed -i "s|@{perl_current_version}=CURRENT_PERL_VERSION|@{perl_current_version}=${perl_version}|" tunables/perl
sed -i "s|@{system_libdir}=ESSENTIAL_SYSTEM_LIBDIR|@{system_libdir}=/%{_lib}|" tunables/system.d/arch-specific
sed -i "s|@{libdir}=SYSTEM_LIBDIR|@{libdir}=%{_libdir}|" tunables/system.d/arch-specific

%install
# Target directories for everything installed below. This first group is created
# together with any missing parent directories.
mkdir -p \
    %{buildroot}%{_bindir} \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/audio.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/consoles.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/dri-common.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/qt5.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
# The remaining directories use plain mkdir and are listed parent before child.
mkdir \
    %{buildroot}%{_sysconfdir}/apparmor.d/lib \
    %{buildroot}%{_sysconfdir}/apparmor.d/local \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/cli \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables/system.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d

# Dovecot profiles are installed directly into the profile directory.
mv profiles/server/dovecot/* %{buildroot}%{_sysconfdir}/apparmor.d

# Abstractions that live at the top level of abstractions/.
mv \
    abstractions/Xorg \
    abstractions/akonadi \
    abstractions/cli \
    abstractions/discrete-transition-all \
    abstractions/dns \
    abstractions/drkonqi \
    abstractions/fish \
    abstractions/katepart \
    abstractions/kde-common \
    abstractions/kde_file_dialog \
    abstractions/less \
    abstractions/passwd \
    abstractions/plasma \
    abstractions/qt6 \
    abstractions/qtwebengine \
    abstractions/sddm \
    abstractions/shells \
    abstractions/smar \
    abstractions/smar-base \
    abstractions/smar-strict \
    abstractions/smar_kde \
    abstractions/smar_perl \
    abstractions/smar_python \
    abstractions/smar_ruby \
    abstractions/system-daemon \
    abstractions/systemd \
    abstractions/unconfined-steam \
    abstractions/user-daemon \
    abstractions/videocard \
    abstractions/vim-inline-editor \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/

# Additions dropped into the .d directories of existing abstractions.
for dropin_dir in audio.d consoles.d dri-common.d private-files-strict.d qt5.d; do
    mv "abstractions/${dropin_dir}/smar-additions" "%{buildroot}%{_sysconfdir}/apparmor.d/abstractions/${dropin_dir}/"
done
mv abstractions/system-daemon.d/unconfined-systemd %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/

# Local files for abstractions.
mv \
    abstractions/local/smar_kde \
    abstractions/local/Xorg \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions/

mv lib/allow-ptraces %{buildroot}%{_sysconfdir}/apparmor.d/lib/

# Tunables at the top level of tunables/.
mv \
    tunables/hardware \
    tunables/kde \
    tunables/krb5 \
    tunables/numeric \
    tunables/obs \
    tunables/perl \
    tunables/python \
    tunables/ruby \
    tunables/smar \
    tunables/sysdevices \
    tunables/system \
    tunables/textual \
    tunables/user \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables/

# Tunables that belong in tunables/system.d/.
mv \
    tunables/system.d/arch-specific \
    tunables/system.d/os-specific \
    tunables/system.d/system-specific \
    tunables/system.d/x86 \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables/system.d/

# Namespace definitions.
mv namespaces/kde_file_dialog %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d/
#mv namespaces/kde_file_dialog %%{buildroot}%%{_sysconfdir}/apparmor.d/

# A profile in the git repository can be a symlink, to
# avoid unnecessary profile copies, since combining
# profiles is still not possible.
#
# Rewrite the symlinks so that they resolve correctly once installed.
#
# For now such symlinks only exist for rpm-scriptlets.
pushd namespaces/rpm-scriptlets.d

# First add regular files to the package file list (namespace_files.rpm in the build
# directory). Only the basename of each file is recorded, so every entry is listed as
# if it sat directly in the rpm-scriptlets.d directory.
find . -type f -exec sh -c '
  package_path="${1}"
  package_name="$(basename "${package_path}")"

  buildroot_profile_file="%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${package_name}"
  echo "${buildroot_profile_file}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
  ' sh {} \;

# Then process the links. Each link is re-pointed, whatever its original target, at
# ../../<own name>; assuming it is installed at the path recorded below, that resolves
# to the file of the same name directly under apparmor.d. The installed path of the
# link is appended to the same file list.
# NOTE(review): nothing visible here checks that the link target is actually packaged;
# a dangling link would presumably leave a profile that cannot be loaded — confirm.
find . -type l -exec sh -c '
    package_path="${1}"
    package_name="$(basename "${package_path}")"
    #echo "readlink ${1}: $(readlink "${package_path}")"
    ln -sfn ../../"${package_name}" "${package_path}"

    buildroot_profile_link="%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${package_name}"
    echo "${buildroot_profile_link}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
  ' sh {} \;
popd

___INSTALL_RULES_HERE___

# Common files.
%package common
Summary:        Common files for Smar’s AppArmor profiles
Requires:       %{name}-sddm-abstractions
BuildArch:      noarch

%description common
Common files for Smar’s AppArmor profiles.

Contains things like tunables helpful with /sys/devices/** rules.

# File list of the common subpackage: directories it owns, shared abstractions, the
# ptrace helper and the tunables.
%files common
%dir %{_sysconfdir}/apparmor.d/abstractions/audio.d
%dir %{_sysconfdir}/apparmor.d/abstractions/consoles.d
%dir %{_sysconfdir}/apparmor.d/abstractions/dri-common.d
%dir %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d
%dir %{_sysconfdir}/apparmor.d/abstractions/qt5.d
%dir %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
# NOTE(review): the visible part of the install section does not create this directory;
# presumably the generated install rules do — confirm.
%dir %{_sysconfdir}/apparmor.d/extra
%dir %{_sysconfdir}/apparmor.d/lib
%dir %{_sysconfdir}/apparmor.d/local/abstractions
%dir %{_sysconfdir}/apparmor.d/local/cli
%dir %{_sysconfdir}/apparmor.d/namespaces.d
%dir %{_sysconfdir}/apparmor.d/tunables/system.d

# Plain %%config: when both the admin and the package changed a file, an upgrade installs
# the packaged version and keeps the local copy as .rpmsave, so policy updates take effect.
%config %{_sysconfdir}/apparmor.d/abstractions/audio.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/cli
%config %{_sysconfdir}/apparmor.d/abstractions/consoles.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/discrete-transition-all
%config %{_sysconfdir}/apparmor.d/abstractions/dns
%config %{_sysconfdir}/apparmor.d/abstractions/dri-common.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/fish
%config %{_sysconfdir}/apparmor.d/abstractions/kde-common
%config %{_sysconfdir}/apparmor.d/abstractions/passwd
%config %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/qt5.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/qt6
%config %{_sysconfdir}/apparmor.d/abstractions/qtwebengine
%config %{_sysconfdir}/apparmor.d/abstractions/shells
%config %{_sysconfdir}/apparmor.d/abstractions/smar
%config %{_sysconfdir}/apparmor.d/abstractions/smar-base
%config %{_sysconfdir}/apparmor.d/abstractions/smar_perl
%config %{_sysconfdir}/apparmor.d/abstractions/smar_python
%config %{_sysconfdir}/apparmor.d/abstractions/smar-strict
%config %{_sysconfdir}/apparmor.d/abstractions/system-daemon
# %%config(noreplace): a locally edited file is kept on upgrade and the packaged version
# is written next to it as .rpmnew, so packaged changes to an edited file do not take
# effect until they are merged by hand.
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/unconfined-systemd
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/unconfined-steam
%config %{_sysconfdir}/apparmor.d/abstractions/user-daemon

%config %{_sysconfdir}/apparmor.d/lib/allow-ptraces

# NOTE(review): tunables/hardware, tunables/perl and tunables/system.d/arch-specific are
# rewritten by the build section with values of the build target, yet this subpackage is
# declared noarch — confirm that the installed values match every host it is installed on.
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/hardware
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/kde
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/krb5
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/numeric
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/textual
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/obs
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/perl
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/python
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/ruby
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/smar
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/sysdevices
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system.d/arch-specific
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system.d/os-specific
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system.d/system-specific
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system.d/x86
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/user

# kde/smar_kde
# Subpackage with the KDE-related abstractions; it pulls in the SDDM and Xorg
# abstraction subpackages.
%package kde-abstractions
Summary:        Abstractions for KDE AppArmor profiles
Requires:       %{name}-sddm-abstractions
Requires:       %{name}-xorg-abstractions
BuildArch:      noarch
#
# For tunables/sssd. Only useful if Kerberos 5 authentication
# is used via SSSD, I suppose.
Suggests:       sssd-profiles

%description kde-abstractions
KDE abstractions from project smar-apparmor-profiles.

These abstractions have some convenience definitions for KDE profiles.

%files kde-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/akonadi
%config %{_sysconfdir}/apparmor.d/abstractions/drkonqi
%config %{_sysconfdir}/apparmor.d/abstractions/katepart
%config %{_sysconfdir}/apparmor.d/abstractions/kde_file_dialog
%config %{_sysconfdir}/apparmor.d/abstractions/plasma
%config %{_sysconfdir}/apparmor.d/abstractions/smar_kde
# The namespace definition is installed under namespaces.d; the commented-out line
# below is the alternative location directly in the profile directory.
%config %{_sysconfdir}/apparmor.d/namespaces.d/kde_file_dialog
#%%config %%{_sysconfdir}/apparmor.d/kde_file_dialog
# NOTE(review): this file sits under local/, which looks like the place for site-specific
# additions, but it is plain %%config: if a later package version changes it, an upgrade
# moves the admin's edited copy aside as .rpmsave. Confirm whether %%config(noreplace)
# is intended here.
%config %{_sysconfdir}/apparmor.d/local/abstractions/smar_kde
# NOTE(review): the visible part of the install section does not create this directory;
# presumably the generated install rules do — confirm.
%dir %{_sysconfdir}/apparmor.d/local/kde

# Programs writing to sddm user log.
%package sddm-abstractions
Summary:        Abstractions for profiles utilizing SDDM in one way or another
Supplements:    sddm
BuildArch:      noarch

%description sddm-abstractions
SDDM abstractions from project smar-apparmor-profiles.

These abstractions allow writing to SDDM’s user log, akin to the old
Xsession-errors.

%files sddm-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/sddm

# X.org abstractions.
%package xorg-abstractions
Summary:        Abstractions for profiles utilizing X in one way or another
BuildArch:      noarch

%description xorg-abstractions
AppArmor abstraction files for Xorg from project smar-apparmor-profiles.

Pulled and used by *-profiles packages.

# File list of the Xorg abstractions subpackage.
%files xorg-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/Xorg
%config %{_sysconfdir}/apparmor.d/abstractions/videocard
# NOTE(review): this file sits under local/, which looks like the place for site-specific
# additions, but it is plain %%config: if a later package version changes it, an upgrade
# moves the admin's edited copy aside as .rpmsave. Confirm whether %%config(noreplace)
# is intended here.
%config %{_sysconfdir}/apparmor.d/local/abstractions/Xorg

# systemd abstractions.
%package systemd-abstractions
Summary:        Abstractions for profiles utilizing systemd in one way or another
BuildArch:      noarch

%description systemd-abstractions
AppArmor abstraction files for systemd from project smar-apparmor-profiles.

Pulled and used by *-profiles packages.

%files systemd-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/systemd

# All programs that use less
%package less-abstractions
Summary:        Abstractions for AppArmor profiles that use less
BuildArch:      noarch

%description less-abstractions
Less abstractions from project smar-apparmor-profiles.

These abstractions provide rules for applications using less in one way or another.

%files less-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/less

# All programs that use Ruby
%package ruby-abstractions
Summary:        Abstractions for AppArmor profiles that use Ruby
Supplements:    ruby
BuildArch:      noarch

%description ruby-abstractions
Ruby abstractions from project smar-apparmor-profiles.

These abstractions provide rules for applications using Ruby in one way or another.

%files ruby-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/smar_ruby

# All programs that use vim
%package vim-abstractions
Summary:        Abstractions for AppArmor profiles that use vim
BuildArch:      noarch

%description vim-abstractions
Vim abstractions from project smar-apparmor-profiles.

These abstractions provide rules for applications using Vim in one way or another.

%files vim-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/vim-inline-editor

# Dovecot
# Subpackage with the Dovecot profiles; Supplements lets the package manager pull it
# in when dovecot is installed.
# NOTE(review): no Requires on the common or abstraction subpackages is declared here.
# If these profiles include tunables or abstractions shipped by them, they would
# presumably fail to load on a system where those subpackages are missing — confirm.
%package -n dovecot-profiles
Summary:        AppArmor profiles for Dovecot
Supplements:    dovecot
BuildArch:      noarch

%description -n dovecot-profiles
AppArmor profiles for Dovecot from project smar-apparmor-profiles.

# Plain %%config: when both the admin and the package changed a profile, an upgrade
# installs the packaged profile and keeps the local copy as .rpmsave.
%files -n dovecot-profiles
%config %{_sysconfdir}/apparmor.d/dovecot
%config %{_sysconfdir}/apparmor.d/dovecot.anvil
%config %{_sysconfdir}/apparmor.d/dovecot.auth
%config %{_sysconfdir}/apparmor.d/dovecot.config
%config %{_sysconfdir}/apparmor.d/dovecot.deliver
%config %{_sysconfdir}/apparmor.d/dovecot.dict
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-auth
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-lda
%config %{_sysconfdir}/apparmor.d/dovecot.imap
%config %{_sysconfdir}/apparmor.d/dovecot.imap-login
%config %{_sysconfdir}/apparmor.d/dovecot.lmtp
%config %{_sysconfdir}/apparmor.d/dovecot.log
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve-login
%config %{_sysconfdir}/apparmor.d/dovecot.pop3
%config %{_sysconfdir}/apparmor.d/dovecot.pop3-login
%config %{_sysconfdir}/apparmor.d/dovecot.ssl-params
%config %{_sysconfdir}/apparmor.d/dovecot.stats


___PACKAGES_HERE___

%changelog

# kate: syntax RPM Spec