File smar-apparmor-profiles.spec.in of Package smar-apparmor-profiles
#
# spec file for package smar-apparmor-profiles
# TODO: Add postinst script for common package to reload apparmor to get installed/updated profiles loaded.
# Unless there is a better way how SUSE expects me to do.

Name:           smar-apparmor-profiles
Version:        1.0.0-pre
Release:        0
Summary:        Per-package apparmor-profiles
License:        ISC
Group:          Productivity/Security
Url:            https://git.sr.ht/~smar/smar-apparmor-profiles
Source0:        %{name}-%{version}.tar.xz
Source1:        rpmlintrc
Source2:        systemd_overrides.tar.xz
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# This allows us not to need to own /etc/apparmor.d
BuildRequires:  apparmor-profiles
# Used for adding overrides to certain systemd services.
BuildRequires:  systemd-rpm-macros

%description
This project aims to have per-package AppArmor profiles, so that they can be
automatically pulled when relevant package is installed to a system.
This allows cluttering AppArmor with unnecessary profiles, and also allows
easy blacklisting profiles one does not want.
A profile could still be temporary disabled with a symlink in
/etc/apparmor.d/disable directory.

%prep
%setup -q
tar xf %{S:2}

%build
sed -i "s|@{arch}=CPU_ARCHITECTURE|@{arch}=%{_target_cpu}|" tunables/hardware
sed -i "s|@{system_libdir}=ESSENTIAL_SYSTEM_LIBDIR|@{system_libdir}=/%{_lib}|" tunables/system
sed -i "s|@{libdir}=SYSTEM_LIBDIR|@{libdir}=%{_libdir}|" tunables/system

%if 0%{sle_version} < 150300
cd profiles
# perfmon capability was introduced in 15.3, so it needs to be disabled for earlier installations.
# File names are read one per line, so several matches (or none) are handled correctly.
grep -R -l "capability perfmon" * 2> /dev/null | while IFS= read -r profile; do
    sed -i 's/capability perfmon/#capability perfmon/g' "$profile"
done
# bpf capability was introduced in 15.3, so it needs to be disabled for earlier installations.
grep -R -l "capability bpf" * 2> /dev/null | while IFS= read -r profile; do
    sed -i 's/capability bpf/#capability bpf/g' "$profile"
done
cd -
%endif

%install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/abstractions
mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/audio.d
mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/dri-common.d
mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d
mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
mkdir %{buildroot}%{_sysconfdir}/apparmor.d/local
mkdir %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions
mkdir %{buildroot}%{_sysconfdir}/apparmor.d/local/cli
mkdir %{buildroot}%{_sysconfdir}/apparmor.d/tunables
mkdir %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d

mv profiles/server/dovecot/* %{buildroot}%{_sysconfdir}/apparmor.d

mv abstractions/smar-base %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar-strict %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/akonadi %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/audio.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/audio.d/
mv abstractions/cli %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/dns %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/dri-common.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/dri-common.d/
mv abstractions/drkonqi %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/fish %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/katepart %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/kde_file_dialog %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/kde-common %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/less %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/passwd %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/plasma %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/private-files-strict.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d/
mv abstractions/qtwebengine %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/sddm %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/shells %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar_kde %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar_perl %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar_python %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/smar_ruby %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/system-daemon %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/system-daemon.d/unconfined-systemd %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/
mv abstractions/systemd %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/unconfined-steam %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/user-daemon %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/videocard %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/vim-inline-editor %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/
mv abstractions/Xorg %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/

# Local files for abstractions.
mv abstractions/local/smar_kde %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions/
mv abstractions/local/Xorg %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions/

mv tunables/hardware %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/kde %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/numeric %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/textual %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/obs %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/perl %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/python %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/ruby %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/smar %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/sysdevices %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/system %{buildroot}%{_sysconfdir}/apparmor.d/tunables/
mv tunables/user %{buildroot}%{_sysconfdir}/apparmor.d/tunables/

# Namespace definitions.
mv namespaces/kde_file_dialog %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d/
#mv namespaces/kde_file_dialog %%{buildroot}%%{_sysconfdir}/apparmor.d/

# A profile in the git repository can be a symlink, to
# avoid unnecessary profile copies.
# Since combining profiles still is not possible.
#
# Let’s mangle the symlinks to have correct end result.
#
# For now these symlinks only exists for rpm-scriptlets.
pushd namespaces/rpm-scriptlets.d
# First add normal files to package list.
find . -type f -exec sh -c '
    package_path="${1}"
    package_name="$(basename "${package_path}")"
    buildroot_profile_file="%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${package_name}"
    echo "${buildroot_profile_file}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
' sh {} \;
# Then process the links.
find . -type l -exec sh -c '
    package_path="${1}"
    package_name="$(basename "${package_path}")"
    #echo "readlink ${1}: $(readlink "${package_path}")"
    ln -sfn ../../"${package_name}" "${package_path}"
    buildroot_profile_link="%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${package_name}"
    echo "${buildroot_profile_link}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
' sh {} \;
popd

___INSTALL_RULES_HERE___

# Common files.
%package common
Summary:        Common files Smar’s AppArmor profiles
Requires:       %{name}-sddm-abstractions
BuildArch:      noarch

%description common
Common files Smar’s AppArmor profiles.
Contains things like tunables helpful with /sys/devices/** rules.

%files common
%dir %{_sysconfdir}/apparmor.d/abstractions/audio.d
%dir %{_sysconfdir}/apparmor.d/abstractions/dri-common.d
%dir %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d
%dir %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
%dir %{_sysconfdir}/apparmor.d/extra
%dir %{_sysconfdir}/apparmor.d/lib
%dir %{_sysconfdir}/apparmor.d/local/abstractions
%dir %{_sysconfdir}/apparmor.d/local/cli
%dir %{_sysconfdir}/apparmor.d/namespaces.d
%config %{_sysconfdir}/apparmor.d/abstractions/audio.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/cli
%config %{_sysconfdir}/apparmor.d/abstractions/dns
%config %{_sysconfdir}/apparmor.d/abstractions/dri-common.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/fish
%config %{_sysconfdir}/apparmor.d/abstractions/kde-common
%config %{_sysconfdir}/apparmor.d/abstractions/passwd
%config %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/qtwebengine
%config %{_sysconfdir}/apparmor.d/abstractions/shells
%config %{_sysconfdir}/apparmor.d/abstractions/smar
%config %{_sysconfdir}/apparmor.d/abstractions/smar-base
%config %{_sysconfdir}/apparmor.d/abstractions/smar_perl
%config %{_sysconfdir}/apparmor.d/abstractions/smar_python
%config %{_sysconfdir}/apparmor.d/abstractions/smar-strict
%config %{_sysconfdir}/apparmor.d/abstractions/system-daemon
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/unconfined-systemd
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/unconfined-steam
%config %{_sysconfdir}/apparmor.d/abstractions/user-daemon
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/hardware
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/kde
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/numeric
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/textual
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/obs
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/perl
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/python
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/ruby
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/smar
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/sysdevices
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/user

# kde/smar_kde
%package kde-abstractions
Summary:        Abstractions for KDE AppArmor profiles
Requires:       %{name}-sddm-abstractions
Requires:       %{name}-xorg-abstractions
BuildArch:      noarch
#
# For tunables/sssd. Only useful if Kerberos 5 authentication
# is used via SSSD, I suppose.
Suggests:       sssd-profiles

%description kde-abstractions
KDE abstractions from project smar-apparmor-profiles.
These abstractions have some convenience definitions for KDE profiles.

%files kde-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/akonadi
%config %{_sysconfdir}/apparmor.d/abstractions/drkonqi
%config %{_sysconfdir}/apparmor.d/abstractions/katepart
%config %{_sysconfdir}/apparmor.d/abstractions/kde_file_dialog
%config %{_sysconfdir}/apparmor.d/abstractions/plasma
%config %{_sysconfdir}/apparmor.d/abstractions/smar_kde
%config %{_sysconfdir}/apparmor.d/namespaces.d/kde_file_dialog
#%%config %%{_sysconfdir}/apparmor.d/kde_file_dialog
%config %{_sysconfdir}/apparmor.d/local/abstractions/smar_kde
%dir %{_sysconfdir}/apparmor.d/local/kde

# Programs writing to sddm user log.
%package sddm-abstractions
Summary:        Abstractions for profiles utilizing SDDM in a way or other
Supplements:    sddm
BuildArch:      noarch

%description sddm-abstractions
SDDM abstractions from project smar-apparmor-profiles.
These abstractions allows writing SDDM’s user log, akin to old Xsession-errors.

%files sddm-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/sddm

# X.org abstractions.
%package xorg-abstractions
Summary:        Abstractions for profiles utilizing X in a way or other
BuildArch:      noarch

%description xorg-abstractions
AppArmor abstraction files for Xorg from project smar-apparmor-profiles.
Pulled and used by *-profiles packages.

%files xorg-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/Xorg
%config %{_sysconfdir}/apparmor.d/abstractions/videocard
%config %{_sysconfdir}/apparmor.d/local/abstractions/Xorg

# systemd abstractions.
%package systemd-abstractions
Summary:        Abstractions for profiles utilizing systemd in a way or other
BuildArch:      noarch

%description systemd-abstractions
AppArmor abstraction files for systemd from project smar-apparmor-profiles.
Pulled and used by *-profiles packages.

%files systemd-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/systemd

# All programs that uses less
%package less-abstractions
Summary:        Abstractions for AppArmor profiles that uses less
BuildArch:      noarch

%description less-abstractions
Less abstractions from project smar-apparmor-profiles.
These abstractions provides rules for applications using less in a way or another.

%files less-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/less

# All programs that uses Ruby
%package ruby-abstractions
Summary:        Abstractions for AppArmor profiles that uses Ruby
Supplements:    ruby
BuildArch:      noarch

%description ruby-abstractions
Ruby abstractions from project smar-apparmor-profiles.
These abstractions provides rules for applications using Ruby in a way or another.

%files ruby-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/smar_ruby

# All programs that uses vim
%package vim-abstractions
Summary:        Abstractions for AppArmor profiles that uses vim
BuildArch:      noarch

%description vim-abstractions
Vim abstractions from project smar-apparmor-profiles.
These abstractions provides rules for applications using Vim in a way or another.

%files vim-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/vim-inline-editor

# Dovecot
%package -n dovecot-profiles
Summary:        AppArmor profiles for Dovecot
Supplements:    dovecot
BuildArch:      noarch

%description -n dovecot-profiles
AppArmor profiles for Dovecot from project smar-apparmor-profiles.

%files -n dovecot-profiles
%config %{_sysconfdir}/apparmor.d/dovecot
%config %{_sysconfdir}/apparmor.d/dovecot.anvil
%config %{_sysconfdir}/apparmor.d/dovecot.auth
%config %{_sysconfdir}/apparmor.d/dovecot.config
%config %{_sysconfdir}/apparmor.d/dovecot.deliver
%config %{_sysconfdir}/apparmor.d/dovecot.dict
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-auth
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-lda
%config %{_sysconfdir}/apparmor.d/dovecot.imap
%config %{_sysconfdir}/apparmor.d/dovecot.imap-login
%config %{_sysconfdir}/apparmor.d/dovecot.lmtp
%config %{_sysconfdir}/apparmor.d/dovecot.log
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve-login
%config %{_sysconfdir}/apparmor.d/dovecot.pop3
%config %{_sysconfdir}/apparmor.d/dovecot.pop3-login
%config %{_sysconfdir}/apparmor.d/dovecot.ssl-params
%config %{_sysconfdir}/apparmor.d/dovecot.stats

___PACKAGES_HERE___

%changelog

# kate: syntax RPM Spec