File smar-apparmor-profiles.spec.in of Package smar-apparmor-profiles (Revision 64466972f10dc962316dc5aa7dcd55a1)
#
# spec file for package smar-apparmor-profiles
# TODO: Add a postinst script to the common package that reloads AppArmor, so that installed/updated profiles get loaded.
# Unless SUSE expects this to be done in some better way.
Name: smar-apparmor-profiles
Version: 1.0.0-pre
Release: 0
Summary: Per-package apparmor-profiles
License: ISC
Group: Productivity/Security
Url: https://git.sr.ht/~smar/smar-apparmor-profiles
Source0: %{name}-%{version}.tar.xz
Source1: rpmlintrc
Source2: systemd_overrides.tar.xz
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# This allows us not to need to own /etc/apparmor.d
BuildRequires: apparmor-profiles
# Used for adding overrides to certain systemd services.
BuildRequires: systemd-rpm-macros
%description
This project aims to have per-package AppArmor profiles, so that they can be automatically pulled in
when the relevant package is installed on a system. This avoids cluttering AppArmor with unnecessary profiles,
and also allows easy blacklisting of profiles one does not want.

A profile can still be temporarily disabled with a symlink in the /etc/apparmor.d/disable directory.
%prep
# Unpack the main tarball (Source0) and change into its top-level directory.
%setup -q

# Unpack the systemd overrides tarball (Source2) into that directory as well.
tar -xf %{SOURCE2}
%build
# Replace the placeholder values in the tunables with the values of this
# build target. RPM expands the macros before the shell runs these commands.
sed -i -e 's|@{arch}=CPU_ARCHITECTURE|@{arch}=%{_target_cpu}|' tunables/hardware
sed -i \
    -e 's|@{system_libdir}=ESSENTIAL_SYSTEM_LIBDIR|@{system_libdir}=/%{_lib}|' \
    -e 's|@{libdir}=SYSTEM_LIBDIR|@{libdir}=%{_libdir}|' \
    tunables/system
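# NOTE(review): the usual guard form is 0%%{?sle_version}; with the plain macro
# this test presumably only evaluates on targets that define sle_version -- confirm.
%if 0%{sle_version} < 150300
cd profiles

# The perfmon and bpf capabilities were introduced in 15.3, so rules naming
# them are commented out for earlier installations. A profile that kept such
# a rule would presumably be rejected by the older parser and never get
# loaded, leaving its program unconfined -- confirm against the target's
# apparmor_parser.
#
# Each capability is searched for under its own name (the bpf pass used to
# search for perfmon, so profiles naming only bpf were missed). The matches
# are passed NUL-separated so that every file becomes its own sed argument;
# the previous quoted command substitution handed all names to sed as one
# word. xargs -r runs nothing when there is no match.
grep -R -l -Z -e 'capability perfmon' -- * 2> /dev/null \
    | xargs -0 -r sed -i 's/capability perfmon/#capability perfmon/g'
grep -R -l -Z -e 'capability bpf' -- * 2> /dev/null \
    | xargs -0 -r sed -i 's/capability bpf/#capability bpf/g'

cd -
%endif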
%install
# Directory skeleton of the package below the buildroot. The first group is
# created with -p (missing parents included); the second group uses plain
# mkdir, which fails if a directory already exists or its parent is missing.
mkdir -p \
    %{buildroot}%{_bindir} \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/audio.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/dri-common.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
mkdir \
    %{buildroot}%{_sysconfdir}/apparmor.d/local \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/cli \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables \
    %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d
# The Dovecot profiles go directly into /etc/apparmor.d.
mv profiles/server/dovecot/* %{buildroot}%{_sysconfdir}/apparmor.d

# Abstractions that are installed straight into abstractions/.
mv \
    abstractions/smar-base \
    abstractions/smar \
    abstractions/smar-strict \
    abstractions/akonadi \
    abstractions/cli \
    abstractions/dns \
    abstractions/drkonqi \
    abstractions/fish \
    abstractions/katepart \
    abstractions/kde_file_dialog \
    abstractions/kde-common \
    abstractions/less \
    abstractions/passwd \
    abstractions/plasma \
    abstractions/qtwebengine \
    abstractions/sddm \
    abstractions/shells \
    abstractions/smar_kde \
    abstractions/smar_perl \
    abstractions/smar_python \
    abstractions/smar_ruby \
    abstractions/system-daemon \
    abstractions/systemd \
    abstractions/unconfined-steam \
    abstractions/user-daemon \
    abstractions/videocard \
    abstractions/vim-inline-editor \
    abstractions/Xorg \
    %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/

# Drop-in additions, each moved into its own .d directory.
mv abstractions/audio.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/audio.d/
mv abstractions/dri-common.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/dri-common.d/
mv abstractions/private-files-strict.d/smar-additions %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d/
mv abstractions/system-daemon.d/unconfined-systemd %{buildroot}%{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/
# Local override files for abstractions.
mv \
    abstractions/local/smar_kde \
    abstractions/local/Xorg \
    %{buildroot}%{_sysconfdir}/apparmor.d/local/abstractions/

# Tunables; hardware and system had their placeholders filled in during build.
mv \
    tunables/hardware \
    tunables/kde \
    tunables/numeric \
    tunables/textual \
    tunables/obs \
    tunables/perl \
    tunables/python \
    tunables/ruby \
    tunables/smar \
    tunables/sysdevices \
    tunables/system \
    tunables/user \
    %{buildroot}%{_sysconfdir}/apparmor.d/tunables/

# Namespace definitions.
mv namespaces/kde_file_dialog %{buildroot}%{_sysconfdir}/apparmor.d/namespaces.d/
#mv namespaces/kde_file_dialog %%{buildroot}%%{_sysconfdir}/apparmor.d/
# A profile in the git repository may be a symlink, which avoids keeping
# unnecessary copies while combining profiles is still not possible.
#
# The symlinks are rewritten here so that the end result is correct.
#
# For now these symlinks exist only for rpm-scriptlets.
pushd namespaces/rpm-scriptlets.d

# Regular files first: append the installed path of each one to the file list.
# The path found is handed to the inner shell as an argument, not pasted into
# the script text.
find . -type f -exec sh -c '
    entry_name="$(basename "${1}")"
    echo "%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${entry_name}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
' sh {} \;

# Then the links: each one is re-pointed at ../../<its own name>, whatever it
# pointed to before, and its installed path is appended to the file list too.
find . -type l -exec sh -c '
    link_path="${1}"
    link_name="$(basename "${link_path}")"
    #echo "readlink ${1}: $(readlink "${link_path}")"
    ln -sfn ../../"${link_name}" "${link_path}"
    echo "%{_sysconfdir}/apparmor.d/namespaces.d/rpm-scriptlets.d/${link_name}" >> "%{_builddir}/%{name}-%{version}/namespace_files.rpm"
' sh {} \;
popd
___INSTALL_RULES_HERE___
# Common files.
%package common
Summary: Common files Smar’s AppArmor profiles
Requires: %{name}-sddm-abstractions
BuildArch: noarch
%description common
Common files for Smar’s AppArmor profiles.
Contains things like tunables helpful with /sys/devices/** rules.
%files common
%dir %{_sysconfdir}/apparmor.d/abstractions/audio.d
%dir %{_sysconfdir}/apparmor.d/abstractions/dri-common.d
%dir %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d
%dir %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d
%dir %{_sysconfdir}/apparmor.d/extra
%dir %{_sysconfdir}/apparmor.d/lib
%dir %{_sysconfdir}/apparmor.d/local/abstractions
%dir %{_sysconfdir}/apparmor.d/local/cli
%dir %{_sysconfdir}/apparmor.d/namespaces.d
%config %{_sysconfdir}/apparmor.d/abstractions/audio.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/cli
%config %{_sysconfdir}/apparmor.d/abstractions/dns
%config %{_sysconfdir}/apparmor.d/abstractions/dri-common.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/fish
%config %{_sysconfdir}/apparmor.d/abstractions/kde-common
%config %{_sysconfdir}/apparmor.d/abstractions/passwd
%config %{_sysconfdir}/apparmor.d/abstractions/private-files-strict.d/smar-additions
%config %{_sysconfdir}/apparmor.d/abstractions/qtwebengine
%config %{_sysconfdir}/apparmor.d/abstractions/shells
%config %{_sysconfdir}/apparmor.d/abstractions/smar
%config %{_sysconfdir}/apparmor.d/abstractions/smar-base
%config %{_sysconfdir}/apparmor.d/abstractions/smar_perl
%config %{_sysconfdir}/apparmor.d/abstractions/smar_python
%config %{_sysconfdir}/apparmor.d/abstractions/smar-strict
%config %{_sysconfdir}/apparmor.d/abstractions/system-daemon
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/system-daemon.d/unconfined-systemd
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/unconfined-steam
%config %{_sysconfdir}/apparmor.d/abstractions/user-daemon
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/hardware
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/kde
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/numeric
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/textual
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/obs
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/perl
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/python
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/ruby
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/smar
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/sysdevices
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/system
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/user
# kde/smar_kde
%package kde-abstractions
Summary: Abstractions for KDE AppArmor profiles
Requires: %{name}-sddm-abstractions
Requires: %{name}-xorg-abstractions
BuildArch: noarch
#
# For tunables/sssd. Only useful if Kerberos 5 authentication
# is used via SSSD, I suppose.
Suggests: sssd-profiles
%description kde-abstractions
KDE abstractions from project smar-apparmor-profiles.
These abstractions have some convenience definitions for KDE profiles.
%files kde-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/akonadi
%config %{_sysconfdir}/apparmor.d/abstractions/drkonqi
%config %{_sysconfdir}/apparmor.d/abstractions/katepart
%config %{_sysconfdir}/apparmor.d/abstractions/kde_file_dialog
%config %{_sysconfdir}/apparmor.d/abstractions/plasma
%config %{_sysconfdir}/apparmor.d/abstractions/smar_kde
%config %{_sysconfdir}/apparmor.d/namespaces.d/kde_file_dialog
#%%config %%{_sysconfdir}/apparmor.d/kde_file_dialog
%config %{_sysconfdir}/apparmor.d/local/abstractions/smar_kde
%dir %{_sysconfdir}/apparmor.d/local/kde
# Programs writing to sddm user log.
%package sddm-abstractions
Summary: Abstractions for profiles utilizing SDDM in a way or other
Supplements: sddm
BuildArch: noarch
%description sddm-abstractions
SDDM abstractions from project smar-apparmor-profiles.
These abstractions allow writing to SDDM’s user log, akin to the old
Xsession-errors.
%files sddm-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/sddm
# X.org abstractions.
%package xorg-abstractions
Summary: Abstractions for profiles utilizing X in a way or other
BuildArch: noarch
%description xorg-abstractions
AppArmor abstraction files for Xorg from project smar-apparmor-profiles.
Pulled and used by *-profiles packages.
%files xorg-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/Xorg
%config %{_sysconfdir}/apparmor.d/abstractions/videocard
%config %{_sysconfdir}/apparmor.d/local/abstractions/Xorg
# systemd abstractions.
%package systemd-abstractions
Summary: Abstractions for profiles utilizing systemd in a way or other
BuildArch: noarch
%description systemd-abstractions
AppArmor abstraction files for systemd from project smar-apparmor-profiles.
Pulled and used by *-profiles packages.
%files systemd-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/systemd
# All programs that uses less
%package less-abstractions
Summary: Abstractions for AppArmor profiles that uses less
BuildArch: noarch
%description less-abstractions
Less abstractions from project smar-apparmor-profiles.
These abstractions provide rules for applications using less in one way or another.
%files less-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/less
# All programs that uses Ruby
%package ruby-abstractions
Summary: Abstractions for AppArmor profiles that uses Ruby
Supplements: ruby
BuildArch: noarch
%description ruby-abstractions
Ruby abstractions from project smar-apparmor-profiles.
These abstractions provide rules for applications using Ruby in one way or another.
%files ruby-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/smar_ruby
# All programs that uses vim
%package vim-abstractions
Summary: Abstractions for AppArmor profiles that uses vim
BuildArch: noarch
%description vim-abstractions
Vim abstractions from project smar-apparmor-profiles.
These abstractions provide rules for applications using Vim in one way or another.
%files vim-abstractions
%config %{_sysconfdir}/apparmor.d/abstractions/vim-inline-editor
# Dovecot
%package -n dovecot-profiles
Summary: AppArmor profiles for Dovecot
Supplements: dovecot
BuildArch: noarch
%description -n dovecot-profiles
AppArmor profiles for Dovecot from project smar-apparmor-profiles.
%files -n dovecot-profiles
%config %{_sysconfdir}/apparmor.d/dovecot
%config %{_sysconfdir}/apparmor.d/dovecot.anvil
%config %{_sysconfdir}/apparmor.d/dovecot.auth
%config %{_sysconfdir}/apparmor.d/dovecot.config
%config %{_sysconfdir}/apparmor.d/dovecot.deliver
%config %{_sysconfdir}/apparmor.d/dovecot.dict
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-auth
%config %{_sysconfdir}/apparmor.d/dovecot.dovecot-lda
%config %{_sysconfdir}/apparmor.d/dovecot.imap
%config %{_sysconfdir}/apparmor.d/dovecot.imap-login
%config %{_sysconfdir}/apparmor.d/dovecot.lmtp
%config %{_sysconfdir}/apparmor.d/dovecot.log
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve
%config %{_sysconfdir}/apparmor.d/dovecot.managesieve-login
%config %{_sysconfdir}/apparmor.d/dovecot.pop3
%config %{_sysconfdir}/apparmor.d/dovecot.pop3-login
%config %{_sysconfdir}/apparmor.d/dovecot.ssl-params
%config %{_sysconfdir}/apparmor.d/dovecot.stats
___PACKAGES_HERE___
%changelog
# kate: syntax RPM Spec