[PACKAGING] Provides a dedicated AppArmor profile

HorlogeSkynet · Oct 27, 2022 · 42940ab · 42940ab
1 parent 3b261e9
commit 42940ab
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 2 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,6 +25,7 @@ assignees: ''
  - Operating system and version : 
  - Graphical environment name and version : 
  - Connectivity (off-line, LAN only, Internet access) : 
+ - AppArmor profile loaded (yes/no, check `aa-status`) : 
 
 **Additional context**
 <!-- If applicable, add any other context about the problem here. -->

diff --git a/apparmor.profile b/apparmor.profile
@@ -0,0 +1,89 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2022 - Samuel Forestier <dev+archey@samuel.domains>
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please create yours as [/etc/apparmor.d/]local/archey4
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/{,local/}bin/archey{,4}
+profile archey4 @{exec_path} {
+	include <abstractions/base>
+	include <abstractions/consoles>
+	include <abstractions/python>
+
+	@{exec_path} r,
+
+	# configuration files
+	owner @{HOME}/.config/archey4/*.json r,
+	/etc/archey4/*.json r,
+
+	# required in order to kill sub-processes in timeout
+	capability kill,
+	signal (send),
+
+	# allow running processes listing through ps
+	/{,usr/}bin/ps PUx,
+
+	# [CPU] entry
+	/{,usr/}bin/lscpu PUx,
+
+	# [Disk] entry
+	/{,usr/}bin/df PUx,
+
+	# [GPU] entry
+	/{,usr/}bin/lspci PUx,
+
+	# [Hostname] entry
+	/etc/hostname r,
+
+	# [Load Average] entry
+	@{PROC}/loadavg r,
+
+	# [Model] entry
+	@{sys}/devices/virtual/dmi/id/* r,
+	/{,usr/}bin/systemd-detect-virt PUx,
+	/{,usr/}sbin/virt-what PUx,
+	/{,usr/}bin/getprop PUx,
+
+	# [Packages] entry
+	/{,usr/}bin/ls PUx,
+	/{,usr/}bin/apk PUx,
+	/{,usr/}bin/dnf PUx,
+	/{,usr/}bin/dpkg PUx,
+	/{,usr/}bin/emerge PUx,
+	/{,usr/}bin/nix-env PUx,
+	/{,usr/}bin/pacman PUx,
+	/{,usr/}bin/pacstall PUx,
+	/{,usr/}bin/port PUx,
+	/{,usr/}bin/yum PUx,
+	/{,usr/}bin/zypper PUx,
+
+	# [RAM] entry
+	/{,usr/}bin/free PUx,
+
+	# [Temperature] entry
+	@{sys}/devices/thermal/thermal_zone[0-9]*/temp r,
+	/{,usr/}bin/sensors PUx,
+	/opt/vc/bin/vcgencmd PUx,
+
+	# [Uptime] entry
+	@{PROC}/uptime r,
+	/{,usr/}bin/uptime PUx,
+
+	# [User] entry
+	/{,usr/}bin/getent PUx,
+
+	# [WAN IP] entry (and potentially [Kernel])
+	/{,usr/}bin/dig PUx,
+	network inet  stream,  # urllib (HTTP/IP)
+	network inet6 stream,  # urllib (HTTP/IPv6)
+
+	# [Window Manager] entry
+	/{,usr/}bin/wmctrl PUx,
+
+	# allow profile extension (e.g. for user-defined [Custom] entries)
+	include if exists <local/archey4>
+}
diff --git a/packaging/build.sh b/packaging/build.sh
@@ -73,6 +73,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
 # Prepare the configuration file under a regular `etc/` directory.
 mkdir -p etc/archey4/ && \
 	cp config.json etc/archey4/config.json
+# Prepare the AppArmor profile.
+mkdir -p etc/apparmor.d/ && \
+	cp apparmor.profile etc/apparmor.d/usr.bin.archey4
 # Prepare and compress the manual page.
 sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
 	gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"
@@ -92,16 +95,20 @@ export PYTHONDONTWRITEBYTECODE=1
 echo 'Now generating Debian package...'
 fpm \
 	"${FPM_COMMON_ARGS[@]}" \
+	--config-files "etc/apparmor.d/" \
+	--config-files "etc/apparmor.d/usr.bin.archey4" \
 	--output-type deb \
 	--package "${DIST_OUTPUT}/${NAME}_${VERSION}-${REVISION}_${ARCHITECTURE}.deb" \
 	--depends 'python3 >= 3.6' \
 	--depends 'python3-distro' \
 	--depends 'python3-netifaces' \
 	--python-install-lib 'usr/lib/python3/dist-packages/' \
 	--deb-priority 'optional' \
+	--deb-build-depends dh_apparmor \
 	--deb-field 'Recommends: procps' \
-	--deb-field 'Suggests: dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
+	--deb-field 'Suggests: apparmor, dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
 	--deb-no-default-config-files \
+	--no-deb-auto-config-files \
 	setup.py
 
 # Sign the resulting Debian package if a GPG identity has been provided.
@@ -157,9 +164,11 @@ done
 # 	setup.py
 
 
-# Remove the fake `etc/archey4/` tree.
+# Remove the fake `etc/archey4/` & `etc/apparmor.d/` trees.
 rm etc/archey4/config.json && \
 	rmdir --ignore-fail-on-non-empty -p etc/archey4/
+rm etc/apparmor.d/usr.bin.archey4 && \
+	rmdir --ignore-fail-on-non-empty -p etc/apparmor.d/
 
 
 # Silence some Setuptools warnings by re-enabling byte-code generation.