diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c058963d..230b5287 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,6 +25,7 @@ assignees: ''
 - Operating system and version :
 - Graphical environment name and version :
 - Connectivity (off-line, LAN only, Internet access) :
+ - AppArmor profile loaded (yes/no, check `aa-status`) :
 **Additional context**
diff --git a/apparmor.profile b/apparmor.profile
new file mode 100644
index 00000000..8b57e301
--- /dev/null
+++ b/apparmor.profile
@@ -0,0 +1,89 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2022 - Samuel Forestier
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please create yours as [/etc/apparmor.d/]local/archey4
+
+abi ,
+
+include
+
+@{exec_path} = /usr/{,local/}bin/archey{,4}
+profile archey4 @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} r,
+
+ # configuration files
+ owner @{HOME}/.config/archey4/*.json r,
+ /etc/archey4/*.json r,
+
+ # required in order to kill sub-processes in timeout
+ capability kill,
+ signal (send),
+
+ # allow running processes listing through ps
+ /{,usr/}bin/ps PUx,
+
+ # [CPU] entry
+ /{,usr/}bin/lscpu PUx,
+
+ # [Disk] entry
+ /{,usr/}bin/df PUx,
+
+ # [GPU] entry
+ /{,usr/}bin/lspci PUx,
+
+ # [Hostname] entry
+ /etc/hostname r,
+
+ # [Load Average] entry
+ @{PROC}/loadavg r,
+
+ # [Model] entry
+ @{sys}/devices/virtual/dmi/id/* r,
+ /{,usr/}bin/systemd-detect-virt PUx,
+ /{,usr/}sbin/virt-what PUx,
+ /{,usr/}bin/getprop PUx,
+
+ # [Packages] entry
+ /{,usr/}bin/ls PUx,
+ /{,usr/}bin/apk PUx,
+ /{,usr/}bin/dnf PUx,
+ /{,usr/}bin/dpkg PUx,
+ /{,usr/}bin/emerge PUx,
+ /{,usr/}bin/nix-env PUx,
+ /{,usr/}bin/pacman PUx,
+ /{,usr/}bin/pacstall PUx,
+ /{,usr/}bin/port PUx,
+ /{,usr/}bin/yum PUx,
+ /{,usr/}bin/zypper PUx,
+
+ # [RAM] entry
+ /{,usr/}bin/free PUx,
+
+ # [Temperature] entry
+ @{sys}/devices/thermal/thermal_zone[0-9]*/temp r,
+ /{,usr/}bin/sensors PUx,
+ /opt/vc/bin/vcgencmd PUx,
+
+ # [Uptime] entry
+ @{PROC}/uptime r,
+ /{,usr/}bin/uptime PUx,
+
+ # [User] entry
+ /{,usr/}bin/getent PUx,
+
+ # [WAN IP] entry (and potentially [Kernel])
+ /{,usr/}bin/dig PUx,
+ network inet stream, # urllib (HTTP/IP)
+ network inet6 stream, # urllib (HTTP/IPv6)
+
+ # [Window Manager] entry
+ /{,usr/}bin/wmctrl PUx,
+
+ # allow profile extension (e.g. for user-defined [Custom] entries)
+ include if exists
+}
diff --git a/packaging/build.sh b/packaging/build.sh
index fdbedbaf..9e63e6db 100644
--- a/packaging/build.sh
+++ b/packaging/build.sh
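Review bot: The [Temperature] rule `@{sys}/devices/thermal/thermal_zone[0-9]*/temp r,` almost certainly never matches: the kernel exposes thermal zones under `/sys/devices/virtual/thermal/` (the `/sys/class/thermal/` entries are symlinks into it, and AppArmor matches the resolved target), exactly as the [Model] rule in this same hunk already does for `dmi/id`, so the fix is `@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/temp r,` plus `@{sys}/class/thermal/ r,` if the entry globs the zone directory. `capability kill` together with an unrestricted `signal (send),` is broader than reaping the PUx children needs; `signal (send) set=(term, kill) peer=unconfined,` covers children that fall back to unconfined, and `capability kill` only matters when archey runs as root and signals other users' processes, so confirm with `aa-logprof` before keeping it. Every helper is `PUx`, which means each child runs unconfined with a scrubbed environment and nothing it reads or executes is covered by this policy; that trade-off deserves a comment at the top of the block, e.g. `# helpers run unconfined (PUx) - their own file access is not mediated here`. The `abi` and `include` targets are not visible in the hunk as rendered here; if none of the three abstractions is `abstractions/nameservice`, the urllib fetch in [WAN IP] will fail at name resolution, because the resolver also needs `network inet dgram,` and read access to `/etc/resolv.conf` and `/etc/hosts`.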
@@ -73,6 +73,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
 # Prepare the configuration file under a regular `etc/` directory.
 mkdir -p etc/archey4/ && \
 cp config.json etc/archey4/config.json
+# Prepare the AppArmor profile.
+mkdir -p etc/apparmor.d/ && \
+ cp apparmor.profile etc/apparmor.d/usr.bin.archey4
 # Prepare and compress the manual page.
 sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
 gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"
@@ -92,6 +95,8 @@ export PYTHONDONTWRITEBYTECODE=1
 echo 'Now generating Debian package...'
 fpm \
 "${FPM_COMMON_ARGS[@]}" \
+ --config-files "etc/apparmor.d/" \
+ --config-files "etc/apparmor.d/usr.bin.archey4" \
 --output-type deb \
 --package "${DIST_OUTPUT}/${NAME}_${VERSION}-${REVISION}_${ARCHITECTURE}.deb" \
 --depends 'python3 >= 3.6' \
@@ -99,9 +104,11 @@ fpm \
 --depends 'python3-netifaces' \
 --python-install-lib 'usr/lib/python3/dist-packages/' \
 --deb-priority 'optional' \
+ --deb-build-depends dh_apparmor \
 --deb-field 'Recommends: procps' \
- --deb-field 'Suggests: dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
+ --deb-field 'Suggests: apparmor, dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
 --deb-no-default-config-files \
+ --no-deb-auto-config-files \
 setup.py
 # Sign the resulting Debian package if a GPG identity has been provided.
@@ -157,9 +164,11 @@ done
 # setup.py
-# Remove the fake `etc/archey4/` tree.
+# Remove the fake `etc/archey4/` & `etc/apparmor.d/` trees.
 rm etc/archey4/config.json && \
 rmdir --ignore-fail-on-non-empty -p etc/archey4/
+rm etc/apparmor.d/usr.bin.archey4 && \
+ rmdir --ignore-fail-on-non-empty -p etc/apparmor.d/
 # Silence some Setuptools warnings by re-enabling byte-code generation.
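Review bot: `--deb-build-depends dh_apparmor` names the debhelper script rather than a package (the Debian package is `dh-apparmor`), and it is inert here anyway because fpm never runs debhelper, so the profile is copied to `/etc/apparmor.d/usr.bin.archey4` but nothing loads it into the kernel at install time; until the host reboots or an administrator reloads AppArmor, the confinement this commit adds is not in effect. The missing piece is the maintainer-script logic dh_apparmor would have generated: an `--after-install` script that reloads the profile when AppArmor is enabled and a `--before-remove` script that unloads it with `apparmor_parser -R`, with the `dh_apparmor` line dropped. Both scripts must tolerate hosts where `apparmor` (only Suggested in this hunk) is absent, hence the `aa-enabled`/`command -v` guards below. Passing the directory to `--config-files` already marks its files recursively in fpm, so the second `--config-files` entry is redundant but harmless. A sketch of the changed fpm flags and the two new scripts follows; the script paths are placeholders and the rest of the fpm invocation is unchanged.
```shell
  --deb-priority 'optional' \
  --after-install packaging/deb/postinst \
  --before-remove packaging/deb/prerm \
  --deb-field 'Recommends: procps' \
# … unchanged: remaining fpm flags …

# packaging/deb/postinst (new): load the profile only where AppArmor is usable
#!/bin/sh
set -e
if [ "$1" = "configure" ] && command -v aa-enabled >/dev/null 2>&1 && aa-enabled --quiet 2>/dev/null; then
  apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.archey4 || true
fi

# packaging/deb/prerm (new): unload so a stale profile is not left in the kernel
#!/bin/sh
if [ -d /sys/kernel/security/apparmor ] && command -v apparmor_parser >/dev/null 2>&1; then
  apparmor_parser -R /etc/apparmor.d/usr.bin.archey4 2>/dev/null || true
fi
```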