[PACKAGING] Provides a dedicated AppArmor profile

.github/ISSUE_TEMPLATE/bug_report.md

@@ -25,6 +25,7 @@ assignees: ''
  - Operating system and version : 
  - Graphical environment name and version : 
  - Connectivity (off-line, LAN only, Internet access) : 
+ - AppArmor profile loaded (yes/no, check `aa-status`) : 
 
 **Additional context**
 <!-- If applicable, add any other context about the problem here. -->

CHANGELOG.md

@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project (partially) adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- AppArmor confinement profile (included in Debian and AUR packages)
 
 ## [v4.14.3.0] - 2024-04-06
 ### Added

README.md

@@ -446,6 +446,7 @@ Below stand further descriptions for each available (default) option :
 			"name": "GPU",
 			"icon": "\ue735",
 			// The custom shell command to execute.
+			// /!\ If you're running AppArmor, don't forget to extend Archey profile through /etc/apparmor.d/local/usr.bin.archey4 !
 			"shell": true,
 			"command": "lshw -C display 2> /dev/null | rg product | cut -d ':' -f 2",
 			// A custom program and its arguments to execute.

apparmor.profile

@@ -0,0 +1,113 @@
+# Archey4 AppArmor profile
+# Copyright (C) 2023-2024 - Michael Bromilow
+# Copyright (C) 2023-2024 - Samuel Forestier <samuel+dev@forestier.app>
+
+# /!\ DO NOT MODIFY THIS FILE /!\
+# Please edit local profile extension (/etc/apparmor.d/local/usr.bin.archey4).
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile archey4 /usr/{,local/}bin/archey{,4} {
+	include <abstractions/base>
+	include <abstractions/consoles>
+	include <abstractions/nameservice>
+	include <abstractions/openssl>
+	include <abstractions/python>
+	include <abstractions/ssl_certs>
+
+	/usr/bin/ r,
+	/usr/{,local/}bin/archey{,4} r,
+
+	# configuration files
+	owner @{HOME}/.config/archey4/*.json r,
+	/etc/archey4/*.json r,
+
+	# required in order to kill sub-processes in timeout
+	capability kill,
+	signal (send),
+
+	# allow running processes listing through ps
+	/{,usr/}bin/ps PUx,
+
+	# allow distro to parse system data sources
+	/usr/lib/os-release r,
+	/etc/*[-_]{release,version} r,
+	/{,usr/}bin/lsb_release PUx,
+	/{,usr/}bin/uname PUx,
+
+	# allow screenshot tools execution
+	/{,usr/}bin/escrotum PUx,
+	/{,usr/}bin/flameshot PUx,
+	/{,usr/}bin/gnome-screenshot PUx,
+	/{,usr/}bin/grim PUx,
+	/{,usr/}bin/import-im6.q16{,hdri} PUx,
+	/{,usr/}bin/maim PUx,
+	/{,usr/}bin/scrot PUx,
+	/{,usr/}bin/shutter PUx,
+	/{,usr/}bin/spectacle PUx,
+	/{,usr/}bin/xfce4-screenshoter PUx,
+
+	# [CPU] entry
+	/{,usr/}bin/lscpu PUx,
+
+	# [Disk] entry
+	/{,usr/}bin/df PUx,
+
+	# [GPU] entry
+	/{,usr/}bin/lspci PUx,
+
+	# [Hostname] entry
+	/etc/hostname r,
+
+	# [Load Average] entry
+	@{PROC}/loadavg r,
+
+	# [Model] entry
+	@{sys}/devices/virtual/dmi/id/* r,
+	/{,usr/}bin/systemd-detect-virt PUx,
+	/{,usr/}{,s}bin/virt-what PUx,
+	/{,usr/}bin/getprop PUx,
+
+	# [Packages] entry
+	/{,usr/}bin/ls rix,
+	/{,usr/}bin/apk PUx,
+	/{,usr/}bin/dnf PUx,
+	/{,usr/}bin/dpkg PUx,
+	/{,usr/}bin/emerge PUx,
+	/{,usr/}bin/nix-env PUx,
+	/{,usr/}bin/pacman PUx,
+	/{,usr/}bin/pacstall PUx,
+	/{,usr/}bin/pkgin PUx,
+	/{,usr/}bin/port PUx,
+	/{,usr/}bin/rpm PUx,
+	/{,usr/}bin/yum PUx,
+	/{,usr/}bin/zypper PUx,
+
+	# [RAM] entry
+	/{,usr/}bin/free rix,
+
+	# [Temperature] entry
+	@{sys}/devices/thermal/thermal_zone[0-9]*/temp r,
+	/{,usr/}bin/sensors PUx,
+	/{,opt/vc/,usr/}bin/vcgencmd PUx,
+
+	# [Uptime] entry
+	@{PROC}/uptime r,
+	/{,usr/}bin/uptime rix,
+
+	# [User] & [Shell] entries
+	/{,usr/}bin/getent rix,
+
+	# [WAN IP] entry (and potentially [Kernel])
+	/{,usr/}bin/dig PUx,
+	network inet stream,  # urllib (HTTP/IP)
+	network inet6 stream,  # urllib (HTTP/IPv6)
+
+	# [Window Manager] entry
+	/{,usr/}bin/wmctrl PUx,
+
+	# allow profile extension (e.g. for user-defined [Custom] entries)
+	include if exists <local/usr.bin.archey4>
+}

packaging/after_install

@@ -3,5 +3,22 @@
 set -e
 
 
+# Handles AppArmor profile (see dh_apparmor).
+APP_PROFILE="/etc/apparmor.d/usr.bin.archey4"
+if [ -f "$APP_PROFILE" ]; then
+	# Add the local/ include
+	LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.bin.archey4"
+
+	test -e "$LOCAL_APP_PROFILE" || {
+		mkdir -p "$(dirname "$LOCAL_APP_PROFILE")"
+		install --mode 644 /dev/null "$LOCAL_APP_PROFILE"
+	}
+
+	# Reload the profile, including any abstraction updates
+	if aa-enabled --quiet 2>/dev/null; then
+		apparmor_parser -r -T -W "$APP_PROFILE" || true
+	fi
+fi
+
 # Creates a symbolic link providing `archey4` command alias.
 ln -s -f /usr/bin/archey /usr/bin/archey4

packaging/after_remove

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+
+# Handles AppArmor profile (see dh_apparmor).
+if ! [ -e /etc/apparmor.d/usr.bin.archey4 ] ; then
+	rm -f /etc/apparmor.d/disable/usr.bin.archey4 || true
+	rm -f /etc/apparmor.d/force-complain/usr.bin.archey4 || true
+	rm -f /etc/apparmor.d/local/usr.bin.archey4 || true
+	rm -f /var/cache/apparmor/*/usr.bin.archey4 || true
+	rmdir /etc/apparmor.d/disable 2>/dev/null || true
+	rmdir /etc/apparmor.d/local   2>/dev/null || true
+	rmdir /etc/apparmor.d         2>/dev/null || true
+fi

packaging/before_remove

@@ -16,3 +16,9 @@ find /usr/lib/python3*/*-packages/archey \
 	-name __pycache__ \
 	-exec \
 		rm -r {} +
+
+# Removes the AppArmor definition from kernel.
+APP_PROFILE="/etc/apparmor.d/usr.bin.archey4"
+if aa-enabled --quiet 2>/dev/null; then
+	apparmor_parser -R "$APP_PROFILE" || true
+fi

packaging/build.sh

@@ -58,6 +58,7 @@ FPM_COMMON_ARGS=(
 	--maintainer "${AUTHOR} <${AUTHOR_EMAIL}>" \
 	--after-install ./packaging/after_install \
 	--after-upgrade ./packaging/after_install \
+	--after-remove ./packaging/after_remove \
 	--before-remove ./packaging/before_remove \
 	--python-bin python3 \
 	--python-install-bin 'usr/bin/' \
@@ -73,6 +74,9 @@ echo ">>> Packages generation for ${NAME}_v${VERSION}-${REVISION} <<<"
 # Prepare the configuration file under a regular `etc/` directory.
 mkdir -p etc/archey4/ && \
 	cp config.json etc/archey4/config.json
+# Prepare the AppArmor profile (without `abi` directive, unsupported by Debian).
+mkdir -p etc/apparmor.d/ && \
+	sed '/^abi.*,$/d' apparmor.profile > etc/apparmor.d/usr.bin.archey4
 # Prepare and compress the manual page.
 sed -e "s/\${DATE}/$(date +'%B %Y')/1" -e "s/\${VERSION}/${VERSION}/1" archey.1 | \
 	gzip -c --best - > "${DIST_OUTPUT}/archey.1.gz"
@@ -92,6 +96,8 @@ export PYTHONDONTWRITEBYTECODE=1
 echo 'Now generating Debian package...'
 fpm \
 	"${FPM_COMMON_ARGS[@]}" \
+	--config-files "etc/apparmor.d/" \
+	--config-files "etc/apparmor.d/usr.bin.archey4" \
 	--output-type deb \
 	--package "${DIST_OUTPUT}/${NAME}_${VERSION}-${REVISION}_${ARCHITECTURE}.deb" \
 	--depends 'python3 >= 3.6' \
@@ -100,7 +106,7 @@ fpm \
 	--python-install-lib 'usr/lib/python3/dist-packages/' \
 	--deb-priority 'optional' \
 	--deb-field 'Recommends: procps' \
-	--deb-field 'Suggests: dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
+	--deb-field 'Suggests: apparmor, dnsutils, lm-sensors, pciutils, virt-what, wmctrl' \
 	--deb-no-default-config-files \
 	setup.py
 
@@ -157,9 +163,11 @@ done
 # 	setup.py
 
 
-# Remove the fake `etc/archey4/` tree.
+# Remove the fake `etc/archey4/` & `etc/apparmor.d/` trees.
 rm etc/archey4/config.json && \
 	rmdir --ignore-fail-on-non-empty -p etc/archey4/
+rm etc/apparmor.d/usr.bin.archey4 && \
+	rmdir --ignore-fail-on-non-empty -p etc/apparmor.d/
 
 
 # Silence some Setuptools warnings by re-enabling byte-code generation.