File apparmor.d.spec of Package apparmor.d

Overview Repositories Revisions Requests Users Attributes Meta

File apparmor.d.spec of Package apparmor.d

#
# spec file for package apparmor.d
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2023 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

# defined in home:cboltz:aa4 to enable abi/4.0
%bcond_with aa4

Name:           apparmor.d
Version:        0.0.git.1714684322.3f69b9fe
Release:        0
Summary:        Set of over 1500 AppArmor profiles
License:        GPL-2.0-only
URL:            https://github.com/roddhjav/apparmor.d
Source:         %{name}-%{version}.tar.xz
Source1:        vendor.tar.gz
# BuildRequires:  git-core # not needed for openSUSE, see https://github.com/roddhjav/apparmor.d/issues/132
BuildRequires:  distribution-release
BuildRequires:  golang-packaging
BuildRequires:  rsync
# for /etc/apparmor.d/disable symlink targets
BuildRequires:  apparmor-profiles
Requires:       apparmor-profiles

%description
AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.

For now, all profiles are packaged in complain mode.

%prep
%autosetup -p1 -a1

%build
# complain mode is default - use "make enforce" for enforce mode.
# Note: some profiles not considered stable yet will still be packaged in complain mode.
%make_build build

%if %{with aa4}
echo "=== building with abi/4.0 ==="
./.build/prebuild --complain --abi4
%else
echo "=== building with abi/3.0 ==="
./.build/prebuild --complain
%endif

%install
%make_install

# AppArmor 4.0 contains several profiles that allow userns and are otherwise unconfined.
# Rename their (better) apparmor.d counterpart, and disable those from AppArmor.
mkdir %{buildroot}/etc/apparmor.d/disable/
rpm -q apparmor-profiles | grep apparmor-profiles-3 || \
for profile in brave chrome element-desktop epiphany firefox flatpak loupe msedge nautilus opera plasmashell slirp4netns systemd-coredump thunderbird virtiofsd ; do
	mv -vi %{buildroot}/etc/apparmor.d/$profile %{buildroot}/etc/apparmor.d/${profile}-apparmor.d
	( cd %{buildroot}/etc/apparmor.d/disable/ && ln -sv ../$profile )
done

%posttrans
# workaround for bnc#904620#c8 / lp#1392042
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:

%files
%license LICENSE
%doc README.md

# libvirtd and virt-aa-helper conflict with the profiles shipped in libvirt-daemon-common
%exclude /etc/apparmor.d/libvirtd
%exclude /etc/apparmor.d/virt-aa-helper
# unix-chkpwd (based on, but not idendical to the apparmor.d profile) is now part of the apparmor-profiles package
%exclude /etc/apparmor.d/unix-chkpwd
# hostapd is part of the hostapd package
%exclude /etc/apparmor.d/hostapd

%config(noreplace) /etc/apparmor.d/

/usr/bin/aa-log

%dir /usr/lib/systemd/system/*.service.d
/usr/lib/systemd/system/*.service.d/apparmor.conf
%dir /usr/lib/systemd/user/*.service.d
/usr/lib/systemd/user/*.service.d/apparmor.conf

/usr/share/bash-completion/completions/aa-log

%dir /usr/share/zsh
%dir /usr/share/zsh/site-functions
/usr/share/zsh/site-functions/_aa-log.zsh

%changelog

Places

File apparmor.d.spec of Package apparmor.d

Places