hooks: add script to remove unneeded apparmor profiles #181
base: master
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| #!/bin/bash -e | ||
| set -x | ||
| APPARMOR_PROF_D="etc/apparmor.d" | ||
|
|
||
| declare -A allowed_profs | ||
|
|
||
| num_prof=0 | ||
|
|
||
| for profile in "$APPARMOR_PROF_D"/*; do | ||
| # Skip if it is a directory | ||
| if [ -d "$profile" ]; then | ||
| continue | ||
| fi | ||
| # Skip if not a regular file | ||
| if [ ! -f "$profile" ]; then | ||
| continue | ||
| fi | ||
| num_prof=$((num_prof + 1)) | ||
|
|
||
| filename=$(basename "$profile") | ||
| if ! [[ -v allowed_profs["$filename"] ]]; then | ||
| printf "Apparmor profile %s is not allowed\n" "$filename" | ||
| exit 1 | ||
| fi | ||
| done | ||
|
|
||
| if [ "$num_prof" -ne "${#allowed_profs[@]}" ]; then | ||
| # If there were more we would have failed in the loop | ||
| printf "Less number of apparmor profiles than expected\n" | ||
| exit 1 | ||
| fi | ||
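Review bot: `APPARMOR_PROF_D="etc/apparmor.d"` is a relative path, so the glob `"$APPARMOR_PROF_D"/*` depends on whatever directory the hook happens to run from; if that directory is missing (or the cwd is not the image root), the unmatched glob is left as the literal string `etc/apparmor.d/*`, both the `-d` and `-f` tests skip it, `num_prof` stays at 0, and the final `-ne "${#allowed_profs[@]}"` comparison passes against the empty `allowed_profs` array, so the check succeeds without having inspected a single profile. Suggest anchoring the path explicitly and failing early when it is absent, e.g. `[ -d "$APPARMOR_PROF_D" ] || { printf "missing %s\n" "$APPARMOR_PROF_D"; exit 1; }`, so the "no profiles remain" assertion is actually verified rather than vacuously true. Minor: the message `Less number of apparmor profiles than expected` reads better as `Fewer apparmor profiles than expected`.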
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,54 @@ | ||||||||||
| #!/bin/bash -ex | ||||||||||
|
|
||||||||||
| # Check profiles in /etc/apparmor.d/ and removes them if no matching binary | ||||||||||
| # exists. | ||||||||||
|
|
||||||||||
| APPARMOR_PROF_D="/etc/apparmor.d" | ||||||||||
|
|
||||||||||
| # The list of directories to check for binaries | ||||||||||
| SEARCH_DIRS=( | ||||||||||
| "/usr/bin" | ||||||||||
| "/usr/sbin" | ||||||||||
| "/usr/lib/systemd" | ||||||||||
| "/usr/lib/snapd" | ||||||||||
| "/usr/lib/cargo/bin" | ||||||||||
| ) | ||||||||||
|
|
||||||||||
| echo "Starting AppArmor profile cleanup..." | ||||||||||
|
|
||||||||||
| # Iterate through files in /etc/apparmor.d/ | ||||||||||
| for profile in "$APPARMOR_PROF_D"/*; do | ||||||||||
|
||||||||||
| # Skip if it is a directory | ||||||||||
| if [ -d "$profile" ]; then | ||||||||||
| continue | ||||||||||
| fi | ||||||||||
| # Skip if not a regular file | ||||||||||
| if [ ! -f "$profile" ]; then | ||||||||||
| continue | ||||||||||
| fi | ||||||||||
|
|
||||||||||
| filename=$(basename "$profile") | ||||||||||
|
|
||||||||||
| # unix-chkpwd profile is actually for unix_chkpwd, fix this naming issue here | ||||||||||
| if [ "$filename" = unix-chkpwd ] | ||||||||||
| then filename=unix_chkpwd | ||||||||||
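Review bot: keying the binary lookup on the profile's filename (the `unix-chkpwd` to `unix_chkpwd` rename in this hunk is the only mismatch handled) and searching only the five `SEARCH_DIRS` entries means any profile whose name differs from its binary, or whose binary lives outside those directories, will be judged unneeded and removed per the header comment, dropping confinement the package deliberately shipped. Suggest resolving the target from the profile's own `profile` line or attachment path instead of the filename, and logging each removal together with the reason so the hook's effect can be reviewed in the build log. Style: `if [ "$filename" = "unix-chkpwd" ]; then` on one line matches the `if ... ]; then` form used elsewhere in this file.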
Comment on lines +33 to +34:
| if [ "$filename" = unix-chkpwd ] | |
| then filename=unix_chkpwd | |
| if [ "$filename" = "unix-chkpwd" ]; then | |
| filename=unix_chkpwd |
The allowed_profs associative array is intentionally empty to indicate that no AppArmor profiles are expected in core20. Consider adding a comment here to make this explicit, such as:
# Core20 expects no AppArmor profiles to remain after cleanup.
This would improve code clarity for future maintainers.