Bug 41243: Add apparmor profile to deb package

6d8e1d6f · boklm · 7e3a10f5 · 6d8e1d6f · 6d8e1d6f · 6d8e1d6f
Unverified Commit 6d8e1d6f authored 11 months ago by boklm
--- a/projects/linux-packages/config
+++ b/projects/linux-packages/config
@@ -36,6 +36,7 @@ targets:
        - dpkg-dev
        - debhelper
        - dh-exec
+        - dh-apparmor
        # Packages needed to generate dependencies for the deb package
        - linux-libc-dev
        - libasound2-dev
@@ -148,6 +149,10 @@ input_files:
    enable: '[% c("var/build_deb_pkg") || c("var/build_rpm_pkg") %]'

  # Debian Package
+  - filename: debian/apparmor
+    content: "[% INCLUDE 'debian/apparmor.in' %]"
+    refresh_input: 1
+    enable: '[% c("var/build_deb_pkg") %]'
  - filename: debian/changelog
    content: "[% INCLUDE 'debian/changelog.in' %]"
    refresh_input: 1

--- a/projects/linux-packages/debian/apparmor.in
+++ b/projects/linux-packages/debian/apparmor.in
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# AppArmor policy for [% c("var/system_pkg/pkg_name") %]
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile [% c("var/system_pkg/pkg_name") %] /[% c('var/system_pkg/install_path') %]/[% c("var/projectname") %].real flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/[% c("var/system_pkg/pkg_name") %]>
+}
--- a/projects/linux-packages/debian/control.in
+++ b/projects/linux-packages/debian/control.in
@@ -2,7 +2,7 @@ Source: [% c("var/system_pkg/pkg_name") %]
 Maintainer: [% c("var/Project_Name") %] Developers <torbrowser@torproject.org>
 Priority: optional
 Section: web
-Build-Depends: debhelper (>= 9)
+Build-Depends: debhelper (>= 9), dh-apparmor

 Package: [% c("var/system_pkg/pkg_name") %]
 Architecture: [% c("var_p/system_pkg/deb_archs").join(" ") %]

--- a/projects/linux-packages/debian/rules.in
+++ b/projects/linux-packages/debian/rules.in
@@ -12,3 +12,8 @@ override_dh_strip:

 override_dh_shlibdeps:
 	dh_shlibdeps -Xabicheck[% IF c("var/tor-browser") %] -l$(CURDIR)/debian/[% c("var/system_pkg/pkg_name") %]/[% c('var/system_pkg/install_path') %]/TorBrowser/Tor[% END %]
+
+override_dh_install:
+	mkdir -p debian/[% c("var/system_pkg/pkg_name") %]/etc/apparmor.d
+	cp debian/apparmor debian/[% c("var/system_pkg/pkg_name") %]/etc/apparmor.d/[% c("var/system_pkg/pkg_name") %]
+	dh_apparmor --profile-name=[% c("var/system_pkg/pkg_name") %] -p[% c("var/system_pkg/pkg_name") %]