ospack: Switch AppArmor profiles to complain mode

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working.

In particular, the logind, Canterbury and Ribchester profiles prevent
the Mildenhall HMI from appearing on the screen.

Until they get updated, switch them to complain mode rather
than enforcing.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

apertis-ospack-basesdk.yaml

@@ -546,6 +546,11 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false

apertis-ospack-minimal.yaml

@@ -156,6 +156,23 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  {{ if eq $ivitools "enabled" }}
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+  {{ end }}
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false

apertis-ospack-sdk.yaml

@@ -742,6 +742,21 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false

apertis-ospack-target.yaml

@@ -260,6 +260,23 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  {{ if eq $ivitools "enabled" }}
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+  {{ end }}
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false

scripts/apparmor-profile-switch-to-complain.sh

+#!/bin/sh
+
+set -eu
+
+for ARG in "$@"
+do
+    PROFILE=$(basename "$ARG")
+    "AppArmor: forcing profile $PROFILE in complain mode"
+    ln -s "../$PROFILE" "${ROOTDIR}/etc/apparmor.d/force-complain/"
+done