ospack: Switch AppArmor profiles back to enforce mode

This reverts commit fffab36d, "ospack: Switch AppArmor profiles to complain mode". After the rebase to Buster, some AppArmor profiles have become problematic and prevent the components from working. In particular, the logind, Canterbury and Ribchester profiles prevent the Mildenhall HMI from appearing on the screen so they were forced into complain mode rather than enforce mode. Now the underlying issue has been fixed in APERTIS-5840 the profiles can be restored to their enforcing mode. Fixes: https://phabricator.apertis.org/T6010 Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

ospack: Switch AppArmor profiles back to enforce mode
This reverts commit fffab36d, "ospack: Switch AppArmor profiles to complain mode". After the rebase to Buster, some AppArmor profiles have become problematic and prevent the components from working. In particular, the logind, Canterbury and Ribchester profiles prevent the Mildenhall HMI from appearing on the screen so they were forced into complain mode rather than enforce mode. Now the underlying issue has been fixed in APERTIS-5840 the profiles can be restored to their enforcing mode. Fixes: https://phabricator.apertis.org/T6010 Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
69c4a7d9 · Emanuele Aina · 9801313d · 69c4a7d9 · 69c4a7d9 · 69c4a7d9
Commit 69c4a7d9 authored 5 years ago by Emanuele Aina
--- a/apertis-ospack-basesdk.yaml
+++ b/apertis-ospack-basesdk.yaml
@@ -570,16 +570,6 @@ actions:
    chroot: true
    script: scripts/generate_locales.sh
-  - action: run
-    description: Switch the logind AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
-  - action: run
-    description: Switch the Tracker AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.lib.tracker
  # work around the Debos isssue in https://phabricator.apertis.org/T4308
  - action: run
    chroot: false

--- a/apertis-ospack-minimal.yaml
+++ b/apertis-ospack-minimal.yaml
@@ -171,26 +171,6 @@ actions:
    chroot: true
    script: scripts/generate_locales.sh
-  - action: run
-    description: Switch the logind AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
-  - action: run
-    description: Switch the Canterbury AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
-  - action: run
-    description: Switch the Ribchester AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
-  - action: run
-    description: Switch the Newport AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.newport
  # work around the Debos isssue in https://phabricator.apertis.org/T4308
  - action: run
    chroot: false

--- a/apertis-ospack-sdk.yaml
+++ b/apertis-ospack-sdk.yaml
@@ -748,41 +748,6 @@ actions:
    chroot: true
    script: scripts/generate_locales.sh
-  - action: run
-    description: Switch the logind AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
-  - action: run
-    description: Switch the Canterbury AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
-  - action: run
-    description: Switch the Ribchester AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
-  - action: run
-    description: Switch the Newport AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.newport
-  - action: run
-    description: Switch the Rhosydd AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.rhosydd
-  - action: run
-    description: Switch the Tracker AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.lib.tracker
-  - action: run
-    description: Switch the Frome AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.frome
  # work around the Debos isssue in https://phabricator.apertis.org/T4308
  - action: run
    chroot: false

--- a/apertis-ospack-target.yaml
+++ b/apertis-ospack-target.yaml
@@ -286,43 +286,6 @@ actions:
    chroot: true
    script: scripts/generate_locales.sh
-  - action: run
-    description: Switch the logind AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
-  {{ if eq $ivitools "enabled" }}
-  - action: run
-    description: Switch the Canterbury AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
-  - action: run
-    description: Switch the Ribchester AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
-  - action: run
-    description: Switch the Newport AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.newport
-  - action: run
-    description: Switch the Rhosydd AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.rhosydd
-  {{ end }}
-  - action: run
-    description: Switch the Tracker AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.lib.tracker
-  - action: run
-    description: Switch the Frome AppArmor profile to complain mode
-    chroot: false
-    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.bin.frome
  # work around the Debos isssue in https://phabricator.apertis.org/T4308
  - action: run
    chroot: false

--- a/scripts/apparmor-profile-switch-to-complain.sh
+++ b/scripts/apparmor-profile-switch-to-complain.sh
-#!/bin/sh
-set -eu
-for ARG in "$@"
-do
-    PROFILE=$(basename "$ARG")
-    echo "AppArmor: forcing profile $PROFILE in complain mode"
-    ln -s "../$PROFILE" "${ROOTDIR}/etc/apparmor.d/force-complain/"
-done