From fffab36dec195a9a1ee594a05805c35ca97e63ad Mon Sep 17 00:00:00 2001
From: Emanuele Aina <emanuele.aina@collabora.com>
Date: Sun, 24 Mar 2019 00:55:15 +0100
Subject: [PATCH] ospack: Switch AppArmor profiles to complain mode

After the rebase to Buster, some AppArmor profiles have become
problematic and prevent the components from working.

In particular, the logind, Canterbury and Ribchester profiles prevent
the Mildenhall HMI from appearing on the screen.

Until they get updated, switch them to complain mode rather
than enforcing.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
---
 apertis-ospack-basesdk.yaml                    |  5 +++++
 apertis-ospack-minimal.yaml                    | 15 +++++++++++++++
 apertis-ospack-sdk.yaml                        | 15 +++++++++++++++
 apertis-ospack-target.yaml                     | 17 +++++++++++++++++
 scripts/apparmor-profile-switch-to-complain.sh | 10 ++++++++++
 5 files changed, 62 insertions(+)
 create mode 100755 scripts/apparmor-profile-switch-to-complain.sh

diff --git a/apertis-ospack-basesdk.yaml b/apertis-ospack-basesdk.yaml
index 7f4ceae1..12afe1c0 100644
--- a/apertis-ospack-basesdk.yaml
+++ b/apertis-ospack-basesdk.yaml
@@ -546,6 +546,11 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false
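Review bot: The added `run` action has no comment marking it as a temporary relaxation, so nothing in the recipe says when logind should return to enforce mode. In complain mode AppArmor only logs policy violations instead of blocking them, and the commit message describes this as a stopgap until the profiles are updated. I would put a comment above the action, for example `# TEMPORARY: logind profile forced to complain mode after the Buster rebase; drop once the profile is fixed`, and do the same for the matching actions in apertis-ospack-minimal.yaml, apertis-ospack-sdk.yaml and apertis-ospack-target.yaml. The `actions:` list this belongs to starts and continues outside the hunk.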
diff --git a/apertis-ospack-minimal.yaml b/apertis-ospack-minimal.yaml
index dd2da34a..ba947f4e 100644
--- a/apertis-ospack-minimal.yaml
+++ b/apertis-ospack-minimal.yaml
@@ -153,6 +153,21 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false
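Review bot: The Canterbury and Ribchester actions pick their profiles with the wildcards `usr.*.canterbury*` and `usr.*.ribchester*`, so the set of profiles that lose enforcement is decided by whatever files match at build time rather than by the recipe. Any profile later installed under a matching name would be switched to complain mode without a recipe change, although each description line speaks of a single profile. Listing the exact profile file names, as the logind action does, would keep the relaxation limited to the profiles known to be broken. The same patterns appear in the apertis-ospack-sdk.yaml and apertis-ospack-target.yaml hunks; whether they are expanded at all depends on how debos invokes the `script:` line, which is not visible here.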
diff --git a/apertis-ospack-sdk.yaml b/apertis-ospack-sdk.yaml
index 9095c51f..229ab91c 100644
--- a/apertis-ospack-sdk.yaml
+++ b/apertis-ospack-sdk.yaml
@@ -742,6 +742,21 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false
diff --git a/apertis-ospack-target.yaml b/apertis-ospack-target.yaml
index b8c3e295..b388738d 100644
--- a/apertis-ospack-target.yaml
+++ b/apertis-ospack-target.yaml
@@ -260,6 +260,23 @@ actions:
     chroot: true
     script: scripts/generate_locales.sh
 
+  - action: run
+    description: Switch the logind AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/lib.systemd.systemd-logind
+
+  {{ if eq $ivitools "enabled" }}
+  - action: run
+    description: Switch the Canterbury AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.canterbury*
+
+  - action: run
+    description: Switch the Ribchester AppArmor profile to complain mode
+    chroot: false
+    script: scripts/apparmor-profile-switch-to-complain.sh ${ROOTDIR}/etc/apparmor.d/usr.*.ribchester*
+  {{ end }}
+
   # work around the Debos isssue in https://phabricator.apertis.org/T4308
   - action: run
     chroot: false
diff --git a/scripts/apparmor-profile-switch-to-complain.sh b/scripts/apparmor-profile-switch-to-complain.sh
new file mode 100755
index 00000000..8c8ad080
--- /dev/null
+++ b/scripts/apparmor-profile-switch-to-complain.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -eu
+
+for ARG in "$@"
+do
+    PROFILE=$(basename "$ARG")
+    echo "AppArmor: forcing profile $PROFILE in complain mode"
+    ln -s "../$PROFILE" "${ROOTDIR}/etc/apparmor.d/force-complain/"
+done
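Review bot: The loop never checks that `$ARG` names an existing profile, so `ln -s` will create a dangling link in `force-complain/` when a profile is missing or when an unmatched wildcard from the recipes arrives as a literal string. The build then succeeds and the log line claims the profile was forced to complain mode, although presumably no real profile is affected. A guard before the `basename` call would make this visible, for example `[ -e "$ARG" ] || { echo "AppArmor: profile $ARG not found" >&2; exit 1; }`. A short header comment stating that the profile must sit directly in `${ROOTDIR}/etc/apparmor.d`, since the link target is `../$PROFILE`, would also help.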
-- 
GitLab