From 12b37e696c7f7ad77cfddc92205801397010a256 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 5 Feb 2019 02:26:09 +0000
Subject: Retain local apparmor customizations

This fixes https://github.com/netblue30/firejail/issues/2388.
---
 Makefile.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index 4e87d4ae0..0cbbb374c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR)
 sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;"
 install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/.
 sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;"
- install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.
+ # install apparmor profile customization file
+ sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;"
 endif
 # man pages
 install -m 0755 -d $(DESTDIR)/$(mandir)/man1
--
cgit v1.2.3-54-g00ecf

From 83f7c7199abcb7d2e643d04b0e4831628b6d91e4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 5 Feb 2019 08:47:47 +0000
Subject: Stress apparmor local overrides

As per discussion on https://github.com/netblue30/firejail/pull/2390, we better use slightly stronger/less optional wording when it comes to where local apparmor overrides need to be done.
---
 src/man/firejail.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 16004193d..052aeb56b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
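Review bot: The new `[ ! -f ... ]` guard on the `firejail-local` install line leaves an existing override file completely untouched, so its mode is no longer reset to 0644 and nothing in the install output shows that the file was skipped. Because this file carries site overrides for the `firejail-default` AppArmor profile, a stale or loosely-permissioned copy would now persist across every reinstall; I would at least report the skip, e.g. end the command with `else echo 'keeping existing apparmor.d/local/firejail-local'; fi;`. Note also that `-f` is false for a dangling symlink, so for a symlink-managed override whose target is missing the install still runs against that path; adding `&& [ ! -L ... ]` on the same path would close that gap. The added recipe comment could say what the change is for, e.g. `# install apparmor profile customization file, unless one already exists`. The install recipe begins and ends outside this hunk, so how the rest of it treats existing files is not visible here.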
@@ -2527,7 +2527,7 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c
 .br
 $ ./configure --prefix=/usr --enable-apparmor
 .TP
-During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root:
+During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root:
 .br
 .br
--
cgit v1.2.3-54-g00ecf

From 96e4715421b3a1aecd4ca728db98587611ba0d77 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Tue, 5 Feb 2019 08:53:28 +0000
Subject: Update firejail-local

---
 etc/firejail-local | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/firejail-local b/etc/firejail-local
index cddf44f13..f086653f8 100644
--- a/etc/firejail-local
+++ b/etc/firejail-local
@@ -1 +1,2 @@
-# Site-specific additions and overrides for 'firejail-default'
+# Site-specific additions and overrides for 'firejail-default'.
+# For more details, please see /etc/apparmor.d/local/README.
--
cgit v1.2.3-54-g00ecf