/snap-confine

Move apparmor profile for snap-confine to src/ #98

Merged
merged 2 commits into from Aug 11, 2016
Commits
Jump to file or symbol
Failed to load files and symbols.
+15 −7
Split
View
2 debian/rules
@@ -25,5 +25,5 @@ override_dh_fixperms:
dh_fixperms -Xusr/lib/snapd/snap-confine
override_dh_installdeb:
- dh_apparmor --profile-name=usr.bin.snap-confine -psnap-confine
+ dh_apparmor --profile-name=usr.lib.snapd.snap-confine -psnap-confine
dh_installdeb
View
2 debian/snap-confine.install
@@ -1,3 +1,3 @@
-debian/usr.bin.snap-confine etc/apparmor.d
+etc/apparmor.d/*.snap-confine
lib/*
usr/lib/snapd/*
View
14 src/Makefile.am
@@ -85,15 +85,23 @@ fmt:
indent -linux "$$f"; \
done;
-EXTRA_DIST = 80-snappy-assign.rules snappy-app-dev
+EXTRA_DIST = 80-snappy-assign.rules snappy-app-dev snap-confine.apparmor.in
+
+snap-confine.apparmor: snap-confine.apparmor.in Makefile
+ sed -e 's,[@]LIBEXECDIR[@],$(libexecdir),g' <$< >$@
# NOTE: This makes distcheck fail but it is required for udev, so go figure.
# http://www.gnu.org/software/automake/manual/automake.html#Hard_002dCoded-Install-Paths
#
-# Install udev rules
-install-data-local:
+# Install udev rules and the apparmor profile
+#
+# NOTE: the funky make functions here just convert /foo/bar/froz into foo.bar.froz
+# The inner subst replaces slashes with dots and the outer patsubst strips the leading dot
+install-data-local: snap-confine.apparmor
install -d -m 755 $(DESTDIR)$(shell pkg-config udev --variable=udevdir)/rules.d
install -m 644 $(srcdir)/80-snappy-assign.rules $(DESTDIR)$(shell pkg-config udev --variable=udevdir)/rules.d
+ install -d -m 755 $(DESTDIR)/etc/apparmor.d/
+ install -m 644 snap-confine.apparmor $(DESTDIR)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine
# Install support script for udev rules
install-exec-local:
View
0 src/snap-confine.apparmor
No changes.
View
4 debian/usr.bin.snap-confine → src/snap-confine.apparmor.in
@@ -1,7 +1,7 @@
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
-/usr/lib/snapd/snap-confine (attach_disconnected) {
+@LIBEXECDIR@/snap-confine (attach_disconnected) {
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/ld.so.cache r,
@@ -17,7 +17,7 @@
/usr/lib/@{multiarch}/libseccomp.so* mr,
/lib/@{multiarch}/libseccomp.so* mr,
- /usr/lib/snapd/snap-confine r,
+ @LIBEXECDIR@/snap-confine r,
/dev/null rw,
/dev/full rw,