[pull] main from roddhjav:main

.github/workflows/main.yml

@@ -9,9 +9,14 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
+      - name: Install linter dependencies
+        run: |
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
       - name: Run basic profile linter check
         run: |
-          make check
+          just check
 
   build:
     runs-on: ${{ matrix.os }}
@@ -21,10 +26,6 @@ jobs:
         include:
           - os: ubuntu-24.04
             mode: default
-          - os: ubuntu-24.04
-            mode: full-system-policy
-          - os: ubuntu-22.04
-            mode: default
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -35,32 +36,23 @@ jobs:
           sudo apt-get install -y \
             devscripts debhelper config-package-dev \
             auditd apparmor-profiles apparmor-utils
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
           sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
 
       - name: Build the apparmor.d package
         run: |
-          if [[ ${{ matrix.mode }} == full-system-policy ]]; then
-            echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
-          fi
-          if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
-            # Test with Re-attach disconnected path
-            sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
-            sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
-          fi
-          bash dists/build.sh dpkg
+          just build-dpkg
 
       - name: Install apparmor.d
         run: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
 
       - name: Reload AppArmor
         run: |
-          sudo systemctl restart apparmor.service || true
-          sudo systemctl status apparmor.service
-
-      - name: Ensure compatibility with some AppArmor userspace tools
-        if: matrix.os != 'ubuntu-24.04'
-        run: |
-          sudo aa-enforce /etc/apparmor.d/aa-notify
+            if ! sudo systemctl restart apparmor.service; then
+              sudo journalctl -xeu apparmor.service
+              exit 1
+            fi
 
       - name: Show AppArmor log and rules
         run: |
@@ -81,6 +73,7 @@ jobs:
   tests:
     runs-on: ubuntu-24.04
     needs: build
+    if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -100,7 +93,8 @@ jobs:
           sudo apt-get install -y \
             apparmor-profiles apparmor-utils \
             bats bats-support
-          sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
 
       - name: Install apparmor.d
         run: |
@@ -132,11 +126,12 @@ jobs:
 
       - name: Install integration dependencies
         run: |
-          bash tests/requirements.sh
+          just init
+          find /usr/sbin/ -type f
 
       - name: Run the integration tests
         run: |
-          make integration
+          just integration
 
       - name: Show final AppArmor logs
         if: always()

.gitignore

@@ -1,10 +1,17 @@
 # Build
 .build
 .logs
+.pkg
+.tree
+.snapd
+/snap
+snapd.backup
 tests/tldr
 tests/tldr.tar.gz
+tests/bats_dirty
 
 # mkdocs
+__pycache__
 .cache
 public
 site
@@ -13,11 +20,12 @@ site
 *.deb
 *.buildinfo
 *.changes
-debian/hardened
 debian/.debhelper
 debian/*.debhelper
 
 # Debian build packages
+debian/apparmor.d.*/
+debian/apparmor.d-*/
 debian/apparmor.d.displace
 debian/apparmor.d.substvars
 debian/apparmor.d/

.gitlab-ci.yml

@@ -1,9 +1,7 @@
 ---
 
-include:
-  - template: Security/SAST.gitlab-ci.yml
-
 variables:
+  PKGNAME: apparmor.d
   PKGDEST: $CI_PROJECT_DIR/.pkg
   PACKAGER: 'Alexandre Pujol <alexandre@pujol.io>'
 
@@ -23,8 +21,9 @@ bash:
   image: koalaman/shellcheck-alpine
   script:
     - shellcheck --shell=bash
-        PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
-        tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh
+        PKGBUILD dists/*.sh tests/check.sh
+        tests/packer/*.sh tests/packer/src/aa-update
+        tests/autopkgtest/autopkgtest.sh debian/common.postinst debian/common.postrm
 
 golangci-lint:
   stage: lint
@@ -38,12 +37,8 @@ packer:
     name: hashicorp/packer:latest
     entrypoint: [""]
   script:
-    - cd tests &&
-      packer fmt --check packer/ &&
-      packer validate --syntax-only packer/
-
-sast:
-  stage: lint
+    - packer fmt tests/packer/
+    - packer validate --syntax-only tests/packer/
 
 
 # Code test
@@ -62,11 +57,13 @@ tests:
     - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out
     - go tool cover -func=coverage.out
 
-check:
+# Disabled as it is long and we reach the limit of GitLab CI minutes
+# Enabled in Github Actions CI
+.check:
   stage: test
   image: registry.gitlab.com/roddhjav/builders/archlinux
   script:
-    - make check
+    - just check
 
 # Package Build
 # -------------
@@ -84,29 +81,28 @@ archlinux:
 
 debian:
   stage: build
-  image: registry.gitlab.com/roddhjav/builders/debian:12
+  image: registry.gitlab.com/roddhjav/builders/debian:13
   script:
     - sudo chown -R build:build /builds/
     - git config --global --add safe.directory $CI_PROJECT_DIR
     - mkdir -p "$PKGDEST"
-    - sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release
-    - sudo apt-get install -y -t bookworm-backports golang-go
-    - bash dists/build.sh dpkg
+    - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
+    - just build-dpkg
   artifacts:
     expire_in: 1 day
     paths:
       - $PKGDEST/*.deb
 
 ubuntu:
   stage: build
-  image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04
+  image: registry.gitlab.com/roddhjav/builders/ubuntu:26.04
   variables:
     GOFLAGS: "-buildvcs=false"
   script:
     - git config --global --add safe.directory $CI_PROJECT_DIR
     - mkdir -p "$PKGDEST"
-    - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release
-    - bash dists/build.sh dpkg
+    - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
+    - just build-dpkg
   artifacts:
     expire_in: 1 day
     paths:
@@ -117,15 +113,15 @@ whonix:
   variables:
     DISTRIBUTION: whonix
   before_script:
-    - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
+    - sed -e "s/just complain/just fsp-complain/" -i debian/rules
 
 opensuse:
   stage: build
   image: registry.gitlab.com/roddhjav/builders/opensuse
   script:
     - mkdir -p "$PKGDEST"
     - sudo zypper install -y distribution-release golang-packaging apparmor-profiles
-    - bash dists/build.sh rpm
+    - just build-rpm
   artifacts:
     expire_in: 1 day
     paths:
@@ -142,32 +138,32 @@ preprocess-archlinux:
     - archlinux
   script:
     - pacman -Syu --noconfirm --noprogressbar apparmor
-    - pacman -U --noconfirm --noprogressbar $PKGDEST/*
+    - pacman -U --noconfirm --noprogressbar $PKGDEST/${PKGNAME}-*
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
 preprocess-debian:
   stage: preprocess
-  image: debian
+  image: debian:13
   dependencies:
     - debian
   script:
     - apt-get update -q
     - apt-get install -y apparmor apparmor-profiles
-    - dpkg --install $PKGDEST/*
+    - dpkg --install $PKGDEST/${PKGNAME}_*
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
 preprocess-ubuntu:
   stage: preprocess
-  image: ubuntu
+  image: ubuntu:26.04
   dependencies:
     - ubuntu
   script:
     - apt-get update -q
     - apt-get install -y apparmor apparmor-profiles
-    - dpkg --install $PKGDEST/*
+    - dpkg --install $PKGDEST/${PKGNAME}_*
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
-preprocess-whonix:
+.preprocess-whonix:
   extends: preprocess-debian
   dependencies:
     - whonix
@@ -183,7 +179,7 @@ preprocess-opensuse:
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
 
-# Deploy the documentation 
+# Deploy the documentation
 # ------------------------
 
 pages:
@@ -195,7 +191,9 @@ pages:
     GIT_DEPTH: 0
   script:
     - pip install -r requirements.txt
-    - mkdocs build --site-dir public
+    - bash dists/docstring.sh
+    - zensical build --strict
+    - mv site public
   artifacts:
     paths:
       - public

.golangci.yaml

@@ -1,15 +1,27 @@
 ---
 
 version: "2"
+
 linters:
   settings:
+    errcheck:
+      exclude-functions:
+        - (*os.File).Close
+        - (*os.File).WriteString
+        - (*os.Process).Kill
+        - (*github.com/roddhjav/apparmor.d/pkg/paths.Process).Kill
+        - (*bufio.Writer).Flush
+        - (*bufio.Writer).WriteString
+        - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).Chmod
+        - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).Remove
+        - (*github.com/roddhjav/apparmor.d/pkg/paths.Path).RemoveAll
+        - (*github.com/roddhjav/apparmor.d/cmd/aa-flatpak.FileWatcher).Close
+        - os.Remove
+        - path/filepath.WalkDir
     staticcheck:
       checks:
         - all
-        - -SA1019
-        - -ST1000
   exclusions:
-      paths:
-      - pkg/paths
+    paths:
+      - internal/
       - tests/cmd/
-