From 9dbf1c0566891b271815e145f385b9a1680c4146 Mon Sep 17 00:00:00 2001
From: Ark74
Date: Fri, 19 Sep 2025 03:57:40 -0600
Subject: [PATCH] casper: setup appamor live reload profiles
---
 helpers/DATA/casper/35apparmor_browsers | 33 ----------
 helpers/DATA/casper/36apparmor_live | 61 +++++++++++++++++++
 .../002-setup_apparmor_live_reload.patch | 29 +++++++++
 helpers/make-casper | 8 +--
 4 files changed, 94 insertions(+), 37 deletions(-)
 delete mode 100644 helpers/DATA/casper/35apparmor_browsers
 create mode 100644 helpers/DATA/casper/36apparmor_live
 create mode 100644 helpers/DATA/casper/patch_changes/002-setup_apparmor_live_reload.patch
diff --git a/helpers/DATA/casper/35apparmor_browsers b/helpers/DATA/casper/35apparmor_browsers
deleted file mode 100644
index c3ac340..0000000
--- a/helpers/DATA/casper/35apparmor_browsers
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-DESCRIPTION="Enabling Abrowser apparmor profile..."
-
-prereqs()
-{
- echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
- prereqs
- exit 0
- ;;
-esac
-
-. /scripts/casper-functions
-
-log_begin_msg "$DESCRIPTION"
-
-cat << 'EOF' > /root/etc/rc.local
-#!/bin/sh
-# Enable apparmor profile during live session to allow Abrowser to create user namespaces
-BROWSERS="abrowser icecat"
-for browser in $BROWSERS; do
-[ -d /rofs ] && apparmor_parser -a /etc/apparmor.d/$browser
-done
-EOF
-chmod 755 /root/etc/rc.local
-
-log_end_msg
diff --git a/helpers/DATA/casper/36apparmor_live b/helpers/DATA/casper/36apparmor_live
new file mode 100644
index 0000000..094a847
--- /dev/null
+++ b/helpers/DATA/casper/36apparmor_live
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+PREREQ=""
+DESCRIPTION="Enabling Live apparmor profiles..."
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /scripts/casper-functions
+
+log_begin_msg "$DESCRIPTION"
+
+RC_EXIST=0
+
+if [ ! -e /root/etc/rc.local ]; then
+ umask 022
+ mkdir -p /root/etc
+ cat << 'EOF' > /root/etc/rc.local
+#!/bin/sh
+exit 0
+EOF
+ chmod 755 /root/etc/rc.local
+ RC_EXIST=1
+fi
+
+if [ "$RC_EXIST" -eq 0 ]; then
+ head -n1 /root/etc/rc.local | grep -q '^#!' || sed -i '1s|^|#!/bin/sh\n|' /root/etc/rc.local
+ sed -i 's/\r$//' /root/etc/rc.local
+ chmod 755 /root/etc/rc.local
+fi
+
+if ! grep -q 'BEGIN trisquel-live-apparmor' /root/etc/rc.local 2>/dev/null; then
+ sed -i '/^exit 0$/d' /root/etc/rc.local
+ cat << 'EOF' >> /root/etc/rc.local
+# --- BEGIN trisquel-live-apparmor ---
+if [ -d /rofs ]; then
+ /usr/lib/casper/casper-apparmor-live || true
+fi
+# --- END trisquel-live-apparmor ---
+EOF
+ echo 'exit 0' >> /root/etc/rc.local
+fi
+
+mkdir -p /root/etc/apt/apt.conf.d
+cat << 'APT' > /root/etc/apt/apt.conf.d/99-apparmor-live-hook
+# /etc/apt/apt.conf.d/99-apparmor-live-hook
+DPkg::Post-Invoke { "sh -c '[ -d /rofs ] && /usr/lib/casper/casper-apparmor-live || true'"; };
+APT
+chmod 644 /root/etc/apt/apt.conf.d/99-apparmor-live-hook
+
+log_end_msg
diff --git a/helpers/DATA/casper/patch_changes/002-setup_apparmor_live_reload.patch b/helpers/DATA/casper/patch_changes/002-setup_apparmor_live_reload.patch
new file mode 100644
index 0000000..d78ec82
--- /dev/null
+++ b/helpers/DATA/casper/patch_changes/002-setup_apparmor_live_reload.patch
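Review bot: `sed -i '/^exit 0$/d' /root/etc/rc.local` in the marker-insertion branch deletes every line that is exactly `exit 0`, not only the trailing one, so on an image that already ships an rc.local with an early `exit 0` inside a conditional the hook silently rewrites that script's control flow (the file created a few lines above is fine because it contains a single one). Restricting the deletion to the last line keeps the intent: `sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' /root/etc/rc.local` to drop trailing blank lines, then `sed -i '${/^exit 0$/d;}' /root/etc/rc.local`. Both the rc.local block and `99-apparmor-live-hook` presumably survive into the installed system since they live in the rootfs; they are gated on `[ -d /rofs ]` so they are inert there, but the apt hook stays in /etc/apt/apt.conf.d permanently, and a line in its heredoc such as `# intentionally left on installed systems; no-op outside the live session (/rofs absent)` would stop the next maintainer from removing it as cruft.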
@@ -0,0 +1,29 @@
+diff --git a/debian/casper.install b/debian/casper.install
+index 5eb58de8..248d17d0 100644
+--- a/debian/casper.install
++++ b/debian/casper.install
+@@ -10,4 +10,5 @@ bin/casper-update-initramfs usr/share/casper
+ hooks usr/share/initramfs-tools
+ scripts usr/share/initramfs-tools
+ casper-md5check/casper-md5check usr/lib/casper
++extra/casper-apparmor-live usr/lib/casper
+ casper.conf etc
+diff --git a/extra/casper-apparmor-live b/extra/casper-apparmor-live
+new file mode 100755
+index 00000000..c11b80ad
+--- /dev/null
++++ b/extra/casper-apparmor-live
+@@ -0,0 +1,13 @@
++#!/bin/sh
++# /usr/lib/casper/casper-apparmor-live
++[ -d /rofs ] || exit 0
++find /etc/apparmor.d -type f \
++ ! -path "/etc/apparmor.d/abstractions/*" \
++ ! -path "/etc/apparmor.d/tunables/*" \
++ ! -path "/etc/apparmor.d/local/*" \
++ ! -path "/etc/apparmor.d/disable/*" \
++ ! -path "/etc/apparmor.d/rsyslog.d/*" \
++ ! -path "/etc/apparmor.d/force-complain/*" \
++ ! -path "/etc/apparmor.d/apache2.d/*" \
++ ! -path "/etc/apparmor.d/abi/*" \
++ -print0 | xargs -0 -r -n1 apparmor_parser -r -T -W || true
diff --git a/helpers/make-casper b/helpers/make-casper
index 57699f1..831c376 100644
--- a/helpers/make-casper
+++ b/helpers/make-casper
@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 #
-VERSION=25
+VERSION=26
 . ./config
@@ -43,9 +43,9 @@ sed "s/head -n1/sed -n 1p/" -i scripts/casper-functions
 # Apply custom trisquel patches
 apply_patch_changes
-# Enable abrowser apparmor profile
-cp $DATA/35apparmor_browsers scripts/casper-bottom
-chmod 755 scripts/casper-bottom/35apparmor_browsers
+# Enable apparmor profiles for live even on installation
+cp $DATA/36apparmor_live scripts/casper-bottom
+chmod 755 scripts/casper-bottom/36apparmor_live
 changelog "Compiled and customized for Trisquel enviroment."
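Review bot: The `find` loader in `extra/casper-apparmor-live` only excludes the `disable/` and `force-complain/` directories from the walk; it still loads the top-level profile those directories point at, so, if I read the distro loader's convention correctly, a profile an admin switched off with `aa-disable` is re-enabled in enforce mode on every boot and every dpkg run, and a `force-complain` profile is loaded enforcing instead of with `-C`. Because `apparmor_parser -r` replaces the kernel's copy, this silently overrides the documented opt-out; if the image ships the distro's own reload helper it may be simpler to call that, otherwise the per-profile checks below keep the intent and also skip `.dpkg-*`/editor leftovers that the current `-type f` walk feeds to the parser. The top-level glob assumes profiles are not nested below /etc/apparmor.d, as Debian packages ship them — worth confirming against the image.
```shell
#!/bin/sh
# /usr/lib/casper/casper-apparmor-live
[ -d /rofs ] || exit 0
AAD=/etc/apparmor.d
for p in "$AAD"/*; do
  [ -f "$p" ] || continue
  name=${p##*/}
  # skip dpkg/editor leftovers that are not profiles
  case "$name" in .*|*.dpkg-*|*.orig|*~) continue ;; esac
  # honour aa-disable(8): a link in disable/ means "do not load"
  if [ -e "$AAD/disable/$name" ] || [ -L "$AAD/disable/$name" ]; then continue; fi
  # honour force-complain/: load in complain mode
  mode=
  if [ -e "$AAD/force-complain/$name" ] || [ -L "$AAD/force-complain/$name" ]; then mode=-C; fi
  # $mode is intentionally unquoted: it is either empty or -C
  apparmor_parser -r -T -W $mode "$p" || true
done
```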