casper: setup appamor live reload profiles

helpers/DATA/casper/35apparmor_browsers

@@ -1,33 +0,0 @@
-#!/bin/sh
-
-PREREQ=""
-DESCRIPTION="Enabling Abrowser apparmor profile..."
-
-prereqs()
-{
-       echo "$PREREQ"
-}
-
-case $1 in
-# get pre-requisites
-prereqs)
-       prereqs
-       exit 0
-       ;;
-esac
-
-. /scripts/casper-functions
-
-log_begin_msg "$DESCRIPTION"
-
-cat << 'EOF' > /root/etc/rc.local
-#!/bin/sh
-# Enable apparmor profile during live session to allow Abrowser to create user namespaces
-BROWSERS="abrowser icecat"
-for browser in $BROWSERS; do
-[ -d /rofs ] && apparmor_parser -a /etc/apparmor.d/$browser
-done
-EOF
-chmod 755 /root/etc/rc.local
-
-log_end_msg

helpers/DATA/casper/36apparmor_live

@@ -0,0 +1,61 @@
+#!/bin/sh
+
+PREREQ=""
+DESCRIPTION="Enabling Live apparmor profiles..."
+
+prereqs()
+{
+       echo "$PREREQ"
+}
+
+case $1 in
+# get pre-requisites
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+. /scripts/casper-functions
+
+log_begin_msg "$DESCRIPTION"
+
+RC_EXIST=0
+
+if [ ! -e /root/etc/rc.local ]; then
+  umask 022
+  mkdir -p /root/etc
+  cat << 'EOF' > /root/etc/rc.local
+#!/bin/sh
+exit 0
+EOF
+  chmod 755 /root/etc/rc.local
+  RC_EXIST=1
+fi
+
+if [ "$RC_EXIST" -eq 0 ]; then
+  head -n1 /root/etc/rc.local | grep -q '^#!' || sed -i '1s|^|#!/bin/sh\n|' /root/etc/rc.local
+  sed -i 's/\r$//' /root/etc/rc.local
+  chmod 755 /root/etc/rc.local
+fi
+
+if ! grep -q 'BEGIN trisquel-live-apparmor' /root/etc/rc.local 2>/dev/null; then
+  sed -i '/^exit 0$/d' /root/etc/rc.local
+  cat << 'EOF' >> /root/etc/rc.local
+# --- BEGIN trisquel-live-apparmor ---
+if [ -d /rofs ]; then
+  /usr/lib/casper/casper-apparmor-live || true
+fi
+# --- END trisquel-live-apparmor ---
+EOF
+  echo 'exit 0' >> /root/etc/rc.local
+fi
+
+mkdir -p /root/etc/apt/apt.conf.d
+cat << 'APT' > /root/etc/apt/apt.conf.d/99-apparmor-live-hook
+# /etc/apt/apt.conf.d/99-apparmor-live-hook
+DPkg::Post-Invoke { "sh -c '[ -d /rofs ] && /usr/lib/casper/casper-apparmor-live || true'"; };
+APT
+chmod 644 /root/etc/apt/apt.conf.d/99-apparmor-live-hook
+
+log_end_msg

helpers/DATA/casper/patch_changes/002-setup_apparmor_live_reload.patch

@@ -0,0 +1,29 @@
+diff --git a/debian/casper.install b/debian/casper.install
+index 5eb58de8..248d17d0 100644
+--- a/debian/casper.install
++++ b/debian/casper.install
+@@ -10,4 +10,5 @@ bin/casper-update-initramfs	usr/share/casper
+ hooks				usr/share/initramfs-tools
+ scripts				usr/share/initramfs-tools
+ casper-md5check/casper-md5check	usr/lib/casper
++extra/casper-apparmor-live	usr/lib/casper
+ casper.conf			etc
+diff --git a/extra/casper-apparmor-live b/extra/casper-apparmor-live
+new file mode 100755
+index 00000000..c11b80ad
+--- /dev/null
++++ b/extra/casper-apparmor-live
+@@ -0,0 +1,13 @@
++#!/bin/sh
++# /usr/lib/casper/casper-apparmor-live
++[ -d /rofs ] || exit 0
++find /etc/apparmor.d -type f \
++  ! -path "/etc/apparmor.d/abstractions/*" \
++  ! -path "/etc/apparmor.d/tunables/*" \
++  ! -path "/etc/apparmor.d/local/*" \
++  ! -path "/etc/apparmor.d/disable/*" \
++  ! -path "/etc/apparmor.d/rsyslog.d/*" \
++  ! -path "/etc/apparmor.d/force-complain/*" \
++  ! -path "/etc/apparmor.d/apache2.d/*" \
++  ! -path "/etc/apparmor.d/abi/*" \
++  -print0 | xargs -0 -r -n1 apparmor_parser -r -T -W || true

helpers/make-casper

@@ -18,7 +18,7 @@
 #    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 #
 
-VERSION=25
+VERSION=26
 
 . ./config
 
@@ -43,9 +43,9 @@ sed "s/head -n1/sed -n 1p/" -i scripts/casper-functions
 # Apply custom trisquel patches
 apply_patch_changes
 
-# Enable abrowser apparmor profile
+# Enable apparmor profiles for live even on installation
-cp $DATA/35apparmor_browsers scripts/casper-bottom
+cp $DATA/36apparmor_live scripts/casper-bottom
-chmod 755 scripts/casper-bottom/35apparmor_browsers
+chmod 755 scripts/casper-bottom/36apparmor_live
 
 changelog "Compiled and customized for Trisquel enviroment."