apparmor

setup

@@ -2,12 +2,10 @@
 set -euo pipefail
 
 # --- privilege keepalive ---
-# prompt once for sudo and keep alive in background
 if ! sudo -v; then
     echo "❌ sudo access required. aborting."
     exit 1
 fi
-# keep sudo alive until script ends
 while true; do sudo -n true; sleep 30; kill -0 "$$" || exit; done 2>/dev/null &
 
 # --- distro detection ---
@@ -33,31 +31,43 @@ as_user() { sudo -H -u "$UNAME" bash -lc "$*"; }
 
 # --- arch package install ---
 install_packages_arch() {
-    echo "📦 installing base packages..."
+    echo "📦 Installing and updating base system..."
     sudo pacman -Syu --noconfirm
 
     local PKGS=(
-        base-devel git cmake gcc neovim vim python-pip
+        # Core & dev
+        base-devel git cmake gcc openssl python-pip
+        neovim vim
+
+        # X11 & desktop environment
         xorg-server xorg-xinit xorg-xrandr xorg-xinput
         openbox obconf
         alacritty cmus flameshot pavucontrol
-        chromium thunderbird steam keepassxc
+
+        # Apps
+        firefox thunderbird steam keepassxc
         bluez bluez-tools blueman
+
+        # Utilities & security
         dmenu htop rsync unzip whois xclip xdotool xbindkeys
         efibootmgr grub nmap lynis rkhunter sbctl sudo
     )
     sudo pacman -S --noconfirm "${PKGS[@]}"
 
-    # yay
+    # yay (AUR helper)
     if ! command_exists yay; then
-        echo "📦 installing yay..."
+        echo "📦 Installing yay..."
         TMP=$(mktemp -d)
         git clone https://aur.archlinux.org/yay-bin.git "$TMP"
         as_user "cd $TMP && makepkg -si --noconfirm"
         rm -rf "$TMP"
     fi
 
-    as_user "yay -S --noconfirm keybase-bin ckb-next"
+    # AUR packages (optional)
+    echo "📦 Installing AUR packages..."
+    as_user "yay -S --noconfirm tripwire"
+
+    echo "✅ Base desktop packages installed successfully."
 }
 
 # --- ubuntu/debian ---
@@ -68,7 +78,7 @@ install_packages_ubuntu() {
         build-essential git cmake gcc neovim vim python3-pip \
         xorg openbox xinit x11-xserver-utils \
         alacritty cmus flameshot pavucontrol \
-        chromium-browser thunderbird steam-installer keepassxc \
+        firefox thunderbird steam-installer keepassxc \
         bluez bluez-tools blueman \
         dmenu htop rsync unzip whois xclip xdotool xbindkeys \
         efibootmgr grub nmap lynis rkhunter sudo
@@ -118,6 +128,41 @@ setup_security() {
     fi
 }
 
+# --- AppArmor setup ---
+setup_apparmor() {
+    echo "🛡️ Installing and enabling AppArmor..."
+
+    case "$DISTRO_ID" in
+        arch)
+            sudo pacman -S --noconfirm apparmor ;;
+        ubuntu|debian)
+            sudo apt install -y apparmor apparmor-utils ;;
+        *)
+            echo "⚠️ AppArmor not supported on this distro automatically."
+            return 0 ;;
+    esac
+
+    # Enable service
+    sudo systemctl enable --now apparmor.service || true
+
+    # Check if kernel param is active
+    if [[ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)" != "Y" ]]; then
+        echo "⚠️ AppArmor not fully active."
+        echo "👉 Add to GRUB_CMDLINE_LINUX_DEFAULT: apparmor=1 security=apparmor"
+        echo "Then run: sudo grub-mkconfig -o /boot/grub/grub.cfg && reboot"
+    else
+        echo "✅ AppArmor kernel module active."
+    fi
+
+    # Optional Firefox profile
+    if [[ -f /etc/apparmor.d/usr.bin.firefox ]]; then
+        sudo aa-enforce /etc/apparmor.d/usr.bin.firefox || true
+        echo "✅ Firefox AppArmor profile enforced."
+    else
+        echo "ℹ️ No Firefox profile found (optional)."
+    fi
+}
+
 # --- main flow ---
 case "$DISTRO_ID" in
     arch)
@@ -132,6 +177,7 @@ esac
 setup_rust
 install_fonts
 setup_security
+setup_apparmor
 
 echo "✅ setup complete! (sudo kept alive for duration)"