apparmor

2025-10-28 21:26:35 -04:00
parent 5e807f4fcc
commit aa6dc9b662
1 changed files with 55 additions and 9 deletions
--- a/64
+++ b/64
@ -2,12 +2,10 @@
 set -euo pipefail

 # --- privilege keepalive ---
-# prompt once for sudo and keep alive in background
 if ! sudo -v; then
    echo "❌ sudo access required. aborting."
    exit 1
 fi
-# keep sudo alive until script ends
 while true; do sudo -n true; sleep 30; kill -0 "$$" || exit; done 2>/dev/null &

 # --- distro detection ---
@ -33,31 +31,43 @@ as_user() { sudo -H -u "$UNAME" bash -lc "$*"; }

 # --- arch package install ---
 install_packages_arch() {
-    echo "📦 installing base packages..."
+    echo "📦 Installing and updating base system..."
    sudo pacman -Syu --noconfirm

    local PKGS=(
-        base-devel git cmake gcc neovim vim python-pip
+        # Core & dev
+        base-devel git cmake gcc openssl python-pip
+        neovim vim
+
+        # X11 & desktop environment
        xorg-server xorg-xinit xorg-xrandr xorg-xinput
        openbox obconf
        alacritty cmus flameshot pavucontrol
-        chromium thunderbird steam keepassxc
+
+        # Apps
+        firefox thunderbird steam keepassxc
        bluez bluez-tools blueman
+
+        # Utilities & security
        dmenu htop rsync unzip whois xclip xdotool xbindkeys
        efibootmgr grub nmap lynis rkhunter sbctl sudo
    )
    sudo pacman -S --noconfirm "${PKGS[@]}"

-    # yay
+    # yay (AUR helper)
    if ! command_exists yay; then
-        echo "📦 installing yay..."
+        echo "📦 Installing yay..."
        TMP=$(mktemp -d)
        git clone https://aur.archlinux.org/yay-bin.git "$TMP"
        as_user "cd $TMP && makepkg -si --noconfirm"
        rm -rf "$TMP"
    fi

-    as_user "yay -S --noconfirm keybase-bin ckb-next"
+    # AUR packages (optional)
+    echo "📦 Installing AUR packages..."
+    as_user "yay -S --noconfirm tripwire"
+
+    echo "✅ Base desktop packages installed successfully."
 }

 # --- ubuntu/debian ---
@ -68,7 +78,7 @@ install_packages_ubuntu() {
        build-essential git cmake gcc neovim vim python3-pip \
        xorg openbox xinit x11-xserver-utils \
        alacritty cmus flameshot pavucontrol \
-        chromium-browser thunderbird steam-installer keepassxc \
+        firefox thunderbird steam-installer keepassxc \
        bluez bluez-tools blueman \
        dmenu htop rsync unzip whois xclip xdotool xbindkeys \
        efibootmgr grub nmap lynis rkhunter sudo
@ -118,6 +128,41 @@ setup_security() {
    fi
 }

+# --- AppArmor setup ---
+setup_apparmor() {
+    echo "🛡️ Installing and enabling AppArmor..."
+
+    case "$DISTRO_ID" in
+        arch)
+            sudo pacman -S --noconfirm apparmor ;;
+        ubuntu|debian)
+            sudo apt install -y apparmor apparmor-utils ;;
+        *)
+            echo "⚠️ AppArmor not supported on this distro automatically."
+            return 0 ;;
+    esac
+
+    # Enable service
+    sudo systemctl enable --now apparmor.service || true
+
+    # Check if kernel param is active
+    if [[ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)" != "Y" ]]; then
+        echo "⚠️ AppArmor not fully active."
+        echo "👉 Add to GRUB_CMDLINE_LINUX_DEFAULT: apparmor=1 security=apparmor"
+        echo "Then run: sudo grub-mkconfig -o /boot/grub/grub.cfg && reboot"
+    else
+        echo "✅ AppArmor kernel module active."
+    fi
+
+    # Optional Firefox profile
+    if [[ -f /etc/apparmor.d/usr.bin.firefox ]]; then
+        sudo aa-enforce /etc/apparmor.d/usr.bin.firefox || true
+        echo "✅ Firefox AppArmor profile enforced."
+    else
+        echo "ℹ️ No Firefox profile found (optional)."
+    fi
+}
+
 # --- main flow ---
 case "$DISTRO_ID" in
    arch)
@ -132,6 +177,7 @@ esac
 setup_rust
 install_fonts
 setup_security
+setup_apparmor

 echo "✅ setup complete! (sudo kept alive for duration)"