Add AppArmor support to debian-forge

- Add debian-forge-apparmor package with AppArmor stage support - Create example AppArmor stage (org.osbuild.apparmor) - Update workflow to build 9 packages total - Add AppArmor manifest example for Debian Atomic - Update todo with complete package structure
2025-08-29 17:45:28 -07:00 · 2025-08-29 17:45:28 -07:00 · 132cbef123
commit 132cbef123
parent da8d01d82b
5 changed files with 236 additions and 6 deletions
--- a/test/data/manifests/debian/debian-atomic-with-apparmor.json
+++ b/test/data/manifests/debian/debian-atomic-with-apparmor.json
@ -0,0 +1,107 @@
+{
+  "name": "debian-atomic-with-apparmor",
+  "description": "Debian Atomic System with AppArmor Security",
+  "version": "1.0.0",
+  "distro": "debian-bookworm",
+  "arch": "amd64",
+  "packages": [
+    {
+      "name": "libsystemd0"
+    },
+    {
+      "name": "systemd"
+    },
+    {
+      "name": "libostree-1-1"
+    },
+    {
+      "name": "ostree"
+    },
+    {
+      "name": "apparmor-utils"
+    },
+    {
+      "name": "apparmor-profiles"
+    },
+    {
+      "name": "linux-image-amd64"
+    }
+  ],
+  "stages": [
+    {
+      "name": "org.osbuild.debootstrap",
+      "options": {
+        "suite": "bookworm",
+        "mirror": "http://deb.debian.org/debian"
+      }
+    },
+    {
+      "name": "org.osbuild.apt",
+      "options": {
+        "packages": [
+          "libsystemd0",
+          "systemd",
+          "libostree-1-1",
+          "ostree",
+          "apparmor-utils",
+          "apparmor-profiles",
+          "linux-image-amd64"
+        ]
+      }
+    },
+    {
+      "name": "org.osbuild.apparmor",
+      "options": {
+        "profiles": [
+          {
+            "name": "usr.bin.ssh",
+            "path": "/etc/apparmor.d/usr.bin.ssh",
+            "mode": "enforce"
+          },
+          {
+            "name": "usr.sbin.sshd",
+            "path": "/etc/apparmor.d/usr.sbin.sshd",
+            "mode": "enforce"
+          }
+        ],
+        "default_mode": "enforce",
+        "enable_boot_loading": true
+      }
+    },
+    {
+      "name": "org.osbuild.ostree.commit",
+      "options": {
+        "branch": "debian/atomic",
+        "subject": "Debian atomic commit with AppArmor security"
+      }
+    }
+  ],
+  "customizations": {
+    "user": [
+      {
+        "name": "debian",
+        "description": "Debian atomic user",
+        "password": "$6$rounds=656000$debian$atomic.system.user",
+        "home": "/home/debian",
+        "shell": "/bin/bash",
+        "groups": [
+          "wheel",
+          "sudo"
+        ],
+        "uid": 1000,
+        "gid": 1000
+      }
+    ],
+    "services": {
+      "enabled": [
+        "sshd",
+        "systemd-networkd",
+        "systemd-resolved",
+        "apparmor"
+      ]
+    },
+    "kernel": {
+      "append": "ostree=/ostree/boot.1/debian/bookworm/0 apparmor=1 security=apparmor"
+    }
+  }
+}