From 1510dbab5a1b7303c67766dc5aa1605cb5b1e621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?=
Date: Wed, 26 Jun 2024 17:28:56 +0200
Subject: [PATCH 1/2] Add apparmor profile for Connect
---
 .../build_resources/linux/after-install.tpl | 14 ++++++++++++++
 .../build_resources/linux/after-remove.tpl | 7 +++++++
 .../build_resources/linux/apparmor-profile | 9 +++++++++
 web/packages/teleterm/electron-builder-config.js | 4 ++++
 4 files changed, 34 insertions(+)
 create mode 100644 web/packages/teleterm/build_resources/linux/apparmor-profile
diff --git a/web/packages/teleterm/build_resources/linux/after-install.tpl b/web/packages/teleterm/build_resources/linux/after-install.tpl
index 2bacbf88428f7..53f188864fdc5 100644
--- a/web/packages/teleterm/build_resources/linux/after-install.tpl
+++ b/web/packages/teleterm/build_resources/linux/after-install.tpl
@@ -64,4 +64,18 @@ else
 fi
 fi
 
+APPARMOR_PROFILE_DEST="/etc/apparmor.d/teleport-connect"
+
+# Install apparmor profile.
+if [ -d "/etc/apparmor.d" ]; then
+ cp -f "$APP/resources/apparmor-profile" "$APPARMOR_PROFILE_DEST"
+
+ if hash apparmor_parser 2>/dev/null; then
+ # Extra flags taken from dh_apparmor:
+ # > By using '-W -T' we ensure that any abstraction updates are also pulled in.
+ # https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
+ apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_DEST"
+ fi
+fi
+
 # vim: syntax=sh
diff --git a/web/packages/teleterm/build_resources/linux/after-remove.tpl b/web/packages/teleterm/build_resources/linux/after-remove.tpl
index a5ecabeea0a08..d5738efdfc21d 100644
--- a/web/packages/teleterm/build_resources/linux/after-remove.tpl
+++ b/web/packages/teleterm/build_resources/linux/after-remove.tpl
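Review bot: The `apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_DEST"` line has no failure handling, and the parser does exit non-zero when AppArmor userspace is installed but the kernel side is disabled or securityfs is not mounted; this `if` is the last statement before the trailing comment, so its status may become the postinst's exit status and fail the whole package install, and whether `set -e` is in effect is outside the hunk. The dh_apparmor snippet the comment cites, as far as I recall, appends `|| true` to the same call and also checks `aa-enabled --quiet` beforehand. A minimal change is `apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_DEST" || echo "Could not load the AppArmor profile for Teleport Connect; continuing." >&2`. The same applies to the reworked `--replace` line in the second patch's after-install.tpl hunk.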
@@ -46,4 +46,11 @@ if [ -L "$TSH_SYMLINK_TARGET" ] && [ ! -e "$TSH_SYMLINK_TARGET" ]; then
 rm -f "$TSH_SYMLINK_TARGET"
 fi
 
+APPARMOR_PROFILE_DEST="/etc/apparmor.d/teleport-connect"
+
+# Remove apparmor profile.
+if [ -f "$APPARMOR_PROFILE_DEST" ]; then
+ rm -f "$APPARMOR_PROFILE_DEST"
+fi
+
 # vim: syntax=sh
diff --git a/web/packages/teleterm/build_resources/linux/apparmor-profile b/web/packages/teleterm/build_resources/linux/apparmor-profile
new file mode 100644
index 0000000000000..4eaf8ec7e2d39
--- /dev/null
+++ b/web/packages/teleterm/build_resources/linux/apparmor-profile
@@ -0,0 +1,9 @@
+abi ,
+include
+
+profile teleport-connect /opt/Teleport\ Connect/teleport-connect flags=(unconfined) {
+ userns,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/web/packages/teleterm/electron-builder-config.js b/web/packages/teleterm/electron-builder-config.js
index 6d8f3977b9639..16246994a31a0 100644
--- a/web/packages/teleterm/electron-builder-config.js
+++ b/web/packages/teleterm/electron-builder-config.js
@@ -204,6 +204,10 @@ module.exports = {
 from: env.CONNECT_TSH_BIN_PATH,
 to: './bin/tsh',
 },
+ {
+ from: 'build_resources/linux/apparmor-profile',
+ to: './apparmor-profile',
+ },
 ].filter(Boolean),
 },
 directories: {
From 1a7241b1c07ea7617bafdd658a0dc89454b87528 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?=
Date: Fri, 28 Jun 2024 15:20:54 +0200
Subject: [PATCH 2/2] Run profile through apparmor_parser before copying it
---
 .../build_resources/linux/after-install.tpl | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/web/packages/teleterm/build_resources/linux/after-install.tpl b/web/packages/teleterm/build_resources/linux/after-install.tpl
index 53f188864fdc5..74e29dd5bf724 100644
--- a/web/packages/teleterm/build_resources/linux/after-install.tpl
+++ b/web/packages/teleterm/build_resources/linux/after-install.tpl
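Review bot: `rm -f "$APPARMOR_PROFILE_DEST"` deletes the file but leaves the profile loaded in the kernel until reboot and leaves behind the compiled cache entry that the install step wrote with `--write-cache`; because the profile is `flags=(unconfined)` this is a hygiene rather than a security problem, but removal should still mirror the load. Unload before deleting, inside the same block ahead of the `rm -f`: `if hash apparmor_parser 2>/dev/null; then apparmor_parser --remove "$APPARMOR_PROFILE_DEST" 2>/dev/null || true; fi`. The `[ -f … ]` guard itself is redundant, since `rm -f` already tolerates a missing file.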
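Review bot: The profile is `flags=(unconfined)` with a single `userns,` rule, so it applies no confinement at all, and nothing in the file says so; a reader is likely to mistake it for a hardening profile. A header comment should state that the profile deliberately adds no restrictions and exists only so that the binary may create user namespaces on systems that restrict unprivileged userns (presumably for the Chromium sandbox, which the diff does not confirm), and that the attachment path must match the installed binary. That path is hard-coded as `/opt/Teleport\ Connect/teleport-connect` while after-install.tpl addresses the install directory as `$APP`; if the two ever diverge the profile loads but never attaches, and nothing reports that. The `abi ,` and bare `include` lines appear to have lost their angle-bracketed arguments in this rendering (the second patch's comment refers to abi/4.0), so I take that as an artefact rather than a defect in the file.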
@@ -64,17 +64,31 @@ else
 fi
 fi
 
-APPARMOR_PROFILE_DEST="/etc/apparmor.d/teleport-connect"
+APPARMOR_PROFILE_SOURCE="$APP/resources/apparmor-profile"
+APPARMOR_PROFILE_TARGET="/etc/apparmor.d/teleport-connect"
 
 # Install apparmor profile.
-if [ -d "/etc/apparmor.d" ]; then
- cp -f "$APP/resources/apparmor-profile" "$APPARMOR_PROFILE_DEST"
+# First check if the version of AppArmor running on the device supports our profile.
+# This is in order to keep backwards compatibility with Ubuntu 22.04 which does not support abi/4.0.
+# In that case, we just skip installing the profile since the app runs fine without it on 22.04.
+#
+# Those apparmor_parser flags are akin to performing a dry run of loading a profile.
+# https://wiki.debian.org/AppArmor/HowToUse#Dumping_profiles
+#
+# Unfortunately, at the moment AppArmor doesn't have a good story for backwards compatibility.
+# https://askubuntu.com/questions/1517272/writing-a-backwards-compatible-apparmor-profile
+if test -d "/etc/apparmor.d"; then
+ if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
+ cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
 
- if hash apparmor_parser 2>/dev/null; then
- # Extra flags taken from dh_apparmor:
- # > By using '-W -T' we ensure that any abstraction updates are also pulled in.
- # https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
- apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_DEST"
+ if hash apparmor_parser 2>/dev/null; then
+ # Extra flags taken from dh_apparmor:
+ # > By using '-W -T' we ensure that any abstraction updates are also pulled in.
+ # https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
+ apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"
+ fi
+ else
+ echo "Skipping the installation of the AppArmor profile as this version of AppArmor does not seem to support the profile bundled with Teleport Connect."
 fi
 fi
 
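Review bot: The dry run `if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1` also fails when apparmor_parser is simply not installed, so on a host that has `/etc/apparmor.d` but no parser the else branch reports that "this version of AppArmor does not seem to support the profile", which is misleading, and the inner `if hash apparmor_parser` can then never be false and is dead code. Checking for the binary first keeps the message truthful and removes the redundant nesting; the `2>&1` to `/dev/null` also discards the one diagnostic that would tell an unsupported abi apart from a syntax error in the shipped profile, so at least say in a comment why it is dropped. The `--replace` line remains unguarded against a non-zero exit, which is raised on the first patch's after-install.tpl hunk.
```shell
if test -d "/etc/apparmor.d" && hash apparmor_parser 2>/dev/null; then
  # Dry run: compile the profile against this AppArmor version without loading it.
  if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
    cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
    # … unchanged: dh_apparmor flag comment …
    apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"
  else
    echo "Skipping the installation of the AppArmor profile as this version of AppArmor does not seem to support the profile bundled with Teleport Connect."
  fi
fi
```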