Install AppArmor profile on Linux by default

action.yml

@@ -13,6 +13,10 @@ inputs:
     description: 'Directory where Brioche should be installed'
     required: false
     default: '$HOME/.local/bin'
+  install-apparmor:
+    description: "Install AppArmor profile for Brioche. Defaults to 'auto'"
+    required: false
+    default: 'auto'
 runs:
   using: 'composite'
   steps:
@@ -23,3 +27,4 @@ runs:
       env:
         install_dir: ${{ inputs.install-dir }}
         version: ${{ inputs.version }}
+        install_apparmor: ${{ inputs.install-apparmor }}

apparmor.d/brioche-gh-actions.tpl

@@ -0,0 +1,9 @@
+abi <abi/4.0>,
+include <tunables/global>
+
+# Enable unprivileged user namespaces for Brioche. See this Ubuntu blog post
+# for more context:
+# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+${BRIOCHE_INSTALL_PATH} flags=(default_allow) {
+  userns
+}

install-brioche.sh

@@ -5,16 +5,16 @@ set -euo pipefail
 # https://github.com/brioche-dev/brioche.dev/blob/main/public/install.sh
 
 # Validate environment variables
-if [ -z "${HOME:-}" ]; then
-    echo '::error::$HOME must be set'
+if [ -z "${GITHUB_PATH:-}" -o -z "${GITHUB_ACTION_PATH:-}" ]; then
+    echo '::error::$GITHUB_PATH or $GITHUB_ACTION_PATH not set! This script should be run in GitHub Actions'
     exit 1
 fi
-if [ -z "${install_dir:-}" -o -z "${version:-}" ]; then
-    echo '::error::$install_dir and $version must be set'
+if [ -z "${HOME:-}" ]; then
+    echo '::error::$HOME must be set'
     exit 1
 fi
-if [ -z "${GITHUB_PATH:-}" ]; then
-    echo '::error::$GITHUB_PATH not set! This script should be run in GitHub Actions'
+if [ -z "${install_dir:-}" -o -z "${version:-}" -o -z "${install_apparmor:-}" ]; then
+    echo '::error::$install_dir, $version, and $install_apparmor must be set'
     exit 1
 fi
 
@@ -46,7 +46,7 @@ case "$install_dir" in
         ;;
 esac
 
-# Get the URL based on the OS and architecture
+# Get the OS and architecture-specific config, such as download URL and AppArmor config
 case "$OSTYPE" in
     linux*)
         case "$(uname -m)" in
@@ -59,6 +59,27 @@ case "$OSTYPE" in
                 exit 1
                 ;;
         esac
+
+        case "$install_apparmor" in
+            auto)
+                # Detect if we should install an AppArmor profile. AppArmor 4.0
+                # introduced new features to restrict unprivileged user
+                # namespaces, which Ubuntu 23.10 enforces by default. The
+                # Brioche AppArmor policy is meant to lift this restriction
+                # for sandboxed builds, which we only need to do on AppArmor 4+.
+                # So, we only install the policy if AppArmor is enabled and
+                # we find the config file for AppArmor abi 4.0.
+                if type aa-enabled >/dev/null && aa-enabled -q && [ -e /etc/apparmor.d/abi/4.0 ]; then
+                    should_install_apparmor=1
+                fi
+                ;;
+            false)
+                should_install_apparmor=
+                ;;
+            *)
+                should_install_apparmor=1
+                ;;
+        esac
         ;;
     *)
         echo "::error::Sorry, Brioche isn't currently supported on your operating system"
@@ -98,3 +119,14 @@ for new_path in "${new_paths[@]}"; do
 done
 
 echo '::endgroup'
+
+
+if [ -n "$should_install_apparmor" ]; then
+    echo "::group::Installing AppArmor config"
+
+    export BRIOCHE_INSTALL_PATH="$install_dir/brioche"
+    cat "$GITHUB_ACTION_PATH/apparmor.d/brioche-gh-actions.tpl" | envsubst | sudo tee /etc/apparmor.d/brioche-gh-actions
+    sudo apparmor_parser -r /etc/apparmor.d/brioche-gh-actions
+
+    echo "::endgroup"
+fi