Add AppArmor profile to fix Brioche builds on Ubuntu 24.04

.github/workflows/test.yml

@@ -9,19 +9,29 @@ on:
       - main
 
 jobs:
-  setup-brioche:
-    runs-on: ubuntu-latest
+  test-setup-brioche:
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-22.04
+          - ubuntu-24.04
+          - ubuntu-latest
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Setup Brioche
         uses: ./ # Uses an action in the root directory
         with:
-          version: 'v0.1.3'  # Optional, defaults to v0.1.3
+          version: 'v0.1.3' # Optional, defaults to v0.1.3
 
       - name: Verify Brioche installation
         run: |
           brioche --version
           brioche install -r hello_world
           hello-world
+
+          WATERMARK="$(date -uIs)"
+          sed -i "s/\${WATERMARK}/${WATERMARK}/g" example-project/project.bri
+          brioche build -p example-project -o output

action.yml

@@ -13,6 +13,10 @@ inputs:
     description: 'Directory where Brioche should be installed'
     required: false
     default: '$HOME/.local/bin'
+  install-apparmor:
+    description: "Install AppArmor profile for Brioche. Defaults to 'auto'"
+    required: false
+    default: 'auto'
 runs:
   using: 'composite'
   steps:
@@ -23,3 +27,4 @@ runs:
       env:
         install_dir: ${{ inputs.install-dir }}
         version: ${{ inputs.version }}
+        install_apparmor: ${{ inputs.install-apparmor }}

apparmor.d/brioche-gh-actions.tpl

@@ -0,0 +1,9 @@
+abi <abi/4.0>,
+include <tunables/global>
+
+# Enable unprivileged user namespaces for Brioche. See this Ubuntu blog post
+# for more context:
+# https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+${BRIOCHE_INSTALL_PATH} flags=(default_allow) {
+  userns,
+}

example-project/brioche.lock

@@ -0,0 +1,6 @@
+{
+  "dependencies": {
+    "hello_world": "c3fc0c4d755cd81cda36168337912de7dbb27cb8eb1d9d11c60fff613526fb44",
+    "std": "c61485184862a8ed1ec3fc12f3a6f5ea91c32b6f450cbe81cbc596c0c7e2a06d"
+  }
+}

example-project/project.bri

@@ -0,0 +1,13 @@
+import * as std from "std";
+import helloWorld from "hello_world";
+
+// Replaced with a timestamp to ensure the build can't be cached
+const WATERMARK_VALUE = "${WATERMARK}";
+
+export default function () {
+  return std.runBash`
+    hello-world | tee "$BRIOCHE_OUTPUT"
+  `
+    .env({ WATERMARK_VALUE })
+    .dependencies(helloWorld());
+}

install-brioche.sh

@@ -5,16 +5,16 @@ set -euo pipefail
 # https://github.com/brioche-dev/brioche.dev/blob/main/public/install.sh
 
 # Validate environment variables
-if [ -z "${HOME:-}" ]; then
-    echo '::error::$HOME must be set'
+if [ -z "${GITHUB_PATH:-}" -o -z "${GITHUB_ACTION_PATH:-}" ]; then
+    echo '::error::$GITHUB_PATH or $GITHUB_ACTION_PATH not set! This script should be run in GitHub Actions'
     exit 1
 fi
-if [ -z "${install_dir:-}" -o -z "${version:-}" ]; then
-    echo '::error::$install_dir and $version must be set'
+if [ -z "${HOME:-}" ]; then
+    echo '::error::$HOME must be set'
     exit 1
 fi
-if [ -z "${GITHUB_PATH:-}" ]; then
-    echo '::error::$GITHUB_PATH not set! This script should be run in GitHub Actions'
+if [ -z "${install_dir:-}" -o -z "${version:-}" -o -z "${install_apparmor:-}" ]; then
+    echo '::error::$install_dir, $version, and $install_apparmor must be set'
     exit 1
 fi
 
@@ -46,7 +46,7 @@ case "$install_dir" in
         ;;
 esac
 
-# Get the URL based on the OS and architecture
+# Get the OS and architecture-specific config, such as download URL and AppArmor config
 case "$OSTYPE" in
     linux*)
         case "$(uname -m)" in
@@ -59,6 +59,32 @@ case "$OSTYPE" in
                 exit 1
                 ;;
         esac
+
+        case "$install_apparmor" in
+            auto)
+                # Detect if we should install an AppArmor profile. AppArmor 4.0
+                # introduced new features to restrict unprivileged user
+                # namespaces, which Ubuntu 23.10 enforces by default. The
+                # Brioche AppArmor policy is meant to lift this restriction
+                # for sandboxed builds, which we only need to do on AppArmor 4+.
+                # So, we only install the policy if AppArmor is enabled and
+                # we find the config file for AppArmor abi 4.0.
+                if type aa-enabled >/dev/null && aa-enabled -q && [ -e /etc/apparmor.d/abi/4.0 ]; then
+                    should_install_apparmor=1
+                else
+                    should_install_apparmor=
+                fi
+                ;;
+            true)
+                should_install_apparmor=1
+                ;;
+            false)
+                should_install_apparmor=
+                ;;
+            *)
+                echo "::error::Invalid value for \$install_apparmor: $install_apparmor"
+                ;;
+        esac
         ;;
     *)
         echo "::error::Sorry, Brioche isn't currently supported on your operating system"
@@ -98,3 +124,14 @@ for new_path in "${new_paths[@]}"; do
 done
 
 echo '::endgroup'
+
+
+if [ -n "$should_install_apparmor" ]; then
+    echo "::group::Installing AppArmor config"
+
+    export BRIOCHE_INSTALL_PATH="$install_dir/brioche"
+    cat "$GITHUB_ACTION_PATH/apparmor.d/brioche-gh-actions.tpl" | envsubst | sudo tee /etc/apparmor.d/brioche-gh-actions
+    sudo apparmor_parser -r /etc/apparmor.d/brioche-gh-actions
+
+    echo "::endgroup"
+fi