author | Tom Rini <trini@konsulko.com> | 2017-07-11 08:36:29 -0400 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2017-08-13 08:26:14 -0700 |
commit | 25b8f02eeab60c01f3dc38c9d9b0ccbd2491ad8b (patch) | |
tree | 5a4dc036304688f75b4ac7f1231b3a2d19806588 | |
parent | aae40f506ab557b10b5642937881a12aa9d0414b (diff) | |
apparmor: Additional runtime fixes
- We need various python3 modules and we can only really solve this
problem by including all python3-modules.
- aa-easyprof needs to have its shebang corrected, do so.
- The apparmor initscript depends on functions that LSB does not require
so we must provide them. In some cases it's using non-standard
functions, so we just use more appropriate names.
- The apparmor sysvinit-style initscript assumes that
systemd-detect-virt will exist on the filesystem. Change this to
check that it does before trying to execute it.
[for aa-easyprof:]
Reported-by: Anders Montonen <Anders.Montonen@iki.fi>
Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | recipes-security/AppArmor/apparmor_2.11.0.bb | 6 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/apparmor | 30 |
2 files changed, 28 insertions, 8 deletions
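--- a/recipes-security/AppArmor/apparmor_2.11.0.bb
+++ b/recipes-security/AppArmor/apparmor_2.11.0.bb
@@ -79,6 +79,10 @@ do_install () {
 oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
 fi
 
+# aa-easyprof is installed by python-tools-setup.py, fix it up
+sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+chmod 0755 ${D}${bindir}/aa-easyprof
+
 install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
 install ${WORKDIR}/functions ${D}/lib/apparmor
 }
@@ -124,6 +128,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
 
 RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-argparse python3-json','', d)}"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
 RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
 RDEPENDS_${PN}-ptest += "coreutils dbus-lib"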
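Review bot: The `sed` expression added at new line 83 is not restricted to the shebang, so any other line of aa-easyprof that happens to contain `/usr/bin/env` (a comment, a docstring, a string literal) would also be rewritten to `/usr/bin/python3`, which silently changes program text rather than just the interpreter line. Limiting the substitution to the first line, `sed -i -e '1s:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof`, keeps the fix to what the commit message describes. A short comment on why the shebang needs rewriting would also help, e.g. `# python-tools-setup.py leaves an /usr/bin/env shebang that does not resolve on the target`. The enclosing do_install function starts before this hunk.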
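--- a/recipes-security/AppArmor/files/apparmor
+++ b/recipes-security/AppArmor/files/apparmor
@@ -32,6 +32,20 @@
 # Description: AppArmor init script. This script loads all AppArmor profiles.
 ### END INIT INFO
 
+log_daemon_msg() {
+echo $*
+}
+
+log_end_msg () {
+retval=$1
+if [ $retval -eq 0 ]; then
+echo "."
+else
+echo " failed!"
+fi
+return $retval
+}
+
 . /lib/apparmor/functions
 . /lib/lsb/init-functions
 
@@ -47,20 +61,19 @@ securityfs() {
 # Need securityfs for any mode
 if [ ! -d "${AA_SFS}" ]; then
 if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
-log_action_msg "AppArmor not available as kernel LSM."
+log_daemon_msg "AppArmor not available as kernel LSM."
 log_end_msg 1
 exit 1
 else
-log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
+log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
 if ! mount -t securityfs none "${SECURITYFS}"; then
-log_action_end_msg 1
 log_end_msg 1
 exit 1
 fi
 fi
 fi
 if [ ! -w "$AA_SFS"/.load ]; then
-log_action_msg "Insufficient privileges to change profiles."
+log_daemon_msg "Insufficient privileges to change profiles."
 log_end_msg 1
 exit 1
 fi
@@ -127,7 +140,8 @@ test -d /rofs/etc/apparmor.d && exit 0
 rc=255
 case "$1" in
 start)
-if systemd-detect-virt --quiet --container && \
+if test -x /sbin/systemd-detect-virt && \
+systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not starting AppArmor in container"
 log_end_msg 0
@@ -161,7 +175,8 @@ with the 'teardown' option."
 EOM
 ;;
 teardown)
-if systemd-detect-virt --quiet --container && \
+if test -x /sbin/systemd-detect-virt && \
+systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not tearing down AppArmor in container"
 log_end_msg 0
@@ -179,7 +194,8 @@ EOM
 log_end_msg $rc
 ;;
 restart|reload|force-reload)
-if systemd-detect-virt --quiet --container && \
+if test -x /sbin/systemd-detect-virt && \
+systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not reloading AppArmor in container"
 log_end_msg 0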
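Review bot: The guard added at new line 143 checks `/sbin/systemd-detect-virt` for executability but the next line still invokes `systemd-detect-virt` through PATH, so the test and the call can resolve to different binaries, and the call can still fail when /sbin is not on the invoking shell's PATH; invoke the same path that was tested, `/sbin/systemd-detect-virt --quiet --container && \`, or test with `command -v systemd-detect-virt >/dev/null 2>&1 && \` and keep the bare name. The same mismatch is repeated in the teardown and restart hunks (new lines 178–179 and 197–198), which also suggests factoring the three-line condition into one helper so the three `case` arms cannot drift apart. In the first hunk the fallback `log_daemon_msg` echoes an unquoted `$*`, which lets the shell glob and word-split the message text; `echo "$*"` prints it as given, and a one-line comment such as `# Fallbacks used only when /lib/lsb/init-functions does not define these` would explain why they are defined before the LSB file is sourced. The `case` arms touched by the last three hunks continue outside them.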