diff options
| author | Tom Rini <trini@konsulko.com> | 2017-07-11 08:36:29 -0400 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2017-08-13 08:26:14 -0700 |
| commit | 25b8f02eeab60c01f3dc38c9d9b0ccbd2491ad8b (patch) | |
| tree | 5a4dc036304688f75b4ac7f1231b3a2d19806588 /recipes-security/AppArmor | |
| parent | aae40f506ab557b10b5642937881a12aa9d0414b (diff) | |
| download | meta-security-25b8f02eeab60c01f3dc38c9d9b0ccbd2491ad8b.tar.gz | |
apparmor: Additional runtime fixes
- We need various python3 modules and we can only really solve this
problem by including all python3-modules.
- aa-easyprof needs to have its shebang corrected, do so.
- The apparmor initscript depends on functions that LSB does not require
so we must provide them. In some cases it's using non-standard
function, so we just use more appropriate names.
- The apparmor sysvinit-style initscript assumes that
systemd-detect-virt will exist on the filesystem. Change this to
check that it does before trying to execute it.
[for aa-easyprof:]
Reported-by: Anders Montonen <Anders.Montonen@iki.fi>
Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'recipes-security/AppArmor')
| -rw-r--r-- | recipes-security/AppArmor/apparmor_2.11.0.bb | 6 | ||||
| -rw-r--r-- | recipes-security/AppArmor/files/apparmor | 30 |
2 files changed, 28 insertions, 8 deletions
diff --git a/recipes-security/AppArmor/apparmor_2.11.0.bb b/recipes-security/AppArmor/apparmor_2.11.0.bb index 647ab12..d9572e4 100644 --- a/recipes-security/AppArmor/apparmor_2.11.0.bb +++ b/recipes-security/AppArmor/apparmor_2.11.0.bb | |||
| @@ -79,6 +79,10 @@ do_install () { | |||
| 79 | oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install | 79 | oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install |
| 80 | fi | 80 | fi |
| 81 | 81 | ||
| 82 | # aa-easyprof is installed by python-tools-setup.py, fix it up | ||
| 83 | sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof | ||
| 84 | chmod 0755 ${D}${bindir}/aa-easyprof | ||
| 85 | |||
| 82 | install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor | 86 | install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor |
| 83 | install ${WORKDIR}/functions ${D}/lib/apparmor | 87 | install ${WORKDIR}/functions ${D}/lib/apparmor |
| 84 | } | 88 | } |
| @@ -124,6 +128,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR} | |||
| 124 | FILES_mod-${PN} = "${libdir}/apache2/modules/*" | 128 | FILES_mod-${PN} = "${libdir}/apache2/modules/*" |
| 125 | 129 | ||
| 126 | RDEPENDS_${PN} += "bash lsb" | 130 | RDEPENDS_${PN} += "bash lsb" |
| 127 | RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-argparse python3-json','', d)}" | 131 | RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" |
| 128 | RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" | 132 | RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" |
| 129 | RDEPENDS_${PN}-ptest += "coreutils dbus-lib" | 133 | RDEPENDS_${PN}-ptest += "coreutils dbus-lib" |
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor index c73c1ce..ac3ab9a 100644 --- a/recipes-security/AppArmor/files/apparmor +++ b/recipes-security/AppArmor/files/apparmor | |||
| @@ -32,6 +32,20 @@ | |||
| 32 | # Description: AppArmor init script. This script loads all AppArmor profiles. | 32 | # Description: AppArmor init script. This script loads all AppArmor profiles. |
| 33 | ### END INIT INFO | 33 | ### END INIT INFO |
| 34 | 34 | ||
| 35 | log_daemon_msg() { | ||
| 36 | echo $* | ||
| 37 | } | ||
| 38 | |||
| 39 | log_end_msg () { | ||
| 40 | retval=$1 | ||
| 41 | if [ $retval -eq 0 ]; then | ||
| 42 | echo "." | ||
| 43 | else | ||
| 44 | echo " failed!" | ||
| 45 | fi | ||
| 46 | return $retval | ||
| 47 | } | ||
| 48 | |||
| 35 | . /lib/apparmor/functions | 49 | . /lib/apparmor/functions |
| 36 | . /lib/lsb/init-functions | 50 | . /lib/lsb/init-functions |
| 37 | 51 | ||
| @@ -47,20 +61,19 @@ securityfs() { | |||
| 47 | # Need securityfs for any mode | 61 | # Need securityfs for any mode |
| 48 | if [ ! -d "${AA_SFS}" ]; then | 62 | if [ ! -d "${AA_SFS}" ]; then |
| 49 | if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then | 63 | if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then |
| 50 | log_action_msg "AppArmor not available as kernel LSM." | 64 | log_daemon_msg "AppArmor not available as kernel LSM." |
| 51 | log_end_msg 1 | 65 | log_end_msg 1 |
| 52 | exit 1 | 66 | exit 1 |
| 53 | else | 67 | else |
| 54 | log_action_begin_msg "Mounting securityfs on ${SECURITYFS}" | 68 | log_daemon_msg "Mounting securityfs on ${SECURITYFS}" |
| 55 | if ! mount -t securityfs none "${SECURITYFS}"; then | 69 | if ! mount -t securityfs none "${SECURITYFS}"; then |
| 56 | log_action_end_msg 1 | ||
| 57 | log_end_msg 1 | 70 | log_end_msg 1 |
| 58 | exit 1 | 71 | exit 1 |
| 59 | fi | 72 | fi |
| 60 | fi | 73 | fi |
| 61 | fi | 74 | fi |
| 62 | if [ ! -w "$AA_SFS"/.load ]; then | 75 | if [ ! -w "$AA_SFS"/.load ]; then |
| 63 | log_action_msg "Insufficient privileges to change profiles." | 76 | log_daemon_msg "Insufficient privileges to change profiles." |
| 64 | log_end_msg 1 | 77 | log_end_msg 1 |
| 65 | exit 1 | 78 | exit 1 |
| 66 | fi | 79 | fi |
| @@ -127,7 +140,8 @@ test -d /rofs/etc/apparmor.d && exit 0 | |||
| 127 | rc=255 | 140 | rc=255 |
| 128 | case "$1" in | 141 | case "$1" in |
| 129 | start) | 142 | start) |
| 130 | if systemd-detect-virt --quiet --container && \ | 143 | if test -x /sbin/systemd-detect-virt && \ |
| 144 | systemd-detect-virt --quiet --container && \ | ||
| 131 | ! is_container_with_internal_policy; then | 145 | ! is_container_with_internal_policy; then |
| 132 | log_daemon_msg "Not starting AppArmor in container" | 146 | log_daemon_msg "Not starting AppArmor in container" |
| 133 | log_end_msg 0 | 147 | log_end_msg 0 |
| @@ -161,7 +175,8 @@ with the 'teardown' option." | |||
| 161 | EOM | 175 | EOM |
| 162 | ;; | 176 | ;; |
| 163 | teardown) | 177 | teardown) |
| 164 | if systemd-detect-virt --quiet --container && \ | 178 | if test -x /sbin/systemd-detect-virt && \ |
| 179 | systemd-detect-virt --quiet --container && \ | ||
| 165 | ! is_container_with_internal_policy; then | 180 | ! is_container_with_internal_policy; then |
| 166 | log_daemon_msg "Not tearing down AppArmor in container" | 181 | log_daemon_msg "Not tearing down AppArmor in container" |
| 167 | log_end_msg 0 | 182 | log_end_msg 0 |
| @@ -179,7 +194,8 @@ EOM | |||
| 179 | log_end_msg $rc | 194 | log_end_msg $rc |
| 180 | ;; | 195 | ;; |
| 181 | restart|reload|force-reload) | 196 | restart|reload|force-reload) |
| 182 | if systemd-detect-virt --quiet --container && \ | 197 | if test -x /sbin/systemd-detect-virt && \ |
| 198 | systemd-detect-virt --quiet --container && \ | ||
| 183 | ! is_container_with_internal_policy; then | 199 | ! is_container_with_internal_policy; then |
| 184 | log_daemon_msg "Not reloading AppArmor in container" | 200 | log_daemon_msg "Not reloading AppArmor in container" |
| 185 | log_end_msg 0 | 201 | log_end_msg 0 |