diff options
-rw-r--r-- | recipes-security/AppArmor/apparmor_2.10.95.bb | 116 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/apparmor | 211 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/apparmor.rc | 98 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/apparmor.service | 22 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/disable_pdf.patch | 33 | ||||
-rw-r--r-- | recipes-security/AppArmor/files/functions | 271 |
6 files changed, 751 insertions, 0 deletions
diff --git a/recipes-security/AppArmor/apparmor_2.10.95.bb b/recipes-security/AppArmor/apparmor_2.10.95.bb new file mode 100644 index 0000000..de09e29 --- /dev/null +++ b/recipes-security/AppArmor/apparmor_2.10.95.bb | |||
@@ -0,0 +1,116 @@ | |||
1 | SUMMARY = "AppArmor another MAC control system" | ||
2 | DESCRIPTION = "user-space parser utility for AppArmor \ | ||
3 | This provides the system initialization scripts needed to use the \ | ||
4 | AppArmor Mandatory Access Control system, including the AppArmor Parser \ | ||
5 | which is required to convert AppArmor text profiles into machine-readable \ | ||
6 | policies that are loaded into the kernel for use with the AppArmor Linux \ | ||
7 | Security Module." | ||
8 | HOMEAPAGE = "http://apparmor.net/" | ||
9 | SECTION = "admin" | ||
10 | |||
11 | LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" | ||
12 | LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" | ||
13 | |||
14 | DEPENDS = "bison-native apr apache2" | ||
15 | |||
16 | SRC_URI = " \ | ||
17 | http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ | ||
18 | file://disable_pdf.patch \ | ||
19 | file://apparmor.rc \ | ||
20 | file://functions \ | ||
21 | file://apparmor \ | ||
22 | file://apparmor.service \ | ||
23 | " | ||
24 | |||
25 | SRC_URI[md5sum] = "71a13b9d6ae0bca4f5375984df1a51e7" | ||
26 | SRC_URI[sha256sum] = "3f659a599718f4a5e2a33140916715f574a5cb3634a6b9ed6d29f7b0617e4d1a" | ||
27 | |||
28 | PARALLEL_MAKE = "" | ||
29 | |||
30 | inherit pkgconfig autotools-brokensep update-rc.d python-dir ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} | ||
31 | |||
32 | S = "${WORKDIR}/apparmor-${PV}" | ||
33 | |||
34 | PACKAGECONFIG ?="man" | ||
35 | PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages" | ||
36 | |||
37 | PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" | ||
38 | |||
39 | do_configure() { | ||
40 | cd ${S}/libraries/libapparmor | ||
41 | autoconf --force | ||
42 | libtoolize --automake -c | ||
43 | automake -ac | ||
44 | ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} | ||
45 | sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile | ||
46 | sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile | ||
47 | } | ||
48 | |||
49 | do_compile () { | ||
50 | cd ${S}/libraries/libapparmor | ||
51 | oe_runmake | ||
52 | cd ${S}/binutils | ||
53 | oe_runmake | ||
54 | cd ${S}/utils | ||
55 | oe_runmake | ||
56 | cd ${S}/parser | ||
57 | oe_runmake | ||
58 | cd ${S}/profiles | ||
59 | oe_runmake | ||
60 | |||
61 | cd ${S}/changehat/mod_apparmor | ||
62 | oe_runmake | ||
63 | |||
64 | if test -z "${PAMLIB}" ; then | ||
65 | cd ${S}/changehat/pam_apparmor | ||
66 | oe_runmake | ||
67 | fi | ||
68 | } | ||
69 | |||
70 | do_install () { | ||
71 | install -d ${D}/${INIT_D_DIR} | ||
72 | install -d ${D}/lib/apparmor | ||
73 | |||
74 | cd ${S}/libraries/libapparmor | ||
75 | oe_runmake DESTDIR="${D}" install | ||
76 | |||
77 | cd ${S}/binutils | ||
78 | oe_runmake DESTDIR="${D}" install | ||
79 | |||
80 | cd ${S}/utils | ||
81 | oe_runmake DESTDIR="${D}" install | ||
82 | |||
83 | cd ${S}/parser | ||
84 | oe_runmake DESTDIR="${D}" install | ||
85 | |||
86 | cd ${S}/profiles | ||
87 | oe_runmake DESTDIR="${D}" install | ||
88 | |||
89 | cd ${S}/changehat/mod_apparmor | ||
90 | oe_runmake DESTDIR="${D}" install | ||
91 | |||
92 | if test -z "${PAMLIB}" ; then | ||
93 | cd ${S}/changehat/pam_apparmor | ||
94 | oe_runmake DESTDIR="${D}" install | ||
95 | fi | ||
96 | |||
97 | install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor | ||
98 | |||
99 | install ${WORKDIR}/functions ${D}/lib/apparmor | ||
100 | } | ||
101 | |||
102 | INITSCRIPT_PACKAGES = "${PN}" | ||
103 | INITSCRIPT_NAME = "apparmor" | ||
104 | INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." | ||
105 | |||
106 | SYSTEMD_PACKAGES = "${PN}" | ||
107 | SYSTEMD_SERVICE_${PN} = "apparmor.service" | ||
108 | SYSTEMD_AUTO_ENABLE = "disable" | ||
109 | |||
110 | PACKAGES += "python-${PN} mod-${PN}" | ||
111 | |||
112 | FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor" | ||
113 | FILES_mod-${PN} = "${libdir}/apache2/modules/*" | ||
114 | FILES_python-${PN} = "${PYTHON_SITEPACKAGES_DIR}" | ||
115 | |||
116 | RDEPENDS_${PN} += "bash perl" | ||
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor new file mode 100644 index 0000000..c73c1ce --- /dev/null +++ b/recipes-security/AppArmor/files/apparmor | |||
@@ -0,0 +1,211 @@ | |||
1 | #!/bin/sh | ||
2 | # ---------------------------------------------------------------------- | ||
3 | # Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 | ||
4 | # NOVELL (All rights reserved) | ||
5 | # Copyright (c) 2008, 2009 Canonical, Ltd. | ||
6 | # | ||
7 | # This program is free software; you can redistribute it and/or | ||
8 | # modify it under the terms of version 2 of the GNU General Public | ||
9 | # License published by the Free Software Foundation. | ||
10 | # | ||
11 | # This program is distributed in the hope that it will be useful, | ||
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | # GNU General Public License for more details. | ||
15 | # | ||
16 | # You should have received a copy of the GNU General Public License | ||
17 | # along with this program; if not, contact Novell, Inc. | ||
18 | # ---------------------------------------------------------------------- | ||
19 | # Authors: | ||
20 | # Steve Beattie <steve.beattie@canonical.com> | ||
21 | # Kees Cook <kees@ubuntu.com> | ||
22 | # | ||
23 | # /etc/init.d/apparmor | ||
24 | # | ||
25 | ### BEGIN INIT INFO | ||
26 | # Provides: apparmor | ||
27 | # Required-Start: $local_fs | ||
28 | # Required-Stop: umountfs | ||
29 | # Default-Start: S | ||
30 | # Default-Stop: | ||
31 | # Short-Description: AppArmor initialization | ||
32 | # Description: AppArmor init script. This script loads all AppArmor profiles. | ||
33 | ### END INIT INFO | ||
34 | |||
35 | . /lib/apparmor/functions | ||
36 | . /lib/lsb/init-functions | ||
37 | |||
38 | usage() { | ||
39 | echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" | ||
40 | } | ||
41 | |||
42 | test -x ${PARSER} || exit 0 # by debian policy | ||
43 | # LSM is built-in, so it is either there or not enabled for this boot | ||
44 | test -d /sys/module/apparmor || exit 0 | ||
45 | |||
46 | securityfs() { | ||
47 | # Need securityfs for any mode | ||
48 | if [ ! -d "${AA_SFS}" ]; then | ||
49 | if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then | ||
50 | log_action_msg "AppArmor not available as kernel LSM." | ||
51 | log_end_msg 1 | ||
52 | exit 1 | ||
53 | else | ||
54 | log_action_begin_msg "Mounting securityfs on ${SECURITYFS}" | ||
55 | if ! mount -t securityfs none "${SECURITYFS}"; then | ||
56 | log_action_end_msg 1 | ||
57 | log_end_msg 1 | ||
58 | exit 1 | ||
59 | fi | ||
60 | fi | ||
61 | fi | ||
62 | if [ ! -w "$AA_SFS"/.load ]; then | ||
63 | log_action_msg "Insufficient privileges to change profiles." | ||
64 | log_end_msg 1 | ||
65 | exit 1 | ||
66 | fi | ||
67 | } | ||
68 | |||
69 | handle_system_policy_package_updates() { | ||
70 | apparmor_was_updated=0 | ||
71 | |||
72 | if ! compare_previous_version ; then | ||
73 | # On snappy flavors, if the current and previous versions are | ||
74 | # different then clear the system cache. snappy will handle | ||
75 | # "$PROFILES_CACHE_VAR" itself (on Touch flavors | ||
76 | # compare_previous_version always returns '0' since snappy | ||
77 | # isn't available). | ||
78 | clear_cache_system | ||
79 | apparmor_was_updated=1 | ||
80 | elif ! compare_and_save_debsums apparmor ; then | ||
81 | # If the system policy has been updated since the last time we | ||
82 | # ran, clear the cache to prevent potentially stale binary | ||
83 | # cache files after an Ubuntu image based upgrade (LP: | ||
84 | # #1350673). This can be removed once all system image flavors | ||
85 | # move to snappy (on snappy systems compare_and_save_debsums | ||
86 | # always returns '0' since /var/lib/dpkg doesn't exist). | ||
87 | clear_cache | ||
88 | apparmor_was_updated=1 | ||
89 | fi | ||
90 | |||
91 | if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then | ||
92 | # If packages for system policy that affect click packages have | ||
93 | # been updated since the last time we ran, run aa-clickhook -f | ||
94 | force_clickhook=0 | ||
95 | force_profile_hook=0 | ||
96 | if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then | ||
97 | force_clickhook=1 | ||
98 | fi | ||
99 | if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then | ||
100 | force_clickhook=1 | ||
101 | fi | ||
102 | if ! compare_and_save_debsums click-apparmor ; then | ||
103 | force_clickhook=1 | ||
104 | force_profile_hook=1 | ||
105 | fi | ||
106 | if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then | ||
107 | aa-clickhook -f | ||
108 | fi | ||
109 | if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then | ||
110 | aa-profile-hook -f | ||
111 | fi | ||
112 | fi | ||
113 | } | ||
114 | |||
115 | # Allow "recache" even when running on the liveCD | ||
116 | if [ "$1" = "recache" ]; then | ||
117 | log_daemon_msg "Recaching AppArmor profiles" | ||
118 | recache_profiles | ||
119 | rc=$? | ||
120 | log_end_msg "$rc" | ||
121 | exit $rc | ||
122 | fi | ||
123 | |||
124 | # do not perform start/stop/reload actions when running from liveCD | ||
125 | test -d /rofs/etc/apparmor.d && exit 0 | ||
126 | |||
127 | rc=255 | ||
128 | case "$1" in | ||
129 | start) | ||
130 | if systemd-detect-virt --quiet --container && \ | ||
131 | ! is_container_with_internal_policy; then | ||
132 | log_daemon_msg "Not starting AppArmor in container" | ||
133 | log_end_msg 0 | ||
134 | exit 0 | ||
135 | fi | ||
136 | log_daemon_msg "Starting AppArmor profiles" | ||
137 | securityfs | ||
138 | # That is only useful for click, snappy and system images, | ||
139 | # i.e. not in Debian. And it reads and writes to /var, that | ||
140 | # can be remote-mounted, so it would prevent us from using | ||
141 | # Before=sysinit.target without possibly introducing dependency | ||
142 | # loops. | ||
143 | handle_system_policy_package_updates | ||
144 | load_configured_profiles | ||
145 | rc=$? | ||
146 | log_end_msg "$rc" | ||
147 | ;; | ||
148 | stop) | ||
149 | log_daemon_msg "Clearing AppArmor profiles cache" | ||
150 | clear_cache | ||
151 | rc=$? | ||
152 | log_end_msg "$rc" | ||
153 | cat >&2 <<EOM | ||
154 | All profile caches have been cleared, but no profiles have been unloaded. | ||
155 | Unloading profiles will leave already running processes permanently | ||
156 | unconfined, which can lead to unexpected situations. | ||
157 | |||
158 | To set a process to complain mode, use the command line tool | ||
159 | 'aa-complain'. To really tear down all profiles, run the init script | ||
160 | with the 'teardown' option." | ||
161 | EOM | ||
162 | ;; | ||
163 | teardown) | ||
164 | if systemd-detect-virt --quiet --container && \ | ||
165 | ! is_container_with_internal_policy; then | ||
166 | log_daemon_msg "Not tearing down AppArmor in container" | ||
167 | log_end_msg 0 | ||
168 | exit 0 | ||
169 | fi | ||
170 | log_daemon_msg "Unloading AppArmor profiles" | ||
171 | securityfs | ||
172 | running_profile_names | while read profile; do | ||
173 | if ! unload_profile "$profile" ; then | ||
174 | log_end_msg 1 | ||
175 | exit 1 | ||
176 | fi | ||
177 | done | ||
178 | rc=0 | ||
179 | log_end_msg $rc | ||
180 | ;; | ||
181 | restart|reload|force-reload) | ||
182 | if systemd-detect-virt --quiet --container && \ | ||
183 | ! is_container_with_internal_policy; then | ||
184 | log_daemon_msg "Not reloading AppArmor in container" | ||
185 | log_end_msg 0 | ||
186 | exit 0 | ||
187 | fi | ||
188 | log_daemon_msg "Reloading AppArmor profiles" | ||
189 | securityfs | ||
190 | clear_cache | ||
191 | load_configured_profiles | ||
192 | rc=$? | ||
193 | unload_obsolete_profiles | ||
194 | |||
195 | log_end_msg "$rc" | ||
196 | ;; | ||
197 | status) | ||
198 | securityfs | ||
199 | if [ -x /usr/sbin/aa-status ]; then | ||
200 | aa-status --verbose | ||
201 | else | ||
202 | cat "$AA_SFS"/profiles | ||
203 | fi | ||
204 | rc=$? | ||
205 | ;; | ||
206 | *) | ||
207 | usage | ||
208 | rc=1 | ||
209 | ;; | ||
210 | esac | ||
211 | exit $rc | ||
diff --git a/recipes-security/AppArmor/files/apparmor.rc b/recipes-security/AppArmor/files/apparmor.rc new file mode 100644 index 0000000..1507d7b --- /dev/null +++ b/recipes-security/AppArmor/files/apparmor.rc | |||
@@ -0,0 +1,98 @@ | |||
1 | description "Pre-cache and pre-load apparmor profiles" | ||
2 | author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>" | ||
3 | |||
4 | task | ||
5 | |||
6 | start on starting rc-sysinit | ||
7 | |||
8 | script | ||
9 | [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD | ||
10 | [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor | ||
11 | [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser | ||
12 | |||
13 | . /lib/apparmor/functions | ||
14 | |||
15 | systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true | ||
16 | |||
17 | # Need securityfs for any mode | ||
18 | if [ ! -d /sys/kernel/security/apparmor ]; then | ||
19 | if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then | ||
20 | exit 0 | ||
21 | else | ||
22 | mount -t securityfs none /sys/kernel/security || exit 0 | ||
23 | fi | ||
24 | fi | ||
25 | |||
26 | [ -w /sys/kernel/security/apparmor/.load ] || exit 0 | ||
27 | |||
28 | apparmor_was_updated=0 | ||
29 | if ! compare_previous_version ; then | ||
30 | # On snappy flavors, if the current and previous versions are | ||
31 | # different then clear the system cache. snappy will handle | ||
32 | # "$PROFILES_CACHE_VAR" itself (on Touch flavors | ||
33 | # compare_previous_version always returns '0' since snappy | ||
34 | # isn't available). | ||
35 | clear_cache_system | ||
36 | apparmor_was_updated=1 | ||
37 | elif ! compare_and_save_debsums apparmor ; then | ||
38 | # If the system policy has been updated since the last time we | ||
39 | # ran, clear the cache to prevent potentially stale binary | ||
40 | # cache files after an Ubuntu image based upgrade (LP: | ||
41 | # #1350673). This can be removed once all system image flavors | ||
42 | # move to snappy (on snappy systems compare_and_save_debsums | ||
43 | # always returns '0' since /var/lib/dpkg doesn't exist). | ||
44 | clear_cache | ||
45 | apparmor_was_updated=1 | ||
46 | fi | ||
47 | |||
48 | if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then | ||
49 | # If packages for system policy that affect click packages have | ||
50 | # been updated since the last time we ran, run aa-clickhook -f | ||
51 | force_clickhook=0 | ||
52 | force_profile_hook=0 | ||
53 | if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then | ||
54 | force_clickhook=1 | ||
55 | fi | ||
56 | if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then | ||
57 | force_clickhook=1 | ||
58 | fi | ||
59 | if ! compare_and_save_debsums click-apparmor ; then | ||
60 | force_clickhook=1 | ||
61 | force_profile_hook=1 | ||
62 | fi | ||
63 | if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then | ||
64 | aa-clickhook -f | ||
65 | fi | ||
66 | if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then | ||
67 | aa-profile-hook -f | ||
68 | fi | ||
69 | fi | ||
70 | |||
71 | if [ "$ACTION" = "teardown" ]; then | ||
72 | running_profile_names | while read profile; do | ||
73 | unload_profile "$profile" | ||
74 | done | ||
75 | exit 0 | ||
76 | fi | ||
77 | |||
78 | if [ "$ACTION" = "clear" ]; then | ||
79 | clear_cache | ||
80 | exit 0 | ||
81 | fi | ||
82 | |||
83 | if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then | ||
84 | clear_cache | ||
85 | load_configured_profiles | ||
86 | unload_obsolete_profiles | ||
87 | exit 0 | ||
88 | fi | ||
89 | |||
90 | # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, | ||
91 | # aa-clickhook will have already compiled the policy, generated the cache | ||
92 | # files and loaded them into the kernel by this point, so reloading click | ||
93 | # policy from cache, while fairly fast (<2 seconds for 250 profiles on | ||
94 | # armhf), is redundant. Fixing this would complicate the logic quite a bit | ||
95 | # and it wouldn't improve the (by far) common case (ie, when | ||
96 | # 'aa-clickhook -f' is not run). | ||
97 | load_configured_profiles | ||
98 | end script | ||
diff --git a/recipes-security/AppArmor/files/apparmor.service b/recipes-security/AppArmor/files/apparmor.service new file mode 100644 index 0000000..e66afe4 --- /dev/null +++ b/recipes-security/AppArmor/files/apparmor.service | |||
@@ -0,0 +1,22 @@ | |||
1 | [Unit] | ||
2 | Description=AppArmor initialization | ||
3 | After=local-fs.target | ||
4 | Before=sysinit.target | ||
5 | AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load | ||
6 | ConditionSecurity=apparmor | ||
7 | DefaultDependencies=no | ||
8 | Documentation=man:apparmor(7) | ||
9 | Documentation=http://wiki.apparmor.net/ | ||
10 | |||
11 | # Don't start this unit on the Ubuntu Live CD | ||
12 | ConditionPathExists=!/rofs/etc/apparmor.d | ||
13 | |||
14 | [Service] | ||
15 | Type=oneshot | ||
16 | RemainAfterExit=yes | ||
17 | ExecStart=/etc/init.d/apparmor start | ||
18 | ExecStop=/etc/init.d/apparmor stop | ||
19 | ExecReload=/etc/init.d/apparmor reload | ||
20 | |||
21 | [Install] | ||
22 | WantedBy=sysinit.target | ||
diff --git a/recipes-security/AppArmor/files/disable_pdf.patch b/recipes-security/AppArmor/files/disable_pdf.patch new file mode 100644 index 0000000..c6b4bdd --- /dev/null +++ b/recipes-security/AppArmor/files/disable_pdf.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | Index: apparmor-2.10.95/parser/Makefile | ||
2 | =================================================================== | ||
3 | --- apparmor-2.10.95.orig/parser/Makefile | ||
4 | +++ apparmor-2.10.95/parser/Makefile | ||
5 | @@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT | ||
6 | po/${NAME}.pot: ${SRCS} ${HDRS} | ||
7 | $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" | ||
8 | |||
9 | -techdoc.pdf: techdoc.tex | ||
10 | - timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ | ||
11 | - while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ | ||
12 | - grep -q "Label(s) may have changed" techdoc.log; \ | ||
13 | - do :; done | ||
14 | - | ||
15 | -techdoc/index.html: techdoc.pdf | ||
16 | - latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} | ||
17 | - | ||
18 | -techdoc.txt: techdoc/index.html | ||
19 | - w3m -dump $< > $@ | ||
20 | |||
21 | # targets arranged this way so that people who don't want full docs can | ||
22 | # pick specific targets they want. | ||
23 | @@ -159,9 +148,7 @@ manpages: $(MANPAGES) | ||
24 | |||
25 | htmlmanpages: $(HTMLMANPAGES) | ||
26 | |||
27 | -pdf: techdoc.pdf | ||
28 | - | ||
29 | -docs: manpages htmlmanpages pdf | ||
30 | +docs: manpages htmlmanpages | ||
31 | |||
32 | indep: docs | ||
33 | $(Q)$(MAKE) -C po all | ||
diff --git a/recipes-security/AppArmor/files/functions b/recipes-security/AppArmor/files/functions new file mode 100644 index 0000000..cef8cfe --- /dev/null +++ b/recipes-security/AppArmor/files/functions | |||
@@ -0,0 +1,271 @@ | |||
1 | # /lib/apparmor/functions for Debian -*- shell-script -*- | ||
2 | # ---------------------------------------------------------------------- | ||
3 | # Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 | ||
4 | # NOVELL (All rights reserved) | ||
5 | # Copyright (c) 2008-2010 Canonical, Ltd. | ||
6 | # | ||
7 | # This program is free software; you can redistribute it and/or | ||
8 | # modify it under the terms of version 2 of the GNU General Public | ||
9 | # License published by the Free Software Foundation. | ||
10 | # | ||
11 | # This program is distributed in the hope that it will be useful, | ||
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | # GNU General Public License for more details. | ||
15 | # | ||
16 | # You should have received a copy of the GNU General Public License | ||
17 | # along with this program; if not, contact Novell, Inc. | ||
18 | # ---------------------------------------------------------------------- | ||
19 | # Authors: | ||
20 | # Kees Cook <kees@ubuntu.com> | ||
21 | |||
22 | PROFILES="/etc/apparmor.d" | ||
23 | PROFILES_CACHE="$PROFILES/cache" | ||
24 | PROFILES_VAR="/var/lib/apparmor/profiles" | ||
25 | PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" | ||
26 | PROFILES_CACHE_VAR="/var/cache/apparmor" | ||
27 | PARSER="/sbin/apparmor_parser" | ||
28 | SECURITYFS="/sys/kernel/security" | ||
29 | export AA_SFS="$SECURITYFS/apparmor" | ||
30 | |||
31 | # Suppress warnings when booting in quiet mode | ||
32 | quiet_arg="" | ||
33 | [ "${QUIET:-no}" = yes ] && quiet_arg="-q" | ||
34 | [ "${quiet:-n}" = y ] && quiet_arg="-q" | ||
35 | |||
36 | foreach_configured_profile() { | ||
37 | rc_all="0" | ||
38 | for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do | ||
39 | if [ ! -d "$pdir" ]; then | ||
40 | continue | ||
41 | fi | ||
42 | num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` | ||
43 | if [ "$num" = "0" ]; then | ||
44 | continue | ||
45 | fi | ||
46 | |||
47 | cache_dir="$PROFILES_CACHE" | ||
48 | if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then | ||
49 | cache_dir="$PROFILES_CACHE_VAR" | ||
50 | fi | ||
51 | cache_args="--cache-loc=$cache_dir" | ||
52 | if [ ! -d "$cache_dir" ]; then | ||
53 | cache_args= | ||
54 | fi | ||
55 | |||
56 | # LP: #1383858 - expr tree simplification is too slow for | ||
57 | # Touch policy on ARM, so disable it for now | ||
58 | cache_extra_args= | ||
59 | if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then | ||
60 | cache_extra_args="-O no-expr-simplify" | ||
61 | fi | ||
62 | |||
63 | # If need to compile everything, then use -n1 with xargs to | ||
64 | # take advantage of -P. When cache files are in use, omit -n1 | ||
65 | # since it is considerably faster on moderately sized profile | ||
66 | # sets to give the parser all the profiles to load at once | ||
67 | n1_args= | ||
68 | num=`find "$cache_dir" -type f ! -name '.features' | wc -l` | ||
69 | if [ "$num" = "0" ]; then | ||
70 | n1_args="-n1" | ||
71 | fi | ||
72 | |||
73 | (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ | ||
74 | while read profile; do | ||
75 | if [ -f "$pdir"/"$profile" ]; then | ||
76 | echo "$pdir"/"$profile" | ||
77 | fi | ||
78 | done) | \ | ||
79 | xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { | ||
80 | rc_all="$?" | ||
81 | # FIXME: when the parser properly handles broken | ||
82 | # profiles (LP: #1377338), remove this if statement. | ||
83 | # For now, if the xargs returns with error, just run | ||
84 | # through everything with -n1. (This could be broken | ||
85 | # out and refactored, but this is temporary so make it | ||
86 | # easy to understand and revert) | ||
87 | if [ "$rc_all" != "0" ]; then | ||
88 | (ls -1 "$pdir" | \ | ||
89 | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ | ||
90 | while read profile; do | ||
91 | if [ -f "$pdir"/"$profile" ]; then | ||
92 | echo "$pdir"/"$profile" | ||
93 | fi | ||
94 | done) | \ | ||
95 | xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { | ||
96 | rc_all="$?" | ||
97 | } | ||
98 | fi | ||
99 | } | ||
100 | done | ||
101 | return $rc_all | ||
102 | } | ||
103 | |||
104 | load_configured_profiles() { | ||
105 | clear_cache_if_outdated | ||
106 | foreach_configured_profile $quiet_arg --write-cache --replace | ||
107 | } | ||
108 | |||
109 | load_configured_profiles_without_caching() { | ||
110 | foreach_configured_profile $quiet_arg --replace | ||
111 | } | ||
112 | |||
113 | recache_profiles() { | ||
114 | clear_cache | ||
115 | foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load | ||
116 | } | ||
117 | |||
118 | configured_profile_names() { | ||
119 | foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' | ||
120 | } | ||
121 | |||
122 | running_profile_names() { | ||
123 | # Output a sorted list of loaded profiles, skipping libvirt's | ||
124 | # dynamically generated files | ||
125 | cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' | ||
126 | } | ||
127 | |||
128 | unload_profile() { | ||
129 | echo -n "$1" > "$AA_SFS"/.remove | ||
130 | } | ||
131 | |||
132 | clear_cache() { | ||
133 | clear_cache_system | ||
134 | clear_cache_var | ||
135 | } | ||
136 | |||
137 | clear_cache_system() { | ||
138 | find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- | ||
139 | } | ||
140 | |||
141 | clear_cache_var() { | ||
142 | find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- | ||
143 | } | ||
144 | |||
145 | read_features_dir() | ||
146 | { | ||
147 | for f in `ls -AU "$1"` ; do | ||
148 | if [ -f "$1/$f" ] ; then | ||
149 | read -r KF < "$1/$f" || true | ||
150 | echo -n "$f {$KF } " | ||
151 | elif [ -d "$1/$f" ] ; then | ||
152 | echo -n "$f {" | ||
153 | KF=`read_features_dir "$1/$f"` || true | ||
154 | echo -n "$KF} " | ||
155 | fi | ||
156 | done | ||
157 | } | ||
158 | |||
159 | clear_cache_if_outdated() { | ||
160 | if [ -r "$PROFILES_CACHE"/.features ]; then | ||
161 | if [ -d "$AA_SFS"/features ]; then | ||
162 | KERN_FEATURES=`read_features_dir "$AA_SFS"/features` | ||
163 | else | ||
164 | read -r KERN_FEATURES < "$AA_SFS"/features | ||
165 | fi | ||
166 | CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` | ||
167 | if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then | ||
168 | clear_cache | ||
169 | fi | ||
170 | fi | ||
171 | } | ||
172 | |||
173 | unload_obsolete_profiles() { | ||
174 | # Currently we must re-parse all the profiles to get policy names. :( | ||
175 | aa_configured=$(mktemp -t aa-XXXXXX) | ||
176 | configured_profile_names > "$aa_configured" || true | ||
177 | aa_loaded=$(mktemp -t aa-XXXXXX) | ||
178 | running_profile_names > "$aa_loaded" || true | ||
179 | LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do | ||
180 | unload_profile "$profile" | ||
181 | done | ||
182 | rm -f "$aa_configured" "$aa_loaded" | ||
183 | } | ||
184 | |||
185 | # If the system debsum differs from the saved debsum, the new system debsum is | ||
186 | # saved and non-zero is returned. Returns 0 if the two debsums matched or if | ||
187 | # the system debsum file does not exist. This can be removed when system image | ||
188 | # flavors all move to snappy. | ||
189 | compare_and_save_debsums() { | ||
190 | pkg="$1" | ||
191 | |||
192 | if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then | ||
193 | sums="/var/lib/dpkg/info/${pkg}.md5sums" | ||
194 | # store saved md5sums in /var/lib/apparmor/profiles since | ||
195 | # /var/cache/apparmor might be cleared by apparmor | ||
196 | saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" | ||
197 | |||
198 | if [ -f "$sums" ] && \ | ||
199 | ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then | ||
200 | cp -f "$sums" "$saved_sums" | ||
201 | return 1 | ||
202 | fi | ||
203 | fi | ||
204 | |||
205 | return 0 | ||
206 | } | ||
207 | |||
208 | compare_previous_version() { | ||
209 | installed="/usr/share/snappy/security-policy-version" | ||
210 | previous="/var/lib/snappy/security-policy-version" | ||
211 | |||
212 | # When just $previous doesn't exist, assume this is a new system with | ||
213 | # no cache and don't do anything special. | ||
214 | if [ -f "$installed" ] && [ -f "$previous" ]; then | ||
215 | pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` | ||
216 | iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` | ||
217 | if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then | ||
218 | # snappy updates $previous elsewhere, so just return | ||
219 | return 1 | ||
220 | fi | ||
221 | fi | ||
222 | |||
223 | return 0 | ||
224 | } | ||
225 | |||
226 | # Checks to see if the current container is capable of having internal AppArmor | ||
227 | # profiles that should be loaded. Callers of this function should have already | ||
228 | # verified that they're running inside of a container environment with | ||
229 | # something like `systemd-detect-virt --container`. | ||
230 | # | ||
231 | # The only known container environments capable of supporting internal policy | ||
232 | # are LXD and LXC environment. | ||
233 | # | ||
234 | # Returns 0 if the container environment is capable of having its own internal | ||
235 | # policy and non-zero otherwise. | ||
236 | # | ||
237 | # IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC | ||
238 | # system container technology being nested inside of a LXD/LXC container that | ||
239 | # utilized an AppArmor namespace and profile stacking. The reason 0 will be | ||
240 | # returned is because .ns_stacked will be "yes" and .ns_name will still match | ||
241 | # "lx[dc]-*" since the nested system container technology will not have set up | ||
242 | # a new AppArmor profile namespace. This will result in the nested system | ||
243 | # container's boot process to experience failed policy loads but the boot | ||
244 | # process should continue without any loss of functionality. This is an | ||
245 | # unsupported configuration that cannot be properly handled by this function. | ||
246 | is_container_with_internal_policy() { | ||
247 | local ns_stacked_path="${AA_SFS}/.ns_stacked" | ||
248 | local ns_name_path="${AA_SFS}/.ns_name" | ||
249 | local ns_stacked | ||
250 | local ns_name | ||
251 | |||
252 | if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then | ||
253 | return 1 | ||
254 | fi | ||
255 | |||
256 | read -r ns_stacked < "$ns_stacked_path" | ||
257 | if [ "$ns_stacked" != "yes" ]; then | ||
258 | return 1 | ||
259 | fi | ||
260 | |||
261 | # LXD and LXC set up AppArmor namespaces starting with "lxd-" and | ||
262 | # "lxc-", respectively. Return non-zero for all other namespace | ||
263 | # identifiers. | ||
264 | read -r ns_name < "$ns_name_path" | ||
265 | if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ | ||
266 | [ "${ns_name#lxc-*}" = "$ns_name" ]; then | ||
267 | return 1 | ||
268 | fi | ||
269 | |||
270 | return 0 | ||
271 | } | ||