summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--recipes-security/AppArmor/apparmor_2.10.95.bb116
-rw-r--r--recipes-security/AppArmor/files/apparmor211
-rw-r--r--recipes-security/AppArmor/files/apparmor.rc98
-rw-r--r--recipes-security/AppArmor/files/apparmor.service22
-rw-r--r--recipes-security/AppArmor/files/disable_pdf.patch33
-rw-r--r--recipes-security/AppArmor/files/functions271
6 files changed, 751 insertions, 0 deletions
diff --git a/recipes-security/AppArmor/apparmor_2.10.95.bb b/recipes-security/AppArmor/apparmor_2.10.95.bb
new file mode 100644
index 0000000..de09e29
--- /dev/null
+++ b/recipes-security/AppArmor/apparmor_2.10.95.bb
@@ -0,0 +1,116 @@
1SUMMARY = "AppArmor another MAC control system"
2DESCRIPTION = "user-space parser utility for AppArmor \
3 This provides the system initialization scripts needed to use the \
4 AppArmor Mandatory Access Control system, including the AppArmor Parser \
5 which is required to convert AppArmor text profiles into machine-readable \
6 policies that are loaded into the kernel for use with the AppArmor Linux \
7 Security Module."
8HOMEAPAGE = "http://apparmor.net/"
9SECTION = "admin"
10
11LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
12LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
13
14DEPENDS = "bison-native apr apache2"
15
16SRC_URI = " \
17 http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
18 file://disable_pdf.patch \
19 file://apparmor.rc \
20 file://functions \
21 file://apparmor \
22 file://apparmor.service \
23 "
24
25SRC_URI[md5sum] = "71a13b9d6ae0bca4f5375984df1a51e7"
26SRC_URI[sha256sum] = "3f659a599718f4a5e2a33140916715f574a5cb3634a6b9ed6d29f7b0617e4d1a"
27
28PARALLEL_MAKE = ""
29
30inherit pkgconfig autotools-brokensep update-rc.d python-dir ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
31
32S = "${WORKDIR}/apparmor-${PV}"
33
34PACKAGECONFIG ?="man"
35PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
36
37PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
38
39do_configure() {
40 cd ${S}/libraries/libapparmor
41 autoconf --force
42 libtoolize --automake -c
43 automake -ac
44 ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
45 sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
46 sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
47}
48
49do_compile () {
50 cd ${S}/libraries/libapparmor
51 oe_runmake
52 cd ${S}/binutils
53 oe_runmake
54 cd ${S}/utils
55 oe_runmake
56 cd ${S}/parser
57 oe_runmake
58 cd ${S}/profiles
59 oe_runmake
60
61 cd ${S}/changehat/mod_apparmor
62 oe_runmake
63
64 if test -z "${PAMLIB}" ; then
65 cd ${S}/changehat/pam_apparmor
66 oe_runmake
67 fi
68}
69
70do_install () {
71 install -d ${D}/${INIT_D_DIR}
72 install -d ${D}/lib/apparmor
73
74 cd ${S}/libraries/libapparmor
75 oe_runmake DESTDIR="${D}" install
76
77 cd ${S}/binutils
78 oe_runmake DESTDIR="${D}" install
79
80 cd ${S}/utils
81 oe_runmake DESTDIR="${D}" install
82
83 cd ${S}/parser
84 oe_runmake DESTDIR="${D}" install
85
86 cd ${S}/profiles
87 oe_runmake DESTDIR="${D}" install
88
89 cd ${S}/changehat/mod_apparmor
90 oe_runmake DESTDIR="${D}" install
91
92 if test -z "${PAMLIB}" ; then
93 cd ${S}/changehat/pam_apparmor
94 oe_runmake DESTDIR="${D}" install
95 fi
96
97 install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
98
99 install ${WORKDIR}/functions ${D}/lib/apparmor
100}
101
102INITSCRIPT_PACKAGES = "${PN}"
103INITSCRIPT_NAME = "apparmor"
104INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
105
106SYSTEMD_PACKAGES = "${PN}"
107SYSTEMD_SERVICE_${PN} = "apparmor.service"
108SYSTEMD_AUTO_ENABLE = "disable"
109
110PACKAGES += "python-${PN} mod-${PN}"
111
112FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor"
113FILES_mod-${PN} = "${libdir}/apache2/modules/*"
114FILES_python-${PN} = "${PYTHON_SITEPACKAGES_DIR}"
115
116RDEPENDS_${PN} += "bash perl"
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor
new file mode 100644
index 0000000..c73c1ce
--- /dev/null
+++ b/recipes-security/AppArmor/files/apparmor
@@ -0,0 +1,211 @@
1#!/bin/sh
2# ----------------------------------------------------------------------
3# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
4# NOVELL (All rights reserved)
5# Copyright (c) 2008, 2009 Canonical, Ltd.
6#
7# This program is free software; you can redistribute it and/or
8# modify it under the terms of version 2 of the GNU General Public
9# License published by the Free Software Foundation.
10#
11# This program is distributed in the hope that it will be useful,
12# but WITHOUT ANY WARRANTY; without even the implied warranty of
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14# GNU General Public License for more details.
15#
16# You should have received a copy of the GNU General Public License
17# along with this program; if not, contact Novell, Inc.
18# ----------------------------------------------------------------------
19# Authors:
20# Steve Beattie <steve.beattie@canonical.com>
21# Kees Cook <kees@ubuntu.com>
22#
23# /etc/init.d/apparmor
24#
25### BEGIN INIT INFO
26# Provides: apparmor
27# Required-Start: $local_fs
28# Required-Stop: umountfs
29# Default-Start: S
30# Default-Stop:
31# Short-Description: AppArmor initialization
32# Description: AppArmor init script. This script loads all AppArmor profiles.
33### END INIT INFO
34
35. /lib/apparmor/functions
36. /lib/lsb/init-functions
37
38usage() {
39 echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
40}
41
42test -x ${PARSER} || exit 0 # by debian policy
43# LSM is built-in, so it is either there or not enabled for this boot
44test -d /sys/module/apparmor || exit 0
45
46securityfs() {
47 # Need securityfs for any mode
48 if [ ! -d "${AA_SFS}" ]; then
49 if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
50 log_action_msg "AppArmor not available as kernel LSM."
51 log_end_msg 1
52 exit 1
53 else
54 log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
55 if ! mount -t securityfs none "${SECURITYFS}"; then
56 log_action_end_msg 1
57 log_end_msg 1
58 exit 1
59 fi
60 fi
61 fi
62 if [ ! -w "$AA_SFS"/.load ]; then
63 log_action_msg "Insufficient privileges to change profiles."
64 log_end_msg 1
65 exit 1
66 fi
67}
68
69handle_system_policy_package_updates() {
70 apparmor_was_updated=0
71
72 if ! compare_previous_version ; then
73 # On snappy flavors, if the current and previous versions are
74 # different then clear the system cache. snappy will handle
75 # "$PROFILES_CACHE_VAR" itself (on Touch flavors
76 # compare_previous_version always returns '0' since snappy
77 # isn't available).
78 clear_cache_system
79 apparmor_was_updated=1
80 elif ! compare_and_save_debsums apparmor ; then
81 # If the system policy has been updated since the last time we
82 # ran, clear the cache to prevent potentially stale binary
83 # cache files after an Ubuntu image based upgrade (LP:
84 # #1350673). This can be removed once all system image flavors
85 # move to snappy (on snappy systems compare_and_save_debsums
86 # always returns '0' since /var/lib/dpkg doesn't exist).
87 clear_cache
88 apparmor_was_updated=1
89 fi
90
91 if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
92 # If packages for system policy that affect click packages have
93 # been updated since the last time we ran, run aa-clickhook -f
94 force_clickhook=0
95 force_profile_hook=0
96 if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
97 force_clickhook=1
98 fi
99 if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
100 force_clickhook=1
101 fi
102 if ! compare_and_save_debsums click-apparmor ; then
103 force_clickhook=1
104 force_profile_hook=1
105 fi
106 if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
107 aa-clickhook -f
108 fi
109 if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
110 aa-profile-hook -f
111 fi
112 fi
113}
114
115# Allow "recache" even when running on the liveCD
116if [ "$1" = "recache" ]; then
117 log_daemon_msg "Recaching AppArmor profiles"
118 recache_profiles
119 rc=$?
120 log_end_msg "$rc"
121 exit $rc
122fi
123
124# do not perform start/stop/reload actions when running from liveCD
125test -d /rofs/etc/apparmor.d && exit 0
126
127rc=255
128case "$1" in
129 start)
130 if systemd-detect-virt --quiet --container && \
131 ! is_container_with_internal_policy; then
132 log_daemon_msg "Not starting AppArmor in container"
133 log_end_msg 0
134 exit 0
135 fi
136 log_daemon_msg "Starting AppArmor profiles"
137 securityfs
138 # That is only useful for click, snappy and system images,
139 # i.e. not in Debian. And it reads and writes to /var, that
140 # can be remote-mounted, so it would prevent us from using
141 # Before=sysinit.target without possibly introducing dependency
142 # loops.
143 handle_system_policy_package_updates
144 load_configured_profiles
145 rc=$?
146 log_end_msg "$rc"
147 ;;
148 stop)
149 log_daemon_msg "Clearing AppArmor profiles cache"
150 clear_cache
151 rc=$?
152 log_end_msg "$rc"
153 cat >&2 <<EOM
154All profile caches have been cleared, but no profiles have been unloaded.
155Unloading profiles will leave already running processes permanently
156unconfined, which can lead to unexpected situations.
157
158To set a process to complain mode, use the command line tool
159'aa-complain'. To really tear down all profiles, run the init script
160with the 'teardown' option."
161EOM
162 ;;
163 teardown)
164 if systemd-detect-virt --quiet --container && \
165 ! is_container_with_internal_policy; then
166 log_daemon_msg "Not tearing down AppArmor in container"
167 log_end_msg 0
168 exit 0
169 fi
170 log_daemon_msg "Unloading AppArmor profiles"
171 securityfs
172 running_profile_names | while read profile; do
173 if ! unload_profile "$profile" ; then
174 log_end_msg 1
175 exit 1
176 fi
177 done
178 rc=0
179 log_end_msg $rc
180 ;;
181 restart|reload|force-reload)
182 if systemd-detect-virt --quiet --container && \
183 ! is_container_with_internal_policy; then
184 log_daemon_msg "Not reloading AppArmor in container"
185 log_end_msg 0
186 exit 0
187 fi
188 log_daemon_msg "Reloading AppArmor profiles"
189 securityfs
190 clear_cache
191 load_configured_profiles
192 rc=$?
193 unload_obsolete_profiles
194
195 log_end_msg "$rc"
196 ;;
197 status)
198 securityfs
199 if [ -x /usr/sbin/aa-status ]; then
200 aa-status --verbose
201 else
202 cat "$AA_SFS"/profiles
203 fi
204 rc=$?
205 ;;
206 *)
207 usage
208 rc=1
209 ;;
210 esac
211exit $rc
diff --git a/recipes-security/AppArmor/files/apparmor.rc b/recipes-security/AppArmor/files/apparmor.rc
new file mode 100644
index 0000000..1507d7b
--- /dev/null
+++ b/recipes-security/AppArmor/files/apparmor.rc
@@ -0,0 +1,98 @@
1description "Pre-cache and pre-load apparmor profiles"
2author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
3
4task
5
6start on starting rc-sysinit
7
8script
9 [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
10 [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
11 [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
12
13 . /lib/apparmor/functions
14
15 systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
16
17 # Need securityfs for any mode
18 if [ ! -d /sys/kernel/security/apparmor ]; then
19 if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
20 exit 0
21 else
22 mount -t securityfs none /sys/kernel/security || exit 0
23 fi
24 fi
25
26 [ -w /sys/kernel/security/apparmor/.load ] || exit 0
27
28 apparmor_was_updated=0
29 if ! compare_previous_version ; then
30 # On snappy flavors, if the current and previous versions are
31 # different then clear the system cache. snappy will handle
32 # "$PROFILES_CACHE_VAR" itself (on Touch flavors
33 # compare_previous_version always returns '0' since snappy
34 # isn't available).
35 clear_cache_system
36 apparmor_was_updated=1
37 elif ! compare_and_save_debsums apparmor ; then
38 # If the system policy has been updated since the last time we
39 # ran, clear the cache to prevent potentially stale binary
40 # cache files after an Ubuntu image based upgrade (LP:
41 # #1350673). This can be removed once all system image flavors
42 # move to snappy (on snappy systems compare_and_save_debsums
43 # always returns '0' since /var/lib/dpkg doesn't exist).
44 clear_cache
45 apparmor_was_updated=1
46 fi
47
48 if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
49 # If packages for system policy that affect click packages have
50 # been updated since the last time we ran, run aa-clickhook -f
51 force_clickhook=0
52 force_profile_hook=0
53 if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
54 force_clickhook=1
55 fi
56 if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
57 force_clickhook=1
58 fi
59 if ! compare_and_save_debsums click-apparmor ; then
60 force_clickhook=1
61 force_profile_hook=1
62 fi
63 if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
64 aa-clickhook -f
65 fi
66 if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
67 aa-profile-hook -f
68 fi
69 fi
70
71 if [ "$ACTION" = "teardown" ]; then
72 running_profile_names | while read profile; do
73 unload_profile "$profile"
74 done
75 exit 0
76 fi
77
78 if [ "$ACTION" = "clear" ]; then
79 clear_cache
80 exit 0
81 fi
82
83 if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
84 clear_cache
85 load_configured_profiles
86 unload_obsolete_profiles
87 exit 0
88 fi
89
90 # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
91 # aa-clickhook will have already compiled the policy, generated the cache
92 # files and loaded them into the kernel by this point, so reloading click
93 # policy from cache, while fairly fast (<2 seconds for 250 profiles on
94 # armhf), is redundant. Fixing this would complicate the logic quite a bit
95 # and it wouldn't improve the (by far) common case (ie, when
96 # 'aa-clickhook -f' is not run).
97 load_configured_profiles
98end script
diff --git a/recipes-security/AppArmor/files/apparmor.service b/recipes-security/AppArmor/files/apparmor.service
new file mode 100644
index 0000000..e66afe4
--- /dev/null
+++ b/recipes-security/AppArmor/files/apparmor.service
@@ -0,0 +1,22 @@
1[Unit]
2Description=AppArmor initialization
3After=local-fs.target
4Before=sysinit.target
5AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
6ConditionSecurity=apparmor
7DefaultDependencies=no
8Documentation=man:apparmor(7)
9Documentation=http://wiki.apparmor.net/
10
11# Don't start this unit on the Ubuntu Live CD
12ConditionPathExists=!/rofs/etc/apparmor.d
13
14[Service]
15Type=oneshot
16RemainAfterExit=yes
17ExecStart=/etc/init.d/apparmor start
18ExecStop=/etc/init.d/apparmor stop
19ExecReload=/etc/init.d/apparmor reload
20
21[Install]
22WantedBy=sysinit.target
diff --git a/recipes-security/AppArmor/files/disable_pdf.patch b/recipes-security/AppArmor/files/disable_pdf.patch
new file mode 100644
index 0000000..c6b4bdd
--- /dev/null
+++ b/recipes-security/AppArmor/files/disable_pdf.patch
@@ -0,0 +1,33 @@
1Index: apparmor-2.10.95/parser/Makefile
2===================================================================
3--- apparmor-2.10.95.orig/parser/Makefile
4+++ apparmor-2.10.95/parser/Makefile
5@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
6 po/${NAME}.pot: ${SRCS} ${HDRS}
7 $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
8
9-techdoc.pdf: techdoc.tex
10- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
11- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
12- grep -q "Label(s) may have changed" techdoc.log; \
13- do :; done
14-
15-techdoc/index.html: techdoc.pdf
16- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
17-
18-techdoc.txt: techdoc/index.html
19- w3m -dump $< > $@
20
21 # targets arranged this way so that people who don't want full docs can
22 # pick specific targets they want.
23@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
24
25 htmlmanpages: $(HTMLMANPAGES)
26
27-pdf: techdoc.pdf
28-
29-docs: manpages htmlmanpages pdf
30+docs: manpages htmlmanpages
31
32 indep: docs
33 $(Q)$(MAKE) -C po all
diff --git a/recipes-security/AppArmor/files/functions b/recipes-security/AppArmor/files/functions
new file mode 100644
index 0000000..cef8cfe
--- /dev/null
+++ b/recipes-security/AppArmor/files/functions
@@ -0,0 +1,271 @@
1# /lib/apparmor/functions for Debian -*- shell-script -*-
2# ----------------------------------------------------------------------
3# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
4# NOVELL (All rights reserved)
5# Copyright (c) 2008-2010 Canonical, Ltd.
6#
7# This program is free software; you can redistribute it and/or
8# modify it under the terms of version 2 of the GNU General Public
9# License published by the Free Software Foundation.
10#
11# This program is distributed in the hope that it will be useful,
12# but WITHOUT ANY WARRANTY; without even the implied warranty of
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14# GNU General Public License for more details.
15#
16# You should have received a copy of the GNU General Public License
17# along with this program; if not, contact Novell, Inc.
18# ----------------------------------------------------------------------
19# Authors:
20# Kees Cook <kees@ubuntu.com>
21
22PROFILES="/etc/apparmor.d"
23PROFILES_CACHE="$PROFILES/cache"
24PROFILES_VAR="/var/lib/apparmor/profiles"
25PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
26PROFILES_CACHE_VAR="/var/cache/apparmor"
27PARSER="/sbin/apparmor_parser"
28SECURITYFS="/sys/kernel/security"
29export AA_SFS="$SECURITYFS/apparmor"
30
31# Suppress warnings when booting in quiet mode
32quiet_arg=""
33[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
34[ "${quiet:-n}" = y ] && quiet_arg="-q"
35
36foreach_configured_profile() {
37 rc_all="0"
38 for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
39 if [ ! -d "$pdir" ]; then
40 continue
41 fi
42 num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
43 if [ "$num" = "0" ]; then
44 continue
45 fi
46
47 cache_dir="$PROFILES_CACHE"
48 if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
49 cache_dir="$PROFILES_CACHE_VAR"
50 fi
51 cache_args="--cache-loc=$cache_dir"
52 if [ ! -d "$cache_dir" ]; then
53 cache_args=
54 fi
55
56 # LP: #1383858 - expr tree simplification is too slow for
57 # Touch policy on ARM, so disable it for now
58 cache_extra_args=
59 if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
60 cache_extra_args="-O no-expr-simplify"
61 fi
62
63 # If need to compile everything, then use -n1 with xargs to
64 # take advantage of -P. When cache files are in use, omit -n1
65 # since it is considerably faster on moderately sized profile
66 # sets to give the parser all the profiles to load at once
67 n1_args=
68 num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
69 if [ "$num" = "0" ]; then
70 n1_args="-n1"
71 fi
72
73 (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
74 while read profile; do
75 if [ -f "$pdir"/"$profile" ]; then
76 echo "$pdir"/"$profile"
77 fi
78 done) | \
79 xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
80 rc_all="$?"
81 # FIXME: when the parser properly handles broken
82 # profiles (LP: #1377338), remove this if statement.
83 # For now, if the xargs returns with error, just run
84 # through everything with -n1. (This could be broken
85 # out and refactored, but this is temporary so make it
86 # easy to understand and revert)
87 if [ "$rc_all" != "0" ]; then
88 (ls -1 "$pdir" | \
89 egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
90 while read profile; do
91 if [ -f "$pdir"/"$profile" ]; then
92 echo "$pdir"/"$profile"
93 fi
94 done) | \
95 xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
96 rc_all="$?"
97 }
98 fi
99 }
100 done
101 return $rc_all
102}
103
104load_configured_profiles() {
105 clear_cache_if_outdated
106 foreach_configured_profile $quiet_arg --write-cache --replace
107}
108
109load_configured_profiles_without_caching() {
110 foreach_configured_profile $quiet_arg --replace
111}
112
113recache_profiles() {
114 clear_cache
115 foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
116}
117
118configured_profile_names() {
119 foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
120}
121
122running_profile_names() {
123 # Output a sorted list of loaded profiles, skipping libvirt's
124 # dynamically generated files
125 cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
126}
127
128unload_profile() {
129 echo -n "$1" > "$AA_SFS"/.remove
130}
131
132clear_cache() {
133 clear_cache_system
134 clear_cache_var
135}
136
137clear_cache_system() {
138 find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
139}
140
141clear_cache_var() {
142 find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
143}
144
145read_features_dir()
146{
147 for f in `ls -AU "$1"` ; do
148 if [ -f "$1/$f" ] ; then
149 read -r KF < "$1/$f" || true
150 echo -n "$f {$KF } "
151 elif [ -d "$1/$f" ] ; then
152 echo -n "$f {"
153 KF=`read_features_dir "$1/$f"` || true
154 echo -n "$KF} "
155 fi
156 done
157}
158
159clear_cache_if_outdated() {
160 if [ -r "$PROFILES_CACHE"/.features ]; then
161 if [ -d "$AA_SFS"/features ]; then
162 KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
163 else
164 read -r KERN_FEATURES < "$AA_SFS"/features
165 fi
166 CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
167 if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
168 clear_cache
169 fi
170 fi
171}
172
173unload_obsolete_profiles() {
174 # Currently we must re-parse all the profiles to get policy names. :(
175 aa_configured=$(mktemp -t aa-XXXXXX)
176 configured_profile_names > "$aa_configured" || true
177 aa_loaded=$(mktemp -t aa-XXXXXX)
178 running_profile_names > "$aa_loaded" || true
179 LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
180 unload_profile "$profile"
181 done
182 rm -f "$aa_configured" "$aa_loaded"
183}
184
185# If the system debsum differs from the saved debsum, the new system debsum is
186# saved and non-zero is returned. Returns 0 if the two debsums matched or if
187# the system debsum file does not exist. This can be removed when system image
188# flavors all move to snappy.
189compare_and_save_debsums() {
190 pkg="$1"
191
192 if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
193 sums="/var/lib/dpkg/info/${pkg}.md5sums"
194 # store saved md5sums in /var/lib/apparmor/profiles since
195 # /var/cache/apparmor might be cleared by apparmor
196 saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
197
198 if [ -f "$sums" ] && \
199 ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
200 cp -f "$sums" "$saved_sums"
201 return 1
202 fi
203 fi
204
205 return 0
206}
207
208compare_previous_version() {
209 installed="/usr/share/snappy/security-policy-version"
210 previous="/var/lib/snappy/security-policy-version"
211
212 # When just $previous doesn't exist, assume this is a new system with
213 # no cache and don't do anything special.
214 if [ -f "$installed" ] && [ -f "$previous" ]; then
215 pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
216 iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
217 if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
218 # snappy updates $previous elsewhere, so just return
219 return 1
220 fi
221 fi
222
223 return 0
224}
225
226# Checks to see if the current container is capable of having internal AppArmor
227# profiles that should be loaded. Callers of this function should have already
228# verified that they're running inside of a container environment with
229# something like `systemd-detect-virt --container`.
230#
231# The only known container environments capable of supporting internal policy
232# are LXD and LXC environment.
233#
234# Returns 0 if the container environment is capable of having its own internal
235# policy and non-zero otherwise.
236#
237# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
238# system container technology being nested inside of a LXD/LXC container that
239# utilized an AppArmor namespace and profile stacking. The reason 0 will be
240# returned is because .ns_stacked will be "yes" and .ns_name will still match
241# "lx[dc]-*" since the nested system container technology will not have set up
242# a new AppArmor profile namespace. This will result in the nested system
243# container's boot process to experience failed policy loads but the boot
244# process should continue without any loss of functionality. This is an
245# unsupported configuration that cannot be properly handled by this function.
246is_container_with_internal_policy() {
247 local ns_stacked_path="${AA_SFS}/.ns_stacked"
248 local ns_name_path="${AA_SFS}/.ns_name"
249 local ns_stacked
250 local ns_name
251
252 if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
253 return 1
254 fi
255
256 read -r ns_stacked < "$ns_stacked_path"
257 if [ "$ns_stacked" != "yes" ]; then
258 return 1
259 fi
260
261 # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
262 # "lxc-", respectively. Return non-zero for all other namespace
263 # identifiers.
264 read -r ns_name < "$ns_name_path"
265 if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
266 [ "${ns_name#lxc-*}" = "$ns_name" ]; then
267 return 1
268 fi
269
270 return 0
271}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-11-24 02:31:24 +0000