1 files changed, 211 insertions, 0 deletions
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor
new file mode 100644
index 0000000..c73c1ce
--- /dev/null
+++ b/recipes-security/AppArmor/files/apparmor
@@ -0,0 +1,211 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Steve Beattie <steve.beattie@canonical.com>
+#  Kees Cook <kees@ubuntu.com>
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: $local_fs
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+. /lib/apparmor/functions
+. /lib/lsb/init-functions
+usage() {
+    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+securityfs() {
+        # Need securityfs for any mode
+        if [ ! -d "${AA_SFS}" ]; then
+                if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+                        log_action_msg "AppArmor not available as kernel LSM."
+                        log_end_msg 1
+                        exit 1
+                else
+                        log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
+                        if ! mount -t securityfs none "${SECURITYFS}"; then
+                                log_action_end_msg 1
+                                log_end_msg 1
+                                exit 1
+                        fi
+                fi
+        fi
+        if [ ! -w "$AA_SFS"/.load ]; then
+                log_action_msg "Insufficient privileges to change profiles."
+                log_end_msg 1
+                exit 1
+        fi
+}
+handle_system_policy_package_updates() {
+        apparmor_was_updated=0
+        if ! compare_previous_version ; then
+                # On snappy flavors, if the current and previous versions are
+                # different then clear the system cache. snappy will handle
+                # "$PROFILES_CACHE_VAR" itself (on Touch flavors
+                # compare_previous_version always returns '0' since snappy
+                # isn't available).
+                clear_cache_system
+                apparmor_was_updated=1
+        elif ! compare_and_save_debsums apparmor ; then
+                # If the system policy has been updated since the last time we
+                # ran, clear the cache to prevent potentially stale binary
+                # cache files after an Ubuntu image based upgrade (LP:
+                # #1350673). This can be removed once all system image flavors
+                # move to snappy (on snappy systems compare_and_save_debsums
+                # always returns '0' since /var/lib/dpkg doesn't exist).
+                clear_cache
+                apparmor_was_updated=1
+        fi
+        if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+                # If packages for system policy that affect click packages have
+                # been updated since the last time we ran, run aa-clickhook -f
+                force_clickhook=0
+                force_profile_hook=0
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums click-apparmor ; then
+                        force_clickhook=1
+                        force_profile_hook=1
+                fi
+                if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-clickhook -f
+                fi
+                if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-profile-hook -f
+                fi
+        fi
+}
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+        log_daemon_msg "Recaching AppArmor profiles"
+        recache_profiles
+        rc=$?
+        log_end_msg "$rc"
+        exit $rc
+fi
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+rc=255
+case "$1" in
+        start)
+                if systemd-detect-virt --quiet --container && \
+                   ! is_container_with_internal_policy; then
+                        log_daemon_msg "Not starting AppArmor in container"
+                        log_end_msg 0
+                        exit 0
+                fi
+                log_daemon_msg "Starting AppArmor profiles"
+                securityfs
+                # That is only useful for click, snappy and system images,
+                # i.e. not in Debian. And it reads and writes to /var, that
+                # can be remote-mounted, so it would prevent us from using
+                # Before=sysinit.target without possibly introducing dependency
+                # loops.
+                handle_system_policy_package_updates
+                load_configured_profiles
+                rc=$?
+                log_end_msg "$rc"
+                ;;
+        stop)
+                log_daemon_msg "Clearing AppArmor profiles cache"
+                clear_cache
+                rc=$?
+                log_end_msg "$rc"
+                cat >&2 <<EOM
+All profile caches have been cleared, but no profiles have been unloaded.
+Unloading profiles will leave already running processes permanently
+unconfined, which can lead to unexpected situations.
+To set a process to complain mode, use the command line tool
+'aa-complain'. To really tear down all profiles, run the init script
+with the 'teardown' option."
+EOM
+                ;;
+        teardown)
+                if systemd-detect-virt --quiet --container && \
+                   ! is_container_with_internal_policy; then
+                        log_daemon_msg "Not tearing down AppArmor in container"
+                        log_end_msg 0
+                        exit 0
+                fi
+                log_daemon_msg "Unloading AppArmor profiles"
+                securityfs
+                running_profile_names | while read profile; do
+                        if ! unload_profile "$profile" ; then
+                                log_end_msg 1
+                                exit 1
+                        fi
+                done
+                rc=0
+                log_end_msg $rc
+                ;;
+        restart|reload|force-reload)
+                if systemd-detect-virt --quiet --container && \
+                   ! is_container_with_internal_policy; then
+                        log_daemon_msg "Not reloading AppArmor in container"
+                        log_end_msg 0
+                        exit 0
+                fi
+                log_daemon_msg "Reloading AppArmor profiles"
+                securityfs
+                clear_cache
+                load_configured_profiles
+                rc=$?
+                unload_obsolete_profiles
+                log_end_msg "$rc"
+                ;;
+        status)
+                securityfs
+                if [ -x /usr/sbin/aa-status ]; then
+                        aa-status --verbose
+                else
+                        cat "$AA_SFS"/profiles
+                fi
+                rc=$?
+                ;;
+        *)
+                usage
+                rc=1
+                ;;
+        esac
+exit $rc

diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor new file mode 100644 index 0000000..c73c1ce --- /dev/null +++ b/recipes-security/AppArmor/files/apparmor
@@ -0,0 +1,211 @@
	1	#!/bin/sh
	2	# ----------------------------------------------------------------------
	3	# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
	4	# NOVELL (All rights reserved)
	5	# Copyright (c) 2008, 2009 Canonical, Ltd.
	6	#
	7	# This program is free software; you can redistribute it and/or
	8	# modify it under the terms of version 2 of the GNU General Public
	9	# License published by the Free Software Foundation.
	10	#
	11	# This program is distributed in the hope that it will be useful,
	12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	# GNU General Public License for more details.
	15	#
	16	# You should have received a copy of the GNU General Public License
	17	# along with this program; if not, contact Novell, Inc.
	18	# ----------------------------------------------------------------------
	19	# Authors:
	20	# Steve Beattie <steve.beattie@canonical.com>
	21	# Kees Cook <kees@ubuntu.com>
	22	#
	23	# /etc/init.d/apparmor
	24	#
	25	### BEGIN INIT INFO
	26	# Provides: apparmor
	27	# Required-Start: $local_fs
	28	# Required-Stop: umountfs
	29	# Default-Start: S
	30	# Default-Stop:
	31	# Short-Description: AppArmor initialization
	32	# Description: AppArmor init script. This script loads all AppArmor profiles.
	33	### END INIT INFO
	34
	35	. /lib/apparmor/functions
	36	. /lib/lsb/init-functions
	37
	38	usage() {
	39	echo "Usage: $0 {start\|stop\|restart\|reload\|force-reload\|status\|recache}"
	40	}
	41
	42	test -x ${PARSER} \|\| exit 0 # by debian policy
	43	# LSM is built-in, so it is either there or not enabled for this boot
	44	test -d /sys/module/apparmor \|\| exit 0
	45
	46	securityfs() {
	47	# Need securityfs for any mode
	48	if [ ! -d "${AA_SFS}" ]; then
	49	if cut -d" " -f2,3 /proc/mounts \| grep -q "^${SECURITYFS} securityfs"'$' ; then
	50	log_action_msg "AppArmor not available as kernel LSM."
	51	log_end_msg 1
	52	exit 1
	53	else
	54	log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
	55	if ! mount -t securityfs none "${SECURITYFS}"; then
	56	log_action_end_msg 1
	57	log_end_msg 1
	58	exit 1
	59	fi
	60	fi
	61	fi
	62	if [ ! -w "$AA_SFS"/.load ]; then
	63	log_action_msg "Insufficient privileges to change profiles."
	64	log_end_msg 1
	65	exit 1
	66	fi
	67	}
	68
	69	handle_system_policy_package_updates() {
	70	apparmor_was_updated=0
	71
	72	if ! compare_previous_version ; then
	73	# On snappy flavors, if the current and previous versions are
	74	# different then clear the system cache. snappy will handle
	75	# "$PROFILES_CACHE_VAR" itself (on Touch flavors
	76	# compare_previous_version always returns '0' since snappy
	77	# isn't available).
	78	clear_cache_system
	79	apparmor_was_updated=1
	80	elif ! compare_and_save_debsums apparmor ; then
	81	# If the system policy has been updated since the last time we
	82	# ran, clear the cache to prevent potentially stale binary
	83	# cache files after an Ubuntu image based upgrade (LP:
	84	# #1350673). This can be removed once all system image flavors
	85	# move to snappy (on snappy systems compare_and_save_debsums
	86	# always returns '0' since /var/lib/dpkg doesn't exist).
	87	clear_cache
	88	apparmor_was_updated=1
	89	fi
	90
	91	if [ -x /usr/bin/aa-clickhook ] \|\| [ -x /usr/bin/aa-profile-hook ] ; then
	92	# If packages for system policy that affect click packages have
	93	# been updated since the last time we ran, run aa-clickhook -f
	94	force_clickhook=0
	95	force_profile_hook=0
	96	if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
	97	force_clickhook=1
	98	fi
	99	if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
	100	force_clickhook=1
	101	fi
	102	if ! compare_and_save_debsums click-apparmor ; then
	103	force_clickhook=1
	104	force_profile_hook=1
	105	fi
	106	if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
	107	aa-clickhook -f
	108	fi
	109	if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
	110	aa-profile-hook -f
	111	fi
	112	fi
	113	}
	114
	115	# Allow "recache" even when running on the liveCD
	116	if [ "$1" = "recache" ]; then
	117	log_daemon_msg "Recaching AppArmor profiles"
	118	recache_profiles
	119	rc=$?
	120	log_end_msg "$rc"
	121	exit $rc
	122	fi
	123
	124	# do not perform start/stop/reload actions when running from liveCD
	125	test -d /rofs/etc/apparmor.d && exit 0
	126
	127	rc=255
	128	case "$1" in
	129	start)
	130	if systemd-detect-virt --quiet --container && \
	131	! is_container_with_internal_policy; then
	132	log_daemon_msg "Not starting AppArmor in container"
	133	log_end_msg 0
	134	exit 0
	135	fi
	136	log_daemon_msg "Starting AppArmor profiles"
	137	securityfs
	138	# That is only useful for click, snappy and system images,
	139	# i.e. not in Debian. And it reads and writes to /var, that
	140	# can be remote-mounted, so it would prevent us from using
	141	# Before=sysinit.target without possibly introducing dependency
	142	# loops.
	143	handle_system_policy_package_updates
	144	load_configured_profiles
	145	rc=$?
	146	log_end_msg "$rc"
	147	;;
	148	stop)
	149	log_daemon_msg "Clearing AppArmor profiles cache"
	150	clear_cache
	151	rc=$?
	152	log_end_msg "$rc"
	153	cat >&2 <<EOM
	154	All profile caches have been cleared, but no profiles have been unloaded.
	155	Unloading profiles will leave already running processes permanently
	156	unconfined, which can lead to unexpected situations.
	157
	158	To set a process to complain mode, use the command line tool
	159	'aa-complain'. To really tear down all profiles, run the init script
	160	with the 'teardown' option."
	161	EOM
	162	;;
	163	teardown)
	164	if systemd-detect-virt --quiet --container && \
	165	! is_container_with_internal_policy; then
	166	log_daemon_msg "Not tearing down AppArmor in container"
	167	log_end_msg 0
	168	exit 0
	169	fi
	170	log_daemon_msg "Unloading AppArmor profiles"
	171	securityfs
	172	running_profile_names \| while read profile; do
	173	if ! unload_profile "$profile" ; then
	174	log_end_msg 1
	175	exit 1
	176	fi
	177	done
	178	rc=0
	179	log_end_msg $rc
	180	;;
	181	restart\|reload\|force-reload)
	182	if systemd-detect-virt --quiet --container && \
	183	! is_container_with_internal_policy; then
	184	log_daemon_msg "Not reloading AppArmor in container"
	185	log_end_msg 0
	186	exit 0
	187	fi
	188	log_daemon_msg "Reloading AppArmor profiles"
	189	securityfs
	190	clear_cache
	191	load_configured_profiles
	192	rc=$?
	193	unload_obsolete_profiles
	194
	195	log_end_msg "$rc"
	196	;;
	197	status)
	198	securityfs
	199	if [ -x /usr/sbin/aa-status ]; then
	200	aa-status --verbose
	201	else
	202	cat "$AA_SFS"/profiles
	203	fi
	204	rc=$?
	205	;;
	206	*)
	207	usage
	208	rc=1
	209	;;
	210	esac
	211	exit $rc