From 25b8f02eeab60c01f3dc38c9d9b0ccbd2491ad8b Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Tue, 11 Jul 2017 08:36:29 -0400 Subject: apparmor: Additional runtime fixes - We need various python3 modules and we can only really solve this problem by including all python3-modules. - aa-easyprof needs to have its shebang corrected, do so. - The apparmor initscript depends on functions that LSB does not require so we must provide them. In some cases it's using non-standard function, so we just use more appropriate names. - The apparmor sysvinit-style initscript assumes that systemd-detect-virt will exist on the filesystem. Change this to check that it does before trying to execute it. [for aa-easyprof:] Reported-by: Anders Montonen Signed-off-by: Tom Rini Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- recipes-security/AppArmor/apparmor_2.11.0.bb | 6 +++++- recipes-security/AppArmor/files/apparmor | 30 +++++++++++++++++++++------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/recipes-security/AppArmor/apparmor_2.11.0.bb b/recipes-security/AppArmor/apparmor_2.11.0.bb index 647ab12..d9572e4 100644 --- a/recipes-security/AppArmor/apparmor_2.11.0.bb +++ b/recipes-security/AppArmor/apparmor_2.11.0.bb @@ -79,6 +79,10 @@ do_install () { oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install fi + # aa-easyprof is installed by python-tools-setup.py, fix it up + sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof + chmod 0755 ${D}${bindir}/aa-easyprof + install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor install ${WORKDIR}/functions ${D}/lib/apparmor } 
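Review bot: The added `sed -i` and `chmod` on `${D}${bindir}/aa-easyprof` appear to run unconditionally at the end of do_install, while the RDEPENDS hunk in the same recipe treats the python tools as optional through `PACKAGECONFIG`. If aa-easyprof is not installed in a non-python configuration, `sed -i` would fail on the missing file and break the build. Wrapping both commands in `if [ -e ${D}${bindir}/aa-easyprof ]; then … fi` would avoid that. The expression `s:/usr/bin/env.*:/usr/bin/python3:` is also not tied to the shebang, so any later line containing `/usr/bin/env` is rewritten too; `1s:^#!.*:#!${bindir}/python3:` limits it to line 1. do_install begins before this hunk, so an existing guard may simply be out of view.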
@@ -124,6 +128,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR} FILES_mod-${PN} = "${libdir}/apache2/modules/*" RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-argparse python3-json','', d)}" +RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "coreutils dbus-lib" diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor index c73c1ce..ac3ab9a 100644 --- a/recipes-security/AppArmor/files/apparmor +++ b/recipes-security/AppArmor/files/apparmor @@ -32,6 +32,20 @@ # Description: AppArmor init script. This script loads all AppArmor profiles. ### END INIT INFO +log_daemon_msg() { + echo $* +} + +log_end_msg () { + retval=$1 + if [ $retval -eq 0 ]; then + echo "." + else + echo " failed!" + fi + return $retval +} + . /lib/apparmor/functions . /lib/lsb/init-functions @@ -47,20 +61,19 @@ securityfs() { # Need securityfs for any mode if [ ! -d "${AA_SFS}" ]; then if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then - log_action_msg "AppArmor not available as kernel LSM." + log_daemon_msg "AppArmor not available as kernel LSM." log_end_msg 1 exit 1 else - log_action_begin_msg "Mounting securityfs on ${SECURITYFS}" + log_daemon_msg "Mounting securityfs on ${SECURITYFS}" if ! mount -t securityfs none "${SECURITYFS}"; then - log_action_end_msg 1 log_end_msg 1 exit 1 fi fi fi if [ ! -w "$AA_SFS"/.load ]; then - log_action_msg "Insufficient privileges to change profiles." + log_daemon_msg "Insufficient privileges to change profiles." log_end_msg 1 exit 1 fi 
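Review bot: Replacing `python3-argparse python3-json` with `python3-modules` in `RDEPENDS_${PN}` installs the whole Python standard library on every image that enables the python PACKAGECONFIG, and nothing in the recipe says why. On a hardened target this adds a lot of interpreter functionality that the AppArmor tools may not need. If the aa-* tools' imports cannot be enumerated yet, I would at least record the reason next to the line, for example `# python3-modules: aa-* tools import stdlib modules beyond argparse/json; trim once the set is known`.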
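Review bot: The two fallback helpers added before `. /lib/lsb/init-functions` expand their arguments unquoted. `echo $*` in log_daemon_msg word-splits and glob-expands the message, and `[ $retval -eq 0 ]` in log_end_msg becomes a test syntax error when the function is called without an argument. I would write `echo "$*"` and `retval=${1:-1}` followed by `[ "$retval" -eq 0 ]`. Because the definitions come before the LSB file is sourced, any log_daemon_msg or log_end_msg that file provides will replace them. A comment such as `# Fallbacks; overridden if /lib/lsb/init-functions defines these` would make that ordering intentional.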
@@ -127,7 +140,8 @@ test -d /rofs/etc/apparmor.d && exit 0
 rc=255
 case "$1" in
 start)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not starting AppArmor in container"
 log_end_msg 0
@@ -161,7 +175,8 @@ with the 'teardown' option."
 EOM
 ;;
 teardown)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not tearing down AppArmor in container"
 log_end_msg 0
@@ -179,7 +194,8 @@ EOM
 log_end_msg $rc
 ;;
 restart|reload|force-reload)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
 ! is_container_with_internal_policy; then
 log_daemon_msg "Not reloading AppArmor in container"
 log_end_msg 0
--
cgit v1.2.3-54-g00ecf
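Review bot: The new guard `test -x /sbin/systemd-detect-virt` in the `start)` branch checks a hard-coded path, but the command on the next line is resolved through PATH, so the file tested and the file executed can differ. systemd commonly installs this tool under /usr/bin; on such a system the test fails, the container check is skipped without any message, and AppArmor start proceeds inside a container. The same guard is repeated in the `teardown)` and `restart|reload|force-reload)` hunks, where skipping the check lets profile teardown or reload run. Testing what will actually be run avoids the mismatch: `if command -v systemd-detect-virt >/dev/null 2>&1 && \`. Each case branch continues past the end of its hunk.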