Squashed 'import-layers/meta-security/' content from commit 4d139b9
Subtree from git://git.yoctoproject.org/meta-security
Change-Id: I14bb13faa3f2b2dc1f5d81b339dd48ffedf8562f
git-subtree-dir: import-layers/meta-security
git-subtree-split: 4d139b95c4f152d132592f515c5151f4dd6269c1
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/apparmor b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor
new file mode 100644
index 0000000..ac3ab9a
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor
@@ -0,0 +1,227 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# NOVELL (All rights reserved)
+# Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+# Steve Beattie <steve.beattie@canonical.com>
+# Kees Cook <kees@ubuntu.com>
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: $local_fs
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+
+log_daemon_msg() {
+ echo $*
+}
+
+log_end_msg () {
+ retval=$1
+ if [ $retval -eq 0 ]; then
+ echo "."
+ else
+ echo " failed!"
+ fi
+ return $retval
+}
+
+. /lib/apparmor/functions
+. /lib/lsb/init-functions
+
+usage() {
+ echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+
+securityfs() {
+ # Need securityfs for any mode
+ if [ ! -d "${AA_SFS}" ]; then
+ if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+ log_daemon_msg "AppArmor not available as kernel LSM."
+ log_end_msg 1
+ exit 1
+ else
+ log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
+ if ! mount -t securityfs none "${SECURITYFS}"; then
+ log_end_msg 1
+ exit 1
+ fi
+ fi
+ fi
+ if [ ! -w "$AA_SFS"/.load ]; then
+ log_daemon_msg "Insufficient privileges to change profiles."
+ log_end_msg 1
+ exit 1
+ fi
+}
+
+handle_system_policy_package_updates() {
+ apparmor_was_updated=0
+
+ if ! compare_previous_version ; then
+ # On snappy flavors, if the current and previous versions are
+ # different then clear the system cache. snappy will handle
+ # "$PROFILES_CACHE_VAR" itself (on Touch flavors
+ # compare_previous_version always returns '0' since snappy
+ # isn't available).
+ clear_cache_system
+ apparmor_was_updated=1
+ elif ! compare_and_save_debsums apparmor ; then
+ # If the system policy has been updated since the last time we
+ # ran, clear the cache to prevent potentially stale binary
+ # cache files after an Ubuntu image based upgrade (LP:
+ # #1350673). This can be removed once all system image flavors
+ # move to snappy (on snappy systems compare_and_save_debsums
+ # always returns '0' since /var/lib/dpkg doesn't exist).
+ clear_cache
+ apparmor_was_updated=1
+ fi
+
+ if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+ # If packages for system policy that affect click packages have
+ # been updated since the last time we ran, run aa-clickhook -f
+ force_clickhook=0
+ force_profile_hook=0
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+ force_clickhook=1
+ fi
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+ force_clickhook=1
+ fi
+ if ! compare_and_save_debsums click-apparmor ; then
+ force_clickhook=1
+ force_profile_hook=1
+ fi
+ if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-clickhook -f
+ fi
+ if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-profile-hook -f
+ fi
+ fi
+}
+
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+ log_daemon_msg "Recaching AppArmor profiles"
+ recache_profiles
+ rc=$?
+ log_end_msg "$rc"
+ exit $rc
+fi
+
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+
+rc=255
+case "$1" in
+ start)
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
+ ! is_container_with_internal_policy; then
+ log_daemon_msg "Not starting AppArmor in container"
+ log_end_msg 0
+ exit 0
+ fi
+ log_daemon_msg "Starting AppArmor profiles"
+ securityfs
+ # That is only useful for click, snappy and system images,
+ # i.e. not in Debian. And it reads and writes to /var, that
+ # can be remote-mounted, so it would prevent us from using
+ # Before=sysinit.target without possibly introducing dependency
+ # loops.
+ handle_system_policy_package_updates
+ load_configured_profiles
+ rc=$?
+ log_end_msg "$rc"
+ ;;
+ stop)
+ log_daemon_msg "Clearing AppArmor profiles cache"
+ clear_cache
+ rc=$?
+ log_end_msg "$rc"
+ cat >&2 <<EOM
+All profile caches have been cleared, but no profiles have been unloaded.
+Unloading profiles will leave already running processes permanently
+unconfined, which can lead to unexpected situations.
+
+To set a process to complain mode, use the command line tool
+'aa-complain'. To really tear down all profiles, run the init script
+with the 'teardown' option."
+EOM
+ ;;
+ teardown)
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
+ ! is_container_with_internal_policy; then
+ log_daemon_msg "Not tearing down AppArmor in container"
+ log_end_msg 0
+ exit 0
+ fi
+ log_daemon_msg "Unloading AppArmor profiles"
+ securityfs
+ running_profile_names | while read profile; do
+ if ! unload_profile "$profile" ; then
+ log_end_msg 1
+ exit 1
+ fi
+ done
+ rc=0
+ log_end_msg $rc
+ ;;
+ restart|reload|force-reload)
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
+ ! is_container_with_internal_policy; then
+ log_daemon_msg "Not reloading AppArmor in container"
+ log_end_msg 0
+ exit 0
+ fi
+ log_daemon_msg "Reloading AppArmor profiles"
+ securityfs
+ clear_cache
+ load_configured_profiles
+ rc=$?
+ unload_obsolete_profiles
+
+ log_end_msg "$rc"
+ ;;
+ status)
+ securityfs
+ if [ -x /usr/sbin/aa-status ]; then
+ aa-status --verbose
+ else
+ cat "$AA_SFS"/profiles
+ fi
+ rc=$?
+ ;;
+ *)
+ usage
+ rc=1
+ ;;
+ esac
+exit $rc