Squashed 'import-layers/meta-security/' content from commit 4d139b9
Subtree from git://git.yoctoproject.org/meta-security
Change-Id: I14bb13faa3f2b2dc1f5d81b339dd48ffedf8562f
git-subtree-dir: import-layers/meta-security
git-subtree-split: 4d139b95c4f152d132592f515c5151f4dd6269c1
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc
new file mode 100644
index 0000000..1507d7b
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc
@@ -0,0 +1,98 @@
+description "Pre-cache and pre-load apparmor profiles"
+author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
+
+task
+
+start on starting rc-sysinit
+
+script
+ [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
+ [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
+ [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+ . /lib/apparmor/functions
+
+ systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
+
+ # Need securityfs for any mode
+ if [ ! -d /sys/kernel/security/apparmor ]; then
+ if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
+ exit 0
+ else
+ mount -t securityfs none /sys/kernel/security || exit 0
+ fi
+ fi
+
+ [ -w /sys/kernel/security/apparmor/.load ] || exit 0
+
+ apparmor_was_updated=0
+ if ! compare_previous_version ; then
+ # On snappy flavors, if the current and previous versions are
+ # different then clear the system cache. snappy will handle
+ # "$PROFILES_CACHE_VAR" itself (on Touch flavors
+ # compare_previous_version always returns '0' since snappy
+ # isn't available).
+ clear_cache_system
+ apparmor_was_updated=1
+ elif ! compare_and_save_debsums apparmor ; then
+ # If the system policy has been updated since the last time we
+ # ran, clear the cache to prevent potentially stale binary
+ # cache files after an Ubuntu image based upgrade (LP:
+ # #1350673). This can be removed once all system image flavors
+ # move to snappy (on snappy systems compare_and_save_debsums
+ # always returns '0' since /var/lib/dpkg doesn't exist).
+ clear_cache
+ apparmor_was_updated=1
+ fi
+
+ if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+ # If packages for system policy that affect click packages have
+ # been updated since the last time we ran, run aa-clickhook -f
+ force_clickhook=0
+ force_profile_hook=0
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+ force_clickhook=1
+ fi
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+ force_clickhook=1
+ fi
+ if ! compare_and_save_debsums click-apparmor ; then
+ force_clickhook=1
+ force_profile_hook=1
+ fi
+ if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-clickhook -f
+ fi
+ if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-profile-hook -f
+ fi
+ fi
+
+ if [ "$ACTION" = "teardown" ]; then
+ running_profile_names | while read profile; do
+ unload_profile "$profile"
+ done
+ exit 0
+ fi
+
+ if [ "$ACTION" = "clear" ]; then
+ clear_cache
+ exit 0
+ fi
+
+ if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
+ clear_cache
+ load_configured_profiles
+ unload_obsolete_profiles
+ exit 0
+ fi
+
+ # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
+ # aa-clickhook will have already compiled the policy, generated the cache
+ # files and loaded them into the kernel by this point, so reloading click
+ # policy from cache, while fairly fast (<2 seconds for 250 profiles on
+ # armhf), is redundant. Fixing this would complicate the logic quite a bit
+ # and it wouldn't improve the (by far) common case (ie, when
+ # 'aa-clickhook -f' is not run).
+ load_configured_profiles
+end script