meta-security/recipes-security/AppArmor/files/apparmor - openbmc/openbmc - Gitiles

 #!/bin/sh
 # ----------------------------------------------------------------------
 #    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
 #     NOVELL (All rights reserved)
 #    Copyright (c) 2008, 2009 Canonical, Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, contact Novell, Inc.
 # ----------------------------------------------------------------------
 # Authors:
 #  Steve Beattie <steve.beattie@canonical.com>
 #  Kees Cook <kees@ubuntu.com>
 #
 # /etc/init.d/apparmor
 #
 ### BEGIN INIT INFO
 # Provides: apparmor
 # Required-Start: $local_fs
 # Required-Stop: umountfs
 # Default-Start: S
 # Default-Stop:
 # Short-Description: AppArmor initialization
 # Description: AppArmor init script. This script loads all AppArmor profiles.
 ### END INIT INFO

 log_daemon_msg() {
     echo $*
 }

 log_end_msg () {
     retval=$1
     if [ $retval -eq 0 ]; then
         echo "."
     else
         echo " failed!"
     fi
     return $retval
 }

 . /lib/apparmor/functions
 . /lib/lsb/init-functions

 usage() {
     echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
 }

 test -x ${PARSER} || exit 0 # by debian policy
 # LSM is built-in, so it is either there or not enabled for this boot
 test -d /sys/module/apparmor || exit 0

 securityfs() {
 	# Need securityfs for any mode
 	if [ ! -d "${AA_SFS}" ]; then
 		if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
 			log_daemon_msg "AppArmor not available as kernel LSM."
 			log_end_msg 1
 			exit 1
 		else
 			log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
 			if ! mount -t securityfs none "${SECURITYFS}"; then
 				log_end_msg 1
 				exit 1
 			fi
 		fi
 	fi
 	if [ ! -w "$AA_SFS"/.load ]; then
 		log_daemon_msg "Insufficient privileges to change profiles."
 		log_end_msg 1
 		exit 1
 	fi
 }

 handle_system_policy_package_updates() {
 	apparmor_was_updated=0

 	if ! compare_previous_version ; then
 		# On snappy flavors, if the current and previous versions are
 		# different then clear the system cache. snappy will handle
 		# "$PROFILES_CACHE_VAR" itself (on Touch flavors
 		# compare_previous_version always returns '0' since snappy
 		# isn't available).
 		clear_cache_system
 		apparmor_was_updated=1
 	elif ! compare_and_save_debsums apparmor ; then
 		# If the system policy has been updated since the last time we
 		# ran, clear the cache to prevent potentially stale binary
 		# cache files after an Ubuntu image based upgrade (LP:
 		# #1350673). This can be removed once all system image flavors
 		# move to snappy (on snappy systems compare_and_save_debsums
 		# always returns '0' since /var/lib/dpkg doesn't exist).
 		clear_cache
 		apparmor_was_updated=1
 	fi

 	if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
 		# If packages for system policy that affect click packages have
 		# been updated since the last time we ran, run aa-clickhook -f
                 force_clickhook=0
                 force_profile_hook=0
                 if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
                         force_clickhook=1
                 fi
                 if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
                         force_clickhook=1
                 fi
                 if ! compare_and_save_debsums click-apparmor ; then
                         force_clickhook=1
                         force_profile_hook=1
                 fi
                 if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
                         aa-clickhook -f
                 fi
                 if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
                         aa-profile-hook -f
                 fi
 	fi
 }

 # Allow "recache" even when running on the liveCD
 if [ "$1" = "recache" ]; then
 	log_daemon_msg "Recaching AppArmor profiles"
 	recache_profiles
 	rc=$?
 	log_end_msg "$rc"
 	exit $rc
 fi

 # do not perform start/stop/reload actions when running from liveCD
 test -d /rofs/etc/apparmor.d && exit 0

 rc=255
 case "$1" in
 	start)
 		if test -x /sbin/systemd-detect-virt && \
 		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not starting AppArmor in container"
 			log_end_msg 0
 			exit 0
 		fi
 		log_daemon_msg "Starting AppArmor profiles"
 		securityfs
 		# That is only useful for click, snappy and system images,
 		# i.e. not in Debian. And it reads and writes to /var, that
 		# can be remote-mounted, so it would prevent us from using
 		# Before=sysinit.target without possibly introducing dependency
 		# loops.
 		handle_system_policy_package_updates
 		load_configured_profiles
 		rc=$?
 		log_end_msg "$rc"
 		;;
 	stop)
 		log_daemon_msg "Clearing AppArmor profiles cache"
 		clear_cache
 		rc=$?
 		log_end_msg "$rc"
 		cat >&2 <<EOM
 All profile caches have been cleared, but no profiles have been unloaded.
 Unloading profiles will leave already running processes permanently
 unconfined, which can lead to unexpected situations.

 To set a process to complain mode, use the command line tool
 'aa-complain'. To really tear down all profiles, run the init script
 with the 'teardown' option."
 EOM
 		;;
 	teardown)
 		if test -x /sbin/systemd-detect-virt && \
 		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not tearing down AppArmor in container"
 			log_end_msg 0
 			exit 0
 		fi
 		log_daemon_msg "Unloading AppArmor profiles"
 		securityfs
 		running_profile_names | while read profile; do
 			if ! unload_profile "$profile" ; then
 				log_end_msg 1
 				exit 1
 			fi
 		done
 		rc=0
 		log_end_msg $rc
 		;;
 	restart|reload|force-reload)
 		if test -x /sbin/systemd-detect-virt && \
 		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not reloading AppArmor in container"
 			log_end_msg 0
 			exit 0
 		fi
 		log_daemon_msg "Reloading AppArmor profiles"
 		securityfs
 		clear_cache
 		load_configured_profiles
 		rc=$?
 		unload_obsolete_profiles

 		log_end_msg "$rc"
 		;;
 	status)
 		securityfs
 		if [ -x /usr/sbin/aa-status ]; then
 			aa-status --verbose
 		else
 			cat "$AA_SFS"/profiles
 		fi
 		rc=$?
 		;;
 	*)
 		usage
 		rc=1
 		;;
 	esac
 exit $rc
	#!/bin/sh
	# ----------------------------------------------------------------------
	# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
	# NOVELL (All rights reserved)
	# Copyright (c) 2008, 2009 Canonical, Ltd.
	#
	# This program is free software; you can redistribute it and/or
	# modify it under the terms of version 2 of the GNU General Public
	# License published by the Free Software Foundation.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program; if not, contact Novell, Inc.
	# ----------------------------------------------------------------------
	# Authors:
	# Steve Beattie <steve.beattie@canonical.com>
	# Kees Cook <kees@ubuntu.com>
	#
	# /etc/init.d/apparmor
	#
	### BEGIN INIT INFO
	# Provides: apparmor
	# Required-Start: $local_fs
	# Required-Stop: umountfs
	# Default-Start: S
	# Default-Stop:
	# Short-Description: AppArmor initialization
	# Description: AppArmor init script. This script loads all AppArmor profiles.
	### END INIT INFO

	log_daemon_msg() {
	echo $*
	}

	log_end_msg () {
	retval=$1
	if [ $retval -eq 0 ]; then
	echo "."
	else
	echo " failed!"
	fi
	return $retval
	}

	. /lib/apparmor/functions
	. /lib/lsb/init-functions

	usage() {
	echo "Usage: $0 {start\|stop\|restart\|reload\|force-reload\|status\|recache}"
	}

	test -x ${PARSER} \|\| exit 0 # by debian policy
	# LSM is built-in, so it is either there or not enabled for this boot
	test -d /sys/module/apparmor \|\| exit 0

	securityfs() {
	# Need securityfs for any mode
	if [ ! -d "${AA_SFS}" ]; then
	if cut -d" " -f2,3 /proc/mounts \| grep -q "^${SECURITYFS} securityfs"'$' ; then
	log_daemon_msg "AppArmor not available as kernel LSM."
	log_end_msg 1
	exit 1
	else
	log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
	if ! mount -t securityfs none "${SECURITYFS}"; then
	log_end_msg 1
	exit 1
	fi
	fi
	fi
	if [ ! -w "$AA_SFS"/.load ]; then
	log_daemon_msg "Insufficient privileges to change profiles."
	log_end_msg 1
	exit 1
	fi
	}

	handle_system_policy_package_updates() {
	apparmor_was_updated=0

	if ! compare_previous_version ; then
	# On snappy flavors, if the current and previous versions are
	# different then clear the system cache. snappy will handle
	# "$PROFILES_CACHE_VAR" itself (on Touch flavors
	# compare_previous_version always returns '0' since snappy
	# isn't available).
	clear_cache_system
	apparmor_was_updated=1
	elif ! compare_and_save_debsums apparmor ; then
	# If the system policy has been updated since the last time we
	# ran, clear the cache to prevent potentially stale binary
	# cache files after an Ubuntu image based upgrade (LP:
	# #1350673). This can be removed once all system image flavors
	# move to snappy (on snappy systems compare_and_save_debsums
	# always returns '0' since /var/lib/dpkg doesn't exist).
	clear_cache
	apparmor_was_updated=1
	fi

	if [ -x /usr/bin/aa-clickhook ] \|\| [ -x /usr/bin/aa-profile-hook ] ; then
	# If packages for system policy that affect click packages have
	# been updated since the last time we ran, run aa-clickhook -f
	force_clickhook=0
	force_profile_hook=0
	if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
	force_clickhook=1
	fi
	if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
	force_clickhook=1
	fi
	if ! compare_and_save_debsums click-apparmor ; then
	force_clickhook=1
	force_profile_hook=1
	fi
	if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
	aa-clickhook -f
	fi
	if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
	aa-profile-hook -f
	fi
	fi
	}

	# Allow "recache" even when running on the liveCD
	if [ "$1" = "recache" ]; then
	log_daemon_msg "Recaching AppArmor profiles"
	recache_profiles
	rc=$?
	log_end_msg "$rc"
	exit $rc
	fi

	# do not perform start/stop/reload actions when running from liveCD
	test -d /rofs/etc/apparmor.d && exit 0

	rc=255
	case "$1" in
	start)
	if test -x /sbin/systemd-detect-virt && \
	systemd-detect-virt --quiet --container && \
	! is_container_with_internal_policy; then
	log_daemon_msg "Not starting AppArmor in container"
	log_end_msg 0
	exit 0
	fi
	log_daemon_msg "Starting AppArmor profiles"
	securityfs
	# That is only useful for click, snappy and system images,
	# i.e. not in Debian. And it reads and writes to /var, that
	# can be remote-mounted, so it would prevent us from using
	# Before=sysinit.target without possibly introducing dependency
	# loops.
	handle_system_policy_package_updates
	load_configured_profiles
	rc=$?
	log_end_msg "$rc"
	;;
	stop)
	log_daemon_msg "Clearing AppArmor profiles cache"
	clear_cache
	rc=$?
	log_end_msg "$rc"
	cat >&2 <<EOM
	All profile caches have been cleared, but no profiles have been unloaded.
	Unloading profiles will leave already running processes permanently
	unconfined, which can lead to unexpected situations.

	To set a process to complain mode, use the command line tool
	'aa-complain'. To really tear down all profiles, run the init script
	with the 'teardown' option."
	EOM
	;;
	teardown)
	if test -x /sbin/systemd-detect-virt && \
	systemd-detect-virt --quiet --container && \
	! is_container_with_internal_policy; then
	log_daemon_msg "Not tearing down AppArmor in container"
	log_end_msg 0
	exit 0
	fi
	log_daemon_msg "Unloading AppArmor profiles"
	securityfs
	running_profile_names \| while read profile; do
	if ! unload_profile "$profile" ; then
	log_end_msg 1
	exit 1
	fi
	done
	rc=0
	log_end_msg $rc
	;;
	restart\|reload\|force-reload)
	if test -x /sbin/systemd-detect-virt && \
	systemd-detect-virt --quiet --container && \
	! is_container_with_internal_policy; then
	log_daemon_msg "Not reloading AppArmor in container"
	log_end_msg 0
	exit 0
	fi
	log_daemon_msg "Reloading AppArmor profiles"
	securityfs
	clear_cache
	load_configured_profiles
	rc=$?
	unload_obsolete_profiles

	log_end_msg "$rc"
	;;
	status)
	securityfs
	if [ -x /usr/sbin/aa-status ]; then
	aa-status --verbose
	else
	cat "$AA_SFS"/profiles
	fi
	rc=$?
	;;
	*)
	usage
	rc=1
	;;
	esac
	exit $rc