#!/bin/sh
# ----------------------------------------------------------------------
# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
# NOVELL (All rights reserved)
# Copyright (c) 2008, 2009 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
# Authors:
# Steve Beattie <steve.beattie@canonical.com>
# Kees Cook <kees@ubuntu.com>
#
# /etc/init.d/apparmor
#
### BEGIN INIT INFO
# Provides: apparmor
# Required-Start: $local_fs
# Required-Stop: umountfs
# Default-Start: S
# Default-Stop:
# Short-Description: AppArmor initialization
# Description: AppArmor init script. This script loads all AppArmor profiles.
### END INIT INFO

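# Minimal stand-in for the LSB log_daemon_msg: print the message (all
# arguments joined by spaces) on stdout, followed by a newline.
# "$*" is quoted so the message text is never glob-expanded or re-split
# by the shell, and printf avoids echo's option/backslash ambiguities.
log_daemon_msg() {
    printf '%s\n' "$*"
}
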
# Minimal stand-in for the LSB log_end_msg: finish the line started by
# log_daemon_msg with "." when the action succeeded or " failed!" when it
# did not, then hand the status back unchanged so callers can do
# `log_end_msg "$rc"; exit $rc`.
#   $1 - exit status of the action just attempted (0 = success)
# Returns: $1
log_end_msg () {
    status=$1
    if test "$status" -eq 0; then
        echo "."
    else
        echo " failed!"
    fi
    return "$status"
}

# Pull in the shared AppArmor helpers.  Everything this script uses without
# defining it locally is expected to come from here: the PARSER, AA_SFS and
# SECURITYFS variables and the *_profiles / *_cache / compare_* helpers.
# NOTE(review): sourced unconditionally, so if the file is unreadable a
# non-interactive sh aborts here, before the Debian-policy "exit 0" guards.
. /lib/apparmor/functions

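# Print the accepted actions on stdout.  Lists every action the dispatch
# below handles, including "teardown", which the "stop" message points
# users to and which was missing from the usage line.
usage() {
    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache|teardown}"
}
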
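# Debian policy: a missing or non-executable parser binary means "nothing
# to do", not an error.  "${PARSER}" is quoted so an unset or empty value
# is treated as "no parser" -- unquoted, `test -x` with no operand is true
# and the script would carry on without a parser at all.
test -x "${PARSER}" || exit 0
# The LSM is built into the kernel, so it is either registered or absent
# for this whole boot; there is nothing to load without it.
test -d /sys/module/apparmor || exit 0
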
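# Make sure securityfs is mounted and the AppArmor interface is usable.
# Reads AA_SFS (AppArmor's directory under securityfs) and SECURITYFS (the
# securityfs mount point), both expected from /lib/apparmor/functions.
# Exits the script with status 1 when AppArmor is not offered by the
# kernel, the mount fails, or the caller cannot write the profile-load
# interface; returns 0 (silently) otherwise.
securityfs() {
    if [ ! -d "${AA_SFS}" ]; then
        # Exact field comparison on /proc/mounts instead of a regex built
        # from ${SECURITYFS}, so metacharacters in the path cannot widen
        # the match.
        if awk -v mp="${SECURITYFS}" \
               '$2 == mp && $3 == "securityfs" { found = 1 } END { exit !found }' \
               /proc/mounts; then
            # securityfs is already mounted but has no apparmor directory:
            # the running kernel is not using AppArmor as an LSM.
            log_daemon_msg "AppArmor not available as kernel LSM."
            log_end_msg 1
            exit 1
        fi
        log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
        if ! mount -t securityfs none "${SECURITYFS}"; then
            log_end_msg 1
            exit 1
        fi
        # Re-check after mounting; otherwise a kernel without AppArmor
        # falls through to a misleading "insufficient privileges" message.
        if [ ! -d "${AA_SFS}" ]; then
            log_daemon_msg "AppArmor not available as kernel LSM."
            log_end_msg 1
            exit 1
        fi
    fi
    # Loading and unloading go through .load; without write access nothing
    # below can change policy.  (The "status" action runs this check too.)
    if [ ! -w "${AA_SFS}/.load" ]; then
        log_daemon_msg "Insufficient privileges to change profiles."
        log_end_msg 1
        exit 1
    fi
}
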
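# Refresh caches and click/profile hooks after a system-policy package
# update.  Per the caller's note this is only useful on click/snappy/system-
# image flavours; the compare_* helpers (from /lib/apparmor/functions)
# decide whether anything changed.  Sets the global apparmor_was_updated
# (0/1) as a side effect.  The hook binaries are run through the same
# absolute path that was checked with -x, so the check and the invocation
# can never refer to two different programs via PATH lookup.
handle_system_policy_package_updates() {
    apparmor_was_updated=0

    if ! compare_previous_version ; then
        # Snappy flavours: a version change clears the system cache; snappy
        # handles "$PROFILES_CACHE_VAR" itself.  (On Touch flavours
        # compare_previous_version always returns 0 since snappy is absent.)
        clear_cache_system
        apparmor_was_updated=1
    elif ! compare_and_save_debsums apparmor ; then
        # System policy changed since we last ran: drop the binary cache so
        # an Ubuntu image based upgrade cannot leave stale cache files
        # (LP: #1350673).  Removable once every system-image flavour moves
        # to snappy (there compare_and_save_debsums always returns 0 since
        # /var/lib/dpkg does not exist).
        clear_cache
        apparmor_was_updated=1
    fi

    clickhook=/usr/bin/aa-clickhook
    profilehook=/usr/bin/aa-profile-hook
    if [ -x "$clickhook" ] || [ -x "$profilehook" ] ; then
        # If packages for system policy that affect click packages changed
        # since the last run, force the matching hook(s) to regenerate.
        force_clickhook=0
        force_profile_hook=0
        if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
            force_clickhook=1
        fi
        if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
            force_clickhook=1
        fi
        if ! compare_and_save_debsums click-apparmor ; then
            force_clickhook=1
            force_profile_hook=1
        fi
        if [ -x "$clickhook" ] && { [ "$force_clickhook" -eq 1 ] || [ "$apparmor_was_updated" -eq 1 ]; } ; then
            "$clickhook" -f
        fi
        if [ -x "$profilehook" ] && { [ "$force_profile_hook" -eq 1 ] || [ "$apparmor_was_updated" -eq 1 ]; } ; then
            "$profilehook" -f
        fi
    fi
}
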
# "recache" is permitted even on a liveCD, so it is dispatched here, ahead
# of the liveCD guard that short-circuits every other action.
case "$1" in
    recache)
        log_daemon_msg "Recaching AppArmor profiles"
        recache_profiles
        rc=$?
        log_end_msg "$rc"
        exit "$rc"
        ;;
esac

# do not perform start/stop/reload actions when running from liveCD
# (an existing /rofs/etc/apparmor.d is taken as the "liveCD" signal;
# "recache", handled above, is the only action still allowed there)
test -d /rofs/etc/apparmor.d && exit 0

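# True when running inside a container that does not carry its own
# AppArmor policy; such containers leave policy management to the host.
# systemd-detect-virt is run through the path that was checked with -x,
# not via PATH lookup.  is_container_with_internal_policy comes from
# /lib/apparmor/functions.
in_container_without_policy() {
    test -x /sbin/systemd-detect-virt || return 1
    /sbin/systemd-detect-virt --quiet --container || return 1
    ! is_container_with_internal_policy
}

rc=255
case "$1" in
    start)
        if in_container_without_policy; then
            log_daemon_msg "Not starting AppArmor in container"
            log_end_msg 0
            exit 0
        fi
        log_daemon_msg "Starting AppArmor profiles"
        securityfs
        # That is only useful for click, snappy and system images, i.e.
        # not in Debian.  And it reads and writes to /var, which can be
        # remote-mounted, so it would prevent us from using
        # Before=sysinit.target without possibly introducing dependency
        # loops.
        handle_system_policy_package_updates
        load_configured_profiles
        rc=$?
        log_end_msg "$rc"
        ;;
    stop)
        # Deliberately leaves loaded policy in place; see the message.
        log_daemon_msg "Clearing AppArmor profiles cache"
        clear_cache
        rc=$?
        log_end_msg "$rc"
        cat >&2 <<EOM
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.

To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option.
EOM
        ;;
    teardown)
        if in_container_without_policy; then
            log_daemon_msg "Not tearing down AppArmor in container"
            log_end_msg 0
            exit 0
        fi
        log_daemon_msg "Unloading AppArmor profiles"
        securityfs
        # The while loop runs in a pipeline subshell, so an "exit 1" inside
        # it only ends that subshell.  The pipeline's status is what carries
        # an unload failure out; checking it here keeps a failed unload from
        # being reported as success with exit status 0.
        if running_profile_names | while IFS= read -r profile; do
               unload_profile "$profile" || exit 1
           done; then
            rc=0
        else
            rc=1
        fi
        log_end_msg "$rc"
        ;;
    restart|reload|force-reload)
        if in_container_without_policy; then
            log_daemon_msg "Not reloading AppArmor in container"
            log_end_msg 0
            exit 0
        fi
        log_daemon_msg "Reloading AppArmor profiles"
        securityfs
        clear_cache
        load_configured_profiles
        rc=$?
        # Profiles no longer configured are dropped after the reload; the
        # status of that step does not feed into rc.
        unload_obsolete_profiles
        log_end_msg "$rc"
        ;;
    status)
        # securityfs also insists on write access to .load, so "status"
        # needs the same privileges as a reload.
        securityfs
        if [ -x /usr/sbin/aa-status ]; then
            /usr/sbin/aa-status --verbose
        else
            cat "${AA_SFS}/profiles"
        fi
        rc=$?
        ;;
    *)
        usage
        rc=1
        ;;
esac
exit "$rc"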