Blame - meta-security/recipes-mac/AppArmor/files/apparmor - stefanberger/openbmc

blob: ac3ab9a4acb5503b57562152429ca5d293d24ecc [file] [log] [blame]

Richard Marian Thomaiyar	14fddef	2018-07-13 23:55:56 +0530	[diff] [blame]	1	#!/bin/sh
				2	# ----------------------------------------------------------------------
				3	# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
				4	# NOVELL (All rights reserved)
				5	# Copyright (c) 2008, 2009 Canonical, Ltd.
				6	#
				7	# This program is free software; you can redistribute it and/or
				8	# modify it under the terms of version 2 of the GNU General Public
				9	# License published by the Free Software Foundation.
				10	#
				11	# This program is distributed in the hope that it will be useful,
				12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
				13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				14	# GNU General Public License for more details.
				15	#
				16	# You should have received a copy of the GNU General Public License
				17	# along with this program; if not, contact Novell, Inc.
				18	# ----------------------------------------------------------------------
				19	# Authors:
				20	# Steve Beattie <steve.beattie@canonical.com>
				21	# Kees Cook <kees@ubuntu.com>
				22	#
				23	# /etc/init.d/apparmor
				24	#
				25	### BEGIN INIT INFO
				26	# Provides: apparmor
				27	# Required-Start: $local_fs
				28	# Required-Stop: umountfs
				29	# Default-Start: S
				30	# Default-Stop:
				31	# Short-Description: AppArmor initialization
				32	# Description: AppArmor init script. This script loads all AppArmor profiles.
				33	### END INIT INFO
				34
				35	log_daemon_msg() {
				36	echo $*
				37	}
				38
				39	log_end_msg () {
				40	retval=$1
				41	if [ $retval -eq 0 ]; then
				42	echo "."
				43	else
				44	echo " failed!"
				45	fi
				46	return $retval
				47	}
				48
				49	. /lib/apparmor/functions
				50	. /lib/lsb/init-functions
				51
				52	usage() {
				53	echo "Usage: $0 {start\|stop\|restart\|reload\|force-reload\|status\|recache}"
				54	}
				55
				56	test -x ${PARSER} \|\| exit 0 # by debian policy
				57	# LSM is built-in, so it is either there or not enabled for this boot
				58	test -d /sys/module/apparmor \|\| exit 0
				59
				60	securityfs() {
				61	# Need securityfs for any mode
				62	if [ ! -d "${AA_SFS}" ]; then
				63	if cut -d" " -f2,3 /proc/mounts \| grep -q "^${SECURITYFS} securityfs"'$' ; then
				64	log_daemon_msg "AppArmor not available as kernel LSM."
				65	log_end_msg 1
				66	exit 1
				67	else
				68	log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
				69	if ! mount -t securityfs none "${SECURITYFS}"; then
				70	log_end_msg 1
				71	exit 1
				72	fi
				73	fi
				74	fi
				75	if [ ! -w "$AA_SFS"/.load ]; then
				76	log_daemon_msg "Insufficient privileges to change profiles."
				77	log_end_msg 1
				78	exit 1
				79	fi
				80	}
				81
				82	handle_system_policy_package_updates() {
				83	apparmor_was_updated=0
				84
				85	if ! compare_previous_version ; then
				86	# On snappy flavors, if the current and previous versions are
				87	# different then clear the system cache. snappy will handle
				88	# "$PROFILES_CACHE_VAR" itself (on Touch flavors
				89	# compare_previous_version always returns '0' since snappy
				90	# isn't available).
				91	clear_cache_system
				92	apparmor_was_updated=1
				93	elif ! compare_and_save_debsums apparmor ; then
				94	# If the system policy has been updated since the last time we
				95	# ran, clear the cache to prevent potentially stale binary
				96	# cache files after an Ubuntu image based upgrade (LP:
				97	# #1350673). This can be removed once all system image flavors
				98	# move to snappy (on snappy systems compare_and_save_debsums
				99	# always returns '0' since /var/lib/dpkg doesn't exist).
				100	clear_cache
				101	apparmor_was_updated=1
				102	fi
				103
				104	if [ -x /usr/bin/aa-clickhook ] \|\| [ -x /usr/bin/aa-profile-hook ] ; then
				105	# If packages for system policy that affect click packages have
				106	# been updated since the last time we ran, run aa-clickhook -f
				107	force_clickhook=0
				108	force_profile_hook=0
				109	if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
				110	force_clickhook=1
				111	fi
				112	if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
				113	force_clickhook=1
				114	fi
				115	if ! compare_and_save_debsums click-apparmor ; then
				116	force_clickhook=1
				117	force_profile_hook=1
				118	fi
				119	if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
				120	aa-clickhook -f
				121	fi
				122	if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] \|\| [ $apparmor_was_updated -eq 1 ]) ; then
				123	aa-profile-hook -f
				124	fi
				125	fi
				126	}
				127
				128	# Allow "recache" even when running on the liveCD
				129	if [ "$1" = "recache" ]; then
				130	log_daemon_msg "Recaching AppArmor profiles"
				131	recache_profiles
				132	rc=$?
				133	log_end_msg "$rc"
				134	exit $rc
				135	fi
				136
				137	# do not perform start/stop/reload actions when running from liveCD
				138	test -d /rofs/etc/apparmor.d && exit 0
				139
				140	rc=255
				141	case "$1" in
				142	start)
				143	if test -x /sbin/systemd-detect-virt && \
				144	systemd-detect-virt --quiet --container && \
				145	! is_container_with_internal_policy; then
				146	log_daemon_msg "Not starting AppArmor in container"
				147	log_end_msg 0
				148	exit 0
				149	fi
				150	log_daemon_msg "Starting AppArmor profiles"
				151	securityfs
				152	# That is only useful for click, snappy and system images,
				153	# i.e. not in Debian. And it reads and writes to /var, that
				154	# can be remote-mounted, so it would prevent us from using
				155	# Before=sysinit.target without possibly introducing dependency
				156	# loops.
				157	handle_system_policy_package_updates
				158	load_configured_profiles
				159	rc=$?
				160	log_end_msg "$rc"
				161	;;
				162	stop)
				163	log_daemon_msg "Clearing AppArmor profiles cache"
				164	clear_cache
				165	rc=$?
				166	log_end_msg "$rc"
				167	cat >&2 <<EOM
				168	All profile caches have been cleared, but no profiles have been unloaded.
				169	Unloading profiles will leave already running processes permanently
				170	unconfined, which can lead to unexpected situations.
				171
				172	To set a process to complain mode, use the command line tool
				173	'aa-complain'. To really tear down all profiles, run the init script
				174	with the 'teardown' option."
				175	EOM
				176	;;
				177	teardown)
				178	if test -x /sbin/systemd-detect-virt && \
				179	systemd-detect-virt --quiet --container && \
				180	! is_container_with_internal_policy; then
				181	log_daemon_msg "Not tearing down AppArmor in container"
				182	log_end_msg 0
				183	exit 0
				184	fi
				185	log_daemon_msg "Unloading AppArmor profiles"
				186	securityfs
				187	running_profile_names \| while read profile; do
				188	if ! unload_profile "$profile" ; then
				189	log_end_msg 1
				190	exit 1
				191	fi
				192	done
				193	rc=0
				194	log_end_msg $rc
				195	;;
				196	restart\|reload\|force-reload)
				197	if test -x /sbin/systemd-detect-virt && \
				198	systemd-detect-virt --quiet --container && \
				199	! is_container_with_internal_policy; then
				200	log_daemon_msg "Not reloading AppArmor in container"
				201	log_end_msg 0
				202	exit 0
				203	fi
				204	log_daemon_msg "Reloading AppArmor profiles"
				205	securityfs
				206	clear_cache
				207	load_configured_profiles
				208	rc=$?
				209	unload_obsolete_profiles
				210
				211	log_end_msg "$rc"
				212	;;
				213	status)
				214	securityfs
				215	if [ -x /usr/sbin/aa-status ]; then
				216	aa-status --verbose
				217	else
				218	cat "$AA_SFS"/profiles
				219	fi
				220	rc=$?
				221	;;
				222	*)
				223	usage
				224	rc=1
				225	;;
				226	esac
				227	exit $rc