Richard Marian Thomaiyar14fddef2018-07-13 23:55:56 +05301#!/bin/sh
2# ----------------------------------------------------------------------
3# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
4# NOVELL (All rights reserved)
5# Copyright (c) 2008, 2009 Canonical, Ltd.
6#
7# This program is free software; you can redistribute it and/or
8# modify it under the terms of version 2 of the GNU General Public
9# License published by the Free Software Foundation.
10#
11# This program is distributed in the hope that it will be useful,
12# but WITHOUT ANY WARRANTY; without even the implied warranty of
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14# GNU General Public License for more details.
15#
16# You should have received a copy of the GNU General Public License
17# along with this program; if not, contact Novell, Inc.
18# ----------------------------------------------------------------------
19# Authors:
20# Steve Beattie <steve.beattie@canonical.com>
21# Kees Cook <kees@ubuntu.com>
22#
23# /etc/init.d/apparmor
24#
25### BEGIN INIT INFO
26# Provides: apparmor
27# Required-Start: $local_fs
28# Required-Stop: umountfs
29# Default-Start: S
30# Default-Stop:
31# Short-Description: AppArmor initialization
32# Description: AppArmor init script. This script loads all AppArmor profiles.
33### END INIT INFO
34
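# Minimal stand-in for the LSB log_daemon_msg helper (presumably
# replaced when /lib/lsb/init-functions is sourced further down).
# Arguments: the message, as one or more words
# Outputs:   the words joined by single spaces, newline-terminated, on stdout
log_daemon_msg() {
  # printf instead of echo: a message starting with "-n" or "-e" would
  # otherwise be swallowed as an echo option, and quoting "$*" avoids
  # re-splitting the words (and globbing) before they are printed.
  printf '%s\n' "$*"
}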
38
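# Minimal stand-in for the LSB log_end_msg helper (presumably replaced
# when /lib/lsb/init-functions is sourced further down).
# Arguments: $1 - exit status of the action that was just logged
# Outputs:   "." when $1 is 0, " failed!" otherwise, on stdout
# Returns:   $1 unchanged, so callers can pass the status through.
#            A missing argument is reported and returned as failure (1)
#            rather than letting a bare "return" pick up echo's status.
log_end_msg () {
  retval=${1:-1}
  if [ "$retval" -eq 0 ]; then
    echo "."
  else
    echo " failed!"
  fi
  return "$retval"
}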
48
49. /lib/apparmor/functions
50. /lib/lsb/init-functions
51
# Print the list of accepted actions on stdout.
# NOTE(review): "teardown" is also accepted by the case statement below
# but is not listed here; it is only mentioned in the message printed
# by the "stop" action.
usage() {
  printf 'Usage: %s {start|stop|restart|reload|force-reload|status|recache}\n' "$0"
}
55
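# Leave quietly (status 0, as Debian policy asks of init scripts) when
# there is nothing to do: no profile parser, or no AppArmor LSM in the
# running kernel.  PARSER is presumably set by /lib/apparmor/functions;
# it is quoted because an unset value would turn this into "test -x",
# which is true for the non-empty string "-x" and would let the script
# carry on without a parser.
test -x "${PARSER}" || exit 0
# LSM is built-in, so it is either there or not enabled for this boot
test -d /sys/module/apparmor || exit 0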
59
# Ensure securityfs is mounted and the AppArmor interface is writable;
# on any failure a message is logged and the whole script exits with 1.
# Globals: AA_SFS     - AppArmor directory below securityfs
#          SECURITYFS - securityfs mount point
#          (both presumably provided by /lib/apparmor/functions)
securityfs() {
  # Every action needs the AppArmor directory under securityfs.
  if [ ! -d "${AA_SFS}" ]; then
    # securityfs already mounted at the expected place but the
    # directory is still missing: this kernel is not running AppArmor.
    if cut -d" " -f2,3 /proc/mounts | grep -qx -- "${SECURITYFS} securityfs"; then
      log_daemon_msg "AppArmor not available as kernel LSM."
      log_end_msg 1
      exit 1
    fi
    log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
    mount -t securityfs none "${SECURITYFS}" || { log_end_msg 1; exit 1; }
  fi
  # Changing profiles means writing to the .load interface, which an
  # unprivileged caller cannot do.
  if [ ! -w "${AA_SFS}/.load" ]; then
    log_daemon_msg "Insufficient privileges to change profiles."
    log_end_msg 1
    exit 1
  fi
}
81
# Drop stale profile caches and re-run the click/profile hooks when the
# system policy packages changed since the previous run.
# Globals: apparmor_was_updated, force_clickhook, force_profile_hook
#          (written; kept global like the rest of this script)
# Calls:   compare_previous_version, compare_and_save_debsums,
#          clear_cache_system, clear_cache (from /lib/apparmor/functions)
handle_system_policy_package_updates() {
  apparmor_was_updated=0

  if ! compare_previous_version ; then
    # On snappy flavors, if the current and previous versions are
    # different then clear the system cache. snappy will handle
    # "$PROFILES_CACHE_VAR" itself (on Touch flavors
    # compare_previous_version always returns '0' since snappy
    # isn't available).
    clear_cache_system
    apparmor_was_updated=1
  elif ! compare_and_save_debsums apparmor ; then
    # If the system policy has been updated since the last time we
    # ran, clear the cache to prevent potentially stale binary
    # cache files after an Ubuntu image based upgrade (LP:
    # #1350673). This can be removed once all system image flavors
    # move to snappy (on snappy systems compare_and_save_debsums
    # always returns '0' since /var/lib/dpkg doesn't exist).
    clear_cache
    apparmor_was_updated=1
  fi

  # Nothing further to do unless at least one of the hooks is installed.
  [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] || return 0

  # If packages for system policy that affect click packages have been
  # updated since the last time we ran, run the hooks with -f.  All three
  # comparisons run unconditionally (each one presumably also records the
  # current checksums), even when an earlier one already forced a hook.
  force_clickhook=0
  force_profile_hook=0
  compare_and_save_debsums apparmor-easyprof-ubuntu || force_clickhook=1
  compare_and_save_debsums apparmor-easyprof-ubuntu-snappy || force_clickhook=1
  if ! compare_and_save_debsums click-apparmor ; then
    force_clickhook=1
    force_profile_hook=1
  fi
  if [ -x /usr/bin/aa-clickhook ] && { [ "$force_clickhook" -eq 1 ] || [ "$apparmor_was_updated" -eq 1 ]; }; then
    aa-clickhook -f
  fi
  if [ -x /usr/bin/aa-profile-hook ] && { [ "$force_profile_hook" -eq 1 ] || [ "$apparmor_was_updated" -eq 1 ]; }; then
    aa-profile-hook -f
  fi
}
127
# "recache" is allowed even on the liveCD, so it is handled before the
# liveCD check that guards the remaining actions.
if [ "$1" = "recache" ]; then
  log_daemon_msg "Recaching AppArmor profiles"
  recache_profiles
  rc=$?
  log_end_msg "$rc"
  exit "$rc"
fi
136
# start/stop/reload make no sense on the read-only liveCD root, so
# leave quietly (status 0) when it is present.
if [ -d /rofs/etc/apparmor.d ]; then
  exit 0
fi
139
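# start, teardown and reload all skip their work inside a container that
# does not ship its own policy; the check is shared here.
# Calls:   is_container_with_internal_policy (from /lib/apparmor/functions)
# Returns: 0 when running in a container without internal policy
in_container_without_policy() {
  test -x /sbin/systemd-detect-virt && \
    systemd-detect-virt --quiet --container && \
    ! is_container_with_internal_policy
}

# Dispatch on the requested action; rc is the script's exit status.
rc=255
case "$1" in
  start)
    if in_container_without_policy; then
      log_daemon_msg "Not starting AppArmor in container"
      log_end_msg 0
      exit 0
    fi
    log_daemon_msg "Starting AppArmor profiles"
    securityfs
    # That is only useful for click, snappy and system images,
    # i.e. not in Debian. And it reads and writes to /var, that
    # can be remote-mounted, so it would prevent us from using
    # Before=sysinit.target without possibly introducing dependency
    # loops.
    handle_system_policy_package_updates
    load_configured_profiles
    rc=$?
    log_end_msg "$rc"
    ;;
  stop)
    log_daemon_msg "Clearing AppArmor profiles cache"
    clear_cache
    rc=$?
    log_end_msg "$rc"
    # Quoted delimiter: the notice is literal text, nothing is expanded.
    cat >&2 <<'EOM'
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.

To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option.
EOM
    ;;
  teardown)
    if in_container_without_policy; then
      log_daemon_msg "Not tearing down AppArmor in container"
      log_end_msg 0
      exit 0
    fi
    log_daemon_msg "Unloading AppArmor profiles"
    securityfs
    # The while loop is a pipeline stage and runs in a subshell, so an
    # "exit 1" inside it only ends that subshell.  The pipeline's status
    # (that of the loop) carries the failure out, so a profile that
    # could not be unloaded is reported as a failure instead of the
    # action being logged as successful.
    rc=0
    running_profile_names | while IFS= read -r profile; do
      unload_profile "$profile" || exit 1
    done || rc=1
    log_end_msg "$rc"
    ;;
  restart|reload|force-reload)
    if in_container_without_policy; then
      log_daemon_msg "Not reloading AppArmor in container"
      log_end_msg 0
      exit 0
    fi
    log_daemon_msg "Reloading AppArmor profiles"
    securityfs
    clear_cache
    load_configured_profiles
    rc=$?
    # Profiles no longer configured are removed after the reload; the
    # status of this step does not feed into rc.
    unload_obsolete_profiles
    log_end_msg "$rc"
    ;;
  status)
    securityfs
    if [ -x /usr/sbin/aa-status ]; then
      aa-status --verbose
    else
      cat "${AA_SFS}/profiles"
    fi
    rc=$?
    ;;
  *)
    usage
    rc=1
    ;;
esac
exit "$rc"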