Diffstat (limited to 'meta-security/recipes-mac/AppArmor/files/apparmor')
-rw-r--r-- | meta-security/recipes-mac/AppArmor/files/apparmor | 226 |
1 files changed, 0 insertions, 226 deletions
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
deleted file mode 100644
index 604e48d56..000000000
--- a/meta-security/recipes-mac/AppArmor/files/apparmor
+++ /dev/null
@@ -1,226 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008, 2009 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Steve Beattie <steve.beattie@canonical.com>
-# Kees Cook <kees@ubuntu.com>
-#
-# /etc/init.d/apparmor
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start: $local_fs
-# Required-Stop: umountfs
-# Default-Start: S
-# Default-Stop:
-# Short-Description: AppArmor initialization
-# Description: AppArmor init script. This script loads all AppArmor profiles.
-### END INIT INFO
-
-log_daemon_msg() {
- echo $*
-}
-
-log_end_msg () {
- retval=$1
- if [ $retval -eq 0 ]; then
- echo "."
- else
- echo " failed!"
- fi
- return $retval
-}
-
-. /lib/apparmor/functions
-
-usage() {
- echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
-}
-
-test -x ${PARSER} || exit 0 # by debian policy
-# LSM is built-in, so it is either there or not enabled for this boot
-test -d /sys/module/apparmor || exit 0
-
-securityfs() {
- # Need securityfs for any mode
- if [ ! -d "${AA_SFS}" ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_daemon_msg "AppArmor not available as kernel LSM."
- log_end_msg 1
- exit 1
- else
- log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
- if ! mount -t securityfs none "${SECURITYFS}"; then
- log_end_msg 1
- exit 1
- fi
- fi
- fi
- if [ ! -w "$AA_SFS"/.load ]; then
- log_daemon_msg "Insufficient privileges to change profiles."
- log_end_msg 1
- exit 1
- fi
-}
-
-handle_system_policy_package_updates() {
- apparmor_was_updated=0
-
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-}
-
-# Allow "recache" even when running on the liveCD
-if [ "$1" = "recache" ]; then
- log_daemon_msg "Recaching AppArmor profiles"
- recache_profiles
- rc=$?
- log_end_msg "$rc"
- exit $rc
-fi
-
-# do not perform start/stop/reload actions when running from liveCD
-test -d /rofs/etc/apparmor.d && exit 0
-
-rc=255
-case "$1" in
- start)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not starting AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Starting AppArmor profiles"
- securityfs
- # That is only useful for click, snappy and system images,
- # i.e. not in Debian. And it reads and writes to /var, that
- # can be remote-mounted, so it would prevent us from using
- # Before=sysinit.target without possibly introducing dependency
- # loops.
- handle_system_policy_package_updates
- load_configured_profiles
- rc=$?
- log_end_msg "$rc"
- ;;
- stop)
- log_daemon_msg "Clearing AppArmor profiles cache"
- clear_cache
- rc=$?
- log_end_msg "$rc"
- cat >&2 <<EOM
-All profile caches have been cleared, but no profiles have been unloaded.
-Unloading profiles will leave already running processes permanently
-unconfined, which can lead to unexpected situations.
-
-To set a process to complain mode, use the command line tool
-'aa-complain'. To really tear down all profiles, run the init script
-with the 'teardown' option."
-EOM
- ;;
- teardown)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not tearing down AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Unloading AppArmor profiles"
- securityfs
- running_profile_names | while read profile; do
- if ! unload_profile "$profile" ; then
- log_end_msg 1
- exit 1
- fi
- done
- rc=0
- log_end_msg $rc
- ;;
- restart|reload|force-reload)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not reloading AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Reloading AppArmor profiles"
- securityfs
- clear_cache
- load_configured_profiles
- rc=$?
- unload_obsolete_profiles
-
- log_end_msg "$rc"
- ;;
- status)
- securityfs
- if [ -x /usr/sbin/aa-status ]; then
- aa-status --verbose
- else
- cat "$AA_SFS"/profiles
- fi
- rc=$?
- ;;
- *)
- usage
- rc=1
- ;;
- esac
-exit $rc |