blob: 1507d7b5f73248800eda77cae34272c94222ede6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
description "Pre-cache and pre-load apparmor profiles"
author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
task
start on starting rc-sysinit
script
[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
[ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
. /lib/apparmor/functions
systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
# Need securityfs for any mode
if [ ! -d /sys/kernel/security/apparmor ]; then
if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
exit 0
else
mount -t securityfs none /sys/kernel/security || exit 0
fi
fi
[ -w /sys/kernel/security/apparmor/.load ] || exit 0
apparmor_was_updated=0
if ! compare_previous_version ; then
# On snappy flavors, if the current and previous versions are
# different then clear the system cache. snappy will handle
# "$PROFILES_CACHE_VAR" itself (on Touch flavors
# compare_previous_version always returns '0' since snappy
# isn't available).
clear_cache_system
apparmor_was_updated=1
elif ! compare_and_save_debsums apparmor ; then
# If the system policy has been updated since the last time we
# ran, clear the cache to prevent potentially stale binary
# cache files after an Ubuntu image based upgrade (LP:
# #1350673). This can be removed once all system image flavors
# move to snappy (on snappy systems compare_and_save_debsums
# always returns '0' since /var/lib/dpkg doesn't exist).
clear_cache
apparmor_was_updated=1
fi
if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
# If packages for system policy that affect click packages have
# been updated since the last time we ran, run aa-clickhook -f
force_clickhook=0
force_profile_hook=0
if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
force_clickhook=1
fi
if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
force_clickhook=1
fi
if ! compare_and_save_debsums click-apparmor ; then
force_clickhook=1
force_profile_hook=1
fi
if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-clickhook -f
fi
if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-profile-hook -f
fi
fi
if [ "$ACTION" = "teardown" ]; then
running_profile_names | while read profile; do
unload_profile "$profile"
done
exit 0
fi
if [ "$ACTION" = "clear" ]; then
clear_cache
exit 0
fi
if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
clear_cache
load_configured_profiles
unload_obsolete_profiles
exit 0
fi
# Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
# aa-clickhook will have already compiled the policy, generated the cache
# files and loaded them into the kernel by this point, so reloading click
# policy from cache, while fairly fast (<2 seconds for 250 profiles on
# armhf), is redundant. Fixing this would complicate the logic quite a bit
# and it wouldn't improve the (by far) common case (ie, when
# 'aa-clickhook -f' is not run).
load_configured_profiles
end script
|