summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security/AppArmor/files/apparmor
blob: ac3ab9a4acb5503b57562152429ca5d293d24ecc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
#!/bin/sh
# ----------------------------------------------------------------------
#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
#     NOVELL (All rights reserved)
#    Copyright (c) 2008, 2009 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
# Authors:
#  Steve Beattie <steve.beattie@canonical.com>
#  Kees Cook <kees@ubuntu.com>
#
# /etc/init.d/apparmor
#
### BEGIN INIT INFO
# Provides: apparmor
# Required-Start: $local_fs
# Required-Stop: umountfs
# Default-Start: S
# Default-Stop:
# Short-Description: AppArmor initialization
# Description: AppArmor init script. This script loads all AppArmor profiles.
### END INIT INFO

log_daemon_msg() {
    echo $*
}

log_end_msg () {
    retval=$1
    if [ $retval -eq 0 ]; then
        echo "."
    else
        echo " failed!"
    fi
    return $retval
}

. /lib/apparmor/functions
. /lib/lsb/init-functions

usage() {
    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
}

test -x ${PARSER} || exit 0 # by debian policy
# LSM is built-in, so it is either there or not enabled for this boot
test -d /sys/module/apparmor || exit 0

securityfs() {
	# Need securityfs for any mode
	if [ ! -d "${AA_SFS}" ]; then
		if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
			log_daemon_msg "AppArmor not available as kernel LSM."
			log_end_msg 1
			exit 1
		else
			log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
			if ! mount -t securityfs none "${SECURITYFS}"; then
				log_end_msg 1
				exit 1
			fi
		fi
	fi
	if [ ! -w "$AA_SFS"/.load ]; then
		log_daemon_msg "Insufficient privileges to change profiles."
		log_end_msg 1
		exit 1
	fi
}

handle_system_policy_package_updates() {
	apparmor_was_updated=0

	if ! compare_previous_version ; then
		# On snappy flavors, if the current and previous versions are
		# different then clear the system cache. snappy will handle
		# "$PROFILES_CACHE_VAR" itself (on Touch flavors
		# compare_previous_version always returns '0' since snappy
		# isn't available).
		clear_cache_system
		apparmor_was_updated=1
	elif ! compare_and_save_debsums apparmor ; then
		# If the system policy has been updated since the last time we
		# ran, clear the cache to prevent potentially stale binary
		# cache files after an Ubuntu image based upgrade (LP:
		# #1350673). This can be removed once all system image flavors
		# move to snappy (on snappy systems compare_and_save_debsums
		# always returns '0' since /var/lib/dpkg doesn't exist).
		clear_cache
		apparmor_was_updated=1
	fi

	if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
		# If packages for system policy that affect click packages have
		# been updated since the last time we ran, run aa-clickhook -f
                force_clickhook=0
                force_profile_hook=0
                if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
                        force_clickhook=1
                fi
                if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
                        force_clickhook=1
                fi
                if ! compare_and_save_debsums click-apparmor ; then
                        force_clickhook=1
                        force_profile_hook=1
                fi
                if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
                        aa-clickhook -f
                fi
                if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
                        aa-profile-hook -f
                fi
	fi
}

# Allow "recache" even when running on the liveCD
if [ "$1" = "recache" ]; then
	log_daemon_msg "Recaching AppArmor profiles"
	recache_profiles
	rc=$?
	log_end_msg "$rc"
	exit $rc
fi

# do not perform start/stop/reload actions when running from liveCD
test -d /rofs/etc/apparmor.d && exit 0

rc=255
case "$1" in
	start)
		if test -x /sbin/systemd-detect-virt && \
		   systemd-detect-virt --quiet --container && \
		   ! is_container_with_internal_policy; then
			log_daemon_msg "Not starting AppArmor in container"
			log_end_msg 0
			exit 0
		fi
		log_daemon_msg "Starting AppArmor profiles"
		securityfs
		# That is only useful for click, snappy and system images,
		# i.e. not in Debian. And it reads and writes to /var, that
		# can be remote-mounted, so it would prevent us from using
		# Before=sysinit.target without possibly introducing dependency
		# loops.
		handle_system_policy_package_updates
		load_configured_profiles
		rc=$?
		log_end_msg "$rc"
		;;
	stop)
		log_daemon_msg "Clearing AppArmor profiles cache"
		clear_cache
		rc=$?
		log_end_msg "$rc"
		cat >&2 <<EOM
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.

To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option."
EOM
		;;
	teardown)
		if test -x /sbin/systemd-detect-virt && \
		   systemd-detect-virt --quiet --container && \
		   ! is_container_with_internal_policy; then
			log_daemon_msg "Not tearing down AppArmor in container"
			log_end_msg 0
			exit 0
		fi
		log_daemon_msg "Unloading AppArmor profiles"
		securityfs
		running_profile_names | while read profile; do
			if ! unload_profile "$profile" ; then
				log_end_msg 1
				exit 1
			fi
		done
		rc=0
		log_end_msg $rc
		;;
	restart|reload|force-reload)
		if test -x /sbin/systemd-detect-virt && \
		   systemd-detect-virt --quiet --container && \
		   ! is_container_with_internal_policy; then
			log_daemon_msg "Not reloading AppArmor in container"
			log_end_msg 0
			exit 0
		fi
		log_daemon_msg "Reloading AppArmor profiles"
		securityfs
		clear_cache
		load_configured_profiles
		rc=$?
		unload_obsolete_profiles

		log_end_msg "$rc"
		;;
	status)
		securityfs
		if [ -x /usr/sbin/aa-status ]; then
			aa-status --verbose
		else
			cat "$AA_SFS"/profiles
		fi
		rc=$?
		;;
	*)
		usage
		rc=1
		;;
	esac
exit $rc
OpenPOWER on IntegriCloud