1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
|
#!/bin/sh
# ----------------------------------------------------------------------
# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
# NOVELL (All rights reserved)
# Copyright (c) 2008, 2009 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
# Authors:
# Steve Beattie <steve.beattie@canonical.com>
# Kees Cook <kees@ubuntu.com>
#
# /etc/init.d/apparmor
#
### BEGIN INIT INFO
# Provides: apparmor
# Required-Start: $local_fs
# Required-Stop: umountfs
# Default-Start: S
# Default-Stop:
# Short-Description: AppArmor initialization
# Description: AppArmor init script. This script loads all AppArmor profiles.
### END INIT INFO
. /lib/apparmor/functions
. /lib/lsb/init-functions
usage() {
echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
}
test -x ${PARSER} || exit 0 # by debian policy
# LSM is built-in, so it is either there or not enabled for this boot
test -d /sys/module/apparmor || exit 0
securityfs() {
# Need securityfs for any mode
if [ ! -d "${AA_SFS}" ]; then
if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
log_action_msg "AppArmor not available as kernel LSM."
log_end_msg 1
exit 1
else
log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
if ! mount -t securityfs none "${SECURITYFS}"; then
log_action_end_msg 1
log_end_msg 1
exit 1
fi
fi
fi
if [ ! -w "$AA_SFS"/.load ]; then
log_action_msg "Insufficient privileges to change profiles."
log_end_msg 1
exit 1
fi
}
handle_system_policy_package_updates() {
apparmor_was_updated=0
if ! compare_previous_version ; then
# On snappy flavors, if the current and previous versions are
# different then clear the system cache. snappy will handle
# "$PROFILES_CACHE_VAR" itself (on Touch flavors
# compare_previous_version always returns '0' since snappy
# isn't available).
clear_cache_system
apparmor_was_updated=1
elif ! compare_and_save_debsums apparmor ; then
# If the system policy has been updated since the last time we
# ran, clear the cache to prevent potentially stale binary
# cache files after an Ubuntu image based upgrade (LP:
# #1350673). This can be removed once all system image flavors
# move to snappy (on snappy systems compare_and_save_debsums
# always returns '0' since /var/lib/dpkg doesn't exist).
clear_cache
apparmor_was_updated=1
fi
if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
# If packages for system policy that affect click packages have
# been updated since the last time we ran, run aa-clickhook -f
force_clickhook=0
force_profile_hook=0
if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
force_clickhook=1
fi
if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
force_clickhook=1
fi
if ! compare_and_save_debsums click-apparmor ; then
force_clickhook=1
force_profile_hook=1
fi
if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-clickhook -f
fi
if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-profile-hook -f
fi
fi
}
# Allow "recache" even when running on the liveCD
if [ "$1" = "recache" ]; then
log_daemon_msg "Recaching AppArmor profiles"
recache_profiles
rc=$?
log_end_msg "$rc"
exit $rc
fi
# do not perform start/stop/reload actions when running from liveCD
test -d /rofs/etc/apparmor.d && exit 0
rc=255
case "$1" in
start)
if systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not starting AppArmor in container"
log_end_msg 0
exit 0
fi
log_daemon_msg "Starting AppArmor profiles"
securityfs
# That is only useful for click, snappy and system images,
# i.e. not in Debian. And it reads and writes to /var, that
# can be remote-mounted, so it would prevent us from using
# Before=sysinit.target without possibly introducing dependency
# loops.
#handle_system_policy_package_updates
load_configured_profiles
rc=$?
log_end_msg "$rc"
;;
stop)
log_daemon_msg "Clearing AppArmor profiles cache"
clear_cache
rc=$?
log_end_msg "$rc"
cat >&2 <<EOM
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.
To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option."
EOM
;;
teardown)
if systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not tearing down AppArmor in container"
log_end_msg 0
exit 0
fi
log_daemon_msg "Unloading AppArmor profiles"
securityfs
running_profile_names | while read profile; do
if ! unload_profile "$profile" ; then
log_end_msg 1
exit 1
fi
done
rc=0
log_end_msg $rc
;;
restart|reload|force-reload)
if systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not reloading AppArmor in container"
log_end_msg 0
exit 0
fi
log_daemon_msg "Reloading AppArmor profiles"
securityfs
clear_cache
load_configured_profiles
rc=$?
log_end_msg "$rc"
;;
status)
securityfs
if [ -x /usr/sbin/aa-status ]; then
aa-status --verbose
else
cat "$AA_SFS"/profiles
fi
rc=$?
;;
*)
usage
rc=1
;;
esac
exit $rc
|