mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-05-08 05:09:48 +00:00
Code Issues Projects Releases Wiki Activity
Files
hardknott
meta-security/recipes-mac/AppArmor/files/apparmor.rc
T
Armin Kuster 75e609f7b1 reorg: move mac recipes to recipes-mac 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31 10:37:09 -07:00

99 lines
3.6 KiB
Plaintext
Raw Permalink Blame History

description "Pre-cache and pre-load apparmor profiles"
author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
task
start on starting rc-sysinit
script
[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
[ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
. /lib/apparmor/functions
systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
# Need securityfs for any mode
if [ ! -d /sys/kernel/security/apparmor ]; then
if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
exit 0
else
mount -t securityfs none /sys/kernel/security || exit 0
fi
fi
[ -w /sys/kernel/security/apparmor/.load ] || exit 0
apparmor_was_updated=0
if ! compare_previous_version ; then
# On snappy flavors, if the current and previous versions are
# different then clear the system cache. snappy will handle
# "$PROFILES_CACHE_VAR" itself (on Touch flavors
# compare_previous_version always returns '0' since snappy
# isn't available).
clear_cache_system
apparmor_was_updated=1
elif ! compare_and_save_debsums apparmor ; then
# If the system policy has been updated since the last time we
# ran, clear the cache to prevent potentially stale binary
# cache files after an Ubuntu image based upgrade (LP:
# #1350673). This can be removed once all system image flavors
# move to snappy (on snappy systems compare_and_save_debsums
# always returns '0' since /var/lib/dpkg doesn't exist).
clear_cache
apparmor_was_updated=1
fi
if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
# If packages for system policy that affect click packages have
# been updated since the last time we ran, run aa-clickhook -f
force_clickhook=0
force_profile_hook=0
if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
force_clickhook=1
fi
if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
force_clickhook=1
fi
if ! compare_and_save_debsums click-apparmor ; then
force_clickhook=1
force_profile_hook=1
fi
if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-clickhook -f
fi
if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
aa-profile-hook -f
fi
fi
if [ "$ACTION" = "teardown" ]; then
running_profile_names | while read profile; do
unload_profile "$profile"
done
exit 0
fi
if [ "$ACTION" = "clear" ]; then
clear_cache
exit 0
fi
if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
clear_cache
load_configured_profiles
unload_obsolete_profiles
exit 0
fi
# Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
# aa-clickhook will have already compiled the policy, generated the cache
# files and loaded them into the kernel by this point, so reloading click
# policy from cache, while fairly fast (<2 seconds for 250 profiles on
# armhf), is redundant. Fixing this would complicate the logic quite a bit
# and it wouldn't improve the (by far) common case (ie, when
# 'aa-clickhook -f' is not run).
load_configured_profiles
end script
Reference in New Issue View Git Blame Copy Permalink