diff --git a/parser/Makefile b/parser/Makefile
index 6e8ff74ce..b18cfe414 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -2,6 +2,8 @@
 # Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
 # NOVELL (All rights reserved)
 #
+# Copyright (c) Christian Boltz 2018
+#
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
 # License published by the Free Software Foundation.
@@ -22,10 +24,11 @@ include $(COMMONDIR)/Make.rules
 DESTDIR=/
 APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
 CONFDIR=/etc/apparmor
 INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
-MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
+MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 aa-teardown.8
 YACC := /usr/bin/bison
 YFLAGS := -d
@@ -314,7 +317,7 @@ install-redhat:
 install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
 .PHONY: install-suse
-install-suse:
+install-suse: install-systemd
 install -m 755 -d $(DESTDIR)/sbin
 ln -sf service $(DESTDIR)/sbin/rcapparmor
@@ -376,6 +379,14 @@ install-indep: indep
 $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 $(MAKE) install_manpages DESTDIR=${DESTDIR}
+.PHONY: install-systemd
+install-systemd:
+ install -m 755 -d $(SYSTEMD_UNIT_DIR)
+ install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
+ install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+ install -m 755 -d $(DESTDIR)/sbin
+ install -m 755 aa-teardown $(DESTDIR)/sbin
+
 ifndef VERBOSE
 .SILENT: clean
 endif
diff --git a/parser/aa-teardown b/parser/aa-teardown
new file mode 100644
index 000000000..f52cbbd08
--- /dev/null
+++ b/parser/aa-teardown
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+test $# = 0 || {
+ echo "Usage: $0"
+ echo
+ echo "Unloads all AppArmor profiles"
+ exit 1
+}
+
+/lib/apparmor/apparmor.systemd stop
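Review bot: `SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system` hard-codes the unit directory, which is not the same on every distribution (some ship system units under `/lib/systemd/system`), so packagers must know to pass `SYSTEMD_UNIT_DIR=` on the command line. A comment pointing them at systemd's pkg-config variable would make that discoverable: `# systemd system unit directory; override with the value of` / `# pkg-config --variable=systemdsystemunitdir systemd where it differs`. The MANPAGES addition assumes an existing rule builds aa-teardown.8 from aa-teardown.pod, which is outside this hunk.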
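Review bot: `install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)` leaves the helper non-executable, yet apparmor.service runs it directly via `ExecStart=/lib/apparmor/apparmor.systemd reload` and aa-teardown calls `/lib/apparmor/apparmor.systemd stop`, so the unit fails to start and the teardown helper fails with a permission error; the file is also added to git as mode 100644, so nothing else grants the bit. Install it like the init script in the install-redhat rule above: `install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)`. Mode 644 is right for apparmor.service, and declaring the target in `.PHONY` matches the neighbouring rules.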
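Review bot: `/lib/apparmor/apparmor.systemd stop` hard-codes the helper's path, while the Makefile installs it under `$(APPARMOR_BIN_PREFIX)`, whose default `${DESTDIR}/lib/apparmor` is only one possible value; an install with another prefix leaves aa-teardown calling a file that is not there, and apparmor.service's ExecStart/ExecReload carry the same literal path. Either substitute the path at install time or note next to `APPARMOR_BIN_PREFIX` that these two files assume `/lib/apparmor`. apparmor.service's comment explains that unloading removes confinement from running processes and that it cannot be re-applied later; the script should say the same in its header, e.g. `# Unloading all profiles removes AppArmor confinement from every running process; it cannot be re-applied without restarting them.` The usage text is printed to stdout before `exit 1`, where `>&2` would be conventional, and nothing here needs bash, so `#!/bin/sh` would match apparmor.systemd.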
diff --git a/parser/aa-teardown.pod b/parser/aa-teardown.pod
new file mode 100644
index 000000000..244171493
--- /dev/null
+++ b/parser/aa-teardown.pod
@@ -0,0 +1,40 @@
+# ----------------------------------------------------------------------
+# Copyright (c) 2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+=pod
+
+=head1 NAME
+
+aa-teardown - unload all AppArmor profiles
+
+=head1 SYNOPSIS
+
+B
+
+=head1 DESCRIPTION
+
+aa-teardown unloads all AppArmor profiles
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), and L.
+
+=cut
diff --git a/parser/apparmor.service b/parser/apparmor.service
new file mode 100644
index 000000000..f84eac952
--- /dev/null
+++ b/parser/apparmor.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=systemd-journald-audit.socket
+# profile cache
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=/lib/apparmor/apparmor.systemd reload
+ExecReload=/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd
new file mode 100644
index 000000000..55af03764
--- /dev/null
+++ b/parser/apparmor.systemd
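Review bot: `ExecStart=/lib/apparmor/apparmor.systemd reload` invokes the `restart|reload|force-reload` branch of apparmor.systemd (`apparmor_restart`) rather than its `start` branch, which a reader of the unit alone cannot tell and may take for a copy-paste of the ExecReload line. If this is deliberate — presumably so that an already-loaded profile set is refreshed rather than reported as already running, though what `apparmor_start` does in that case is not visible here — a comment above ExecStart would help, e.g. `# 'reload' on purpose: re-applies profiles even if some are already loaded (see apparmor.systemd)`. The ExecStop comment explains well why stop is a no-op; it could also state that `systemctl stop` therefore reports success without changing anything, so that RemainAfterExit=yes plus the no-op is not mistaken for an actual unload.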
@@ -0,0 +1,100 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
+
+aa_action()
+{
+ echo $1
+ shift
+ "$@"
+ return $?
+}
+
+aa_log_warning_msg()
+{
+ echo "Warning: $@"
+}
+
+aa_log_failure_msg()
+{
+ echo "Error: $@"
+}
+
+aa_log_action_start()
+{
+ echo "$@"
+}
+
+aa_log_action_end()
+{
+ echo -n
+}
+
+aa_log_daemon_msg()
+{
+ echo "$@"
+}
+
+aa_log_skipped_msg()
+{
+ echo "Skipped: $@"
+}
+
+aa_log_end_msg()
+{
+ echo -n
+}
+
+# source apparmor function library
+if [ -f "${APPARMOR_FUNCTIONS}" ]; then
+ . ${APPARMOR_FUNCTIONS}
+else
+ aa_log_failure_msg "Unable to find AppArmor initscript functions"
+ exit 1
+fi
+
+case "$1" in
+ start)
+ apparmor_start
+ rc=$?
+ ;;
+ stop)
+ apparmor_stop
+ rc=$?
+ ;;
+ restart|reload|force-reload)
+ apparmor_restart
+ rc=$?
+ ;;
+ try-restart)
+ apparmor_try_restart
+ rc=$?
+ ;;
+ kill)
+ apparmor_kill
+ rc=$?
+ ;;
+ status)
+ apparmor_status
+ rc=$?
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+exit $rc
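Review bot: The `*)` branch of the `case` exits 1 without a message, so a caller that passes a wrong action gets no hint at what the script accepts; print the usage to stderr first, e.g. `echo "Usage: $0 {start|stop|restart|reload|force-reload|try-restart|kill|status}" >&2`. In `aa_action`, `echo $1` is unquoted, so a message containing spaces or glob characters is word-split and glob-expanded; `echo "$1"` keeps it intact, and the following `return $?` is redundant because a function already returns its last command's status. The `aa_log_*` stubs are defined before rc.apparmor.functions is sourced, presumably because that library expects the init system to supply them; a comment saying so above `aa_action()` would help — confirm against rc.apparmor.functions, which is not in this diff.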