From 671ddccf19a94debf89315853909d16cbb3c7cbc Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 18 Mar 2018 17:50:57 +0100
Subject: [PATCH 1/2] Add apparmor.service and aa-teardown

... and the apparmor.systemd wrapper. Also add a new 'install-systemd' target to the Makefile to install these systemd-related files on (open)SUSE by default. Other distributions can follow by adding a dependency on 'install-systemd' on their 'install-$DISTRO' target. Note that apparmor.service has ExecStop=/bin/true to avoid that running processes get unconfined if someone accidently types systemctl restart apparmor (instead of using "reload") Use aa-teardown if you really want to unload all profiles. The files in this commit are used in openSUSE since a while, and also in Arch Linux. BTW: The condition on var-lib.mount is because openSUSE uses /var/lib/apparmor/cache/ - but with the changed btrfs layout on openSUSE, maybe I'll change that to /var/cache/apparmor/ which is a) used by Debian and b) more sane
---
 parser/Makefile | 13 +++++-
 parser/aa-teardown | 10 ++++
 parser/apparmor.service | 26 +++++++++++
 parser/apparmor.systemd | 100 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 parser/aa-teardown
 create mode 100644 parser/apparmor.service
 create mode 100644 parser/apparmor.systemd
diff --git a/parser/Makefile b/parser/Makefile
index 6e8ff74ce..cf76c750e 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -2,6 +2,8 @@
 # Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
 # NOVELL (All rights reserved)
 #
+# Copyright (c) Christian Boltz 2018
+#
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of version 2 of the GNU General Public
 # License published by the Free Software Foundation.
@@ -22,6 +24,7 @@ include $(COMMONDIR)/Make.rules
 
 DESTDIR=/
 APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
 CONFDIR=/etc/apparmor
 INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
@@ -314,7 +317,7 @@ install-redhat:
 install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
 
 .PHONY: install-suse
-install-suse:
+install-suse: install-systemd
 install -m 755 -d $(DESTDIR)/sbin
 ln -sf service $(DESTDIR)/sbin/rcapparmor
 
@@ -376,6 +379,14 @@ install-indep: indep
 $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 $(MAKE) install_manpages DESTDIR=${DESTDIR}
 
+.PHONY: install-systemd
+install-systemd:
+ install -m 755 -d $(SYSTEMD_UNIT_DIR)
+ install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
+ install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+ install -m 755 -d $(DESTDIR)/sbin
+ install -m 755 aa-teardown $(DESTDIR)/sbin
+
 ifndef VERBOSE
 .SILENT: clean
 endif
diff --git a/parser/aa-teardown b/parser/aa-teardown
new file mode 100644
index 000000000..f52cbbd08
--- /dev/null
+++ b/parser/aa-teardown
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+test $# = 0 || {
+ echo "Usage: $0"
+ echo
+ echo "Unloads all AppArmor profiles"
+ exit 1
+}
+
+/lib/apparmor/apparmor.systemd stop
diff --git a/parser/apparmor.service b/parser/apparmor.service
new file mode 100644
index 000000000..f84eac952
--- /dev/null
+++ b/parser/apparmor.service
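Review bot: `install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)` in the new install-systemd target installs the wrapper without an execute bit, yet apparmor.service runs it directly via `ExecStart=/lib/apparmor/apparmor.systemd reload` and aa-teardown calls `/lib/apparmor/apparmor.systemd stop`; systemd does not go through a shell for ExecStart, so the unit would fail with a permission error on a fresh install. Change the line to `install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)`. The recipe also assumes `$(APPARMOR_BIN_PREFIX)` already exists; if no other install target guarantees that, add `install -m 755 -d $(APPARMOR_BIN_PREFIX)` before it, because `install` on a missing directory silently creates a regular file of that name instead. A `## install systemd unit, apparmor.systemd wrapper and aa-teardown` comment on the target would help the other distributions the description invites to depend on it.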
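Review bot: The usage text inside the `test $# = 0 || { … }` block is written to stdout although it is an error path; `echo "Usage: $0" >&2` (and the same redirection on the two following echoes) keeps it out of anything a caller pipes the output into. Nothing in the script needs bash, so `#!/bin/sh` would match the apparmor.systemd wrapper it invokes, and `exec /lib/apparmor/apparmor.systemd stop` on the last line avoids leaving an extra shell around while profiles are unloaded. A header comment stating that this intentionally removes confinement from every running process and that confinement cannot be re-applied to those processes afterwards would mirror the warning in apparmor.service for readers who only find the script.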
@@ -0,0 +1,26 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=systemd-journald-audit.socket
+# profile cache
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=/lib/apparmor/apparmor.systemd reload
+ExecReload=/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/parser/apparmor.systemd b/parser/apparmor.systemd
new file mode 100644
index 000000000..55af03764
--- /dev/null
+++ b/parser/apparmor.systemd
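Review bot: `After=var.mount var-lib.mount` only orders the unit after two hard-coded mount units and pulls in neither, so a profile cache kept on any other mount (the /var/cache/apparmor layout the description mentions) can be read before it is mounted; `RequiresMountsFor=/var/lib/apparmor/cache` expresses the actual intent, can list both candidate paths, and works regardless of the partition layout. With `DefaultDependencies=no` and `Before=sysinit.target` this should still be cycle-free, since mount units order themselves before local-fs.target, but confirm on the openSUSE btrfs subvolume layout. The comment block above `ExecStop=/bin/true` explains the no-op well; one more line noting that `systemctl status` reports the unit inactive after a stop even though every profile stays loaded, so health checks should look at aa-status rather than unit state, would close the gap for operators.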
@@ -0,0 +1,100 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
+
+aa_action()
+{
+ echo $1
+ shift
+ "$@"
+ return $?
+}
+
+aa_log_warning_msg()
+{
+ echo "Warning: $@"
+}
+
+aa_log_failure_msg()
+{
+ echo "Error: $@"
+}
+
+aa_log_action_start()
+{
+ echo "$@"
+}
+
+aa_log_action_end()
+{
+ echo -n
+}
+
+aa_log_daemon_msg()
+{
+ echo "$@"
+}
+
+aa_log_skipped_msg()
+{
+ echo "Skipped: $@"
+}
+
+aa_log_end_msg()
+{
+ echo -n
+}
+
+# source apparmor function library
+if [ -f "${APPARMOR_FUNCTIONS}" ]; then
+ . ${APPARMOR_FUNCTIONS}
+else
+ aa_log_failure_msg "Unable to find AppArmor initscript functions"
+ exit 1
+fi
+
+case "$1" in
+ start)
+ apparmor_start
+ rc=$?
+ ;;
+ stop)
+ apparmor_stop
+ rc=$?
+ ;;
+ restart|reload|force-reload)
+ apparmor_restart
+ rc=$?
+ ;;
+ try-restart)
+ apparmor_try_restart
+ rc=$?
+ ;;
+ kill)
+ apparmor_kill
+ rc=$?
+ ;;
+ status)
+ apparmor_status
+ rc=$?
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+exit $rc
From 11ae3f6ecdb250ae47209ec3932b175af48dbe5f Mon Sep 17 00:00:00 2001
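Review bot: The `*)` branch of the `case "$1" in` dispatch exits 1 without a message, so a mistyped action is indistinguishable in the journal from a failed profile operation; `*) echo "Usage: $0 {start|stop|restart|reload|force-reload|try-restart|kill|status}" >&2; exit 1 ;;` keeps it to one line. In `aa_action`, `echo $1` is unquoted and therefore subject to word splitting and glob expansion of the message; `echo "$1"` preserves it as given. The log helpers embed `"$@"` in a string (`echo "Warning: $@"`), which prints correctly in practice but `$*` is the form intended for joining the arguments into a single message. A short header comment describing the script as the systemd-facing front end that sources rc.apparmor.functions and maps the init-style actions onto the `apparmor_*` functions would help readers arriving from the unit file.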
From: Christian Boltz
Date: Sun, 18 Mar 2018 18:14:27 +0100
Subject: [PATCH 2/2] add aa-teardown manpage

---
 parser/Makefile | 2 +-
 parser/aa-teardown.pod | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 parser/aa-teardown.pod
diff --git a/parser/Makefile b/parser/Makefile
index cf76c750e..b18cfe414 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -28,7 +28,7 @@ SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
 CONFDIR=/etc/apparmor
 INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
 LOCALEDIR=/usr/share/locale
-MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
+MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 aa-teardown.8
 
 YACC := /usr/bin/bison
 YFLAGS := -d
diff --git a/parser/aa-teardown.pod b/parser/aa-teardown.pod
new file mode 100644
index 000000000..244171493
--- /dev/null
+++ b/parser/aa-teardown.pod
@@ -0,0 +1,40 @@
+# ----------------------------------------------------------------------
+# Copyright (c) 2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+
+=pod
+
+=head1 NAME
+
+aa-teardown - unload all AppArmor profiles
+
+=head1 SYNOPSIS
+
+B
+
+=head1 DESCRIPTION
+
+aa-teardown unloads all AppArmor profiles
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), and L.
+
+=cut