rc.apparmor.functions: add support for an additional profiles directory, defaulting to /var/lib/snapd/apparmor/profiles.
We need this support so that Debian/Ubuntu can switch to using this shell library instead of their own code.
@@ -68,17 +68,20 @@ fi
|
||||
|
||||
# SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf
|
||||
if [ -d "${APPARMOR_DIR}" ] ; then
|
||||
PROFILE_DIR=${APPARMOR_DIR}
|
||||
PROFILE_DIRS=${APPARMOR_DIR}
|
||||
elif [ -d "${SUBDOMAIN_DIR}" ] ; then
|
||||
PROFILE_DIR=${SUBDOMAIN_DIR}
|
||||
PROFILE_DIRS=${SUBDOMAIN_DIR}
|
||||
elif [ -d /etc/apparmor.d ] ; then
|
||||
PROFILE_DIR=/etc/apparmor.d
|
||||
PROFILE_DIRS=/etc/apparmor.d
|
||||
elif [ -d /etc/subdomain.d ] ; then
|
||||
PROFILE_DIR=/etc/subdomain.d
|
||||
PROFILE_DIRS=/etc/subdomain.d
|
||||
else
|
||||
aa_log_warning_msg "Unable to find profiles directory, installation problem?"
|
||||
fi
|
||||
|
||||
ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles
|
||||
if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
|
||||
PROFILE_DIRS="${PROFILE_DIRS} ${ADDITIONAL_PROFILE_DIR}"
|
||||
fi
|
||||
AA_EV_BIN=/usr/sbin/aa-eventd
|
||||
AA_EV_PIDFILE=/var/run/aa-eventd.pid
|
||||
AA_STATUS=/usr/sbin/aa-status
|
||||
@@ -140,6 +143,59 @@ skip_profile() {
|
||||
return 0
|
||||
}
|
||||
|
||||
__parse_profiles_dir() {
|
||||
local parser_cmd="$1"
|
||||
local profile_dir="$2"
|
||||
local status=0
|
||||
|
||||
if [ ! -d "$profile_dir" ]; then
|
||||
aa_log_failure_msg "Profile directory not found: $profile_dir"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ -z "$(ls $profile_dir/)" ]; then
|
||||
aa_log_failure_msg "No profiles found in $profile_dir"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Note: the parser automatically skips files that match skip_profile()
|
||||
# when we pass it a directory, but not when we pass it an individual
|
||||
# profile. So we need to use skip_profile only in the latter case,
|
||||
# as long as the parser is in sync' with skip_profile().
|
||||
"$PARSER" $PARSER_OPTS $parser_cmd -- "$profile_dir" || {
|
||||
# FIXME: once the parser properly handles broken profiles
|
||||
# (LP: #1377338), remove the following code and the
|
||||
# skip_profile() function. For now, if the parser returns
|
||||
# an error, just run it again separately on each profile.
|
||||
for profile in $profile_dir/*; do
|
||||
skip_profile "${profile}"
|
||||
skip=$?
|
||||
# Ignore skip status == 2 (silent skip)
|
||||
if [ "$skip" -eq 1 ] ; then
|
||||
aa_log_skipped_msg "$profile"
|
||||
logger -t "AppArmor(init)" -p daemon.warn \
|
||||
"Skipping profile $profile"
|
||||
continue
|
||||
elif [ "$skip" -ne 0 ]; then
|
||||
continue
|
||||
fi
|
||||
if [ ! -f "${profile}" ] ; then
|
||||
continue
|
||||
fi
|
||||
echo "$profile"
|
||||
done | \
|
||||
# Use xargs to parallelize calls to the parser over all CPUs
|
||||
xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
|
||||
"$PARSER" $PARSER_OPTS $parser_cmd --
|
||||
if [ $? -ne 0 ]; then
|
||||
status=1
|
||||
aa_log_failure_msg "At least one profile failed to load"
|
||||
fi
|
||||
}
|
||||
|
||||
return $status
|
||||
}
|
||||
|
||||
parse_profiles() {
|
||||
# get parser arg
|
||||
case "$1" in
|
||||
@@ -164,52 +220,10 @@ parse_profiles() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "$PROFILE_DIR" ]; then
|
||||
aa_log_failure_msg "Profile directory not found"
|
||||
aa_log_action_end 1
|
||||
exit 1
|
||||
fi
|
||||
for profile_dir in $PROFILE_DIRS; do
|
||||
__parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
|
||||
done
|
||||
|
||||
if [ -z "$(ls $PROFILE_DIR/)" ]; then
|
||||
aa_log_failure_msg "No profiles found"
|
||||
aa_log_action_end 1
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Note: the parser automatically skips files that match skip_profile()
|
||||
# when we pass it a directory, but not when we pass it an individual
|
||||
# profile. So we need to use skip_profile only in the latter case,
|
||||
# as long as the parser is in sync' with skip_profile().
|
||||
"$PARSER" $PARSER_OPTS $PARSER_CMD -- "$PROFILE_DIR" || {
|
||||
# FIXME: once the parser properly handles broken profiles
|
||||
# (LP: #1377338), remove the following code and the
|
||||
# skip_profile() function. For now, if the parser returns
|
||||
# an error, just run it again separately on each profile.
|
||||
for profile in $PROFILE_DIR/*; do
|
||||
skip_profile "${profile}"
|
||||
skip=$?
|
||||
# Ignore skip status == 2 (silent skip)
|
||||
if [ "$skip" -eq 1 ] ; then
|
||||
aa_log_skipped_msg "$profile"
|
||||
logger -t "AppArmor(init)" -p daemon.warn \
|
||||
"Skipping profile $profile"
|
||||
continue
|
||||
elif [ "$skip" -ne 0 ]; then
|
||||
continue
|
||||
fi
|
||||
if [ ! -f "${profile}" ] ; then
|
||||
continue
|
||||
fi
|
||||
echo "$profile"
|
||||
done | \
|
||||
# Use xargs to parallelize calls to the parser over all CPUs
|
||||
xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
|
||||
"$PARSER" $PARSER_OPTS $PARSER_CMD --
|
||||
if [ $? -ne 0 ]; then
|
||||
STATUS=1
|
||||
aa_log_failure_msg "At least one profile failed to load"
|
||||
fi
|
||||
}
|
||||
if [ $STATUS -eq 2 ]; then
|
||||
STATUS=0
|
||||
fi
|
||||
@@ -224,18 +238,19 @@ profiles_names_list() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "$PROFILE_DIR" ]; then
|
||||
aa_log_failure_msg "- Profile directory not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for profile in $PROFILE_DIR/*; do
|
||||
if skip_profile "${profile}" && [ -f "${profile}" ] ; then
|
||||
LIST_ADD=$($PARSER -N "$profile" )
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "$LIST_ADD"
|
||||
fi
|
||||
for profile_dir in $PROFILE_DIRS; do
|
||||
if [ ! -d "$profile_dir" ]; then
|
||||
aa_log_warning_msg "- Profile directory not found: $profile_dir"
|
||||
fi
|
||||
|
||||
for profile in $profile_dir/*; do
|
||||
if skip_profile "${profile}" && [ -f "${profile}" ] ; then
|
||||
LIST_ADD=$($PARSER -N "$profile" )
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "$LIST_ADD"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
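Review bot: In the `parse_profiles` hunk (`@@ -164,52 +220,10 @@`) the removed `if [ ! -d "$PROFILE_DIR" ]` guard has no replacement, so when the directory probe at the top of the file finds none of the candidate directories and PROFILE_DIRS stays empty, `for profile_dir in $PROFILE_DIRS` runs zero times and parse_profiles reports success where it previously ended with `aa_log_action_end 1; exit 1`. A guard before the loop restores the old failure: `if [ -z "$PROFILE_DIRS" ]; then aa_log_failure_msg "Profile directory not found"; aa_log_action_end 1; exit 1; fi`. The `profiles_names_list` hunk has a related gap: its new not-found branch only logs a warning and then still globs `$profile_dir/*`, so a `continue` after `aa_log_warning_msg` would keep it from iterating a missing directory. PROFILE_DIRS is also split on whitespace here and in `__parse_profiles_dir` (the unquoted `ls $profile_dir/` and `for profile in $profile_dir/*`), so an APPARMOR_DIR set in apparmor.conf with a space in it would break quietly; a comment stating that restriction next to the PROFILE_DIRS assignments would help. Which lines are context versus changed is inferred from the rendered layout, and both functions begin before their hunks.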
|
||||
|
||||
|