rc.apparmor.functions: add support for an additional profiles directory, defaulting to /var/lib/snapd/apparmor/profiles.

We need this support so that Debian/Ubuntu can switch to using this shell
library instead of their own code.

parser/rc.apparmor.functions

@@ -68,17 +68,20 @@ fi
 
 # SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf
 if [ -d "${APPARMOR_DIR}" ] ; then
-	PROFILE_DIR=${APPARMOR_DIR}
+	PROFILE_DIRS=${APPARMOR_DIR}
 elif [ -d "${SUBDOMAIN_DIR}" ] ; then
-	PROFILE_DIR=${SUBDOMAIN_DIR}
+	PROFILE_DIRS=${SUBDOMAIN_DIR}
 elif [ -d /etc/apparmor.d ] ; then
-	PROFILE_DIR=/etc/apparmor.d
+	PROFILE_DIRS=/etc/apparmor.d
 elif [ -d /etc/subdomain.d ] ; then
-	PROFILE_DIR=/etc/subdomain.d
+	PROFILE_DIRS=/etc/subdomain.d
 else
 	aa_log_warning_msg "Unable to find profiles directory, installation problem?"
 fi
-
+ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles
+if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
+	PROFILE_DIRS="${PROFILE_DIRS} ${ADDITIONAL_PROFILE_DIR}"
+fi
 AA_EV_BIN=/usr/sbin/aa-eventd
 AA_EV_PIDFILE=/var/run/aa-eventd.pid
 AA_STATUS=/usr/sbin/aa-status
@@ -140,6 +143,59 @@ skip_profile() {
 	return 0
 }
 
+__parse_profiles_dir() {
+	local parser_cmd="$1"
+	local profile_dir="$2"
+	local status=0
+
+	if [ ! -d "$profile_dir" ]; then
+		aa_log_failure_msg "Profile directory not found: $profile_dir"
+		return 1
+	fi
+
+	if [ -z "$(ls $profile_dir/)" ]; then
+		aa_log_failure_msg "No profiles found in $profile_dir"
+		return 1
+	fi
+
+	# Note: the parser automatically skips files that match skip_profile()
+	# when we pass it a directory, but not when we pass it an individual
+	# profile. So we need to use skip_profile only in the latter case,
+	# as long as the parser is in sync' with skip_profile().
+	"$PARSER" $PARSER_OPTS $parser_cmd -- "$profile_dir" || {
+		# FIXME: once the parser properly handles broken profiles
+		# (LP: #1377338), remove the following code and the
+		# skip_profile() function. For now, if the parser returns
+		# an error, just run it again separately on each profile.
+		for profile in $profile_dir/*; do
+			skip_profile "${profile}"
+			skip=$?
+			# Ignore skip status == 2 (silent skip)
+			if [ "$skip" -eq 1 ] ; then
+				aa_log_skipped_msg "$profile"
+				logger -t "AppArmor(init)" -p daemon.warn \
+					"Skipping profile $profile"
+				continue
+			elif [ "$skip" -ne 0 ]; then
+				continue
+			fi
+			if [ ! -f "${profile}" ] ; then
+				continue
+			fi
+			echo "$profile"
+		done | \
+		# Use xargs to parallelize calls to the parser over all CPUs
+		xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
+			"$PARSER" $PARSER_OPTS $parser_cmd --
+		if [ $? -ne 0 ]; then
+			status=1
+			aa_log_failure_msg "At least one profile failed to load"
+		fi
+	}
+
+	return $status
+}
+
 parse_profiles() {
 	# get parser arg
 	case "$1" in
@@ -164,52 +220,10 @@ parse_profiles() {
 		exit 1
 	fi
 
-	if [ ! -d "$PROFILE_DIR" ]; then
-		aa_log_failure_msg "Profile directory not found"
-		aa_log_action_end 1
-		exit 1
-	fi
+	for profile_dir in $PROFILE_DIRS; do
+		__parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
+	done
 
-	if [ -z "$(ls $PROFILE_DIR/)" ]; then
-		aa_log_failure_msg "No profiles found"
-		aa_log_action_end 1
-		return 1
-	fi
-
-	# Note: the parser automatically skips files that match skip_profile()
-	# when we pass it a directory, but not when we pass it an individual
-	# profile. So we need to use skip_profile only in the latter case,
-	# as long as the parser is in sync' with skip_profile().
-	"$PARSER" $PARSER_OPTS $PARSER_CMD -- "$PROFILE_DIR" || {
-		# FIXME: once the parser properly handles broken profiles
-		# (LP: #1377338), remove the following code and the
-		# skip_profile() function. For now, if the parser returns
-		# an error, just run it again separately on each profile.
-		for profile in $PROFILE_DIR/*; do
-			skip_profile "${profile}"
-			skip=$?
-			# Ignore skip status == 2 (silent skip)
-			if [ "$skip" -eq 1 ] ; then
-				aa_log_skipped_msg "$profile"
-				logger -t "AppArmor(init)" -p daemon.warn \
-					"Skipping profile $profile"
-				continue
-			elif [ "$skip" -ne 0 ]; then
-				continue
-			fi
-			if [ ! -f "${profile}" ] ; then
-				continue
-			fi
-			echo "$profile"
-		done | \
-		# Use xargs to parallelize calls to the parser over all CPUs
-		xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
-			"$PARSER" $PARSER_OPTS $PARSER_CMD --
-		if [ $? -ne 0 ]; then
-			STATUS=1
-			aa_log_failure_msg "At least one profile failed to load"
-		fi
-	}
 	if [ $STATUS -eq 2 ]; then
 		STATUS=0
 	fi
@@ -224,18 +238,19 @@ profiles_names_list() {
 		exit 1
 	fi
 
-	if [ ! -d "$PROFILE_DIR" ]; then
-		aa_log_failure_msg "- Profile directory not found"
-		exit 1
-	fi
-
-	for profile in $PROFILE_DIR/*; do
-	        if skip_profile "${profile}" && [ -f "${profile}" ] ; then
-			LIST_ADD=$($PARSER -N "$profile" )
-			if [ $? -eq 0 ]; then
-				echo "$LIST_ADD"
-			fi
+	for profile_dir in $PROFILE_DIRS; do
+		if [ ! -d "$profile_dir" ]; then
+			aa_log_warning_msg "- Profile directory not found: $profile_dir"
 		fi
+
+		for profile in $profile_dir/*; do
+			if skip_profile "${profile}" && [ -f "${profile}" ] ; then
+				LIST_ADD=$($PARSER -N "$profile" )
+				if [ $? -eq 0 ]; then
+					echo "$LIST_ADD"
+				fi
+			fi
+		done
 	done
 }