mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00
Code Issues Releases Wiki Activity

rc.apparmor.functions: add support for an additional profiles directory, defaulting to /var/lib/snapd/apparmor/profiles.

Browse Source 
We need this support so that Debian/Ubuntu can switch to using this shell
library instead of their own code.
This commit is contained in:
intrigeri
2018-10-30 14:31:39 +00:00
parent 13d9512287
commit f58c96699a
1 changed files with 76 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
parser/rc.apparmor.functions
View File

@@ -68,17 +68,20 @@ fi
# SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf # SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf
if [ -d "${APPARMOR_DIR}" ] ; then if [ -d "${APPARMOR_DIR}" ] ; then
PROFILE_DIR=${APPARMOR_DIR} PROFILE_DIRS=${APPARMOR_DIR}
elif [ -d "${SUBDOMAIN_DIR}" ] ; then elif [ -d "${SUBDOMAIN_DIR}" ] ; then
PROFILE_DIR=${SUBDOMAIN_DIR} PROFILE_DIRS=${SUBDOMAIN_DIR}
elif [ -d /etc/apparmor.d ] ; then elif [ -d /etc/apparmor.d ] ; then
PROFILE_DIR=/etc/apparmor.d PROFILE_DIRS=/etc/apparmor.d
elif [ -d /etc/subdomain.d ] ; then elif [ -d /etc/subdomain.d ] ; then
PROFILE_DIR=/etc/subdomain.d PROFILE_DIRS=/etc/subdomain.d
else else
aa_log_warning_msg "Unable to find profiles directory, installation problem?" aa_log_warning_msg "Unable to find profiles directory, installation problem?"
fi fi
ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles
if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
PROFILE_DIRS="${PROFILE_DIRS} ${ADDITIONAL_PROFILE_DIR}"
fi
AA_EV_BIN=/usr/sbin/aa-eventd AA_EV_BIN=/usr/sbin/aa-eventd
AA_EV_PIDFILE=/var/run/aa-eventd.pid AA_EV_PIDFILE=/var/run/aa-eventd.pid
AA_STATUS=/usr/sbin/aa-status AA_STATUS=/usr/sbin/aa-status
@@ -140,6 +143,59 @@ skip_profile() {
return 0 return 0
} }
__parse_profiles_dir() {
local parser_cmd="$1"
local profile_dir="$2"
local status=0
if [ ! -d "$profile_dir" ]; then
aa_log_failure_msg "Profile directory not found: $profile_dir"
return 1
fi
if [ -z "$(ls $profile_dir/)" ]; then
aa_log_failure_msg "No profiles found in $profile_dir"
return 1
fi
# Note: the parser automatically skips files that match skip_profile()
# when we pass it a directory, but not when we pass it an individual
# profile. So we need to use skip_profile only in the latter case,
# as long as the parser is in sync' with skip_profile().
"$PARSER" $PARSER_OPTS $parser_cmd -- "$profile_dir" || {
# FIXME: once the parser properly handles broken profiles
# (LP: #1377338), remove the following code and the
# skip_profile() function. For now, if the parser returns
# an error, just run it again separately on each profile.
for profile in $profile_dir/*; do
skip_profile "${profile}"
skip=$?
# Ignore skip status == 2 (silent skip)
if [ "$skip" -eq 1 ] ; then
aa_log_skipped_msg "$profile"
logger -t "AppArmor(init)" -p daemon.warn \
"Skipping profile $profile"
continue
elif [ "$skip" -ne 0 ]; then
continue
fi
if [ ! -f "${profile}" ] ; then
continue
fi
echo "$profile"
done | \
# Use xargs to parallelize calls to the parser over all CPUs
xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
"$PARSER" $PARSER_OPTS $parser_cmd --
if [ $? -ne 0 ]; then
status=1
aa_log_failure_msg "At least one profile failed to load"
fi
}
return $status
}
parse_profiles() { parse_profiles() {
# get parser arg # get parser arg
case "$1" in case "$1" in
@@ -164,52 +220,10 @@ parse_profiles() {
exit 1 exit 1
fi fi
if [ ! -d "$PROFILE_DIR" ]; then for profile_dir in $PROFILE_DIRS; do
aa_log_failure_msg "Profile directory not found" __parse_profiles_dir "$PARSER_CMD" "$profile_dir" || STATUS=$?
aa_log_action_end 1 done
exit 1
fi
if [ -z "$(ls $PROFILE_DIR/)" ]; then
aa_log_failure_msg "No profiles found"
aa_log_action_end 1
return 1
fi
# Note: the parser automatically skips files that match skip_profile()
# when we pass it a directory, but not when we pass it an individual
# profile. So we need to use skip_profile only in the latter case,
# as long as the parser is in sync' with skip_profile().
"$PARSER" $PARSER_OPTS $PARSER_CMD -- "$PROFILE_DIR" || {
# FIXME: once the parser properly handles broken profiles
# (LP: #1377338), remove the following code and the
# skip_profile() function. For now, if the parser returns
# an error, just run it again separately on each profile.
for profile in $PROFILE_DIR/*; do
skip_profile "${profile}"
skip=$?
# Ignore skip status == 2 (silent skip)
if [ "$skip" -eq 1 ] ; then
aa_log_skipped_msg "$profile"
logger -t "AppArmor(init)" -p daemon.warn \
"Skipping profile $profile"
continue
elif [ "$skip" -ne 0 ]; then
continue
fi
if [ ! -f "${profile}" ] ; then
continue
fi
echo "$profile"
done | \
# Use xargs to parallelize calls to the parser over all CPUs
xargs -n1 -d"\n" --max-procs=$(getconf _NPROCESSORS_ONLN) \
"$PARSER" $PARSER_OPTS $PARSER_CMD --
if [ $? -ne 0 ]; then
STATUS=1
aa_log_failure_msg "At least one profile failed to load"
fi
}
if [ $STATUS -eq 2 ]; then if [ $STATUS -eq 2 ]; then
STATUS=0 STATUS=0
fi fi
@@ -224,12 +238,12 @@ profiles_names_list() {
exit 1 exit 1
fi fi
if [ ! -d "$PROFILE_DIR" ]; then for profile_dir in $PROFILE_DIRS; do
aa_log_failure_msg "- Profile directory not found" if [ ! -d "$profile_dir" ]; then
exit 1 aa_log_warning_msg "- Profile directory not found: $profile_dir"
fi fi
for profile in $PROFILE_DIR/*; do for profile in $profile_dir/*; do
if skip_profile "${profile}" && [ -f "${profile}" ] ; then if skip_profile "${profile}" && [ -f "${profile}" ] ; then
LIST_ADD=$($PARSER -N "$profile" ) LIST_ADD=$($PARSER -N "$profile" )
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@@ -237,6 +251,7 @@ profiles_names_list() {
fi fi
fi fi
done done
done
} }
failstop_system() { failstop_system() {