parser/rc.apparmor.functions: fix minor issues detected by shellcheck/shellharden
@@ -45,7 +45,7 @@ else
|
|||||||
fi
|
fi
|
||||||
ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles
|
ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles
|
||||||
if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
|
if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
|
||||||
PROFILE_DIRS="${PROFILE_DIRS} ${ADDITIONAL_PROFILE_DIR}"
|
PROFILE_DIRS="$PROFILE_DIRS $ADDITIONAL_PROFILE_DIR"
|
||||||
fi
|
fi
|
||||||
AA_STATUS=/usr/sbin/aa-status
|
AA_STATUS=/usr/sbin/aa-status
|
||||||
SECURITYFS=/sys/kernel/security
|
SECURITYFS=/sys/kernel/security
|
||||||
@@ -79,8 +79,8 @@ is_apparmor_present() {
|
|||||||
# process should continue without any loss of functionality. This is an
|
# process should continue without any loss of functionality. This is an
|
||||||
# unsupported configuration that cannot be properly handled by this function.
|
# unsupported configuration that cannot be properly handled by this function.
|
||||||
is_container_with_internal_policy() {
|
is_container_with_internal_policy() {
|
||||||
local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
|
local ns_stacked_path="$SFS_MOUNTPOINT/.ns_stacked"
|
||||||
local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
|
local ns_name_path="$SFS_MOUNTPOINT/.ns_name"
|
||||||
local ns_stacked
|
local ns_stacked
|
||||||
local ns_name
|
local ns_name
|
||||||
|
|
||||||
@@ -111,25 +111,25 @@ is_container_with_internal_policy() {
|
|||||||
# returns 1 on verbose skip
|
# returns 1 on verbose skip
|
||||||
# returns 2 on silent skip
|
# returns 2 on silent skip
|
||||||
skip_profile() {
|
skip_profile() {
|
||||||
local profile=$1
|
local profile="$1"
|
||||||
if [ "${profile%.rpmnew}" != "${profile}" ] || \
|
if [ "${profile%.rpmnew}" != "$profile" ] || \
|
||||||
[ "${profile%.rpmsave}" != "${profile}" ] || \
|
[ "${profile%.rpmsave}" != "$profile" ] || \
|
||||||
[ "${profile%.orig}" != "${profile}" ] || \
|
[ "${profile%.orig}" != "$profile" ] || \
|
||||||
[ "${profile%.rej}" != "${profile}" ] || \
|
[ "${profile%.rej}" != "$profile" ] || \
|
||||||
[ "${profile%\~}" != "${profile}" ] ; then
|
[ "${profile%\~}" != "$profile" ] ; then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
# Silently ignore the dpkg, pacman, and xbps files
|
# Silently ignore the dpkg, pacman, and xbps files
|
||||||
if [ "${profile%.dpkg-new}" != "${profile}" ] || \
|
if [ "${profile%.dpkg-new}" != "$profile" ] || \
|
||||||
[ "${profile%.dpkg-old}" != "${profile}" ] || \
|
[ "${profile%.dpkg-old}" != "$profile" ] || \
|
||||||
[ "${profile%.dpkg-dist}" != "${profile}" ] || \
|
[ "${profile%.dpkg-dist}" != "$profile" ] || \
|
||||||
[ "${profile%.dpkg-bak}" != "${profile}" ] || \
|
[ "${profile%.dpkg-bak}" != "$profile" ] || \
|
||||||
[ "${profile%.dpkg-remove}" != "${profile}" ] || \
|
[ "${profile%.dpkg-remove}" != "$profile" ] || \
|
||||||
[ "${profile%.pacsave}" != "${profile}" ] || \
|
[ "${profile%.pacsave}" != "$profile" ] || \
|
||||||
[ "${profile%.pacnew}" != "${profile}" ] ; then
|
[ "${profile%.pacnew}" != "$profile" ] ; then
|
||||||
return 2
|
return 2
|
||||||
fi
|
fi
|
||||||
if echo "${profile}" | grep -E -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
|
if echo "$profile" | grep -E -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
|
||||||
return 2
|
return 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -161,7 +161,7 @@ __parse_profiles_dir() {
|
|||||||
# skip_profile() function. For now, if the parser returns
|
# skip_profile() function. For now, if the parser returns
|
||||||
# an error, just run it again separately on each profile.
|
# an error, just run it again separately on each profile.
|
||||||
for profile in "$profile_dir"/*; do
|
for profile in "$profile_dir"/*; do
|
||||||
skip_profile "${profile}"
|
skip_profile "$profile"
|
||||||
skip=$?
|
skip=$?
|
||||||
if [ "$skip" -eq 2 ]; then
|
if [ "$skip" -eq 2 ]; then
|
||||||
# Ignore skip status == 2 (silent skip)
|
# Ignore skip status == 2 (silent skip)
|
||||||
@@ -172,7 +172,7 @@ __parse_profiles_dir() {
|
|||||||
"Skipping profile $profile"
|
"Skipping profile $profile"
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
if [ ! -f "${profile}" ] ; then
|
if [ ! -f "$profile" ] ; then
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
echo "$profile"
|
echo "$profile"
|
||||||
@@ -186,7 +186,7 @@ __parse_profiles_dir() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
return $status
|
return "$status"
|
||||||
}
|
}
|
||||||
|
|
||||||
parse_profiles() {
|
parse_profiles() {
|
||||||
@@ -218,7 +218,7 @@ parse_profiles() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
aa_log_action_end "$STATUS"
|
aa_log_action_end "$STATUS"
|
||||||
return $STATUS
|
return "$STATUS"
|
||||||
}
|
}
|
||||||
|
|
||||||
profiles_names_list() {
|
profiles_names_list() {
|
||||||
@@ -235,8 +235,8 @@ profiles_names_list() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
for profile in "$profile_dir"/*; do
|
for profile in "$profile_dir"/*; do
|
||||||
if skip_profile "${profile}" && [ -f "${profile}" ] ; then
|
if skip_profile "$profile" && [ -f "$profile" ] ; then
|
||||||
LIST_ADD=$($PARSER -N "$profile" )
|
LIST_ADD=$("$PARSER" -N "$profile" )
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
echo "$LIST_ADD"
|
echo "$LIST_ADD"
|
||||||
fi
|
fi
|
||||||
@@ -261,8 +261,8 @@ is_apparmor_loaded() {
|
|||||||
mount_securityfs
|
mount_securityfs
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "${SECURITYFS}/apparmor/profiles" ]; then
|
if [ -f "$SECURITYFS/apparmor/profiles" ]; then
|
||||||
SFS_MOUNTPOINT="${SECURITYFS}/apparmor"
|
SFS_MOUNTPOINT="$SECURITYFS/apparmor"
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -272,14 +272,14 @@ is_apparmor_loaded() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
is_securityfs_mounted() {
|
is_securityfs_mounted() {
|
||||||
test -d ${SECURITYFS} -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
test -d "$SECURITYFS" -a -d /sys/fs/cgroup/systemd || grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
|
||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
mount_securityfs() {
|
mount_securityfs() {
|
||||||
if grep -q securityfs /proc/filesystems ; then
|
if grep -q securityfs /proc/filesystems ; then
|
||||||
aa_action "Mounting securityfs on ${SECURITYFS}" \
|
aa_action "Mounting securityfs on $SECURITYFS" \
|
||||||
mount -t securityfs securityfs "${SECURITYFS}"
|
mount -t securityfs securityfs "$SECURITYFS"
|
||||||
return $?
|
return $?
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
@@ -304,7 +304,7 @@ apparmor_start() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# if there is anything in the profiles file don't load
|
# if there is anything in the profiles file don't load
|
||||||
if ! read line < "$SFS_MOUNTPOINT/profiles"; then
|
if ! read -r line < "$SFS_MOUNTPOINT/profiles"; then
|
||||||
parse_profiles load
|
parse_profiles load
|
||||||
else
|
else
|
||||||
aa_log_skipped_msg ": already loaded with profiles."
|
aa_log_skipped_msg ": already loaded with profiles."
|
||||||
@@ -330,7 +330,7 @@ remove_profiles() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -x "${PARSER}" ] ; then
|
if [ ! -x "$PARSER" ] ; then
|
||||||
aa_log_failure_msg "Unable to execute AppArmor parser"
|
aa_log_failure_msg "Unable to execute AppArmor parser"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@@ -340,14 +340,14 @@ remove_profiles() {
|
|||||||
# the children
|
# the children
|
||||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
|
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
|
||||||
LC_COLLATE=C sort | grep -v // | {
|
LC_COLLATE=C sort | grep -v // | {
|
||||||
while read profile ; do
|
while read -r profile ; do
|
||||||
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
|
printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"
|
||||||
rc=$?
|
rc=$?
|
||||||
if [ ${rc} -ne 0 ] ; then
|
if [ "$rc" -ne 0 ] ; then
|
||||||
retval=${rc}
|
retval=$rc
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
return ${retval}
|
return "$retval"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -355,8 +355,8 @@ apparmor_stop() {
|
|||||||
aa_log_daemon_msg "Unloading AppArmor profiles "
|
aa_log_daemon_msg "Unloading AppArmor profiles "
|
||||||
remove_profiles
|
remove_profiles
|
||||||
rc=$?
|
rc=$?
|
||||||
aa_log_end_msg $rc
|
aa_log_end_msg "$rc"
|
||||||
return $rc
|
return "$rc"
|
||||||
}
|
}
|
||||||
|
|
||||||
apparmor_kill() {
|
apparmor_kill() {
|
||||||
@@ -380,15 +380,15 @@ __apparmor_restart() {
|
|||||||
parse_profiles reload
|
parse_profiles reload
|
||||||
|
|
||||||
rc=$?
|
rc=$?
|
||||||
aa_log_end_msg $rc
|
aa_log_end_msg "$rc"
|
||||||
return $rc
|
return "$rc"
|
||||||
}
|
}
|
||||||
|
|
||||||
apparmor_restart() {
|
apparmor_restart() {
|
||||||
if ! is_apparmor_loaded ; then
|
if ! is_apparmor_loaded ; then
|
||||||
apparmor_start
|
apparmor_start
|
||||||
rc=$?
|
rc=$?
|
||||||
return $rc
|
return "$rc"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
__apparmor_restart
|
__apparmor_restart
|
||||||
@@ -405,8 +405,8 @@ apparmor_try_restart() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
apparmor_status () {
|
apparmor_status () {
|
||||||
if test -x ${AA_STATUS} ; then
|
if test -x "$AA_STATUS" ; then
|
||||||
${AA_STATUS} --verbose
|
"$AA_STATUS" --verbose
|
||||||
return $?
|
return $?
|
||||||
fi
|
fi
|
||||||
if ! is_apparmor_loaded ; then
|
if ! is_apparmor_loaded ; then
|
||||||
@@ -417,7 +417,7 @@ apparmor_status () {
|
|||||||
rc=0
|
rc=0
|
||||||
fi
|
fi
|
||||||
echo "Install the apparmor-utils package to receive more detailed"
|
echo "Install the apparmor-utils package to receive more detailed"
|
||||||
echo "status information here (or examine ${SFS_MOUNTPOINT} directly)."
|
echo "status information here (or examine $SFS_MOUNTPOINT directly)."
|
||||||
|
|
||||||
return $rc
|
return "$rc"
|
||||||
}
|
}
|
||||||
|
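Review bot: In is_securityfs_mounted (hunk @@ -272,14 +272,14 @@) the new line quotes `$SECURITYFS` but keeps `test … -a …` followed by an ungrouped `||` / `&&` chain, which shellcheck still reports as SC2166 and which is easy to misread. In a shell list `||` and `&&` have equal precedence and associate to the left, so the line evaluates as (directory test or /proc/filesystems match) and then /proc/mounts match, not as "directory test, or else both greps". This result presumably decides whether is_apparmor_loaded calls mount_securityfs (its condition is outside the visible hunk), so I would make the grouping explicit without changing it: `{ { [ -d "$SECURITYFS" ] && [ -d /sys/fs/cgroup/systemd ]; } || grep -q securityfs /proc/filesystems; } && grep -q securityfs /proc/mounts`. The trailing `return $?` is then redundant and can be dropped.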