In 73e124d4fba8d5944b2a646c719907d0bf8beefc I've upstreamed the `is_container_with_internal_policy()` function, but so far it was not used anywhere upstream. This is the missing bit. I could trace the history of that patch back to 2012 (2.7.102-0ubuntu3): * debian/apparmor.init: do nothing in a container. This can be removed once stacked profiles are supported and used by lxc. (LP: #978297) Context: I lack both knowledge and motivation to keep maintaining this as part of the Debian delta. I'd rather see upstream, and in particular folks more knowledgeable than me about LXC/LXD, or with external motivation factors to work on this part of the stack, take care of it. Note: Debian has similar code in its [sysvinit script](https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/master/debian/apparmor.init). I'm not touching that one. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/840 Acked-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit 5a41024bbe76664e662c38f78b928266bf3b84ed) Signed-off-by: John Johansen <john.johansen@canonical.com>
#!/bin/sh
# ----------------------------------------------------------------------
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
# Path of the shared AppArmor init helper library that is sourced below.
APPARMOR_FUNCTIONS="/lib/apparmor/rc.apparmor.functions"
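# Print a one-line description, then run the remaining arguments as a
# command.  The function's exit status is the command's exit status.
#   $1  - description printed before the command runs
#   $2+ - command and its arguments
# printf is used rather than echo so a description containing
# backslashes or starting with '-' is printed verbatim under any /bin/sh.
aa_action()
{
	printf '%s\n' "$1"
	shift
	"$@"
}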
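# Print a warning line to stdout, prefixed with "Warning: ".
#   $@ - message words, joined by the first character of IFS (a space
#        by default)
# printf with a fixed format is used instead of echo so that messages
# containing backslashes or a leading '-' are emitted verbatim under any
# /bin/sh implementation.
aa_log_warning_msg()
{
	printf 'Warning: %s\n' "$*"
}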
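# Print an error line to stdout, prefixed with "Error: ".
#   $@ - message words, joined by the first character of IFS (a space
#        by default)
# printf with a fixed format is used instead of echo so that messages
# containing backslashes or a leading '-' are emitted verbatim under any
# /bin/sh implementation.  Output stays on stdout like the sibling
# helpers in this file, so callers capturing it keep working.
aa_log_failure_msg()
{
	printf 'Error: %s\n' "$*"
}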
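# Announce the start of an action by printing all arguments on one line.
#   $@ - message words, joined by the first character of IFS (a space
#        by default)
# printf is used instead of echo so that a message containing
# backslashes or a leading '-' is printed verbatim under any /bin/sh.
aa_log_action_start()
{
	printf '%s\n' "$*"
}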
# Hook called when an action finishes.  This script prints nothing at
# that point; any arguments (e.g. a status code) are ignored and the
# function always succeeds.
aa_log_action_end()
{
	:
}
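# Print a daemon status message built from all arguments on one line.
#   $@ - message words, joined by the first character of IFS (a space
#        by default)
# printf is used instead of echo so that a message containing
# backslashes or a leading '-' is printed verbatim under any /bin/sh.
aa_log_daemon_msg()
{
	printf '%s\n' "$*"
}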
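# Print a "Skipped: " line to stdout built from all arguments.
#   $@ - message words, joined by the first character of IFS (a space
#        by default)
# printf with a fixed format is used instead of echo so that messages
# containing backslashes or a leading '-' are emitted verbatim under any
# /bin/sh implementation.
aa_log_skipped_msg()
{
	printf 'Skipped: %s\n' "$*"
}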
# Hook called with the final status of an action (see the "exit 0" paths
# below, which pass 0).  This script prints nothing here; the argument is
# ignored and the function always returns success.
aa_log_end_msg()
{
	:
}
# Pull in the shared AppArmor init helpers.  The apparmor_* actions and
# is_container_with_internal_policy used below are not defined in this
# file, so presumably they come from this library; without it the script
# cannot do anything useful and bails out immediately.
if [ ! -f "${APPARMOR_FUNCTIONS}" ]; then
	aa_log_failure_msg "Unable to find AppArmor initscript functions"
	exit 1
fi
# shellcheck source=rc.apparmor.functions
. "${APPARMOR_FUNCTIONS}"
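# Return 0 when AppArmor policy must not be (re)loaded from inside this
# container because the host's policy applies: systemd-detect-virt says
# we run in a container and is_container_with_internal_policy (from the
# sourced library) says the container has no policy of its own.
# Returns 1 when systemd-detect-virt is not installed, so the requested
# action proceeds as on a bare host.
aa_skip_in_container()
{
	[ -x /usr/bin/systemd-detect-virt ] || return 1
	# Run the binary that was just tested for, not whatever PATH resolves;
	# the original test and call disagreed on that.
	/usr/bin/systemd-detect-virt --quiet --container || return 1
	if is_container_with_internal_policy; then
		return 1
	fi
	return 0
}

# Dispatch on the requested action.  Every branch either exits directly
# or sets rc, which becomes the script's exit status.
case "$1" in
start)
	if aa_skip_in_container; then
		aa_log_daemon_msg "Not starting AppArmor in container"
		aa_log_end_msg 0
		exit 0
	fi
	apparmor_start
	rc=$?
	;;
stop)
	apparmor_stop
	rc=$?
	;;
restart|reload|force-reload)
	# Same container rule as for start: a reload inside a container
	# without its own policy is skipped, not failed.
	if aa_skip_in_container; then
		aa_log_daemon_msg "Not starting AppArmor in container"
		aa_log_end_msg 0
		exit 0
	fi
	apparmor_restart
	rc=$?
	;;
try-restart)
	apparmor_try_restart
	rc=$?
	;;
kill)
	apparmor_kill
	rc=$?
	;;
status)
	apparmor_status
	rc=$?
	;;
*)
	# Unknown or missing action: say so on stderr, keep exit status 1.
	printf 'Usage: %s {start|stop|restart|reload|force-reload|try-restart|kill|status}\n' "$0" >&2
	exit 1
	;;
esac
exit "$rc"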