From 193236933b0f4ab91b1625b64e2187e2db4e0e8f Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Fri, 5 Apr 2019 15:28:33 -0400 Subject: reset upstream subtrees to HEAD Reset the following subtrees on HEAD: poky: 8217b477a1(master) meta-xilinx: 64aa3d35ae(master) meta-openembedded: 0435c9e193(master) meta-raspberrypi: 490a4441ac(master) meta-security: cb6d1c85ee(master) Squashed patches: meta-phosphor: drop systemd 239 patches meta-phosphor: mrw-api: use correct install path Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d Signed-off-by: Brad Bishop --- meta-security/recipes-mac/AppArmor/files/apparmor | 227 ++++++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 meta-security/recipes-mac/AppArmor/files/apparmor (limited to 'meta-security/recipes-mac/AppArmor/files/apparmor')
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
new file mode 100644
index 000000000..ac3ab9a4a
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/apparmor
@@ -0,0 +1,227 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+# NOVELL (All rights reserved)
+# Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+# Steve Beattie
+# Kees Cook
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: $local_fs
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+
+log_daemon_msg() {
+ echo $*
+}
+
+log_end_msg () {
+ retval=$1
+ if [ $retval -eq 0 ]; then
+ echo "."
+ else
+ echo " failed!"
+ fi
+ return $retval
+}
+
+. /lib/apparmor/functions
+. /lib/lsb/init-functions
+
+usage() {
+ echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+
+securityfs() {
+ # Need securityfs for any mode
+ if [ ! -d "${AA_SFS}" ]; then
+ if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+ log_daemon_msg "AppArmor not available as kernel LSM."
+ log_end_msg 1
+ exit 1
+ else
+ log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
+ if ! mount -t securityfs none "${SECURITYFS}"; then
+ log_end_msg 1
+ exit 1
+ fi
+ fi
+ fi
+ if [ ! -w "$AA_SFS"/.load ]; then
+ log_daemon_msg "Insufficient privileges to change profiles."
+ log_end_msg 1
+ exit 1
+ fi
+}
+
+handle_system_policy_package_updates() {
+ apparmor_was_updated=0
+
+ if ! compare_previous_version ; then
+ # On snappy flavors, if the current and previous versions are
+ # different then clear the system cache. snappy will handle
+ # "$PROFILES_CACHE_VAR" itself (on Touch flavors
+ # compare_previous_version always returns '0' since snappy
+ # isn't available).
+ clear_cache_system
+ apparmor_was_updated=1
+ elif ! compare_and_save_debsums apparmor ; then
+ # If the system policy has been updated since the last time we
+ # ran, clear the cache to prevent potentially stale binary
+ # cache files after an Ubuntu image based upgrade (LP:
+ # #1350673). This can be removed once all system image flavors
+ # move to snappy (on snappy systems compare_and_save_debsums
+ # always returns '0' since /var/lib/dpkg doesn't exist).
+ clear_cache
+ apparmor_was_updated=1
+ fi
+
+ if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+ # If packages for system policy that affect click packages have
+ # been updated since the last time we ran, run aa-clickhook -f
+ force_clickhook=0
+ force_profile_hook=0
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+ force_clickhook=1
+ fi
+ if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+ force_clickhook=1
+ fi
+ if ! 
compare_and_save_debsums click-apparmor ; then
+ force_clickhook=1
+ force_profile_hook=1
+ fi
+ if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-clickhook -f
+ fi
+ if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+ aa-profile-hook -f
+ fi
+ fi
+}
+
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+ log_daemon_msg "Recaching AppArmor profiles"
+ recache_profiles
+ rc=$?
+ log_end_msg "$rc"
+ exit $rc
+fi
+
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+
+rc=255
+case "$1" in
+ start)
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
+ ! is_container_with_internal_policy; then
+ log_daemon_msg "Not starting AppArmor in container"
+ log_end_msg 0
+ exit 0
+ fi
+ log_daemon_msg "Starting AppArmor profiles"
+ securityfs
+ # That is only useful for click, snappy and system images,
+ # i.e. not in Debian. And it reads and writes to /var, that
+ # can be remote-mounted, so it would prevent us from using
+ # Before=sysinit.target without possibly introducing dependency
+ # loops.
+ handle_system_policy_package_updates
+ load_configured_profiles
+ rc=$?
+ log_end_msg "$rc"
+ ;;
+ stop)
+ log_daemon_msg "Clearing AppArmor profiles cache"
+ clear_cache
+ rc=$?
+ log_end_msg "$rc"
+ cat >&2 <