This patch implements native systemd support for AppArmor. It was implemented and tested on openSUSE 42.1. I think we can keep rc.apparmor.suse for a bit more time until we decide to fully retire it.
Changes since v1: + Changed installation directory of scripts to /usr/share/apparmor/scripts + Changed apparmor.service to start after local-fs.target + Added documentation tag to service file + Added install-systemd + Changed apparmor_reload.sh to reload files as opposed to stop and start service Signed-off-by: Goldwyn Rodrigues <[email protected]>
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -313,12 +313,17 @@
 	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
 .PHONY: install-suse
-install-suse:
-	install -m 755 -d $(DESTDIR)/etc/init.d
-	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
-	install -m 755 -d $(DESTDIR)/sbin
-	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
-	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+install-suse: install-systemd
+
+.PHONY: install-systemd
+install-systemd:
+	install -m 755 -d $(DESTDIR)/usr/lib/systemd/system
+	install -m 0444 apparmor.service $(DESTDIR)/usr/lib/systemd/system
+	install -m 755 -d $(DESTDIR)/usr/share/apparmor/scripts
+	install -m 0755 apparmor_start.sh $(DESTDIR)/usr/share/apparmor/scripts
+	install -m 0755 apparmor_stop.sh $(DESTDIR)/usr/share/apparmor/scripts
+	install -m 0755 apparmor_reload.sh $(DESTDIR)/usr/share/apparmor/scripts
+
 .PHONY: install-slackware
 install-slackware:
--- /dev/null
+++ b/parser/apparmor.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=local-fs.target
+ConditionSecurity=apparmor
+Documentation=man:apparmor(7)
+Documentation=http://wiki.apparmor.net
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/apparmor/scripts/apparmor_start.sh
+ExecReload=/usr/share/apparmor/scripts/apparmor_reload.sh
+ExecStop=/usr/share/apparmor/scripts/apparmor_stop.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+++ b/parser/apparmor_reload.sh
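Review bot: `WantedBy=multi-user.target` in the [Install] section does not match the `Before=sysinit.target` ordering declared above it: the unit is only pulled into boots that reach multi-user.target, so as far as the unit alone shows, a boot into rescue.target (which requires sysinit.target but not multi-user.target) comes up with no profiles loaded and every confined service started there runs unconfined. Using the same target for install and ordering, `WantedBy=sysinit.target`, keeps profile loading a prerequisite of every boot mode that runs sysinit. A short comment in the [Unit] section stating why `DefaultDependencies=no` is needed here (the unit must run before sysinit.target, which default dependencies would order it after) would also save the next reader from re-deriving it.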
@@ -0,0 +1,67 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+PROFILE_DIR=/etc/apparmor.d
+
+force_complain() {
+	local profile=$1
+
+	# if profile not in complain mode
+	if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
+		local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
+		if [ -e "$link" ] ; then
+			aa_log_warning_msg "found $link, forcing complain mode"
+			return 0
+		fi
+	fi
+
+	return 1
+}
+
+skip_profile() {
+	local profile=$1
+	if [ "${profile%.rpmnew}" != "${profile}" -o \
+	     "${profile%.rpmsave}" != "${profile}" -o \
+	     -e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \
+	     "${profile%\~}" != "${profile}" ] ; then
+		return 1
+	fi
+	# Silently ignore the dpkg files
+	if [ "${profile%.dpkg-new}" != "${profile}" -o \
+	     "${profile%.dpkg-old}" != "${profile}" -o \
+	     "${profile%.dpkg-dist}" != "${profile}" -o \
+	     "${profile%.dpkg-bak}" != "${profile}" ] ; then
+		return 2
+	fi
+
+	return 0
+}
+
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.load" ] ; then
+	exit 1
+fi
+
+retval=0
+for profile in $PROFILE_DIR/*; do
+	skip_profile "${profile}"
+	skip=$?
+	if [ "$skip" -ne 0 ]; then
+		continue
+	fi
+
+	if [ -f "${profile}" ]; then
+		COMPLAINE=""
+		if force_complain "${profile}" ; then
+			COMPLAIN="-C"
+		fi
+
+		/sbin/apparmor_parser -I${PROFILE_DIR} --replace $COMPLAIN "$profile"
+		RET=$?
+		if [ $RET -ne 0 ]; then
+			retval=$RET
+		fi
+	fi
+done
+exit $retval
+
--- /dev/null
+++ b/parser/apparmor_start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/sbin/apparmor_parser -r /etc/apparmor.d
+
+
--- /dev/null
+++ b/parser/apparmor_stop.sh
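Review bot: `COMPLAINE=""` inside the `for profile` loop is a typo for `COMPLAIN=""`, so the variable actually passed to apparmor_parser is never cleared: once `force_complain` succeeds for one profile, every profile that sorts after it in `/etc/apparmor.d` is reloaded with `-C` and silently ends up in complain mode instead of enforce. The line should read `COMPLAIN=""`. Separately, `aa_log_warning_msg` is called from `force_complain` but is neither defined nor sourced in this script, so the warning degrades to a "command not found" on stderr; either source the helper that defines it or write the message directly with `printf '%s\n' "found $link, forcing complain mode" >&2`. The `$profile` argument to `egrep` on the line above should also be quoted, like every other use of it in the file.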
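Review bot: `apparmor_parser -r /etc/apparmor.d` loads every profile in the directory and, as far as I know, consults neither the `disable/` nor the `force-complain/` link directories that apparmor_reload.sh honours through `skip_profile` and `force_complain`, so at boot a profile the administrator disabled is loaded in enforce mode, and a later `systemctl reload` only skips it rather than unloading it, leaving start and reload with different security semantics. Because `--replace` also loads profiles that are not yet in the kernel, the simplest way to keep the two paths consistent is to have this script delegate, `exec /usr/share/apparmor/scripts/apparmor_reload.sh`, or to point `ExecStart` in apparmor.service at the reload script directly. If the bare `-r` form is intentional, a comment stating that disable/force-complain links are deliberately ignored at boot would make that visible to packagers.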
@@ -0,0 +1,20 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.remove" ] ; then
+	exit 1
+fi
+
+PROFILES=`sed -e "s/ (\(enforce\|complain\))$//" $APPARMOR_MOUNTPOINT/profiles`
+
+retval=0
+for profile in $PROFILES; do
+	echo -n "$profile" > $APPARMOR_MOUNTPOINT/.remove
+	rc=$?
+	if [ ${rc} -ne 0 ]; then
+		retval=${rc}
+	fi
+done
+exit $retval
+
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
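Review bot: `for profile in $PROFILES` word-splits the unquoted backtick output, so a profile name containing whitespace is split into fragments and the writes to `.remove` either fail or name the wrong profile, and the `sed` expression only strips the `(enforce)`/`(complain)` suffix, so a profile listed in any other mode keeps its ` (mode)` tail and is never unloaded (the script exits non-zero, but the profile stays active). Reading the `profiles` file line by line and stripping the trailing ` (…)` with a parameter expansion handles both cases, `printf` sidesteps the `echo -n` portability caveat, and the redirect target gets its missing quotes; the block below replaces the `PROFILES=` assignment and the loop.
```shell
retval=0
while IFS= read -r line || [ -n "$line" ]; do
	profile=${line% (*}   # drop the trailing " (mode)" whatever the mode is
	[ -n "$profile" ] || continue
	printf '%s' "$profile" > "$APPARMOR_MOUNTPOINT/.remove" || retval=$?
done < "$APPARMOR_MOUNTPOINT/profiles"
exit $retval
```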
