
ArchLinux AppArmor rc.d script

  1. #!/bin/sh
  2. # ----------------------------------------------------------------------
  3. #    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
  4. #     NOVELL (All rights reserved)
  5. #    Copyright (c) 2008, 2009 Canonical, Ltd.
  6. #
  7. #    This program is free software; you can redistribute it and/or
  8. #    modify it under the terms of version 2 of the GNU General Public
  9. #    License published by the Free Software Foundation.
  10. #
  11. #    This program is distributed in the hope that it will be useful,
  12. #    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14. #    GNU General Public License for more details.
  15. #
  16. #    You should have received a copy of the GNU General Public License
  17. #    along with this program; if not, contact Novell, Inc.
  18. # ----------------------------------------------------------------------
  19. # Authors:
  20. #  Steve Beattie <steve.beattie@canonical.com>
  21. #  Kees Cook <kees@ubuntu.com>
  22. #
  23. # /etc/init.d/apparmor
  24. #
  25. ### BEGIN INIT INFO
  26. # Provides: apparmor
  27. # Required-Start: mountall
  28. # Required-Stop: umountfs
  29. # Default-Start: S
  30. # Default-Stop:
  31. # Short-Description: AppArmor initialization
  32. # Description: AppArmor init script. This script loads all AppArmor profiles.
  33. ### END INIT INFO
  34.  
  35. . /etc/rc.conf
  36. . /etc/rc.d/functions
  37. . /lib/apparmor/rc.apparmor.functions
  38.  
# Print the accepted actions on stdout; called from the dispatcher's
# default branch.
# NOTE(review): the 'teardown' action handled further down is not listed
# here — confirm whether that omission is deliberate.
usage() {
        printf '%s\n' "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
}
  42.  
  43. test -x ${PARSER} || exit 0 # by debian policy
  44. # LSM is built-in, so it is either there or not enabled for this boot
  45. test -d /sys/module/apparmor || exit 0
  46.  
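#######################################
# Make sure securityfs is mounted and AppArmor's policy interface is writable.
# Globals:   AA_SFS (read) - AppArmor directory below securityfs
#            SECURITYFS (read) - securityfs mountpoint
# Outputs:   progress and error messages through the log_* helpers
# Exits:     1 when AppArmor is not available as the kernel LSM, securityfs
#            cannot be mounted, or the .load node is not writable
#######################################
securityfs() {
        # Need securityfs for any mode
        if [ ! -d "${AA_SFS}" ]; then
                # Look for the "<mountpoint> securityfs" column pair as a literal
                # whole line (-F -x): the mountpoint is a path, so it must not be
                # interpreted as a regular expression.
                if cut -d" " -f2,3 /proc/mounts | grep -qxF -- "${SECURITYFS} securityfs"; then
                        # securityfs is already mounted but carries no apparmor
                        # directory: the LSM is not active in this kernel.
                        log_action_msg "AppArmor not available as kernel LSM."
                        log_end_msg 1
                        exit 1
                else
                        log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
                        if ! mount -t securityfs none "${SECURITYFS}"; then
                                log_action_end_msg 1
                                log_end_msg 1
                                exit 1
                        fi
                fi
        fi
        # Loading or unloading policy goes through the .load node; without
        # write access to it none of the actions below can change profiles.
        if [ ! -w "${AA_SFS}"/.load ]; then
                log_action_msg "Insufficient privileges to change profiles."
                log_end_msg 1
                exit 1
        fi
}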
  69.  
# Allow "recache" even when running on the liveCD: it is handled before the
# liveCD guard and ends the script with recache_profiles' status.
case "$1" in
        recache)
                log_daemon_msg "Recaching AppArmor profiles"
                recache_profiles
                rc=$?
                log_end_msg "$rc"
                exit "$rc"
                ;;
esac
  78.  
  79. # do not perform start/stop/reload actions when running from liveCD
  80. test -d /rofs/etc/apparmor.d && exit 0
  81.  
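# Dispatch on the requested action.  Every branch sets rc, which becomes the
# script's exit status; the initial 255 should never be observed.
rc=255
case "$1" in
        start)
                log_daemon_msg "Starting AppArmor profiles"
                securityfs
                load_configured_profiles
                rc=$?
                log_end_msg "$rc"
                ;;
        stop)
                # "stop" only drops the compiled-profile cache; profiles stay
                # loaded so already running processes keep their confinement
                # (see the message below and the 'teardown' action).
                log_daemon_msg "Clearing AppArmor profiles cache"
                clear_cache
                rc=$?
                log_end_msg "$rc"
                cat >&2 <<EOM
All profile caches have been cleared, but no profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.

To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run the init script
with the 'teardown' option."
EOM
                ;;
        teardown)
                log_daemon_msg "Unloading AppArmor profiles"
                securityfs
                # The while loop is the right-hand side of a pipe and therefore
                # runs in a subshell: an 'exit 1' inside it only ends that
                # subshell.  Test the pipeline's status instead of assuming
                # success afterwards, otherwise a failed unload was reported
                # as rc=0 while the profile stayed loaded.
                if running_profile_names | while read -r profile; do
                        unload_profile "$profile" || exit 1
                done; then
                        rc=0
                else
                        rc=1
                fi
                log_end_msg "$rc"
                ;;
        restart|reload|force-reload)
                log_daemon_msg "Reloading AppArmor profiles"
                securityfs
                clear_cache
                load_configured_profiles
                rc=$?

                # Now, we have to find profiles that were removed.  Currently
                # we must re-parse all the profiles to get policy names.  :(
                aa_configured=$(mktemp -t aa-XXXXXX) || exit 1
                aa_loaded=$(mktemp -t aa-XXXXXX) || { rm -f "$aa_configured"; exit 1; }
                # Remove the temp files on the early-exit path too, instead of
                # leaking them in the temp directory.
                if ! configured_profile_names > "$aa_configured" ||
                   ! running_profile_names > "$aa_loaded"; then
                        rm -f "$aa_configured" "$aa_loaded"
                        log_end_msg 1
                        exit 1
                fi
                # comm -2 -3 keeps only lines present in the loaded list but
                # not in the configured one: profiles that are no longer
                # configured and must be unloaded.
                comm -2 -3 "$aa_loaded" "$aa_configured" | while read -r profile; do
                        unload_profile "$profile"
                done
                rm -f "$aa_configured" "$aa_loaded"

                log_end_msg "$rc"
                ;;
        status)
                securityfs
                if [ -x /usr/bin/aa-status ]; then
                        /usr/bin/aa-status --verbose
                else
                        cat "${AA_SFS}"/profiles
                fi
                rc=$?
                ;;
        *)
                usage
                rc=1
                ;;
esac
exit "$rc"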