ArchLinux AppArmor rc.d script

1. #!/bin/sh
2. # ----------------------------------------------------------------------
3. #    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
4. #     NOVELL (All rights reserved)
5. #    Copyright (c) 2008, 2009 Canonical, Ltd.
6. #
7. #    This program is free software; you can redistribute it and/or
8. #    modify it under the terms of version 2 of the GNU General Public
9. #    License published by the Free Software Foundation.
10. #
11. #    This program is distributed in the hope that it will be useful,
12. #    but WITHOUT ANY WARRANTY; without even the implied warranty of
13. #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14. #    GNU General Public License for more details.
15. #
16. #    You should have received a copy of the GNU General Public License
17. #    along with this program; if not, contact Novell, Inc.
18. # ----------------------------------------------------------------------
19. # Authors:
20. #  Steve Beattie <steve.beattie@canonical.com>
21. #  Kees Cook <kees@ubuntu.com>
22. #
23. # /etc/init.d/apparmor
24. #
25. ### BEGIN INIT INFO
26. # Provides: apparmor
27. # Required-Start: mountall
28. # Required-Stop: umountfs
29. # Default-Start: S
30. # Default-Stop:
31. # Short-Description: AppArmor initialization
32. # Description: AppArmor init script. This script loads all AppArmor profiles.
33. ### END INIT INFO
34.  
35. . /etc/rc.conf
36. . /etc/rc.d/functions
37. . /lib/apparmor/rc.apparmor.functions
38.  
39. usage() {
40.     echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
41. }
42.  
43. test -x ${PARSER} || exit 0 # by debian policy
44. # LSM is built-in, so it is either there or not enabled for this boot
45. test -d /sys/module/apparmor || exit 0
46.  
47. securityfs() {
48.     # Need securityfs for any mode
49.     if [ ! -d "${AA_SFS}" ]; then
50.         if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
51.             log_action_msg "AppArmor not available as kernel LSM."
52.             log_end_msg 1
53.             exit 1
54.         else
55.             log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
56.             if ! mount -t securityfs none "${SECURITYFS}"; then
57.                 log_action_end_msg 1
58.                 log_end_msg 1
59.                 exit 1
60.             fi
61.         fi
62.     fi
63.     if [ ! -w "$AA_SFS"/.load ]; then
64.         log_action_msg "Insufficient privileges to change profiles."
65.         log_end_msg 1
66.         exit 1
67.     fi
68. }
69.  
70. # Allow "recache" even when running on the liveCD
71. if [ "$1" = "recache" ]; then
72.     log_daemon_msg "Recaching AppArmor profiles"
73.     recache_profiles
74.     rc=$?
75.     log_end_msg "$rc"
76.     exit $rc
77. fi
78.  
79. # do not perform start/stop/reload actions when running from liveCD
80. test -d /rofs/etc/apparmor.d && exit 0
81.  
82. rc=255
83. case "$1" in
84.     start)
85.         log_daemon_msg "Starting AppArmor profiles"
86.         securityfs
87.         load_configured_profiles
88.         rc=$?
89.         log_end_msg "$rc"
90.         ;;
91.     stop)
92.         log_daemon_msg "Clearing AppArmor profiles cache"
93.         clear_cache
94.         rc=$?
95.         log_end_msg "$rc"
96.         cat >&2 <<EOM
97. All profile caches have been cleared, but no profiles have been unloaded.
98. Unloading profiles will leave already running processes permanently
99. unconfined, which can lead to unexpected situations.
100.  
101. To set a process to complain mode, use the command line tool
102. 'aa-complain'. To really tear down all profiles, run the init script
103. with the 'teardown' option."
104. EOM
105.         ;;
106.     teardown)
107.         log_daemon_msg "Unloading AppArmor profiles"
108.         securityfs
109.         running_profile_names | while read profile; do
110.             if ! unload_profile "$profile" ; then
111.                 log_end_msg 1
112.                 exit 1
113.             fi
114.         done
115.         rc=0
116.         log_end_msg $rc
117.         ;;
118.     restart|reload|force-reload)
119.         log_daemon_msg "Reloading AppArmor profiles"
120.         securityfs
121.         clear_cache
122.         load_configured_profiles
123.         rc=$?
124.  
125.         # Now, we have to find profiles that were removed.  Currently
126.         # we must re-parse all the profiles to get policy names.  :(
127.         aa_configured=$(mktemp -t aa-XXXXXX)
128.         configured_profile_names > "$aa_configured" || exit 1
129.         aa_loaded=$(mktemp -t aa-XXXXXX)
130.         running_profile_names > "$aa_loaded" || exit 1
131.         comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
132.             unload_profile "$profile"
133.             done
134.         rm -f "$aa_configured" "$aa_loaded"
135.  
136.         log_end_msg "$rc"
137.         ;;
138.     status)
139.         securityfs
140.         if [ -x /usr/bin/aa-status ]; then
141.             /usr/bin/aa-status --verbose
142.         else
143.             cat "$AA_SFS"/profiles
144.         fi
145.         rc=$?
146.         ;;
147.     *)
148.         usage
149.         rc=1
150.         ;;
151.     esac
152. exit $rc