diff options
Diffstat (limited to 'recipes-mac/AppArmor/files')
| -rw-r--r-- | recipes-mac/AppArmor/files/apparmor | 227 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/apparmor.rc | 98 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/apparmor.service | 22 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch | 25 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/disable_pdf.patch | 33 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/disable_perl_h_check.patch | 19 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/functions | 271 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/run-ptest | 4 | ||||
| -rw-r--r-- | recipes-mac/AppArmor/files/tool-paths.patch | 37 |
9 files changed, 736 insertions, 0 deletions
diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor new file mode 100644 index 0000000..ac3ab9a --- /dev/null +++ b/recipes-mac/AppArmor/files/apparmor @@ -0,0 +1,227 @@ +#!/bin/sh +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# Copyright (c) 2008, 2009 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# Authors: +# Steve Beattie <steve.beattie@canonical.com> +# Kees Cook <kees@ubuntu.com> +# +# /etc/init.d/apparmor +# +### BEGIN INIT INFO +# Provides: apparmor +# Required-Start: $local_fs +# Required-Stop: umountfs +# Default-Start: S +# Default-Stop: +# Short-Description: AppArmor initialization +# Description: AppArmor init script. This script loads all AppArmor profiles. +### END INIT INFO + +log_daemon_msg() { + echo $* +} + +log_end_msg () { + retval=$1 + if [ $retval -eq 0 ]; then + echo "." + else + echo " failed!" + fi + return $retval +} + +. /lib/apparmor/functions +. /lib/lsb/init-functions + +usage() { + echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" +} + +test -x ${PARSER} || exit 0 # by debian policy +# LSM is built-in, so it is either there or not enabled for this boot +test -d /sys/module/apparmor || exit 0 + +securityfs() { + # Need securityfs for any mode + if [ ! -d "${AA_SFS}" ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then + log_daemon_msg "AppArmor not available as kernel LSM." + log_end_msg 1 + exit 1 + else + log_daemon_msg "Mounting securityfs on ${SECURITYFS}" + if ! mount -t securityfs none "${SECURITYFS}"; then + log_end_msg 1 + exit 1 + fi + fi + fi + if [ ! -w "$AA_SFS"/.load ]; then + log_daemon_msg "Insufficient privileges to change profiles." + log_end_msg 1 + exit 1 + fi +} + +handle_system_policy_package_updates() { + apparmor_was_updated=0 + + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi +} + +# Allow "recache" even when running on the liveCD +if [ "$1" = "recache" ]; then + log_daemon_msg "Recaching AppArmor profiles" + recache_profiles + rc=$? + log_end_msg "$rc" + exit $rc +fi + +# do not perform start/stop/reload actions when running from liveCD +test -d /rofs/etc/apparmor.d && exit 0 + +rc=255 +case "$1" in + start) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not starting AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Starting AppArmor profiles" + securityfs + # That is only useful for click, snappy and system images, + # i.e. not in Debian. And it reads and writes to /var, that + # can be remote-mounted, so it would prevent us from using + # Before=sysinit.target without possibly introducing dependency + # loops. + handle_system_policy_package_updates + load_configured_profiles + rc=$? + log_end_msg "$rc" + ;; + stop) + log_daemon_msg "Clearing AppArmor profiles cache" + clear_cache + rc=$? + log_end_msg "$rc" + cat >&2 <<EOM +All profile caches have been cleared, but no profiles have been unloaded. +Unloading profiles will leave already running processes permanently +unconfined, which can lead to unexpected situations. + +To set a process to complain mode, use the command line tool +'aa-complain'. To really tear down all profiles, run the init script +with the 'teardown' option." +EOM + ;; + teardown) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not tearing down AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Unloading AppArmor profiles" + securityfs + running_profile_names | while read profile; do + if ! unload_profile "$profile" ; then + log_end_msg 1 + exit 1 + fi + done + rc=0 + log_end_msg $rc + ;; + restart|reload|force-reload) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not reloading AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Reloading AppArmor profiles" + securityfs + clear_cache + load_configured_profiles + rc=$? + unload_obsolete_profiles + + log_end_msg "$rc" + ;; + status) + securityfs + if [ -x /usr/sbin/aa-status ]; then + aa-status --verbose + else + cat "$AA_SFS"/profiles + fi + rc=$? + ;; + *) + usage + rc=1 + ;; + esac +exit $rc diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc new file mode 100644 index 0000000..1507d7b --- /dev/null +++ b/recipes-mac/AppArmor/files/apparmor.rc @@ -0,0 +1,98 @@ +description "Pre-cache and pre-load apparmor profiles" +author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>" + +task + +start on starting rc-sysinit + +script + [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD + [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor + [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser + + . /lib/apparmor/functions + + systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true + + # Need securityfs for any mode + if [ ! -d /sys/kernel/security/apparmor ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then + exit 0 + else + mount -t securityfs none /sys/kernel/security || exit 0 + fi + fi + + [ -w /sys/kernel/security/apparmor/.load ] || exit 0 + + apparmor_was_updated=0 + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi + + if [ "$ACTION" = "teardown" ]; then + running_profile_names | while read profile; do + unload_profile "$profile" + done + exit 0 + fi + + if [ "$ACTION" = "clear" ]; then + clear_cache + exit 0 + fi + + if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then + clear_cache + load_configured_profiles + unload_obsolete_profiles + exit 0 + fi + + # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, + # aa-clickhook will have already compiled the policy, generated the cache + # files and loaded them into the kernel by this point, so reloading click + # policy from cache, while fairly fast (<2 seconds for 250 profiles on + # armhf), is redundant. Fixing this would complicate the logic quite a bit + # and it wouldn't improve the (by far) common case (ie, when + # 'aa-clickhook -f' is not run). + load_configured_profiles +end script diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service new file mode 100644 index 0000000..e66afe4 --- /dev/null +++ b/recipes-mac/AppArmor/files/apparmor.service @@ -0,0 +1,22 @@ +[Unit] +Description=AppArmor initialization +After=local-fs.target +Before=sysinit.target +AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load +ConditionSecurity=apparmor +DefaultDependencies=no +Documentation=man:apparmor(7) +Documentation=http://wiki.apparmor.net/ + +# Don't start this unit on the Ubuntu Live CD +ConditionPathExists=!/rofs/etc/apparmor.d + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/etc/init.d/apparmor start +ExecStop=/etc/init.d/apparmor stop +ExecReload=/etc/init.d/apparmor reload + +[Install] +WantedBy=sysinit.target diff --git a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch new file mode 100644 index 0000000..ef55de7 --- /dev/null +++ b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch @@ -0,0 +1,25 @@ +Upstream-Status: Inappropriate [configuration] + +As we're cross-compiling here we need to override CC/LD that MakeMaker has +stuck in the generated Makefile with our cross tools. In this case, linking is +done via the compiler rather than the linker directly so pass in CC not LD +here. + +Signed-Off-By: Tom Rini <trini@konsulko.com> + +--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400 ++++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400 +@@ -16,11 +16,11 @@ + + LibAppArmor.so: libapparmor_wrap.c Makefile.perl + if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi +- $(MAKE) -fMakefile.perl ++ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)' + if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi + + install-exec-local: Makefile.perl +- $(MAKE) -fMakefile.perl install_vendor ++ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)' + + # sadly there is no make uninstall for perl + #uninstall-local: Makefile.perl diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch new file mode 100644 index 0000000..c6b4bdd --- /dev/null +++ b/recipes-mac/AppArmor/files/disable_pdf.patch @@ -0,0 +1,33 @@ +Index: apparmor-2.10.95/parser/Makefile +=================================================================== +--- apparmor-2.10.95.orig/parser/Makefile ++++ apparmor-2.10.95/parser/Makefile +@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT + po/${NAME}.pot: ${SRCS} ${HDRS} + $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" + +-techdoc.pdf: techdoc.tex +- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ +- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ +- grep -q "Label(s) may have changed" techdoc.log; \ +- do :; done +- +-techdoc/index.html: techdoc.pdf +- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} +- +-techdoc.txt: techdoc/index.html +- w3m -dump $< > $@ + + # targets arranged this way so that people who don't want full docs can + # pick specific targets they want. +@@ -159,9 +148,7 @@ manpages: $(MANPAGES) + + htmlmanpages: $(HTMLMANPAGES) + +-pdf: techdoc.pdf +- +-docs: manpages htmlmanpages pdf ++docs: manpages htmlmanpages + + indep: docs + $(Q)$(MAKE) -C po all diff --git a/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/recipes-mac/AppArmor/files/disable_perl_h_check.patch new file mode 100644 index 0000000..cf2640f --- /dev/null +++ b/recipes-mac/AppArmor/files/disable_perl_h_check.patch @@ -0,0 +1,19 @@ +Upstream-Status: Inappropriate [configuration] + +Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on +cross compilation. Rather than try and get a compile check to work here, +we know that we have what's required via our metadata so remove only this +check. + +Signed-Off-By: Tom Rini <trini@konsulko.com> + +--- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400 ++++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400 +@@ -58,7 +58,6 @@ + AC_PATH_PROG(PERL, perl) + test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings]) + perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE" +- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no) + fi + + diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions new file mode 100644 index 0000000..cef8cfe --- /dev/null +++ b/recipes-mac/AppArmor/files/functions @@ -0,0 +1,271 @@ +# /lib/apparmor/functions for Debian -*- shell-script -*- +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# Copyright (c) 2008-2010 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# Authors: +# Kees Cook <kees@ubuntu.com> + +PROFILES="/etc/apparmor.d" +PROFILES_CACHE="$PROFILES/cache" +PROFILES_VAR="/var/lib/apparmor/profiles" +PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" +PROFILES_CACHE_VAR="/var/cache/apparmor" +PARSER="/sbin/apparmor_parser" +SECURITYFS="/sys/kernel/security" +export AA_SFS="$SECURITYFS/apparmor" + +# Suppress warnings when booting in quiet mode +quiet_arg="" +[ "${QUIET:-no}" = yes ] && quiet_arg="-q" +[ "${quiet:-n}" = y ] && quiet_arg="-q" + +foreach_configured_profile() { + rc_all="0" + for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do + if [ ! -d "$pdir" ]; then + continue + fi + num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` + if [ "$num" = "0" ]; then + continue + fi + + cache_dir="$PROFILES_CACHE" + if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then + cache_dir="$PROFILES_CACHE_VAR" + fi + cache_args="--cache-loc=$cache_dir" + if [ ! -d "$cache_dir" ]; then + cache_args= + fi + + # LP: #1383858 - expr tree simplification is too slow for + # Touch policy on ARM, so disable it for now + cache_extra_args= + if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then + cache_extra_args="-O no-expr-simplify" + fi + + # If need to compile everything, then use -n1 with xargs to + # take advantage of -P. When cache files are in use, omit -n1 + # since it is considerably faster on moderately sized profile + # sets to give the parser all the profiles to load at once + n1_args= + num=`find "$cache_dir" -type f ! -name '.features' | wc -l` + if [ "$num" = "0" ]; then + n1_args="-n1" + fi + + (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ + while read profile; do + if [ -f "$pdir"/"$profile" ]; then + echo "$pdir"/"$profile" + fi + done) | \ + xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { + rc_all="$?" + # FIXME: when the parser properly handles broken + # profiles (LP: #1377338), remove this if statement. + # For now, if the xargs returns with error, just run + # through everything with -n1. (This could be broken + # out and refactored, but this is temporary so make it + # easy to understand and revert) + if [ "$rc_all" != "0" ]; then + (ls -1 "$pdir" | \ + egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ + while read profile; do + if [ -f "$pdir"/"$profile" ]; then + echo "$pdir"/"$profile" + fi + done) | \ + xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { + rc_all="$?" + } + fi + } + done + return $rc_all +} + +load_configured_profiles() { + clear_cache_if_outdated + foreach_configured_profile $quiet_arg --write-cache --replace +} + +load_configured_profiles_without_caching() { + foreach_configured_profile $quiet_arg --replace +} + +recache_profiles() { + clear_cache + foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load +} + +configured_profile_names() { + foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' +} + +running_profile_names() { + # Output a sorted list of loaded profiles, skipping libvirt's + # dynamically generated files + cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' +} + +unload_profile() { + echo -n "$1" > "$AA_SFS"/.remove +} + +clear_cache() { + clear_cache_system + clear_cache_var +} + +clear_cache_system() { + find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- +} + +clear_cache_var() { + find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- +} + +read_features_dir() +{ + for f in `ls -AU "$1"` ; do + if [ -f "$1/$f" ] ; then + read -r KF < "$1/$f" || true + echo -n "$f {$KF } " + elif [ -d "$1/$f" ] ; then + echo -n "$f {" + KF=`read_features_dir "$1/$f"` || true + echo -n "$KF} " + fi + done +} + +clear_cache_if_outdated() { + if [ -r "$PROFILES_CACHE"/.features ]; then + if [ -d "$AA_SFS"/features ]; then + KERN_FEATURES=`read_features_dir "$AA_SFS"/features` + else + read -r KERN_FEATURES < "$AA_SFS"/features + fi + CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` + if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then + clear_cache + fi + fi +} + +unload_obsolete_profiles() { + # Currently we must re-parse all the profiles to get policy names. :( + aa_configured=$(mktemp -t aa-XXXXXX) + configured_profile_names > "$aa_configured" || true + aa_loaded=$(mktemp -t aa-XXXXXX) + running_profile_names > "$aa_loaded" || true + LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do + unload_profile "$profile" + done + rm -f "$aa_configured" "$aa_loaded" +} + +# If the system debsum differs from the saved debsum, the new system debsum is +# saved and non-zero is returned. Returns 0 if the two debsums matched or if +# the system debsum file does not exist. This can be removed when system image +# flavors all move to snappy. +compare_and_save_debsums() { + pkg="$1" + + if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then + sums="/var/lib/dpkg/info/${pkg}.md5sums" + # store saved md5sums in /var/lib/apparmor/profiles since + # /var/cache/apparmor might be cleared by apparmor + saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" + + if [ -f "$sums" ] && \ + ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then + cp -f "$sums" "$saved_sums" + return 1 + fi + fi + + return 0 +} + +compare_previous_version() { + installed="/usr/share/snappy/security-policy-version" + previous="/var/lib/snappy/security-policy-version" + + # When just $previous doesn't exist, assume this is a new system with + # no cache and don't do anything special. + if [ -f "$installed" ] && [ -f "$previous" ]; then + pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` + iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` + if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then + # snappy updates $previous elsewhere, so just return + return 1 + fi + fi + + return 0 +} + +# Checks to see if the current container is capable of having internal AppArmor +# profiles that should be loaded. Callers of this function should have already +# verified that they're running inside of a container environment with +# something like `systemd-detect-virt --container`. +# +# The only known container environments capable of supporting internal policy +# are LXD and LXC environment. +# +# Returns 0 if the container environment is capable of having its own internal +# policy and non-zero otherwise. +# +# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC +# system container technology being nested inside of a LXD/LXC container that +# utilized an AppArmor namespace and profile stacking. The reason 0 will be +# returned is because .ns_stacked will be "yes" and .ns_name will still match +# "lx[dc]-*" since the nested system container technology will not have set up +# a new AppArmor profile namespace. This will result in the nested system +# container's boot process to experience failed policy loads but the boot +# process should continue without any loss of functionality. This is an +# unsupported configuration that cannot be properly handled by this function. +is_container_with_internal_policy() { + local ns_stacked_path="${AA_SFS}/.ns_stacked" + local ns_name_path="${AA_SFS}/.ns_name" + local ns_stacked + local ns_name + + if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then + return 1 + fi + + read -r ns_stacked < "$ns_stacked_path" + if [ "$ns_stacked" != "yes" ]; then + return 1 + fi + + # LXD and LXC set up AppArmor namespaces starting with "lxd-" and + # "lxc-", respectively. Return non-zero for all other namespace + # identifiers. + read -r ns_name < "$ns_name_path" + if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ + [ "${ns_name#lxc-*}" = "$ns_name" ]; then + return 1 + fi + + return 0 +} diff --git a/recipes-mac/AppArmor/files/run-ptest b/recipes-mac/AppArmor/files/run-ptest new file mode 100644 index 0000000..3b8e427 --- /dev/null +++ b/recipes-mac/AppArmor/files/run-ptest @@ -0,0 +1,4 @@ +#! /bin/sh +cd testsuite + +make -C tests/regression/apparmor tests diff --git a/recipes-mac/AppArmor/files/tool-paths.patch b/recipes-mac/AppArmor/files/tool-paths.patch new file mode 100644 index 0000000..aaf08da --- /dev/null +++ b/recipes-mac/AppArmor/files/tool-paths.patch @@ -0,0 +1,37 @@ +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001 +From: John Johansen <john.johansen@canonical.com> +Date: Thu, 4 Oct 2018 23:15:28 -0700 +Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison + +The hardcoded paths for flex and python can break builds on systems +where those tools are stored in an alternate location. Use which +to lookup where flex and bison are available. + +This fixes issue #4 + +Signed-off-by: John Johansen <john.johansen@canonical.com> +--- + parser/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/parser/Makefile b/parser/Makefile +index 4d370c36..015c218d 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR} + LOCALEDIR=/usr/share/locale + MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 + +-YACC := /usr/bin/bison ++YACC := bison + YFLAGS := -d +-LEX := /usr/bin/flex ++LEX := flex + LEXFLAGS = -B -v + WARNINGS = -Wall + EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter +-- +2.11.0 |