authorDavid P <megver83@parabola.nu>2018-04-06 10:23:47 -0300
committerDavid P <megver83@parabola.nu>2018-04-06 10:25:51 -0300
commit0acc9a712cb67d6a793eebc2df362e6e95def52e (patch)
treefe20d749a8d190683b4fb10b9a7cdd4e44f6e704 /pcr
parent0ffe604ceb554d788db0f212db7d7f52e3cfd84c (diff)
upgpkg: pcr/apparmor 2.12.0-1
Diffstat (limited to 'pcr')
-rw-r--r--pcr/apparmor/aa-teardown10
-rw-r--r--pcr/apparmor/apparmor-utils.install15
-rw-r--r--pcr/apparmor/apparmor.install18
-rw-r--r--pcr/apparmor/apparmor.service19
-rw-r--r--pcr/apparmor/apparmor.systemd85
-rw-r--r--pcr/apparmor/apparmor_load.sh5
-rw-r--r--pcr/apparmor/apparmor_unload.sh5
7 files changed, 113 insertions, 44 deletions
diff --git a/pcr/apparmor/aa-teardown b/pcr/apparmor/aa-teardown
new file mode 100644
index 000000000..44288569e
--- /dev/null
+++ b/pcr/apparmor/aa-teardown
@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+test $# = 0 || {
+ echo "Usage: $0"
+ echo
+ echo "Unloads all AppArmor profiles"
+ exit 1
+}
+
+/usr/lib/apparmor/apparmor.systemd stop
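Review bot: The usage text is printed to stdout and does not warn that this operation is effectively one-way, which the apparmor.service comment in this same commit spells out: once profiles are unloaded, confinement cannot be re-applied to processes that are already running without restarting them. Since this is the tool the unit file points administrators to instead of `systemctl stop`, send the usage to stderr and add that caveat, e.g. `echo "Note: confinement cannot be restored to already-running processes afterwards" >&2`. The script also delegates straight to `apparmor.systemd stop` with no privilege check, so a non-root invocation presumably fails with a parser error rather than a clear message; an early `test "$(id -u)" = 0 || { echo "$0: must be run as root" >&2; exit 1; }` would make that explicit.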
diff --git a/pcr/apparmor/apparmor-utils.install b/pcr/apparmor/apparmor-utils.install
deleted file mode 100644
index 85f69d3a3..000000000
--- a/pcr/apparmor/apparmor-utils.install
+++ /dev/null
@@ -1,15 +0,0 @@
-post_install() {
-# echo 'Creating /var/log/messages symlink to improve compatibility...'
-# ln -sf messages.log /var/log/messages
-cat << EOF
-
-==> Use /etc/apparmor/logprof.conf to change system log file
-==> configuration if you have a not-standard syslog-ng.conf.
-
-EOF
-}
-
-post_upgrade() {
- post_install $1
-}
-
diff --git a/pcr/apparmor/apparmor.install b/pcr/apparmor/apparmor.install
index dc25ea832..4f29f997a 100644
--- a/pcr/apparmor/apparmor.install
+++ b/pcr/apparmor/apparmor.install
@@ -1,20 +1,8 @@
post_install() {
- cat << EOF
-==> To enable apparmor, add this to kernel boot line:
-
- apparmor=1 security=apparmor
-
-==> Warning: To full functionality you must have kernel
-==> with apparmor patchset.
-EOF
+ echo "Add 'apparmor=1 security=apparmor' to your kernel parameters."
+ echo "For full functionality use a kernel with apparmor patchset."
}
post_remove() {
- cat << EOF
-==> To completely remove, delete this from kernel boot line:
-
- apparmor=1 security=apparmor
-
-EOF
+ echo "Remove 'apparmor=1 security=apparmor' from your kernel parameters."
}
-
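Review bot: The shortened post_install message now covers only the kernel parameters, but nothing tells the administrator that profile loading is done by apparmor.service, which presumably has to be enabled; and because the new unit carries `ConditionSecurity=apparmor`, a missing kernel parameter makes the service skip itself silently rather than fail, so the two hints belong together. Consider adding `echo "Enable apparmor.service to load profiles at boot (it is skipped unless the kernel was booted with these parameters)."`. There is also no post_upgrade hook, so users upgrading from the previous release get no notice that /usr/bin/apparmor_load.sh and apparmor_unload.sh (deleted in this commit) are gone and that aa-teardown replaces the unload script.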
diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service
index 93f273a0d..2490d1bb8 100644
--- a/pcr/apparmor/apparmor.service
+++ b/pcr/apparmor/apparmor.service
@@ -1,13 +1,24 @@
[Unit]
-Description=AppArmor profiles
+Description=Load AppArmor profiles
DefaultDependencies=no
-After=local-fs.target
Before=sysinit.target
+After=systemd-journald-audit.socket
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
[Service]
Type=oneshot
-ExecStart=/usr/bin/apparmor_load.sh
-ExecStop=/usr/bin/apparmor_unload.sh
+ExecStart=/usr/lib/apparmor/apparmor.systemd reload
+ExecReload=/usr/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/usr/bin/true
RemainAfterExit=yes
[Install]
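Review bot: The two `After=var.mount var-lib.mount` lines are the only ordering constraints that replaced `After=local-fs.target`, and they are unexplained, while the unit is otherwise well commented; a short comment would save the next maintainer from re-deriving why a unit that reads /etc/apparmor.d waits for /var, presumably for the parser's cache and state under /var — confirm against rc.apparmor.functions. Something like `# the parser keeps its cache/state under /var, which may be a separate mount` above those lines would do. Worth noting in that same comment block: with `ExecStop=/usr/bin/true` a `systemctl stop apparmor` reports the unit inactive while every profile stays loaded, so `systemctl status` no longer reflects kernel state; `aa-status` does. The `WantedBy=` line, if any, lies below the hunk.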
diff --git a/pcr/apparmor/apparmor.systemd b/pcr/apparmor/apparmor.systemd
new file mode 100644
index 000000000..17794c1ac
--- /dev/null
+++ b/pcr/apparmor/apparmor.systemd
@@ -0,0 +1,85 @@
+#!/usr/bin/sh
+
+APPARMOR_FUNCTIONS='/usr/lib/apparmor/rc.apparmor.functions'
+
+aa_action()
+{
+ echo $1
+ shift
+ "$@"
+ return $?
+}
+
+aa_log_warning_msg()
+{
+ echo "Warning: $@"
+}
+
+aa_log_failure_msg()
+{
+ echo "Error: $@"
+}
+
+aa_log_action_start()
+{
+ echo "$@"
+}
+
+aa_log_action_end()
+{
+ echo -n
+}
+
+aa_log_daemon_msg()
+{
+ echo "$@"
+}
+
+aa_log_skipped_msg()
+{
+ echo "Skipped: $@"
+}
+
+aa_log_end_msg()
+{
+ echo -n
+}
+
+# source apparmor function library
+if [ -f "${APPARMOR_FUNCTIONS}" ]; then
+ . ${APPARMOR_FUNCTIONS}
+else
+ aa_log_failure_msg "Unable to find AppArmor initscript functions"
+ exit 1
+fi
+
+case "$1" in
+ start)
+ apparmor_start
+ rc=$?
+ ;;
+ stop)
+ apparmor_stop
+ rc=$?
+ ;;
+ restart|reload|force-reload)
+ apparmor_restart
+ rc=$?
+ ;;
+ try-restart)
+ apparmor_try_restart
+ rc=$?
+ ;;
+ kill)
+ apparmor_kill
+ rc=$?
+ ;;
+ status)
+ apparmor_status
+ rc=$?
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+exit $rc
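Review bot: `aa_action` echoes its message with an unquoted `echo $1`, so a message containing glob characters or runs of whitespace is mangled by the shell; it should be `echo "$1"`, and for the same reason the source line should read `. "${APPARMOR_FUNCTIONS}"`. The log helpers embed `$@` inside a double-quoted string (`"Warning: $@"`), where POSIX leaves the result unspecified for multiple arguments; `$*` is the intended form there. The fallthrough `*)` case exits 1 without any diagnostic, which is unhelpful for an action that aa-teardown and the unit file both invoke by hand; print the accepted actions first, e.g. `echo "Usage: $0 {start|stop|restart|reload|force-reload|try-restart|kill|status}" >&2`.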
diff --git a/pcr/apparmor/apparmor_load.sh b/pcr/apparmor/apparmor_load.sh
deleted file mode 100644
index 663ebc045..000000000
--- a/pcr/apparmor/apparmor_load.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-aa_profiles='/etc/apparmor.d/'
-aa_log='/var/log/apparmor.init.log'
-find "$aa_profiles" -maxdepth 1 -type f -exec /usr/bin/apparmor_parser -r {} + 2>> "$aa_log"
diff --git a/pcr/apparmor/apparmor_unload.sh b/pcr/apparmor/apparmor_unload.sh
deleted file mode 100644
index f2d987dc2..000000000
--- a/pcr/apparmor/apparmor_unload.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-aa_profiles='/etc/apparmor.d/'
-aa_log='/var/log/apparmor.init.log'
-find "$aa_profiles" -maxdepth 1 -type f -exec /usr/bin/apparmor_parser -R {} \; 2>> "$aa_log"