From 0acc9a712cb67d6a793eebc2df362e6e95def52e Mon Sep 17 00:00:00 2001
From: David P
Date: Fri, 6 Apr 2018 10:23:47 -0300
Subject: upgpkg: pcr/apparmor 2.12.0-1
---
 pcr/apparmor/aa-teardown | 10 +++++
 pcr/apparmor/apparmor-utils.install | 15 -------
 pcr/apparmor/apparmor.install | 18 ++------
 pcr/apparmor/apparmor.service | 19 +++++++--
 pcr/apparmor/apparmor.systemd | 85 +++++++++++++++++++++++++++++++++++++
 pcr/apparmor/apparmor_load.sh | 5 ---
 pcr/apparmor/apparmor_unload.sh | 5 ---
 7 files changed, 113 insertions(+), 44 deletions(-)
 create mode 100644 pcr/apparmor/aa-teardown
 delete mode 100644 pcr/apparmor/apparmor-utils.install
 create mode 100644 pcr/apparmor/apparmor.systemd
 delete mode 100644 pcr/apparmor/apparmor_load.sh
 delete mode 100644 pcr/apparmor/apparmor_unload.sh
(limited to 'pcr/apparmor')
diff --git a/pcr/apparmor/aa-teardown b/pcr/apparmor/aa-teardown
new file mode 100644
index 000000000..44288569e
--- /dev/null
+++ b/pcr/apparmor/aa-teardown
@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+test $# = 0 || {
+ echo "Usage: $0"
+ echo
+ echo "Unloads all AppArmor profiles"
+ exit 1
+}
+
+/usr/lib/apparmor/apparmor.systemd stop
diff --git a/pcr/apparmor/apparmor-utils.install b/pcr/apparmor/apparmor-utils.install
deleted file mode 100644
index 85f69d3a3..000000000
--- a/pcr/apparmor/apparmor-utils.install
+++ /dev/null
@@ -1,15 +0,0 @@
-post_install() {
-# echo 'Creating /var/log/messages symlink to improve compatibility...'
-# ln -sf messages.log /var/log/messages
-cat << EOF
-
-==> Use /etc/apparmor/logprof.conf to change system log file
-==> configuration if you have a not-standard syslog-ng.conf.
-
-EOF
-}
-
-post_upgrade() {
- post_install $1
-}
-
diff --git a/pcr/apparmor/apparmor.install b/pcr/apparmor/apparmor.install
index dc25ea832..4f29f997a 100644
--- a/pcr/apparmor/apparmor.install
+++ b/pcr/apparmor/apparmor.install
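Review bot: The usage text in aa-teardown's `test $# = 0 || { … }` block is written to stdout, so a caller that captures the script's output gets the diagnostic mixed in with any real output; usage belongs on stderr, e.g. `echo "Usage: $0" >&2` and `echo "Unloads all AppArmor profiles" >&2`. Since the comment added to apparmor.service in this same commit explains that unloading removes confinement from running processes and it cannot be re-applied later, the usage line is the natural place to repeat that consequence, e.g. `echo "Unloads all AppArmor profiles (running processes lose their confinement)" >&2`. The exit status of the final `apparmor.systemd stop` call becomes the script's status, which is fine, but `[ "$#" -eq 0 ]` reads more conventionally than `test $# = 0` under a bash shebang.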
@@ -1,20 +1,8 @@
 post_install() {
- cat << EOF
-==> To enable apparmor, add this to kernel boot line:
-
- apparmor=1 security=apparmor
-
-==> Warning: To full functionality you must have kernel
-==> with apparmor patchset.
-EOF
+ echo "Add 'apparmor=1 security=apparmor' to your kernel parameters."
+ echo "For full functionality use a kernel with apparmor patchset."
 }
 
 post_remove() {
- cat << EOF
-==> To completely remove, delete this from kernel boot line:
-
- apparmor=1 security=apparmor
-
-EOF
+ echo "Remove 'apparmor=1 security=apparmor' from your kernel parameters."
 }
-
diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service
index 93f273a0d..2490d1bb8 100644
--- a/pcr/apparmor/apparmor.service
+++ b/pcr/apparmor/apparmor.service
@@ -1,13 +1,24 @@
 [Unit]
-Description=AppArmor profiles
+Description=Load AppArmor profiles
 DefaultDependencies=no
-After=local-fs.target
 Before=sysinit.target
+After=systemd-journald-audit.socket
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/apparmor_load.sh
-ExecStop=/usr/bin/apparmor_unload.sh
+ExecStart=/usr/lib/apparmor/apparmor.systemd reload
+ExecReload=/usr/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/usr/bin/true
 RemainAfterExit=yes
 
 [Install]
diff --git a/pcr/apparmor/apparmor.systemd b/pcr/apparmor/apparmor.systemd
new file mode 100644
index 000000000..17794c1ac
--- /dev/null
+++ b/pcr/apparmor/apparmor.systemd
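Review bot: `After=var.mount var-lib.mount` in the apparmor.service hunk is ordering only, and it is silently ignored when no unit with exactly those names exists (for example when /var is on the root filesystem or on a mount with a different unit name), so the ordering this line is meant to guarantee may not hold; if the script needs something under /var before it runs (presumably a profile cache — not visible in this diff), `RequiresMountsFor=/var/lib` expresses that need for any mount layout and also pulls the mount units in. The replaced `After=local-fs.target` is not restored by the new lines, which is worth a short comment on the unit explaining why the narrower ordering was chosen, e.g. `# Ordered after the mounts the parser needs instead of local-fs.target so the unit can run early during boot`. The `[Install]` section continues outside the hunk.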
@@ -0,0 +1,85 @@
+#!/usr/bin/sh
+
+APPARMOR_FUNCTIONS='/usr/lib/apparmor/rc.apparmor.functions'
+
+aa_action()
+{
+ echo $1
+ shift
+ "$@"
+ return $?
+}
+
+aa_log_warning_msg()
+{
+ echo "Warning: $@"
+}
+
+aa_log_failure_msg()
+{
+ echo "Error: $@"
+}
+
+aa_log_action_start()
+{
+ echo "$@"
+}
+
+aa_log_action_end()
+{
+ echo -n
+}
+
+aa_log_daemon_msg()
+{
+ echo "$@"
+}
+
+aa_log_skipped_msg()
+{
+ echo "Skipped: $@"
+}
+
+aa_log_end_msg()
+{
+ echo -n
+}
+
+# source apparmor function library
+if [ -f "${APPARMOR_FUNCTIONS}" ]; then
+ . ${APPARMOR_FUNCTIONS}
+else
+ aa_log_failure_msg "Unable to find AppArmor initscript functions"
+ exit 1
+fi
+
+case "$1" in
+ start)
+ apparmor_start
+ rc=$?
+ ;;
+ stop)
+ apparmor_stop
+ rc=$?
+ ;;
+ restart|reload|force-reload)
+ apparmor_restart
+ rc=$?
+ ;;
+ try-restart)
+ apparmor_try_restart
+ rc=$?
+ ;;
+ kill)
+ apparmor_kill
+ rc=$?
+ ;;
+ status)
+ apparmor_status
+ rc=$?
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+exit $rc
diff --git a/pcr/apparmor/apparmor_load.sh b/pcr/apparmor/apparmor_load.sh
deleted file mode 100644
index 663ebc045..000000000
--- a/pcr/apparmor/apparmor_load.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-aa_profiles='/etc/apparmor.d/'
-aa_log='/var/log/apparmor.init.log'
-find "$aa_profiles" -maxdepth 1 -type f -exec /usr/bin/apparmor_parser -r {} + 2>> "$aa_log"
diff --git a/pcr/apparmor/apparmor_unload.sh b/pcr/apparmor/apparmor_unload.sh
deleted file mode 100644
index f2d987dc2..000000000
--- a/pcr/apparmor/apparmor_unload.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-aa_profiles='/etc/apparmor.d/'
-aa_log='/var/log/apparmor.init.log'
-find "$aa_profiles" -maxdepth 1 -type f -exec /usr/bin/apparmor_parser -R {} \; 2>> "$aa_log"
-- cgit v1.2.3
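Review bot: `echo -n` in aa_log_action_end and aa_log_end_msg is not portable under the `#!/usr/bin/sh` shebang this file declares: POSIX leaves `-n` implementation-defined and dash prints the literal `-n`, so if /usr/bin/sh is ever not bash these hooks emit garbage instead of nothing; the bodies exist only to print nothing, so `:` is the right no-op for both. aa_action passes its first argument unquoted in `echo $1`, which word-splits and glob-expands the label; `echo "$1"` (or `printf '%s\n' "$1"`) is what is meant. The `*)` arm exits 1 silently, so a typo in the action name is indistinguishable from a failed action; `echo "Usage: $0 {start|stop|restart|reload|force-reload|try-restart|kill|status}" >&2` before the `exit 1` would make the failure diagnosable from the journal. The apparmor_* functions called in the case arms come from the sourced rc.apparmor.functions file and are not visible here, so I cannot confirm their return conventions; the per-arm `rc=$?` pattern assumes each one returns a meaningful status.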