[apparmor] [PATCH v2] Native systemd support
Goldwyn Rodrigues
rgoldwyn at suse.de
Tue Nov 15 15:48:44 UTC 2016
This patch implements native systemd support for apparmor. This
was done and tested on openSUSE 42.1. I think we can keep
rc.apparmor.suse for a bit more time until we decide to
fully retire it.
Changes since v1:
+ Changed installation directory of scripts to /usr/share/apparmor/scripts
+ Changed apparmor.service to start after local-fs.target
+ Added documentation tag to service file
+ Added install-systemd
+ Changed apparmor_reload.sh to reload files as opposed to stop and start service
Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -313,12 +313,17 @@
install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
.PHONY: install-suse
-install-suse:
- install -m 755 -d $(DESTDIR)/etc/init.d
- install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
- install -m 755 -d $(DESTDIR)/sbin
- ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
- ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+install-suse: install-systemd
+
+.PHONY: install-systemd
+install-systemd:
+ install -m 755 -d $(DESTDIR)/usr/lib/systemd/system
+ install -m 0444 apparmor.service $(DESTDIR)/usr/lib/systemd/system
+ install -m 755 -d $(DESTDIR)/usr/share/apparmor/scripts
+ install -m 0755 apparmor_start.sh $(DESTDIR)/usr/share/apparmor/scripts
+ install -m 0755 apparmor_stop.sh $(DESTDIR)/usr/share/apparmor/scripts
+ install -m 0755 apparmor_reload.sh $(DESTDIR)/usr/share/apparmor/scripts
+
.PHONY: install-slackware
install-slackware:
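Review bot: `install-suse` is reduced to a bare dependency on `install-systemd`, so the `rc.apparmor.suse` init script and the `/sbin/rcapparmor` and `rcsubdomain` links are no longer installed at all, which contradicts the description's plan to keep rc.apparmor.suse for a while; either the removed recipe lines should stay alongside the new prerequisite, or the description should state that the SUSE init script is dropped from the install. The systemd and script directories are hard-coded in the recipe; user-tunable variables such as `SYSTEMD_UNITDIR ?= /usr/lib/systemd/system` and `AA_SCRIPTDIR ?= /usr/share/apparmor/scripts` referenced as `$(DESTDIR)$(SYSTEMD_UNITDIR)` would let distributions that use `/lib/systemd/system` install without patching. Note that the unit file and scripts added by this patch embed the same absolute paths, so those would need the variables substituted in as well for the override to be consistent.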
--- /dev/null
+++ b/parser/apparmor.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=local-fs.target
+ConditionSecurity=apparmor
+Documentation=man:apparmor(7)
+Documentation=http://wiki.apparmor.net
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/apparmor/scripts/apparmor_start.sh
+ExecReload=/usr/share/apparmor/scripts/apparmor_reload.sh
+ExecStop=/usr/share/apparmor/scripts/apparmor_stop.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
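Review bot: `ExecStop=` together with `RemainAfterExit=yes` means any stop of the unit, including the normal shutdown sequence and a `systemctl restart`, runs apparmor_stop.sh, which writes every loaded profile to `.remove` and leaves still-running confined processes unconfined; the unit should say whether that is intended, e.g. `# Stopping this unit unloads all profiles and unconfines running processes; use reload, not restart, to update policy.` above `[Service]`, or leave `ExecStop=` out so policy stays loaded once set. `WantedBy=multi-user.target` also looks inconsistent with `DefaultDependencies=no`/`Before=sysinit.target`: the unit is ordered very early but is only pulled in by a late target, so `WantedBy=sysinit.target` may be what is meant — worth confirming against the intended boot ordering.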
--- /dev/null
+++ b/parser/apparmor_reload.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+PROFILE_DIR=/etc/apparmor.d
+
+force_complain() {
+ local profile=$1
+
+ # if profile not in complain mode
+ if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
+ local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
+ if [ -e "$link" ] ; then
+ aa_log_warning_msg "found $link, forcing complain mode"
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+skip_profile() {
+ local profile=$1
+ if [ "${profile%.rpmnew}" != "${profile}" -o \
+ "${profile%.rpmsave}" != "${profile}" -o \
+ -e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \
+ "${profile%\~}" != "${profile}" ] ; then
+ return 1
+ fi
+ # Silently ignore the dpkg files
+ if [ "${profile%.dpkg-new}" != "${profile}" -o \
+ "${profile%.dpkg-old}" != "${profile}" -o \
+ "${profile%.dpkg-dist}" != "${profile}" -o \
+ "${profile%.dpkg-bak}" != "${profile}" ] ; then
+ return 2
+ fi
+
+ return 0
+}
+
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.load" ] ; then
+ exit 1
+fi
+
+retval=0
+for profile in $PROFILE_DIR/*; do
+ skip_profile "${profile}"
+ skip=$?
+ if [ "$skip" -ne 0 ]; then
+ continue
+ fi
+
+ if [ -f "${profile}" ]; then
+ COMPLAINE=""
+ if force_complain "${profile}" ; then
+ COMPLAIN="-C"
+ fi
+
+ /sbin/apparmor_parser -I${PROFILE_DIR} --replace $COMPLAIN "$profile"
+ RET=$?
+ if [ $RET -ne 0 ]; then
+ retval=$RET
+ fi
+ fi
+done
+exit $retval
+
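Review bot: The loop never resets `COMPLAIN` because of the typo `COMPLAINE=""`, so once `force_complain` has matched one profile every later profile in the directory is also loaded with `-C` in complain mode; the line should read `COMPLAIN=""`. `aa_log_warning_msg` is called from `force_complain` but nothing in this script defines or sources it, so that branch prints a "command not found" error (the following `return 0` still fires, so the profile is still forced to complain). The `exit 1` when `.load` is not writable gives no diagnostic; a one-line `echo "AppArmor filesystem not mounted or not writable" >&2` before it would make the failure visible in the journal. Minor style: `egrep` is deprecated in favour of `grep -E`, and the backtick `basename` calls could be `${profile##*/}`.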
--- /dev/null
+++ b/parser/apparmor_start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/sbin/apparmor_parser -r /etc/apparmor.d
+
+
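Review bot: `apparmor_parser -r /etc/apparmor.d` hands the whole directory to the parser, so `*.rpmnew`, `*.dpkg-*` and `~` backup files and profiles whose name is listed under `disable/` are all loaded (and enforced) at boot, while `apparmor_reload.sh` in this same patch skips every one of those and honours `force-complain/`; a profile disabled for reload therefore comes back enforcing after the next boot. Since `--replace` also loads profiles that are not yet present, the start script could simply run the same loop, e.g. `exec /usr/share/apparmor/scripts/apparmor_reload.sh`, or the loop could be moved into a file sourced by both scripts. Whether the parser also follows the symlinks in the `disable/` subdirectory when given a directory is something I cannot tell from here. The script's exit status is the parser's only because it is the last command; an explicit `exit $?` would make that intent visible.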
--- /dev/null
+++ b/parser/apparmor_stop.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.remove" ] ; then
+ exit 1
+fi
+
+PROFILES=`sed -e "s/ (\(enforce\|complain\))$//" $APPARMOR_MOUNTPOINT/profiles`
+
+retval=0
+for profile in $PROFILES; do
+ echo -n "$profile" > $APPARMOR_MOUNTPOINT/.remove
+ rc=$?
+ if [ ${rc} -ne 0 ]; then
+ retval=${rc}
+ fi
+done
+exit $retval
+
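Review bot: `for profile in $PROFILES` word-splits the profile list on whitespace, so a profile name containing a space is written to `.remove` as two nonexistent names: the real profile stays loaded while `retval` records the failure; reading the `profiles` file line by line in the main shell avoids the split and also drops the backtick capture. The `sed` expression strips only `(enforce)`/`(complain)` suffixes, so any other mode string the kernel may report would be passed through as part of the name — worth checking against the kernels being targeted. Removing a parent profile presumably also removes its `//`-separated children, in which case the later write for a child listed in `profiles` fails and the script exits nonzero even though everything was unloaded; if so, filtering child entries before the loop would be worth considering.
```bash
retval=0
while IFS= read -r profile; do
    echo -n "$profile" > "$APPARMOR_MOUNTPOINT/.remove" || retval=$?
done < <(sed -e "s/ (\(enforce\|complain\))$//" "$APPARMOR_MOUNTPOINT/profiles")
exit $retval
```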