commit: 670625009874671eb04622eca3b1fe3a3ccf274c |
Author: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
AuthorDate: Sat Jun 29 13:25:06 2013 +0000 |
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org> |
CommitDate: Sat Jun 29 13:25:34 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=67062500 |
|
sys-apps/apparmor: replace init script with a wrapper around upstream's RC functions. This removes a lot of duplicate functionality. |
|
Package-Manager: portage-2.1.12.11 |
Manifest-Sign-Key: 675D0D2C |
|
--- |
...armor-2.8.1.ebuild => apparmor-2.8.1-r1.ebuild} | 6 +- |
.../apparmor/files/apparmor-2.8.1-makefile.patch | 6 +- |
sys-apps/apparmor/files/apparmor-init | 234 +++++---------------- |
3 files changed, 61 insertions(+), 185 deletions(-) |
|
diff --git a/sys-apps/apparmor/apparmor-2.8.1.ebuild b/sys-apps/apparmor/apparmor-2.8.1-r1.ebuild |
20 |
similarity index 88% |
21 |
rename from sys-apps/apparmor/apparmor-2.8.1.ebuild |
22 |
rename to sys-apps/apparmor/apparmor-2.8.1-r1.ebuild |
23 |
index 18d9566..531cfb9 100644 |
24 |
--- a/sys-apps/apparmor/apparmor-2.8.1.ebuild |
25 |
+++ b/sys-apps/apparmor/apparmor-2.8.1-r1.ebuild |
26 |
@@ -35,6 +35,10 @@ S=${WORKDIR}/apparmor-${PV}/parser |
27 |
src_prepare() { |
28 |
epatch "${FILESDIR}"/${P}-makefile.patch |
29 |
|
30 |
+ # remove warning about missing file that controls features |
31 |
+ # we don't currently support |
32 |
+ sed -e "/installation problem/ctrue" -i rc.apparmor.functions || die |
33 |
+ |
34 |
local lang |
35 |
for lang in ${LANGS}; do |
36 |
if ! use linguas_${lang}; then |
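Review bot: The `sed -e "/installation problem/ctrue"` edit only dies when sed itself fails, so if a later upstream release rewords or moves that message the substitution becomes a silent no-op — or, since `c` replaces the whole matching line, it could clobber a line that by then sits inside a multi-line construct. Assert the pattern is present before editing, e.g. `grep -q "installation problem" rc.apparmor.functions || die "installation-problem line not found"`, so a version bump fails loudly instead of shipping a subtly different rc library. The exact line being replaced is not visible here, so whether `true` is a safe stand-in rests on the 2.8.1 file; a comment naming that line would help the next maintainer. src_prepare continues past the hunk.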
37 |
@@ -49,7 +53,7 @@ src_compile() { |
38 |
} |
39 |
|
40 |
src_install() { |
41 |
- emake DESTDIR="${D}" arch manpages install |
42 |
+ default |
43 |
|
44 |
dodir /etc/apparmor.d |
45 |
|
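Review bot: Switching to `default` changes which make targets run at install time: the removed line built `arch manpages` explicitly, whereas `default` in src_install runs only `emake DESTDIR="${D}" install` (plus doc installation) in EAPI 4+. The patched `install-indep` target in this commit's makefile patch still calls `install_manpages`, so manpages look covered, but whether the plain `install` target builds everything `arch` produced is not visible here — confirm against the 2.8.1 Makefile or keep `emake DESTDIR="${D}" arch manpages install`. src_install continues past the hunk.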
46 |
|
47 |
diff --git a/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch b/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch |
48 |
index 9575d00..0888c15 100644 |
49 |
--- a/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch |
50 |
+++ b/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch |
51 |
@@ -9,7 +9,7 @@ |
52 |
|
53 |
YACC := /usr/bin/bison |
54 |
YFLAGS := -d |
55 |
-@@ -152,7 +152,7 @@ |
56 |
+@@ -153,7 +153,7 @@ |
57 |
ln -s `$(CXX) -print-file-name=libstdc++.a` |
58 |
|
59 |
apparmor_parser: $(OBJECTS) $(AAREOBJECTS) |
60 |
@@ -18,15 +18,17 @@ |
61 |
${LEXLIB} $(AAREOBJECTS) $(AARE_LDFLAGS) |
62 |
|
63 |
parser_yacc.c parser_yacc.h: parser_yacc.y parser.h |
64 |
-@@ -284,11 +284,7 @@ |
65 |
+@@ -284,11 +284,9 @@ |
66 |
.PHONY: install-indep |
67 |
install-indep: |
68 |
install -m 755 -d $(INSTALL_CONFDIR) |
69 |
- install -m 644 subdomain.conf $(INSTALL_CONFDIR) |
70 |
++ install -m 755 -d ${DESTDIR}/usr/libexec |
71 |
install -m 644 parser.conf $(INSTALL_CONFDIR) |
72 |
- install -m 755 -d ${DESTDIR}/var/lib/apparmor |
73 |
- install -m 755 -d $(APPARMOR_BIN_PREFIX) |
74 |
- install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX) |
75 |
++ install -m 755 rc.apparmor.functions ${DESTDIR}/usr/libexec |
76 |
$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR} |
77 |
$(MAKE) install_manpages DESTDIR=${DESTDIR} |
78 |
|
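Review bot: `rc.apparmor.functions` is installed with mode 755 into `/usr/libexec` (the second `++ install` line) although the init script only dot-sources it, so it gains an executable bit it does not need; `++ install -m 644 rc.apparmor.functions ${DESTDIR}/usr/libexec` states that intent and leaves a non-executable, root-owned file in the directory the init script sources as root. The destination is now hard-coded where the removed upstream line used `$(APPARMOR_BIN_PREFIX)`, and it must stay in step with the `. /usr/libexec/rc.apparmor.functions` line in apparmor-init; a short comment in the patch naming that coupling would save a future bump from a silently missing library. The upstream `install-indep` target continues past the hunk.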
79 |
|
80 |
diff --git a/sys-apps/apparmor/files/apparmor-init b/sys-apps/apparmor/files/apparmor-init |
81 |
index 6a7ba88..ac1d8d5 100755 |
82 |
--- a/sys-apps/apparmor/files/apparmor-init |
83 |
+++ b/sys-apps/apparmor/files/apparmor-init |
84 |
@@ -8,215 +8,85 @@ description_reload="Reload all profiles" |
85 |
|
86 |
extra_started_commands="reload" |
87 |
|
88 |
-start() { |
89 |
- ebegin "Starting ${SVCNAME}" |
90 |
- eindent |
91 |
- |
92 |
- if ! check_config || ! remove_profiles || ! load_profiles load ; then |
93 |
- eend 1 |
94 |
- return 1 |
95 |
- fi |
96 |
- |
97 |
- eoutdent |
98 |
- eend 0 |
99 |
-} |
100 |
- |
101 |
-stop() { |
102 |
- ebegin "Stopping ${SVCNAME}" |
103 |
+aa_action() { |
104 |
+ local arg=$1 |
105 |
+ local return |
106 |
|
107 |
- if ! check_config ; then |
108 |
- eend 1 |
109 |
- return 1 |
110 |
- fi |
111 |
- |
112 |
- eindent |
113 |
- ebegin "Removing profiles" |
114 |
- remove_profiles |
115 |
- eoutdent |
116 |
- rc=$? |
117 |
- eend $rc |
118 |
- return $rc |
119 |
-} |
120 |
- |
121 |
-reload() { |
122 |
- ebegin "Reloading ${SVCNAME} profiles" |
123 |
- eindent |
124 |
+ shift |
125 |
+ $* |
126 |
+ return=$? |
127 |
|
128 |
- if ! ( check_config && load_profiles reload && unload_obsolete_profiles ); then |
129 |
- eend 1 |
130 |
- return 1 |
131 |
- fi |
132 |
- |
133 |
- eoutdent |
134 |
- eend 0 |
135 |
- return 0 |
136 |
-} |
137 |
- |
138 |
-check_config() { |
139 |
- if [ -z "$PARSER" -o -z "$PROFILE_DIR" -o -z "$SECURITYFS" ]; then |
140 |
- eerror "/etc/conf.d/${SVCNAME} has missing variables" |
141 |
- return 1 |
142 |
- fi |
143 |
- |
144 |
- if ! is_securityfs_mounted ; then |
145 |
- if ! mount_securityfs ; then |
146 |
- eerror "Failed to mount securityfs" |
147 |
- return 1 |
148 |
- fi |
149 |
- fi |
150 |
- |
151 |
- if ! is_apparmor_present ; then |
152 |
- modprobe -q apparmor |
153 |
- if ! is_apparmor_present ; then |
154 |
- eerror "${SVCNAME} kernel support is not present" |
155 |
- return 1 |
156 |
- fi |
157 |
+ if [ ${return} -eq 0 ]; then |
158 |
+ aa_log_success_msg $arg |
159 |
+ else |
160 |
+ aa_log_failure_msg arg |
161 |
fi |
162 |
|
163 |
- if ! check_apparmor_compat ; then |
164 |
- eerror "${SVCNAME} compatibility is not present in the kernel" |
165 |
- return 1 |
166 |
- fi |
167 |
+ return $return |
168 |
} |
169 |
|
170 |
-get_profile_files() { |
171 |
- ARGS="" |
172 |
- IGNORES="$( find ${PROFILE_DIR} -name .ignore )" |
173 |
- LENGTH=$( echo "$IGNORES" | wc -l ) |
174 |
- |
175 |
- I=1; |
176 |
- for IGNORE in $IGNORES; do |
177 |
- ARGS="${ARGS} -path $( dirname ${IGNORE} ) -prune" |
178 |
- if [ $LENGTH -gt 1 -a $I -lt $LENGTH ]; then |
179 |
- ARGS="${ARGS} -o" |
180 |
- fi |
181 |
- I=$(($I+1)) |
182 |
- done |
183 |
- |
184 |
- if [ -n "$ARGS" ]; then |
185 |
- ARGS="${ARGS} -o" |
186 |
- fi |
187 |
- |
188 |
- PROFILES="find ${PROFILE_DIR} "$ARGS" -type f -print" |
189 |
- |
190 |
- echo $( $PROFILES ) |
191 |
+aa_log_action_start() { |
192 |
+ ebegin $1 |
193 |
} |
194 |
|
195 |
-get_active_profiles() { |
196 |
- PROFILES=`sed -e "s/ (\(enforce\|complain\))//" "${SECURITYFS}/profiles"` |
197 |
- echo $PROFILES |
198 |
+aa_log_action_end() { |
199 |
+ eend $1 |
200 |
} |
201 |
|
202 |
-load_profiles() { |
203 |
- case "$1" in |
204 |
- load) |
205 |
- PARSER_ARGS="--add" |
206 |
- MESSAGE="Loading ${SVCNAME} profiles" |
207 |
- ;; |
208 |
- reload) |
209 |
- PARSER_ARGS="--replace" |
210 |
- MESSAGE="Reloading ${SVCNAME} profiles" |
211 |
- ;; |
212 |
- *) |
213 |
- eerror "Invalid load_profile argument" |
214 |
- exit 1 |
215 |
- ;; |
216 |
- esac |
217 |
- |
218 |
- if [ ! -x "${PARSER}" ]; then |
219 |
- eerror "Could not find apparmor_parser" |
220 |
- return 1 |
221 |
- fi |
222 |
- |
223 |
- if [ ! -d "${PROFILE_DIR}" -o -z "$(ls $PROFILE_DIR 2> /dev/null)" ]; then |
224 |
- ewarn "No profiles found" |
225 |
- return 0 |
226 |
- fi |
227 |
- |
228 |
- PROFILES="$(get_profile_files)" |
229 |
- |
230 |
- for PROFILE in $PROFILES; do |
231 |
- $PARSER $PARSER_ARGS $PROFILE |
232 |
- if [ $? -ne 0 ]; then |
233 |
- if [ "${PARSER_ARGS}" = "replace" ]; then |
234 |
- ewarn "Error loading '${PROFILE}', continuing" |
235 |
- else |
236 |
- eerror "Error loading '${PROFILE}', aborting" |
237 |
- remove_profiles |
238 |
- return 1 |
239 |
- fi |
240 |
- fi |
241 |
- done |
242 |
- |
243 |
- return 0 |
244 |
+aa_log_success_msg() { |
245 |
+ einfo $1 |
246 |
} |
247 |
|
248 |
-remove_profiles() { |
249 |
- PROFILES=$(get_active_profiles) |
250 |
- for PROFILE in $PROFILES; do |
251 |
- #use printf instead of echo -n for POSIX compatibility |
252 |
- printf '%s' "$PROFILE" > "${SECURITYFS}/.remove" |
253 |
- done |
254 |
- return 0 |
255 |
+aa_log_warning_msg() { |
256 |
+ ewarn $1 |
257 |
} |
258 |
|
259 |
-is_securityfs_mounted() { |
260 |
- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts |
261 |
- return $? |
262 |
+aa_log_failure_msg() { |
263 |
+ eerror $1 |
264 |
} |
265 |
|
266 |
-mount_securityfs() { |
267 |
- if [ grep -q securityfs /proc/filesystems ]; then |
268 |
- mount -t securityfs securityfs "${SECURITYFS}" |
269 |
- return $? |
270 |
- else |
271 |
- return 1 |
272 |
- fi |
273 |
+aa_log_skipped_msg() { |
274 |
+ einfo $1 |
275 |
} |
276 |
|
277 |
-is_apparmor_present() { |
278 |
- grep -q "^apparmor" /proc/modules |
279 |
- [ $? -ne 0 -a -d /sys/module/apparmor ] |
280 |
- return $? |
281 |
+aa_log_daemon_msg() { |
282 |
+ einfo $1 |
283 |
} |
284 |
|
285 |
-check_apparmor_compat() { |
286 |
- if [ -f "${SECURITYFS}/profiles" ]; then |
287 |
- return 0 |
288 |
- else |
289 |
- return 1 |
290 |
- fi |
291 |
+aa_log_end_msg() { |
292 |
+ eend $1 |
293 |
} |
294 |
|
295 |
-unload_obsolete_profiles() { |
296 |
- TEMPDIR=$(umask 0077 && mktemp -d) |
297 |
+. /usr/libexec/rc.apparmor.functions |
298 |
|
299 |
- if [ ! -d "${TEMPDIR}" ]; then |
300 |
- eerror "Failed to create temporary directory" |
301 |
- return 1 |
302 |
- fi |
303 |
- |
304 |
- cd $TEMPDIR |
305 |
+start() { |
306 |
+ ebegin "Starting AppArmor" |
307 |
+ eindent |
308 |
|
309 |
- local active_profiles=$(get_active_profiles) |
310 |
- if [ -z "${active_profiles}" ] ; then |
311 |
- return 0 |
312 |
+ if ! is_apparmor_loaded ; then |
313 |
+ load_module |
314 |
+ if [ $? -ne 0 ]; then |
315 |
+ eerror "AppArmor kernel support is not present" |
316 |
+ eend 1 |
317 |
+ return 1 |
318 |
+ fi |
319 |
fi |
320 |
|
321 |
- echo ${active_profiles} | tr ' ' '\n' | sort > old |
322 |
- |
323 |
- for PROFILE in $(get_profile_files); do |
324 |
- echo $(${PARSER} -N "$PROFILE") >> new |
325 |
- done |
326 |
+ parse_profiles load |
327 |
|
328 |
- sort new > new_sorted |
329 |
- |
330 |
- for PROFILE in $(comm -2 -3 old new_sorted); do |
331 |
- #use printf instead of echo -n for POSIX compatibility |
332 |
- printf '%s' "$PROFILE" > "${SECURITYFS}/.remove" |
333 |
- done |
334 |
+ eoutdent |
335 |
+} |
336 |
|
337 |
- rm -rf "${TEMPDIR}" |
338 |
+stop() { |
339 |
+ ebegin "Stopping AppArmor" |
340 |
+ eindent |
341 |
+ apparmor_stop |
342 |
+ eoutdent |
343 |
+} |
344 |
|
345 |
- return 0 |
346 |
+reload() { |
347 |
+ # todo: split out clean_profiles into its own function upstream |
348 |
+ # so we can do parse_profiles reload && clean_profiles |
349 |
+ # and do a proper reload instead of restart |
350 |
+ apparmor_restart |
351 |
} |
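Review bot: `start()` ignores the exit status of `parse_profiles load` and never calls `eend`, so a profile that fails to parse leaves the service marked as started with partial or no confinement and no error surfaced to OpenRC (the function returns whatever `eoutdent` returned), and the kernel-module failure path returns without `eoutdent`. In `aa_action`, `aa_log_failure_msg arg` passes the literal word `arg` rather than `$arg`, and unquoted `$*` should be `"$@"` so arguments containing spaces reach the wrapped command intact. `stop()` has the same missing-status problem with `apparmor_stop`. Whether `parse_profiles` propagates the parser's exit status is not visible here (it lives in the sourced upstream file), so if it does not, start needs another way to detect a failed load.
```shell
aa_action() {
	local arg=$1
	local return

	shift
	"$@"
	return=$?

	if [ ${return} -eq 0 ]; then
		aa_log_success_msg "$arg"
	else
		aa_log_failure_msg "$arg"
	fi

	return $return
}

# … unchanged: aa_log_* wrappers and sourcing of rc.apparmor.functions …

start() {
	ebegin "Starting AppArmor"
	eindent

	if ! is_apparmor_loaded ; then
		load_module
		if [ $? -ne 0 ]; then
			eerror "AppArmor kernel support is not present"
			eoutdent
			eend 1
			return 1
		fi
	fi

	# A failed load must fail the service, not leave it "started" unconfined.
	parse_profiles load
	local rc=$?

	eoutdent
	eend $rc
	return $rc
}

stop() {
	ebegin "Stopping AppArmor"
	eindent
	apparmor_stop
	local rc=$?
	eoutdent
	eend $rc
	return $rc
}
```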