
From: Michael Palimaka <kensington@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-dev:master commit in: sys-apps/apparmor/files/, sys-apps/apparmor/
Date: Sat, 29 Jun 2013 13:27:56
Message-Id: 1372512334.670625009874671eb04622eca3b1fe3a3ccf274c.kensington@gentoo
1 commit: 670625009874671eb04622eca3b1fe3a3ccf274c
2 Author: Michael Palimaka <kensington <AT> gentoo <DOT> org>
3 AuthorDate: Sat Jun 29 13:25:06 2013 +0000
4 Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org>
5 CommitDate: Sat Jun 29 13:25:34 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=67062500
7
8 sys-apps/apparmor: replace init script with a wrapper around upstream's RC functions. This removes a lot of duplicate functionality.
9
10 Package-Manager: portage-2.1.12.11
11 Manifest-Sign-Key: 675D0D2C
12
13 ---
14 ...armor-2.8.1.ebuild => apparmor-2.8.1-r1.ebuild} | 6 +-
15 .../apparmor/files/apparmor-2.8.1-makefile.patch | 6 +-
16 sys-apps/apparmor/files/apparmor-init | 234 +++++----------------
17 3 files changed, 61 insertions(+), 185 deletions(-)
18
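--- a/sys-apps/apparmor/apparmor-2.8.1.ebuild
+++ b/sys-apps/apparmor/apparmor-2.8.1-r1.ebuild
@@ -35,6 +35,10 @@ S=${WORKDIR}/apparmor-${PV}/parser
 src_prepare() {
 epatch "${FILESDIR}"/${P}-makefile.patch
 
+ # remove warning about missing file that controls features
+ # we don't currently support
+ sed -e "/installation problem/ctrue" -i rc.apparmor.functions || die
+
 local lang
 for lang in ${LANGS}; do
 if ! use linguas_${lang}; then
@@ -49,7 +53,7 @@ src_compile() {
 }
 
 src_install() {
- emake DESTDIR="${D}" arch manpages install
+ default
 
 dodir /etc/apparmor.d
 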
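Review bot: The new `sed -e "/installation problem/ctrue" -i rc.apparmor.functions || die` only dies when sed itself fails, so if upstream ever rewords that warning the edit silently does nothing and the warning returns, and if the phrase moves to a different line that line is what gets replaced by `true`. Guard the edit with a match check first, `grep -q "installation problem" rc.apparmor.functions || die "expected warning line not found in rc.apparmor.functions"`. In the second hunk `default` replaces `emake DESTDIR="${D}" arch manpages install`, dropping the explicit `arch manpages` targets; a one-line comment such as `# the patched install-indep target already runs install_manpages` would record why (the makefile patch on this page shows `$(MAKE) install_manpages DESTDIR=${DESTDIR}` inside install-indep, but I cannot see what `arch` did). src_prepare continues outside the first hunk.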
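--- a/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch
+++ b/sys-apps/apparmor/files/apparmor-2.8.1-makefile.patch
@@ -9,7 +9,7 @@
 
 YACC := /usr/bin/bison
 YFLAGS := -d
-@@ -152,7 +152,7 @@
+@@ -153,7 +153,7 @@
 ln -s `$(CXX) -print-file-name=libstdc++.a`
 
 apparmor_parser: $(OBJECTS) $(AAREOBJECTS)
@@ -18,15 +18,17 @@
 ${LEXLIB} $(AAREOBJECTS) $(AARE_LDFLAGS)
 
 parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
-@@ -284,11 +284,7 @@
+@@ -284,11 +284,9 @@
 .PHONY: install-indep
 install-indep:
 install -m 755 -d $(INSTALL_CONFDIR)
 - install -m 644 subdomain.conf $(INSTALL_CONFDIR)
++ install -m 755 -d ${DESTDIR}/usr/libexec
 install -m 644 parser.conf $(INSTALL_CONFDIR)
 - install -m 755 -d ${DESTDIR}/var/lib/apparmor
 - install -m 755 -d $(APPARMOR_BIN_PREFIX)
 - install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
++ install -m 755 rc.apparmor.functions ${DESTDIR}/usr/libexec
 $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
 $(MAKE) install_manpages DESTDIR=${DESTDIR}
 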
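Review bot: The new `install -m 755 rc.apparmor.functions ${DESTDIR}/usr/libexec` line installs a file that the new init script only sources (`. /usr/libexec/rc.apparmor.functions`), so the executable bit is not needed and `install -m 644 rc.apparmor.functions ${DESTDIR}/usr/libexec` is the tighter choice. The `/usr/libexec` destination is hard-coded here and again in files/apparmor-init with nothing tying the two together; a line at the top of the patch file such as `# install path must match the '. /usr/libexec/rc.apparmor.functions' line in files/apparmor-init` would make that coupling visible at the next bump. The same hunk also stops creating `${DESTDIR}/var/lib/apparmor`, which the commit message does not mention; I cannot tell from here whether anything still expects that directory, so it deserves a sentence in the message.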
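--- a/sys-apps/apparmor/files/apparmor-init
+++ b/sys-apps/apparmor/files/apparmor-init
@@ -8,215 +8,85 @@ description_reload="Reload all profiles"
 
 extra_started_commands="reload"
 
-start() {
- ebegin "Starting ${SVCNAME}"
- eindent
-
- if ! check_config || ! remove_profiles || ! load_profiles load ; then
- eend 1
- return 1
- fi
-
- eoutdent
- eend 0
-}
-
-stop() {
- ebegin "Stopping ${SVCNAME}"
+aa_action() {
+ local arg=$1
+ local return
 
- if ! check_config ; then
- eend 1
- return 1
- fi
-
- eindent
- ebegin "Removing profiles"
- remove_profiles
- eoutdent
- rc=$?
- eend $rc
- return $rc
-}
-
-reload() {
- ebegin "Reloading ${SVCNAME} profiles"
- eindent
+ shift
+ $*
+ return=$?
 
- if ! ( check_config && load_profiles reload && unload_obsolete_profiles ); then
- eend 1
- return 1
- fi
-
- eoutdent
- eend 0
- return 0
-}
-
-check_config() {
- if [ -z "$PARSER" -o -z "$PROFILE_DIR" -o -z "$SECURITYFS" ]; then
- eerror "/etc/conf.d/${SVCNAME} has missing variables"
- return 1
- fi
-
- if ! is_securityfs_mounted ; then
- if ! mount_securityfs ; then
- eerror "Failed to mount securityfs"
- return 1
- fi
- fi
-
- if ! is_apparmor_present ; then
- modprobe -q apparmor
- if ! is_apparmor_present ; then
- eerror "${SVCNAME} kernel support is not present"
- return 1
- fi
+ if [ ${return} -eq 0 ]; then
+ aa_log_success_msg $arg
+ else
+ aa_log_failure_msg arg
 fi
 
- if ! check_apparmor_compat ; then
- eerror "${SVCNAME} compatibility is not present in the kernel"
- return 1
- fi
+ return $return
 }
 
-get_profile_files() {
- ARGS=""
- IGNORES="$( find ${PROFILE_DIR} -name .ignore )"
- LENGTH=$( echo "$IGNORES" | wc -l )
-
- I=1;
- for IGNORE in $IGNORES; do
- ARGS="${ARGS} -path $( dirname ${IGNORE} ) -prune"
- if [ $LENGTH -gt 1 -a $I -lt $LENGTH ]; then
- ARGS="${ARGS} -o"
- fi
- I=$(($I+1))
- done
-
- if [ -n "$ARGS" ]; then
- ARGS="${ARGS} -o"
- fi
-
- PROFILES="find ${PROFILE_DIR} "$ARGS" -type f -print"
-
- echo $( $PROFILES )
+aa_log_action_start() {
+ ebegin $1
 }
 
-get_active_profiles() {
- PROFILES=`sed -e "s/ (\(enforce\|complain\))//" "${SECURITYFS}/profiles"`
- echo $PROFILES
+aa_log_action_end() {
+ eend $1
 }
 
-load_profiles() {
- case "$1" in
- load)
- PARSER_ARGS="--add"
- MESSAGE="Loading ${SVCNAME} profiles"
- ;;
- reload)
- PARSER_ARGS="--replace"
- MESSAGE="Reloading ${SVCNAME} profiles"
- ;;
- *)
- eerror "Invalid load_profile argument"
- exit 1
- ;;
- esac
-
- if [ ! -x "${PARSER}" ]; then
- eerror "Could not find apparmor_parser"
- return 1
- fi
-
- if [ ! -d "${PROFILE_DIR}" -o -z "$(ls $PROFILE_DIR 2> /dev/null)" ]; then
- ewarn "No profiles found"
- return 0
- fi
-
- PROFILES="$(get_profile_files)"
-
- for PROFILE in $PROFILES; do
- $PARSER $PARSER_ARGS $PROFILE
- if [ $? -ne 0 ]; then
- if [ "${PARSER_ARGS}" = "replace" ]; then
- ewarn "Error loading '${PROFILE}', continuing"
- else
- eerror "Error loading '${PROFILE}', aborting"
- remove_profiles
- return 1
- fi
- fi
- done
-
- return 0
+aa_log_success_msg() {
+ einfo $1
 }
 
-remove_profiles() {
- PROFILES=$(get_active_profiles)
- for PROFILE in $PROFILES; do
- #use printf instead of echo -n for POSIX compatibility
- printf '%s' "$PROFILE" > "${SECURITYFS}/.remove"
- done
- return 0
+aa_log_warning_msg() {
+ ewarn $1
 }
 
-is_securityfs_mounted() {
- grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
- return $?
+aa_log_failure_msg() {
+ eerror $1
 }
 
-mount_securityfs() {
- if [ grep -q securityfs /proc/filesystems ]; then
- mount -t securityfs securityfs "${SECURITYFS}"
- return $?
- else
- return 1
- fi
+aa_log_skipped_msg() {
+ einfo $1
 }
 
-is_apparmor_present() {
- grep -q "^apparmor" /proc/modules
- [ $? -ne 0 -a -d /sys/module/apparmor ]
- return $?
+aa_log_daemon_msg() {
+ einfo $1
 }
 
-check_apparmor_compat() {
- if [ -f "${SECURITYFS}/profiles" ]; then
- return 0
- else
- return 1
- fi
+aa_log_end_msg() {
+ eend $1
 }
 
-unload_obsolete_profiles() {
- TEMPDIR=$(umask 0077 && mktemp -d)
+. /usr/libexec/rc.apparmor.functions
 
- if [ ! -d "${TEMPDIR}" ]; then
- eerror "Failed to create temporary directory"
- return 1
- fi
-
- cd $TEMPDIR
+start() {
+ ebegin "Starting AppArmor"
+ eindent
 
- local active_profiles=$(get_active_profiles)
- if [ -z "${active_profiles}" ] ; then
- return 0
+ if ! is_apparmor_loaded ; then
+ load_module
+ if [ $? -ne 0 ]; then
+ eerror "AppArmor kernel support is not present"
+ eend 1
+ return 1
+ fi
 fi
 
- echo ${active_profiles} | tr ' ' '\n' | sort > old
-
- for PROFILE in $(get_profile_files); do
- echo $(${PARSER} -N "$PROFILE") >> new
- done
+ parse_profiles load
 
- sort new > new_sorted
-
- for PROFILE in $(comm -2 -3 old new_sorted); do
- #use printf instead of echo -n for POSIX compatibility
- printf '%s' "$PROFILE" > "${SECURITYFS}/.remove"
- done
+ eoutdent
+}
 
- rm -rf "${TEMPDIR}"
+stop() {
+ ebegin "Stopping AppArmor"
+ eindent
+ apparmor_stop
+ eoutdent
+}
 
- return 0
+reload() {
+ # todo: split out clean_profiles into its own function upstream
+ # so we can do parse_profiles reload && clean_profiles
+ # and do a proper reload instead of restart
+ apparmor_restart
 }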
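Review bot: The new `start()` never checks the result of `parse_profiles load` and has no `eend` to balance its `ebegin "Starting AppArmor"`, so when profile loading fails the function returns the status of the trailing `eoutdent` and OpenRC will treat the service as started even though some or all profiles may not be loaded; the removed code did report this with `eend 1` / `return 1`. Capture the status and pass it to `eend` in both `start()` and `stop()`, which has the same shape around `apparmor_stop` (both functions lie entirely within this hunk). In `aa_action()`, `aa_log_failure_msg arg` passes the literal word arg instead of `$arg`, so every failure message would read "arg", and `$*` should be `"$@"` so that arguments containing spaces reach the wrapped command intact. The `aa_log_*` helpers pass `$1` unquoted to the OpenRC e* functions; `"$@"` keeps a multi-word message whole.
```shell
	# … unchanged: ebegin/eindent and the is_apparmor_loaded check …
	parse_profiles load
	ret=$?
	eoutdent
	eend ${ret} "Failed to load AppArmor profiles"
	return ${ret}
}

stop() {
	# … unchanged: ebegin/eindent …
	apparmor_stop
	ret=$?
	eoutdent
	eend ${ret}
	return ${ret}
}
```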