| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 |
- #!/bin/sh
- # profile-load
- #
- # ----------------------------------------------------------------------
- # Copyright (c) 2010-2015 Canonical, Ltd.
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of version 2 of the GNU General Public
- # License published by the Free Software Foundation.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, contact Canonical, Ltd.
- # ----------------------------------------------------------------------
- #
- # Helper for loading an AppArmor profile in pre-start scripts.
- [ -z "$1" ] && exit 1 # require a profile name
- . /lib/apparmor/rc.apparmor.functions
- # do not load in a container
- [ -x /usr/bin/systemd-detect-virt ] && systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
- [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load if running liveCD
- profile=/etc/apparmor.d/"$1"
- [ -e "$profile" ] || exit 0 # skip when missing profile
- module=/sys/module/apparmor
- [ -d $module ] || exit 0 # do not load without AppArmor in kernel
- [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
- aafs=/sys/kernel/security/apparmor
- [ -d $aafs ] || exit 0 # do not load if unmounted
- [ -w $aafs/.load ] || exit 1 # fail if cannot load profiles
- params=$module/parameters
- [ -r $params/enabled ] || exit 0 # do not load if missing
- read enabled < $params/enabled || exit 1 # if this fails, something went wrong
- [ "$enabled" = "Y" ] || exit 0 # do not load if disabled
- /sbin/apparmor_parser -r -W "$profile" || exit 0 # LP: #1058356
|
