* [meta-security][PATCH 1/2] apparmor: upgrade 3.0 -> 3.0.1
@ 2021-06-23 9:15 Yi Zhao
2021-06-23 9:15 ` [meta-security][PATCH 2/2] apparmor: use its own initscript and service files Yi Zhao
[not found] ` <168B2B5232A141EF.5306@lists.yoctoproject.org>
0 siblings, 2 replies; 4+ messages in thread
From: Yi Zhao @ 2021-06-23 9:15 UTC (permalink / raw)
To: yocto
Drop backport patches:
0001-apparmor-fix-manpage-order.patch
0001-libapparmor-add-missing-include-for-socklen_t.patch
0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
0001-aa_status-Fix-build-issue-with-musl.patch
0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../{apparmor_3.0.bb => apparmor_3.0.1.bb} | 8 +---
...Update-make-check-to-select-tools-ba.patch | 2 +-
...-aa_status-Fix-build-issue-with-musl.patch | 31 -------------
.../0001-apparmor-fix-manpage-order.patch | 43 -------------------
...or-add-missing-include-for-socklen_t.patch | 36 ----------------
...dont-force-host-cpp-to-detect-reallo.patch | 37 ----------------
...aa_features_new_from_file-to-public-.patch | 37 ----------------
...-add-_aa_asprintf-to-private-symbols.patch | 34 ---------------
recipes-mac/AppArmor/files/disable_pdf.patch | 33 --------------
9 files changed, 2 insertions(+), 259 deletions(-)
rename recipes-mac/AppArmor/{apparmor_3.0.bb => apparmor_3.0.1.bb} (92%)
delete mode 100644 recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
delete mode 100644 recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
delete mode 100644 recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
delete mode 100644 recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
delete mode 100644 recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
delete mode 100644 recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
delete mode 100644 recipes-mac/AppArmor/files/disable_pdf.patch
diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.0.1.bb
similarity index 92%
rename from recipes-mac/AppArmor/apparmor_3.0.bb
rename to recipes-mac/AppArmor/apparmor_3.0.1.bb
index d9c3e4d..6377683 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -23,16 +23,10 @@ SRC_URI = " \
file://apparmor.service \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://run-ptest \
- file://0001-apparmor-fix-manpage-order.patch \
file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
- file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
- file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
- file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
- file://0001-aa_status-Fix-build-issue-with-musl.patch \
- file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
"
-SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
+SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
diff --git a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
index 791437d..e7abd60 100644
--- a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
+++ b/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
@@ -6,7 +6,7 @@ Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based
This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
-Upstream-Statue: OE specific
+Upstream-Status: Inappropriate [OE specific]
These changes cause during packaging with perms changing.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
deleted file mode 100644
index 239562a..0000000
--- a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 7 Oct 2020 08:27:11 -0700
-Subject: [PATCH] aa_status: Fix build issue with musl
-
-add limits.h
-
-aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
-| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
----
- binutils/aa_status.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/binutils/aa_status.c b/binutils/aa_status.c
-index 78b03409..41f1954e 100644
---- a/binutils/aa_status.c
-+++ b/binutils/aa_status.c
-@@ -10,6 +10,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/wait.h>
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
deleted file mode 100644
index 9f3dce4..0000000
--- a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Fri, 2 Oct 2020 19:43:44 -0700
-Subject: [PATCH] apparmor: fix manpage order
-
-It trys to create a symlink before the man pages are installed.
-
- ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
- | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-...
-
-install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
- binutils/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/binutils/Makefile b/binutils/Makefile
-index 99e54875..3f1d0011 100644
---- a/binutils/Makefile
-+++ b/binutils/Makefile
-@@ -156,12 +156,12 @@ install-arch: arch
- install -m 755 -d ${SBINDIR}
- ln -sf aa-status ${SBINDIR}/apparmor_status
- install -m 755 ${SBINTOOLS} ${SBINDIR}
-- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- .PHONY: install-indep
- install-indep: indep
- $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
- $(MAKE) install_manpages DESTDIR=${DESTDIR}
-+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- ifndef VERBOSE
- .SILENT: clean
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
deleted file mode 100644
index 2a56d8b..0000000
--- a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:37:55 +0200
-Subject: [PATCH] libapparmor: add missing include for `socklen_t`
-
-While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
-include the `<sys/socket.h>` header to make its declaration available.
-While this works on systems using glibc via transitive includes, it
-breaks compilation on musl libc.
-
-Fix the issue by including the header.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/include/sys/apparmor.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
-index 32892d06..d70eff94 100644
---- a/libraries/libapparmor/include/sys/apparmor.h
-+++ b/libraries/libapparmor/include/sys/apparmor.h
-@@ -21,6 +21,7 @@
- #include <stdbool.h>
- #include <stdint.h>
- #include <unistd.h>
-+#include <sys/socket.h>
- #include <sys/types.h>
-
- #ifdef __cplusplus
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
deleted file mode 100644
index 9f7ad3c..0000000
--- a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster@mvista.com>
-Date: Wed, 7 Oct 2020 20:50:38 -0700
-Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
-
-In cross build environments, using the hosts cpp gives incorrect
-detection of reallocarray. Change cpp to a variable.
-
-fixes:
-parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
-| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
-| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-
----
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index acef3d77..8250ac45 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -54,7 +54,7 @@ endif
- CPPFLAGS += -D_GNU_SOURCE
-
- STDLIB_INCLUDE:="\#include <stdlib.h>"
--HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
-+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
-
- WARNINGS = -Wall
- CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
deleted file mode 100644
index 333f40f..0000000
--- a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:58:45 +0200
-Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
- symbols
-
-With AppArmor release 3.0, a new function `aa_features_new_from_file`
-was added, but not added to the list of public symbols. As a result,
-it's not possible to make use of this function when linking against
-libapparmor.so.
-
-Fix the issue by adding it to the symbol map.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index bbff51f5..1579509a 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
-
- APPARMOR_3.0 {
- global:
-+ aa_features_new_from_file;
- aa_features_write_to_fd;
- aa_features_value;
- local:
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
deleted file mode 100644
index 543c7a1..0000000
--- a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 21:04:57 +0200
-Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
-
-While `_aa_asprintf` is supposed to be of private visibility, it's used
-by apparmor_parser and thus required to be visible when linking. This
-commit thus adds it to the list of private symbols to make it available
-for linking in apparmor_parser.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index 1579509a..41e541ac 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -127,6 +127,7 @@ APPARMOR_3.0 {
- PRIVATE {
- global:
- _aa_is_blacklisted;
-+ _aa_asprintf;
- _aa_autofree;
- _aa_autoclose;
- _aa_autofclose;
---
-2.17.1
-
diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bdd..0000000
--- a/recipes-mac/AppArmor/files/disable_pdf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: apparmor-2.10.95/parser/Makefile
-===================================================================
---- apparmor-2.10.95.orig/parser/Makefile
-+++ apparmor-2.10.95/parser/Makefile
-@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
- po/${NAME}.pot: ${SRCS} ${HDRS}
- $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
-
--techdoc.pdf: techdoc.tex
-- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
-- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
-- grep -q "Label(s) may have changed" techdoc.log; \
-- do :; done
--
--techdoc/index.html: techdoc.pdf
-- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
--
--techdoc.txt: techdoc/index.html
-- w3m -dump $< > $@
-
- # targets arranged this way so that people who don't want full docs can
- # pick specific targets they want.
-@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
-
- htmlmanpages: $(HTMLMANPAGES)
-
--pdf: techdoc.pdf
--
--docs: manpages htmlmanpages pdf
-+docs: manpages htmlmanpages
-
- indep: docs
- $(Q)$(MAKE) -C po all
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [meta-security][PATCH 2/2] apparmor: use its own initscript and service files
2021-06-23 9:15 [meta-security][PATCH 1/2] apparmor: upgrade 3.0 -> 3.0.1 Yi Zhao
@ 2021-06-23 9:15 ` Yi Zhao
[not found] ` <168B2B5232A141EF.5306@lists.yoctoproject.org>
1 sibling, 0 replies; 4+ messages in thread
From: Yi Zhao @ 2021-06-23 9:15 UTC (permalink / raw)
To: yocto
Use initscript and service files provided by apparmor.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
recipes-mac/AppArmor/apparmor_3.0.1.bb | 33 +--
...x-hardcoded-installation-directories.patch | 51 ++++
...pparmor.debian-add-missing-functions.patch | 57 ++++
recipes-mac/AppArmor/files/apparmor | 226 ---------------
recipes-mac/AppArmor/files/apparmor.rc | 98 -------
recipes-mac/AppArmor/files/apparmor.service | 22 --
recipes-mac/AppArmor/files/functions | 271 ------------------
7 files changed, 118 insertions(+), 640 deletions(-)
create mode 100644 recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
create mode 100644 recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
delete mode 100644 recipes-mac/AppArmor/files/apparmor
delete mode 100644 recipes-mac/AppArmor/files/apparmor.rc
delete mode 100644 recipes-mac/AppArmor/files/apparmor.service
delete mode 100644 recipes-mac/AppArmor/files/functions
diff --git a/recipes-mac/AppArmor/apparmor_3.0.1.bb b/recipes-mac/AppArmor/apparmor_3.0.1.bb
index 6377683..ff5b39b 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.1.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -15,15 +15,13 @@ DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
SRC_URI = " \
git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+ file://run-ptest \
file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
+ file://0001-Makefile-fix-hardcoded-installation-directories.patch \
+ file://0001-rc.apparmor.debian-add-missing-functions.patch \
"
SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
@@ -79,8 +77,6 @@ do_compile () {
}
do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
@@ -96,16 +92,16 @@ do_install () {
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
- install -d ${D}/lib/security
oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
fi
- install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
+ if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
}
@@ -152,15 +148,6 @@ do_install_ptest_arm() {
:
}
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
- mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "apparmor"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
@@ -171,9 +158,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
PACKAGES += "mod-${PN}"
-FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
+FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-FILES_${PN}-dbg += "/lib/security/"
+FILES_${PN}-dbg += "${base_libdir}/security/.debug"
DEPENDS_append_libc-musl = " fts "
RDEPENDS_${PN}_libc-musl += "musl-utils"
diff --git a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
new file mode 100644
index 0000000..f10acb1
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
@@ -0,0 +1,51 @@
+From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 21 Jun 2021 14:18:30 +0800
+Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
+
+Update the installation directories to fix the do_install error for
+multilib and usrmerge.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ changehat/pam_apparmor/Makefile | 2 +-
+ parser/Makefile | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
+index f6ece2d1..0143ae9f 100644
+--- a/changehat/pam_apparmor/Makefile
++++ b/changehat/pam_apparmor/Makefile
+@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
+
+ # need some better way of determining this
+ DESTDIR=/
+-SECDIR ?= ${DESTDIR}/lib/security
++SECDIR ?= ${DESTDIR}/${base_libdir}/security
+
+ .PHONY: install
+ install: $(NAME).so
+diff --git a/parser/Makefile b/parser/Makefile
+index 8250ac45..cf18bc11 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -23,10 +23,10 @@ COMMONDIR=../common/
+ include $(COMMONDIR)/Make.rules
+
+ DESTDIR=/
+-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+-SBINDIR=${DESTDIR}/sbin
+-USR_SBINDIR=${DESTDIR}/usr/sbin
+-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
++SBINDIR=${DESTDIR}/${base_sbindir}
++USR_SBINDIR=${DESTDIR}/${sbindir}
++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
+ CONFDIR=/etc/apparmor
+ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+--
+2.17.1
+
diff --git a/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
new file mode 100644
index 0000000..53bdde8
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
@@ -0,0 +1,57 @@
+From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 21 Jun 2021 16:53:39 +0800
+Subject: [PATCH] rc.apparmor.debian: add missing functions
+
+Add missing functions:
+ aa_log_action_start
+ aa_log_action_end
+ aa_log_daemon_msg
+ aa_log_end_msg
+
+Fixes:
+$ /etc/init.d/apparmor start
+/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
+/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ parser/rc.apparmor.debian | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
+index 8efd4400..f35124e8 100644
+--- a/parser/rc.apparmor.debian
++++ b/parser/rc.apparmor.debian
+@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
+ echo ": Skipped."
+ }
+
++aa_log_action_start()
++{
++ echo "$@"
++}
++
++aa_log_action_end()
++{
++ printf ""
++}
++
++aa_log_daemon_msg()
++{
++ echo "$@"
++}
++
++aa_log_end_msg()
++{
++ printf ""
++}
++
+ usage() {
+ echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
+ }
+--
+2.17.1
+
diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor
deleted file mode 100644
index 604e48d..0000000
--- a/recipes-mac/AppArmor/files/apparmor
+++ /dev/null
@@ -1,226 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008, 2009 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Steve Beattie <steve.beattie@canonical.com>
-# Kees Cook <kees@ubuntu.com>
-#
-# /etc/init.d/apparmor
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start: $local_fs
-# Required-Stop: umountfs
-# Default-Start: S
-# Default-Stop:
-# Short-Description: AppArmor initialization
-# Description: AppArmor init script. This script loads all AppArmor profiles.
-### END INIT INFO
-
-log_daemon_msg() {
- echo $*
-}
-
-log_end_msg () {
- retval=$1
- if [ $retval -eq 0 ]; then
- echo "."
- else
- echo " failed!"
- fi
- return $retval
-}
-
-. /lib/apparmor/functions
-
-usage() {
- echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
-}
-
-test -x ${PARSER} || exit 0 # by debian policy
-# LSM is built-in, so it is either there or not enabled for this boot
-test -d /sys/module/apparmor || exit 0
-
-securityfs() {
- # Need securityfs for any mode
- if [ ! -d "${AA_SFS}" ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_daemon_msg "AppArmor not available as kernel LSM."
- log_end_msg 1
- exit 1
- else
- log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
- if ! mount -t securityfs none "${SECURITYFS}"; then
- log_end_msg 1
- exit 1
- fi
- fi
- fi
- if [ ! -w "$AA_SFS"/.load ]; then
- log_daemon_msg "Insufficient privileges to change profiles."
- log_end_msg 1
- exit 1
- fi
-}
-
-handle_system_policy_package_updates() {
- apparmor_was_updated=0
-
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-}
-
-# Allow "recache" even when running on the liveCD
-if [ "$1" = "recache" ]; then
- log_daemon_msg "Recaching AppArmor profiles"
- recache_profiles
- rc=$?
- log_end_msg "$rc"
- exit $rc
-fi
-
-# do not perform start/stop/reload actions when running from liveCD
-test -d /rofs/etc/apparmor.d && exit 0
-
-rc=255
-case "$1" in
- start)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not starting AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Starting AppArmor profiles"
- securityfs
- # That is only useful for click, snappy and system images,
- # i.e. not in Debian. And it reads and writes to /var, that
- # can be remote-mounted, so it would prevent us from using
- # Before=sysinit.target without possibly introducing dependency
- # loops.
- handle_system_policy_package_updates
- load_configured_profiles
- rc=$?
- log_end_msg "$rc"
- ;;
- stop)
- log_daemon_msg "Clearing AppArmor profiles cache"
- clear_cache
- rc=$?
- log_end_msg "$rc"
- cat >&2 <<EOM
-All profile caches have been cleared, but no profiles have been unloaded.
-Unloading profiles will leave already running processes permanently
-unconfined, which can lead to unexpected situations.
-
-To set a process to complain mode, use the command line tool
-'aa-complain'. To really tear down all profiles, run the init script
-with the 'teardown' option."
-EOM
- ;;
- teardown)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not tearing down AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Unloading AppArmor profiles"
- securityfs
- running_profile_names | while read profile; do
- if ! unload_profile "$profile" ; then
- log_end_msg 1
- exit 1
- fi
- done
- rc=0
- log_end_msg $rc
- ;;
- restart|reload|force-reload)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not reloading AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Reloading AppArmor profiles"
- securityfs
- clear_cache
- load_configured_profiles
- rc=$?
- unload_obsolete_profiles
-
- log_end_msg "$rc"
- ;;
- status)
- securityfs
- if [ -x /usr/sbin/aa-status ]; then
- aa-status --verbose
- else
- cat "$AA_SFS"/profiles
- fi
- rc=$?
- ;;
- *)
- usage
- rc=1
- ;;
- esac
-exit $rc
diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc
deleted file mode 100644
index 1507d7b..0000000
--- a/recipes-mac/AppArmor/files/apparmor.rc
+++ /dev/null
@@ -1,98 +0,0 @@
-description "Pre-cache and pre-load apparmor profiles"
-author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
-
-task
-
-start on starting rc-sysinit
-
-script
- [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
- [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
- [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
-
- . /lib/apparmor/functions
-
- systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
-
- # Need securityfs for any mode
- if [ ! -d /sys/kernel/security/apparmor ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
- exit 0
- else
- mount -t securityfs none /sys/kernel/security || exit 0
- fi
- fi
-
- [ -w /sys/kernel/security/apparmor/.load ] || exit 0
-
- apparmor_was_updated=0
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-
- if [ "$ACTION" = "teardown" ]; then
- running_profile_names | while read profile; do
- unload_profile "$profile"
- done
- exit 0
- fi
-
- if [ "$ACTION" = "clear" ]; then
- clear_cache
- exit 0
- fi
-
- if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
- clear_cache
- load_configured_profiles
- unload_obsolete_profiles
- exit 0
- fi
-
- # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
- # aa-clickhook will have already compiled the policy, generated the cache
- # files and loaded them into the kernel by this point, so reloading click
- # policy from cache, while fairly fast (<2 seconds for 250 profiles on
- # armhf), is redundant. Fixing this would complicate the logic quite a bit
- # and it wouldn't improve the (by far) common case (ie, when
- # 'aa-clickhook -f' is not run).
- load_configured_profiles
-end script
diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service
deleted file mode 100644
index e66afe4..0000000
--- a/recipes-mac/AppArmor/files/apparmor.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=AppArmor initialization
-After=local-fs.target
-Before=sysinit.target
-AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
-ConditionSecurity=apparmor
-DefaultDependencies=no
-Documentation=man:apparmor(7)
-Documentation=http://wiki.apparmor.net/
-
-# Don't start this unit on the Ubuntu Live CD
-ConditionPathExists=!/rofs/etc/apparmor.d
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/etc/init.d/apparmor start
-ExecStop=/etc/init.d/apparmor stop
-ExecReload=/etc/init.d/apparmor reload
-
-[Install]
-WantedBy=sysinit.target
diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions
deleted file mode 100644
index e9e2bbf..0000000
--- a/recipes-mac/AppArmor/files/functions
+++ /dev/null
@@ -1,271 +0,0 @@
-# /lib/apparmor/functions for Debian -*- shell-script -*-
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008-2010 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Kees Cook <kees@ubuntu.com>
-
-PROFILES="/etc/apparmor.d"
-PROFILES_CACHE="$PROFILES/cache"
-PROFILES_VAR="/var/lib/apparmor/profiles"
-PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
-PROFILES_CACHE_VAR="/var/cache/apparmor"
-PARSER="/sbin/apparmor_parser"
-SECURITYFS="/sys/kernel/security"
-export AA_SFS="$SECURITYFS/apparmor"
-
-# Suppress warnings when booting in quiet mode
-quiet_arg=""
-[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
-[ "${quiet:-n}" = y ] && quiet_arg="-q"
-
-foreach_configured_profile() {
- rc_all="0"
- for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
- if [ ! -d "$pdir" ]; then
- continue
- fi
- num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
- if [ "$num" = "0" ]; then
- continue
- fi
-
- cache_dir="$PROFILES_CACHE"
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_dir="$PROFILES_CACHE_VAR"
- fi
- cache_args="--cache-loc=$cache_dir"
- if [ ! -d "$cache_dir" ]; then
- cache_args=
- fi
-
- # LP: #1383858 - expr tree simplification is too slow for
- # Touch policy on ARM, so disable it for now
- cache_extra_args=
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_extra_args="-O no-expr-simplify"
- fi
-
- # If need to compile everything, then use -n1 with xargs to
- # take advantage of -P. When cache files are in use, omit -n1
- # since it is considerably faster on moderately sized profile
- # sets to give the parser all the profiles to load at once
- n1_args=
- num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
- if [ "$num" = "0" ]; then
- n1_args="-n1"
- fi
-
- (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- # FIXME: when the parser properly handles broken
- # profiles (LP: #1377338), remove this if statement.
- # For now, if the xargs returns with error, just run
- # through everything with -n1. (This could be broken
- # out and refactored, but this is temporary so make it
- # easy to understand and revert)
- if [ "$rc_all" != "0" ]; then
- (ls -1 "$pdir" | \
- egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- }
- fi
- }
- done
- return $rc_all
-}
-
-load_configured_profiles() {
- clear_cache_if_outdated
- foreach_configured_profile $quiet_arg --write-cache --replace
-}
-
-load_configured_profiles_without_caching() {
- foreach_configured_profile $quiet_arg --replace
-}
-
-recache_profiles() {
- clear_cache
- foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
-}
-
-configured_profile_names() {
- foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
-}
-
-running_profile_names() {
- # Output a sorted list of loaded profiles, skipping libvirt's
- # dynamically generated files
- cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
-}
-
-unload_profile() {
- echo -n "$1" > "$AA_SFS"/.remove
-}
-
-clear_cache() {
- clear_cache_system
- clear_cache_var
-}
-
-clear_cache_system() {
- find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-clear_cache_var() {
- find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-read_features_dir()
-{
- for f in `ls -A "$1"` ; do
- if [ -f "$1/$f" ] ; then
- read -r KF < "$1/$f" || true
- echo -n "$f {$KF } "
- elif [ -d "$1/$f" ] ; then
- echo -n "$f {"
- KF=`read_features_dir "$1/$f"` || true
- echo -n "$KF} "
- fi
- done
-}
-
-clear_cache_if_outdated() {
- if [ -r "$PROFILES_CACHE"/.features ]; then
- if [ -d "$AA_SFS"/features ]; then
- KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
- else
- read -r KERN_FEATURES < "$AA_SFS"/features
- fi
- CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
- if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
- clear_cache
- fi
- fi
-}
-
-unload_obsolete_profiles() {
- # Currently we must re-parse all the profiles to get policy names. :(
- aa_configured=$(mktemp -t aa-XXXXXX)
- configured_profile_names > "$aa_configured" || true
- aa_loaded=$(mktemp -t aa-XXXXXX)
- running_profile_names > "$aa_loaded" || true
- LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
- unload_profile "$profile"
- done
- rm -f "$aa_configured" "$aa_loaded"
-}
-
-# If the system debsum differs from the saved debsum, the new system debsum is
-# saved and non-zero is returned. Returns 0 if the two debsums matched or if
-# the system debsum file does not exist. This can be removed when system image
-# flavors all move to snappy.
-compare_and_save_debsums() {
- pkg="$1"
-
- if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
- sums="/var/lib/dpkg/info/${pkg}.md5sums"
- # store saved md5sums in /var/lib/apparmor/profiles since
- # /var/cache/apparmor might be cleared by apparmor
- saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
-
- if [ -f "$sums" ] && \
- ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
- cp -f "$sums" "$saved_sums"
- return 1
- fi
- fi
-
- return 0
-}
-
-compare_previous_version() {
- installed="/usr/share/snappy/security-policy-version"
- previous="/var/lib/snappy/security-policy-version"
-
- # When just $previous doesn't exist, assume this is a new system with
- # no cache and don't do anything special.
- if [ -f "$installed" ] && [ -f "$previous" ]; then
- pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
- iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
- if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
- # snappy updates $previous elsewhere, so just return
- return 1
- fi
- fi
-
- return 0
-}
-
-# Checks to see if the current container is capable of having internal AppArmor
-# profiles that should be loaded. Callers of this function should have already
-# verified that they're running inside of a container environment with
-# something like `systemd-detect-virt --container`.
-#
-# The only known container environments capable of supporting internal policy
-# are LXD and LXC environment.
-#
-# Returns 0 if the container environment is capable of having its own internal
-# policy and non-zero otherwise.
-#
-# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
-# system container technology being nested inside of a LXD/LXC container that
-# utilized an AppArmor namespace and profile stacking. The reason 0 will be
-# returned is because .ns_stacked will be "yes" and .ns_name will still match
-# "lx[dc]-*" since the nested system container technology will not have set up
-# a new AppArmor profile namespace. This will result in the nested system
-# container's boot process to experience failed policy loads but the boot
-# process should continue without any loss of functionality. This is an
-# unsupported configuration that cannot be properly handled by this function.
-is_container_with_internal_policy() {
- local ns_stacked_path="${AA_SFS}/.ns_stacked"
- local ns_name_path="${AA_SFS}/.ns_name"
- local ns_stacked
- local ns_name
-
- if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
- return 1
- fi
-
- read -r ns_stacked < "$ns_stacked_path"
- if [ "$ns_stacked" != "yes" ]; then
- return 1
- fi
-
- # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
- # "lxc-", respectively. Return non-zero for all other namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ]; then
- return 1
- fi
-
- return 0
-}
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [yocto] [meta-security][PATCH 2/2] apparmor: use its own initscript and service files
[not found] ` <168B2B5232A141EF.5306@lists.yoctoproject.org>
@ 2021-07-06 9:03 ` Yi Zhao
2021-07-10 18:15 ` Armin Kuster
0 siblings, 1 reply; 4+ messages in thread
From: Yi Zhao @ 2021-07-06 9:03 UTC (permalink / raw)
To: yocto, akuster808@gmail.com >> Armin Kuster
[-- Attachment #1: Type: text/plain, Size: 31786 bytes --]
Ping ...
On 6/23/21 5:15 PM, Yi Zhao wrote:
> Use initscript and service files provided by apparmor.
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> recipes-mac/AppArmor/apparmor_3.0.1.bb | 33 +--
> ...x-hardcoded-installation-directories.patch | 51 ++++
> ...pparmor.debian-add-missing-functions.patch | 57 ++++
> recipes-mac/AppArmor/files/apparmor | 226 ---------------
> recipes-mac/AppArmor/files/apparmor.rc | 98 -------
> recipes-mac/AppArmor/files/apparmor.service | 22 --
> recipes-mac/AppArmor/files/functions | 271 ------------------
> 7 files changed, 118 insertions(+), 640 deletions(-)
> create mode 100644 recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
> create mode 100644 recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
> delete mode 100644 recipes-mac/AppArmor/files/apparmor
> delete mode 100644 recipes-mac/AppArmor/files/apparmor.rc
> delete mode 100644 recipes-mac/AppArmor/files/apparmor.service
> delete mode 100644 recipes-mac/AppArmor/files/functions
>
> diff --git a/recipes-mac/AppArmor/apparmor_3.0.1.bb b/recipes-mac/AppArmor/apparmor_3.0.1.bb
> index 6377683..ff5b39b 100644
> --- a/recipes-mac/AppArmor/apparmor_3.0.1.bb
> +++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
> @@ -15,15 +15,13 @@ DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
>
> SRC_URI = " \
> git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
> + file://run-ptest \
> file://disable_perl_h_check.patch \
> file://crosscompile_perl_bindings.patch \
> - file://apparmor.rc \
> - file://functions \
> - file://apparmor \
> - file://apparmor.service \
> file://0001-Makefile.am-suppress-perllocal.pod.patch \
> - file://run-ptest \
> file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
> + file://0001-Makefile-fix-hardcoded-installation-directories.patch \
> + file://0001-rc.apparmor.debian-add-missing-functions.patch \
> "
>
> SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
> @@ -79,8 +77,6 @@ do_compile () {
> }
>
> do_install () {
> - install -d ${D}/${INIT_D_DIR}
> - install -d ${D}/lib/apparmor
> oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
> oe_runmake -C ${B}/binutils DESTDIR="${D}" install
> oe_runmake -C ${B}/utils DESTDIR="${D}" install
> @@ -96,16 +92,16 @@ do_install () {
> fi
>
> if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
> - install -d ${D}/lib/security
> oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
> fi
>
> - install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
> - install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
> + if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
> + install -d ${D}${sysconfdir}/init.d
> + install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
> + fi
>
> if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
> - install -d ${D}${systemd_system_unitdir}
> - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
> + oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
> fi
> }
>
> @@ -152,15 +148,6 @@ do_install_ptest_arm() {
> :
> }
>
> -pkg_postinst_ontarget_${PN} () {
> -if [ ! -d /etc/apparmor.d/cache ] ; then
> - mkdir /etc/apparmor.d/cache
> -fi
> -}
> -
> -# We need the init script so don't rm it
> -RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
> -
> INITSCRIPT_PACKAGES = "${PN}"
> INITSCRIPT_NAME = "apparmor"
> INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
> @@ -171,9 +158,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
>
> PACKAGES += "mod-${PN}"
>
> -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
> +FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
> FILES_mod-${PN} = "${libdir}/apache2/modules/*"
> -FILES_${PN}-dbg += "/lib/security/"
> +FILES_${PN}-dbg += "${base_libdir}/security/.debug"
>
> DEPENDS_append_libc-musl = " fts "
> RDEPENDS_${PN}_libc-musl += "musl-utils"
> diff --git a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
> new file mode 100644
> index 0000000..f10acb1
> --- /dev/null
> +++ b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
> @@ -0,0 +1,51 @@
> +From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
> +From: Yi Zhao <yi.zhao@windriver.com>
> +Date: Mon, 21 Jun 2021 14:18:30 +0800
> +Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
> +
> +Update the installation directories to fix the do_install error for
> +multilib and usrmerge.
> +
> +Upstream-Status: Inappropriate [configuration]
> +
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> +---
> + changehat/pam_apparmor/Makefile | 2 +-
> + parser/Makefile | 8 ++++----
> + 2 files changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
> +index f6ece2d1..0143ae9f 100644
> +--- a/changehat/pam_apparmor/Makefile
> ++++ b/changehat/pam_apparmor/Makefile
> +@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
> +
> + # need some better way of determining this
> + DESTDIR=/
> +-SECDIR ?= ${DESTDIR}/lib/security
> ++SECDIR ?= ${DESTDIR}/${base_libdir}/security
> +
> + .PHONY: install
> + install: $(NAME).so
> +diff --git a/parser/Makefile b/parser/Makefile
> +index 8250ac45..cf18bc11 100644
> +--- a/parser/Makefile
> ++++ b/parser/Makefile
> +@@ -23,10 +23,10 @@ COMMONDIR=../common/
> + include $(COMMONDIR)/Make.rules
> +
> + DESTDIR=/
> +-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
> +-SBINDIR=${DESTDIR}/sbin
> +-USR_SBINDIR=${DESTDIR}/usr/sbin
> +-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
> ++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
> ++SBINDIR=${DESTDIR}/${base_sbindir}
> ++USR_SBINDIR=${DESTDIR}/${sbindir}
> ++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
> + CONFDIR=/etc/apparmor
> + INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
> + LOCALEDIR=/usr/share/locale
> +--
> +2.17.1
> +
> diff --git a/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
> new file mode 100644
> index 0000000..53bdde8
> --- /dev/null
> +++ b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
> @@ -0,0 +1,57 @@
> +From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
> +From: Yi Zhao <yi.zhao@windriver.com>
> +Date: Mon, 21 Jun 2021 16:53:39 +0800
> +Subject: [PATCH] rc.apparmor.debian: add missing functions
> +
> +Add missing functions:
> + aa_log_action_start
> + aa_log_action_end
> + aa_log_daemon_msg
> + aa_log_end_msg
> +
> +Fixes:
> +$ /etc/init.d/apparmor start
> +/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
> +/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> +---
> + parser/rc.apparmor.debian | 20 ++++++++++++++++++++
> + 1 file changed, 20 insertions(+)
> +
> +diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
> +index 8efd4400..f35124e8 100644
> +--- a/parser/rc.apparmor.debian
> ++++ b/parser/rc.apparmor.debian
> +@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
> + echo ": Skipped."
> + }
> +
> ++aa_log_action_start()
> ++{
> ++ echo "$@"
> ++}
> ++
> ++aa_log_action_end()
> ++{
> ++ printf ""
> ++}
> ++
> ++aa_log_daemon_msg()
> ++{
> ++ echo "$@"
> ++}
> ++
> ++aa_log_end_msg()
> ++{
> ++ printf ""
> ++}
> ++
> + usage() {
> + echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
> + }
> +--
> +2.17.1
> +
> diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor
> deleted file mode 100644
> index 604e48d..0000000
> --- a/recipes-mac/AppArmor/files/apparmor
> +++ /dev/null
> @@ -1,226 +0,0 @@
> -#!/bin/sh
> -# ----------------------------------------------------------------------
> -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
> -# NOVELL (All rights reserved)
> -# Copyright (c) 2008, 2009 Canonical, Ltd.
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of version 2 of the GNU General Public
> -# License published by the Free Software Foundation.
> -#
> -# This program is distributed in the hope that it will be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program; if not, contact Novell, Inc.
> -# ----------------------------------------------------------------------
> -# Authors:
> -# Steve Beattie <steve.beattie@canonical.com>
> -# Kees Cook <kees@ubuntu.com>
> -#
> -# /etc/init.d/apparmor
> -#
> -### BEGIN INIT INFO
> -# Provides: apparmor
> -# Required-Start: $local_fs
> -# Required-Stop: umountfs
> -# Default-Start: S
> -# Default-Stop:
> -# Short-Description: AppArmor initialization
> -# Description: AppArmor init script. This script loads all AppArmor profiles.
> -### END INIT INFO
> -
> -log_daemon_msg() {
> - echo $*
> -}
> -
> -log_end_msg () {
> - retval=$1
> - if [ $retval -eq 0 ]; then
> - echo "."
> - else
> - echo " failed!"
> - fi
> - return $retval
> -}
> -
> -. /lib/apparmor/functions
> -
> -usage() {
> - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
> -}
> -
> -test -x ${PARSER} || exit 0 # by debian policy
> -# LSM is built-in, so it is either there or not enabled for this boot
> -test -d /sys/module/apparmor || exit 0
> -
> -securityfs() {
> - # Need securityfs for any mode
> - if [ ! -d "${AA_SFS}" ]; then
> - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
> - log_daemon_msg "AppArmor not available as kernel LSM."
> - log_end_msg 1
> - exit 1
> - else
> - log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
> - if ! mount -t securityfs none "${SECURITYFS}"; then
> - log_end_msg 1
> - exit 1
> - fi
> - fi
> - fi
> - if [ ! -w "$AA_SFS"/.load ]; then
> - log_daemon_msg "Insufficient privileges to change profiles."
> - log_end_msg 1
> - exit 1
> - fi
> -}
> -
> -handle_system_policy_package_updates() {
> - apparmor_was_updated=0
> -
> - if ! compare_previous_version ; then
> - # On snappy flavors, if the current and previous versions are
> - # different then clear the system cache. snappy will handle
> - # "$PROFILES_CACHE_VAR" itself (on Touch flavors
> - # compare_previous_version always returns '0' since snappy
> - # isn't available).
> - clear_cache_system
> - apparmor_was_updated=1
> - elif ! compare_and_save_debsums apparmor ; then
> - # If the system policy has been updated since the last time we
> - # ran, clear the cache to prevent potentially stale binary
> - # cache files after an Ubuntu image based upgrade (LP:
> - # #1350673). This can be removed once all system image flavors
> - # move to snappy (on snappy systems compare_and_save_debsums
> - # always returns '0' since /var/lib/dpkg doesn't exist).
> - clear_cache
> - apparmor_was_updated=1
> - fi
> -
> - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
> - # If packages for system policy that affect click packages have
> - # been updated since the last time we ran, run aa-clickhook -f
> - force_clickhook=0
> - force_profile_hook=0
> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
> - force_clickhook=1
> - fi
> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
> - force_clickhook=1
> - fi
> - if ! compare_and_save_debsums click-apparmor ; then
> - force_clickhook=1
> - force_profile_hook=1
> - fi
> - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
> - aa-clickhook -f
> - fi
> - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
> - aa-profile-hook -f
> - fi
> - fi
> -}
> -
> -# Allow "recache" even when running on the liveCD
> -if [ "$1" = "recache" ]; then
> - log_daemon_msg "Recaching AppArmor profiles"
> - recache_profiles
> - rc=$?
> - log_end_msg "$rc"
> - exit $rc
> -fi
> -
> -# do not perform start/stop/reload actions when running from liveCD
> -test -d /rofs/etc/apparmor.d && exit 0
> -
> -rc=255
> -case "$1" in
> - start)
> - if test -x /sbin/systemd-detect-virt && \
> - systemd-detect-virt --quiet --container && \
> - ! is_container_with_internal_policy; then
> - log_daemon_msg "Not starting AppArmor in container"
> - log_end_msg 0
> - exit 0
> - fi
> - log_daemon_msg "Starting AppArmor profiles"
> - securityfs
> - # That is only useful for click, snappy and system images,
> - # i.e. not in Debian. And it reads and writes to /var, that
> - # can be remote-mounted, so it would prevent us from using
> - # Before=sysinit.target without possibly introducing dependency
> - # loops.
> - handle_system_policy_package_updates
> - load_configured_profiles
> - rc=$?
> - log_end_msg "$rc"
> - ;;
> - stop)
> - log_daemon_msg "Clearing AppArmor profiles cache"
> - clear_cache
> - rc=$?
> - log_end_msg "$rc"
> - cat >&2 <<EOM
> -All profile caches have been cleared, but no profiles have been unloaded.
> -Unloading profiles will leave already running processes permanently
> -unconfined, which can lead to unexpected situations.
> -
> -To set a process to complain mode, use the command line tool
> -'aa-complain'. To really tear down all profiles, run the init script
> -with the 'teardown' option."
> -EOM
> - ;;
> - teardown)
> - if test -x /sbin/systemd-detect-virt && \
> - systemd-detect-virt --quiet --container && \
> - ! is_container_with_internal_policy; then
> - log_daemon_msg "Not tearing down AppArmor in container"
> - log_end_msg 0
> - exit 0
> - fi
> - log_daemon_msg "Unloading AppArmor profiles"
> - securityfs
> - running_profile_names | while read profile; do
> - if ! unload_profile "$profile" ; then
> - log_end_msg 1
> - exit 1
> - fi
> - done
> - rc=0
> - log_end_msg $rc
> - ;;
> - restart|reload|force-reload)
> - if test -x /sbin/systemd-detect-virt && \
> - systemd-detect-virt --quiet --container && \
> - ! is_container_with_internal_policy; then
> - log_daemon_msg "Not reloading AppArmor in container"
> - log_end_msg 0
> - exit 0
> - fi
> - log_daemon_msg "Reloading AppArmor profiles"
> - securityfs
> - clear_cache
> - load_configured_profiles
> - rc=$?
> - unload_obsolete_profiles
> -
> - log_end_msg "$rc"
> - ;;
> - status)
> - securityfs
> - if [ -x /usr/sbin/aa-status ]; then
> - aa-status --verbose
> - else
> - cat "$AA_SFS"/profiles
> - fi
> - rc=$?
> - ;;
> - *)
> - usage
> - rc=1
> - ;;
> - esac
> -exit $rc
> diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc
> deleted file mode 100644
> index 1507d7b..0000000
> --- a/recipes-mac/AppArmor/files/apparmor.rc
> +++ /dev/null
> @@ -1,98 +0,0 @@
> -description "Pre-cache and pre-load apparmor profiles"
> -author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
> -
> -task
> -
> -start on starting rc-sysinit
> -
> -script
> - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
> - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
> - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
> -
> - . /lib/apparmor/functions
> -
> - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
> -
> - # Need securityfs for any mode
> - if [ ! -d /sys/kernel/security/apparmor ]; then
> - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
> - exit 0
> - else
> - mount -t securityfs none /sys/kernel/security || exit 0
> - fi
> - fi
> -
> - [ -w /sys/kernel/security/apparmor/.load ] || exit 0
> -
> - apparmor_was_updated=0
> - if ! compare_previous_version ; then
> - # On snappy flavors, if the current and previous versions are
> - # different then clear the system cache. snappy will handle
> - # "$PROFILES_CACHE_VAR" itself (on Touch flavors
> - # compare_previous_version always returns '0' since snappy
> - # isn't available).
> - clear_cache_system
> - apparmor_was_updated=1
> - elif ! compare_and_save_debsums apparmor ; then
> - # If the system policy has been updated since the last time we
> - # ran, clear the cache to prevent potentially stale binary
> - # cache files after an Ubuntu image based upgrade (LP:
> - # #1350673). This can be removed once all system image flavors
> - # move to snappy (on snappy systems compare_and_save_debsums
> - # always returns '0' since /var/lib/dpkg doesn't exist).
> - clear_cache
> - apparmor_was_updated=1
> - fi
> -
> - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
> - # If packages for system policy that affect click packages have
> - # been updated since the last time we ran, run aa-clickhook -f
> - force_clickhook=0
> - force_profile_hook=0
> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
> - force_clickhook=1
> - fi
> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
> - force_clickhook=1
> - fi
> - if ! compare_and_save_debsums click-apparmor ; then
> - force_clickhook=1
> - force_profile_hook=1
> - fi
> - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
> - aa-clickhook -f
> - fi
> - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
> - aa-profile-hook -f
> - fi
> - fi
> -
> - if [ "$ACTION" = "teardown" ]; then
> - running_profile_names | while read profile; do
> - unload_profile "$profile"
> - done
> - exit 0
> - fi
> -
> - if [ "$ACTION" = "clear" ]; then
> - clear_cache
> - exit 0
> - fi
> -
> - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
> - clear_cache
> - load_configured_profiles
> - unload_obsolete_profiles
> - exit 0
> - fi
> -
> - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
> - # aa-clickhook will have already compiled the policy, generated the cache
> - # files and loaded them into the kernel by this point, so reloading click
> - # policy from cache, while fairly fast (<2 seconds for 250 profiles on
> - # armhf), is redundant. Fixing this would complicate the logic quite a bit
> - # and it wouldn't improve the (by far) common case (ie, when
> - # 'aa-clickhook -f' is not run).
> - load_configured_profiles
> -end script
> diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service
> deleted file mode 100644
> index e66afe4..0000000
> --- a/recipes-mac/AppArmor/files/apparmor.service
> +++ /dev/null
> @@ -1,22 +0,0 @@
> -[Unit]
> -Description=AppArmor initialization
> -After=local-fs.target
> -Before=sysinit.target
> -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
> -ConditionSecurity=apparmor
> -DefaultDependencies=no
> -Documentation=man:apparmor(7)
> -Documentation=http://wiki.apparmor.net/
> -
> -# Don't start this unit on the Ubuntu Live CD
> -ConditionPathExists=!/rofs/etc/apparmor.d
> -
> -[Service]
> -Type=oneshot
> -RemainAfterExit=yes
> -ExecStart=/etc/init.d/apparmor start
> -ExecStop=/etc/init.d/apparmor stop
> -ExecReload=/etc/init.d/apparmor reload
> -
> -[Install]
> -WantedBy=sysinit.target
> diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions
> deleted file mode 100644
> index e9e2bbf..0000000
> --- a/recipes-mac/AppArmor/files/functions
> +++ /dev/null
> @@ -1,271 +0,0 @@
> -# /lib/apparmor/functions for Debian -*- shell-script -*-
> -# ----------------------------------------------------------------------
> -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
> -# NOVELL (All rights reserved)
> -# Copyright (c) 2008-2010 Canonical, Ltd.
> -#
> -# This program is free software; you can redistribute it and/or
> -# modify it under the terms of version 2 of the GNU General Public
> -# License published by the Free Software Foundation.
> -#
> -# This program is distributed in the hope that it will be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program; if not, contact Novell, Inc.
> -# ----------------------------------------------------------------------
> -# Authors:
> -# Kees Cook <kees@ubuntu.com>
> -
> -PROFILES="/etc/apparmor.d"
> -PROFILES_CACHE="$PROFILES/cache"
> -PROFILES_VAR="/var/lib/apparmor/profiles"
> -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
> -PROFILES_CACHE_VAR="/var/cache/apparmor"
> -PARSER="/sbin/apparmor_parser"
> -SECURITYFS="/sys/kernel/security"
> -export AA_SFS="$SECURITYFS/apparmor"
> -
> -# Suppress warnings when booting in quiet mode
> -quiet_arg=""
> -[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
> -[ "${quiet:-n}" = y ] && quiet_arg="-q"
> -
> -foreach_configured_profile() {
> - rc_all="0"
> - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
> - if [ ! -d "$pdir" ]; then
> - continue
> - fi
> - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
> - if [ "$num" = "0" ]; then
> - continue
> - fi
> -
> - cache_dir="$PROFILES_CACHE"
> - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
> - cache_dir="$PROFILES_CACHE_VAR"
> - fi
> - cache_args="--cache-loc=$cache_dir"
> - if [ ! -d "$cache_dir" ]; then
> - cache_args=
> - fi
> -
> - # LP: #1383858 - expr tree simplification is too slow for
> - # Touch policy on ARM, so disable it for now
> - cache_extra_args=
> - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
> - cache_extra_args="-O no-expr-simplify"
> - fi
> -
> - # If need to compile everything, then use -n1 with xargs to
> - # take advantage of -P. When cache files are in use, omit -n1
> - # since it is considerably faster on moderately sized profile
> - # sets to give the parser all the profiles to load at once
> - n1_args=
> - num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
> - if [ "$num" = "0" ]; then
> - n1_args="-n1"
> - fi
> -
> - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
> - while read profile; do
> - if [ -f "$pdir"/"$profile" ]; then
> - echo "$pdir"/"$profile"
> - fi
> - done) | \
> - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
> - rc_all="$?"
> - # FIXME: when the parser properly handles broken
> - # profiles (LP: #1377338), remove this if statement.
> - # For now, if the xargs returns with error, just run
> - # through everything with -n1. (This could be broken
> - # out and refactored, but this is temporary so make it
> - # easy to understand and revert)
> - if [ "$rc_all" != "0" ]; then
> - (ls -1 "$pdir" | \
> - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
> - while read profile; do
> - if [ -f "$pdir"/"$profile" ]; then
> - echo "$pdir"/"$profile"
> - fi
> - done) | \
> - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
> - rc_all="$?"
> - }
> - fi
> - }
> - done
> - return $rc_all
> -}
> -
> -load_configured_profiles() {
> - clear_cache_if_outdated
> - foreach_configured_profile $quiet_arg --write-cache --replace
> -}
> -
> -load_configured_profiles_without_caching() {
> - foreach_configured_profile $quiet_arg --replace
> -}
> -
> -recache_profiles() {
> - clear_cache
> - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
> -}
> -
> -configured_profile_names() {
> - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
> -}
> -
> -running_profile_names() {
> - # Output a sorted list of loaded profiles, skipping libvirt's
> - # dynamically generated files
> - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
> -}
> -
> -unload_profile() {
> - echo -n "$1" > "$AA_SFS"/.remove
> -}
> -
> -clear_cache() {
> - clear_cache_system
> - clear_cache_var
> -}
> -
> -clear_cache_system() {
> - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
> -}
> -
> -clear_cache_var() {
> - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
> -}
> -
> -read_features_dir()
> -{
> - for f in `ls -A "$1"` ; do
> - if [ -f "$1/$f" ] ; then
> - read -r KF < "$1/$f" || true
> - echo -n "$f {$KF } "
> - elif [ -d "$1/$f" ] ; then
> - echo -n "$f {"
> - KF=`read_features_dir "$1/$f"` || true
> - echo -n "$KF} "
> - fi
> - done
> -}
> -
> -clear_cache_if_outdated() {
> - if [ -r "$PROFILES_CACHE"/.features ]; then
> - if [ -d "$AA_SFS"/features ]; then
> - KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
> - else
> - read -r KERN_FEATURES < "$AA_SFS"/features
> - fi
> - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
> - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
> - clear_cache
> - fi
> - fi
> -}
> -
> -unload_obsolete_profiles() {
> - # Currently we must re-parse all the profiles to get policy names. :(
> - aa_configured=$(mktemp -t aa-XXXXXX)
> - configured_profile_names > "$aa_configured" || true
> - aa_loaded=$(mktemp -t aa-XXXXXX)
> - running_profile_names > "$aa_loaded" || true
> - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
> - unload_profile "$profile"
> - done
> - rm -f "$aa_configured" "$aa_loaded"
> -}
> -
> -# If the system debsum differs from the saved debsum, the new system debsum is
> -# saved and non-zero is returned. Returns 0 if the two debsums matched or if
> -# the system debsum file does not exist. This can be removed when system image
> -# flavors all move to snappy.
> -compare_and_save_debsums() {
> - pkg="$1"
> -
> - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
> - sums="/var/lib/dpkg/info/${pkg}.md5sums"
> - # store saved md5sums in /var/lib/apparmor/profiles since
> - # /var/cache/apparmor might be cleared by apparmor
> - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
> -
> - if [ -f "$sums" ] && \
> - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
> - cp -f "$sums" "$saved_sums"
> - return 1
> - fi
> - fi
> -
> - return 0
> -}
> -
> -compare_previous_version() {
> - installed="/usr/share/snappy/security-policy-version"
> - previous="/var/lib/snappy/security-policy-version"
> -
> - # When just $previous doesn't exist, assume this is a new system with
> - # no cache and don't do anything special.
> - if [ -f "$installed" ] && [ -f "$previous" ]; then
> - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
> - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
> - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
> - # snappy updates $previous elsewhere, so just return
> - return 1
> - fi
> - fi
> -
> - return 0
> -}
> -
> -# Checks to see if the current container is capable of having internal AppArmor
> -# profiles that should be loaded. Callers of this function should have already
> -# verified that they're running inside of a container environment with
> -# something like `systemd-detect-virt --container`.
> -#
> -# The only known container environments capable of supporting internal policy
> -# are LXD and LXC environment.
> -#
> -# Returns 0 if the container environment is capable of having its own internal
> -# policy and non-zero otherwise.
> -#
> -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
> -# system container technology being nested inside of a LXD/LXC container that
> -# utilized an AppArmor namespace and profile stacking. The reason 0 will be
> -# returned is because .ns_stacked will be "yes" and .ns_name will still match
> -# "lx[dc]-*" since the nested system container technology will not have set up
> -# a new AppArmor profile namespace. This will result in the nested system
> -# container's boot process to experience failed policy loads but the boot
> -# process should continue without any loss of functionality. This is an
> -# unsupported configuration that cannot be properly handled by this function.
> -is_container_with_internal_policy() {
> - local ns_stacked_path="${AA_SFS}/.ns_stacked"
> - local ns_name_path="${AA_SFS}/.ns_name"
> - local ns_stacked
> - local ns_name
> -
> - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
> - return 1
> - fi
> -
> - read -r ns_stacked < "$ns_stacked_path"
> - if [ "$ns_stacked" != "yes" ]; then
> - return 1
> - fi
> -
> - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
> - # "lxc-", respectively. Return non-zero for all other namespace
> - # identifiers.
> - read -r ns_name < "$ns_name_path"
> - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
> - [ "${ns_name#lxc-*}" = "$ns_name" ]; then
> - return 1
> - fi
> -
> - return 0
> -}
>
>
>
[-- Attachment #2: Type: text/html, Size: 34542 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [yocto] [meta-security][PATCH 2/2] apparmor: use its own initscript and service files
2021-07-06 9:03 ` [yocto] " Yi Zhao
@ 2021-07-10 18:15 ` Armin Kuster
0 siblings, 0 replies; 4+ messages in thread
From: Armin Kuster @ 2021-07-10 18:15 UTC (permalink / raw)
To: Yi Zhao, yocto
merged.
thanks for the reminder.
-armin
On 7/6/21 2:03 AM, Yi Zhao wrote:
>
> Ping ...
>
>
> On 6/23/21 5:15 PM, Yi Zhao wrote:
>> Use initscript and service files provided by apparmor.
>>
>> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> ---
>> recipes-mac/AppArmor/apparmor_3.0.1.bb | 33 +--
>> ...x-hardcoded-installation-directories.patch | 51 ++++
>> ...pparmor.debian-add-missing-functions.patch | 57 ++++
>> recipes-mac/AppArmor/files/apparmor | 226 ---------------
>> recipes-mac/AppArmor/files/apparmor.rc | 98 -------
>> recipes-mac/AppArmor/files/apparmor.service | 22 --
>> recipes-mac/AppArmor/files/functions | 271 ------------------
>> 7 files changed, 118 insertions(+), 640 deletions(-)
>> create mode 100644 recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>> create mode 100644 recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
>> delete mode 100644 recipes-mac/AppArmor/files/apparmor
>> delete mode 100644 recipes-mac/AppArmor/files/apparmor.rc
>> delete mode 100644 recipes-mac/AppArmor/files/apparmor.service
>> delete mode 100644 recipes-mac/AppArmor/files/functions
>>
>> diff --git a/recipes-mac/AppArmor/apparmor_3.0.1.bb b/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> index 6377683..ff5b39b 100644
>> --- a/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> +++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> @@ -15,15 +15,13 @@ DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
>>
>> SRC_URI = " \
>> git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
>> + file://run-ptest \
>> file://disable_perl_h_check.patch \
>> file://crosscompile_perl_bindings.patch \
>> - file://apparmor.rc \
>> - file://functions \
>> - file://apparmor \
>> - file://apparmor.service \
>> file://0001-Makefile.am-suppress-perllocal.pod.patch \
>> - file://run-ptest \
>> file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
>> + file://0001-Makefile-fix-hardcoded-installation-directories.patch \
>> + file://0001-rc.apparmor.debian-add-missing-functions.patch \
>> "
>>
>> SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
>> @@ -79,8 +77,6 @@ do_compile () {
>> }
>>
>> do_install () {
>> - install -d ${D}/${INIT_D_DIR}
>> - install -d ${D}/lib/apparmor
>> oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
>> oe_runmake -C ${B}/binutils DESTDIR="${D}" install
>> oe_runmake -C ${B}/utils DESTDIR="${D}" install
>> @@ -96,16 +92,16 @@ do_install () {
>> fi
>>
>> if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
>> - install -d ${D}/lib/security
>> oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
>> fi
>>
>> - install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
>> - install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
>> + if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
>> + install -d ${D}${sysconfdir}/init.d
>> + install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
>> + fi
>>
>> if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
>> - install -d ${D}${systemd_system_unitdir}
>> - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
>> + oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
>> fi
>> }
>>
>> @@ -152,15 +148,6 @@ do_install_ptest_arm() {
>> :
>> }
>>
>> -pkg_postinst_ontarget_${PN} () {
>> -if [ ! -d /etc/apparmor.d/cache ] ; then
>> - mkdir /etc/apparmor.d/cache
>> -fi
>> -}
>> -
>> -# We need the init script so don't rm it
>> -RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
>> -
>> INITSCRIPT_PACKAGES = "${PN}"
>> INITSCRIPT_NAME = "apparmor"
>> INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
>> @@ -171,9 +158,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
>>
>> PACKAGES += "mod-${PN}"
>>
>> -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
>> +FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
>> FILES_mod-${PN} = "${libdir}/apache2/modules/*"
>> -FILES_${PN}-dbg += "/lib/security/"
>> +FILES_${PN}-dbg += "${base_libdir}/security/.debug"
>>
>> DEPENDS_append_libc-musl = " fts "
>> RDEPENDS_${PN}_libc-musl += "musl-utils"
>> diff --git a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>> new file mode 100644
>> index 0000000..f10acb1
>> --- /dev/null
>> +++ b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>> @@ -0,0 +1,51 @@
>> +From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
>> +From: Yi Zhao <yi.zhao@windriver.com>
>> +Date: Mon, 21 Jun 2021 14:18:30 +0800
>> +Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
>> +
>> +Update the installation directories to fix the do_install error for
>> +multilib and usrmerge.
>> +
>> +Upstream-Status: Inappropriate [configuration]
>> +
>> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> +---
>> + changehat/pam_apparmor/Makefile | 2 +-
>> + parser/Makefile | 8 ++++----
>> + 2 files changed, 5 insertions(+), 5 deletions(-)
>> +
>> +diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
>> +index f6ece2d1..0143ae9f 100644
>> +--- a/changehat/pam_apparmor/Makefile
>> ++++ b/changehat/pam_apparmor/Makefile
>> +@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
>> +
>> + # need some better way of determining this
>> + DESTDIR=/
>> +-SECDIR ?= ${DESTDIR}/lib/security
>> ++SECDIR ?= ${DESTDIR}/${base_libdir}/security
>> +
>> + .PHONY: install
>> + install: $(NAME).so
>> +diff --git a/parser/Makefile b/parser/Makefile
>> +index 8250ac45..cf18bc11 100644
>> +--- a/parser/Makefile
>> ++++ b/parser/Makefile
>> +@@ -23,10 +23,10 @@ COMMONDIR=../common/
>> + include $(COMMONDIR)/Make.rules
>> +
>> + DESTDIR=/
>> +-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
>> +-SBINDIR=${DESTDIR}/sbin
>> +-USR_SBINDIR=${DESTDIR}/usr/sbin
>> +-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
>> ++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
>> ++SBINDIR=${DESTDIR}/${base_sbindir}
>> ++USR_SBINDIR=${DESTDIR}/${sbindir}
>> ++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
>> + CONFDIR=/etc/apparmor
>> + INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
>> + LOCALEDIR=/usr/share/locale
>> +--
>> +2.17.1
>> +
>> diff --git a/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
>> new file mode 100644
>> index 0000000..53bdde8
>> --- /dev/null
>> +++ b/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
>> @@ -0,0 +1,57 @@
>> +From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
>> +From: Yi Zhao <yi.zhao@windriver.com>
>> +Date: Mon, 21 Jun 2021 16:53:39 +0800
>> +Subject: [PATCH] rc.apparmor.debian: add missing functions
>> +
>> +Add missing functions:
>> + aa_log_action_start
>> + aa_log_action_end
>> + aa_log_daemon_msg
>> + aa_log_end_msg
>> +
>> +Fixes:
>> +$ /etc/init.d/apparmor start
>> +/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
>> +/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
>> +
>> +Upstream-Status: Pending
>> +
>> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>> +---
>> + parser/rc.apparmor.debian | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
>> +index 8efd4400..f35124e8 100644
>> +--- a/parser/rc.apparmor.debian
>> ++++ b/parser/rc.apparmor.debian
>> +@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
>> + echo ": Skipped."
>> + }
>> +
>> ++aa_log_action_start()
>> ++{
>> ++ echo "$@"
>> ++}
>> ++
>> ++aa_log_action_end()
>> ++{
>> ++ printf ""
>> ++}
>> ++
>> ++aa_log_daemon_msg()
>> ++{
>> ++ echo "$@"
>> ++}
>> ++
>> ++aa_log_end_msg()
>> ++{
>> ++ printf ""
>> ++}
>> ++
>> + usage() {
>> + echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
>> + }
>> +--
>> +2.17.1
>> +
>> diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor
>> deleted file mode 100644
>> index 604e48d..0000000
>> --- a/recipes-mac/AppArmor/files/apparmor
>> +++ /dev/null
>> @@ -1,226 +0,0 @@
>> -#!/bin/sh
>> -# ----------------------------------------------------------------------
>> -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
>> -# NOVELL (All rights reserved)
>> -# Copyright (c) 2008, 2009 Canonical, Ltd.
>> -#
>> -# This program is free software; you can redistribute it and/or
>> -# modify it under the terms of version 2 of the GNU General Public
>> -# License published by the Free Software Foundation.
>> -#
>> -# This program is distributed in the hope that it will be useful,
>> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> -# GNU General Public License for more details.
>> -#
>> -# You should have received a copy of the GNU General Public License
>> -# along with this program; if not, contact Novell, Inc.
>> -# ----------------------------------------------------------------------
>> -# Authors:
>> -# Steve Beattie <steve.beattie@canonical.com>
>> -# Kees Cook <kees@ubuntu.com>
>> -#
>> -# /etc/init.d/apparmor
>> -#
>> -### BEGIN INIT INFO
>> -# Provides: apparmor
>> -# Required-Start: $local_fs
>> -# Required-Stop: umountfs
>> -# Default-Start: S
>> -# Default-Stop:
>> -# Short-Description: AppArmor initialization
>> -# Description: AppArmor init script. This script loads all AppArmor profiles.
>> -### END INIT INFO
>> -
>> -log_daemon_msg() {
>> - echo $*
>> -}
>> -
>> -log_end_msg () {
>> - retval=$1
>> - if [ $retval -eq 0 ]; then
>> - echo "."
>> - else
>> - echo " failed!"
>> - fi
>> - return $retval
>> -}
>> -
>> -. /lib/apparmor/functions
>> -
>> -usage() {
>> - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
>> -}
>> -
>> -test -x ${PARSER} || exit 0 # by debian policy
>> -# LSM is built-in, so it is either there or not enabled for this boot
>> -test -d /sys/module/apparmor || exit 0
>> -
>> -securityfs() {
>> - # Need securityfs for any mode
>> - if [ ! -d "${AA_SFS}" ]; then
>> - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
>> - log_daemon_msg "AppArmor not available as kernel LSM."
>> - log_end_msg 1
>> - exit 1
>> - else
>> - log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
>> - if ! mount -t securityfs none "${SECURITYFS}"; then
>> - log_end_msg 1
>> - exit 1
>> - fi
>> - fi
>> - fi
>> - if [ ! -w "$AA_SFS"/.load ]; then
>> - log_daemon_msg "Insufficient privileges to change profiles."
>> - log_end_msg 1
>> - exit 1
>> - fi
>> -}
>> -
>> -handle_system_policy_package_updates() {
>> - apparmor_was_updated=0
>> -
>> - if ! compare_previous_version ; then
>> - # On snappy flavors, if the current and previous versions are
>> - # different then clear the system cache. snappy will handle
>> - # "$PROFILES_CACHE_VAR" itself (on Touch flavors
>> - # compare_previous_version always returns '0' since snappy
>> - # isn't available).
>> - clear_cache_system
>> - apparmor_was_updated=1
>> - elif ! compare_and_save_debsums apparmor ; then
>> - # If the system policy has been updated since the last time we
>> - # ran, clear the cache to prevent potentially stale binary
>> - # cache files after an Ubuntu image based upgrade (LP:
>> - # #1350673). This can be removed once all system image flavors
>> - # move to snappy (on snappy systems compare_and_save_debsums
>> - # always returns '0' since /var/lib/dpkg doesn't exist).
>> - clear_cache
>> - apparmor_was_updated=1
>> - fi
>> -
>> - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
>> - # If packages for system policy that affect click packages have
>> - # been updated since the last time we ran, run aa-clickhook -f
>> - force_clickhook=0
>> - force_profile_hook=0
>> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
>> - force_clickhook=1
>> - fi
>> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
>> - force_clickhook=1
>> - fi
>> - if ! compare_and_save_debsums click-apparmor ; then
>> - force_clickhook=1
>> - force_profile_hook=1
>> - fi
>> - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
>> - aa-clickhook -f
>> - fi
>> - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
>> - aa-profile-hook -f
>> - fi
>> - fi
>> -}
>> -
>> -# Allow "recache" even when running on the liveCD
>> -if [ "$1" = "recache" ]; then
>> - log_daemon_msg "Recaching AppArmor profiles"
>> - recache_profiles
>> - rc=$?
>> - log_end_msg "$rc"
>> - exit $rc
>> -fi
>> -
>> -# do not perform start/stop/reload actions when running from liveCD
>> -test -d /rofs/etc/apparmor.d && exit 0
>> -
>> -rc=255
>> -case "$1" in
>> - start)
>> - if test -x /sbin/systemd-detect-virt && \
>> - systemd-detect-virt --quiet --container && \
>> - ! is_container_with_internal_policy; then
>> - log_daemon_msg "Not starting AppArmor in container"
>> - log_end_msg 0
>> - exit 0
>> - fi
>> - log_daemon_msg "Starting AppArmor profiles"
>> - securityfs
>> - # That is only useful for click, snappy and system images,
>> - # i.e. not in Debian. And it reads and writes to /var, that
>> - # can be remote-mounted, so it would prevent us from using
>> - # Before=sysinit.target without possibly introducing dependency
>> - # loops.
>> - handle_system_policy_package_updates
>> - load_configured_profiles
>> - rc=$?
>> - log_end_msg "$rc"
>> - ;;
>> - stop)
>> - log_daemon_msg "Clearing AppArmor profiles cache"
>> - clear_cache
>> - rc=$?
>> - log_end_msg "$rc"
>> - cat >&2 <<EOM
>> -All profile caches have been cleared, but no profiles have been unloaded.
>> -Unloading profiles will leave already running processes permanently
>> -unconfined, which can lead to unexpected situations.
>> -
>> -To set a process to complain mode, use the command line tool
>> -'aa-complain'. To really tear down all profiles, run the init script
>> -with the 'teardown' option."
>> -EOM
>> - ;;
>> - teardown)
>> - if test -x /sbin/systemd-detect-virt && \
>> - systemd-detect-virt --quiet --container && \
>> - ! is_container_with_internal_policy; then
>> - log_daemon_msg "Not tearing down AppArmor in container"
>> - log_end_msg 0
>> - exit 0
>> - fi
>> - log_daemon_msg "Unloading AppArmor profiles"
>> - securityfs
>> - running_profile_names | while read profile; do
>> - if ! unload_profile "$profile" ; then
>> - log_end_msg 1
>> - exit 1
>> - fi
>> - done
>> - rc=0
>> - log_end_msg $rc
>> - ;;
>> - restart|reload|force-reload)
>> - if test -x /sbin/systemd-detect-virt && \
>> - systemd-detect-virt --quiet --container && \
>> - ! is_container_with_internal_policy; then
>> - log_daemon_msg "Not reloading AppArmor in container"
>> - log_end_msg 0
>> - exit 0
>> - fi
>> - log_daemon_msg "Reloading AppArmor profiles"
>> - securityfs
>> - clear_cache
>> - load_configured_profiles
>> - rc=$?
>> - unload_obsolete_profiles
>> -
>> - log_end_msg "$rc"
>> - ;;
>> - status)
>> - securityfs
>> - if [ -x /usr/sbin/aa-status ]; then
>> - aa-status --verbose
>> - else
>> - cat "$AA_SFS"/profiles
>> - fi
>> - rc=$?
>> - ;;
>> - *)
>> - usage
>> - rc=1
>> - ;;
>> - esac
>> -exit $rc
>> diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc
>> deleted file mode 100644
>> index 1507d7b..0000000
>> --- a/recipes-mac/AppArmor/files/apparmor.rc
>> +++ /dev/null
>> @@ -1,98 +0,0 @@
>> -description "Pre-cache and pre-load apparmor profiles"
>> -author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
>> -
>> -task
>> -
>> -start on starting rc-sysinit
>> -
>> -script
>> - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
>> - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
>> - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
>> -
>> - . /lib/apparmor/functions
>> -
>> - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
>> -
>> - # Need securityfs for any mode
>> - if [ ! -d /sys/kernel/security/apparmor ]; then
>> - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
>> - exit 0
>> - else
>> - mount -t securityfs none /sys/kernel/security || exit 0
>> - fi
>> - fi
>> -
>> - [ -w /sys/kernel/security/apparmor/.load ] || exit 0
>> -
>> - apparmor_was_updated=0
>> - if ! compare_previous_version ; then
>> - # On snappy flavors, if the current and previous versions are
>> - # different then clear the system cache. snappy will handle
>> - # "$PROFILES_CACHE_VAR" itself (on Touch flavors
>> - # compare_previous_version always returns '0' since snappy
>> - # isn't available).
>> - clear_cache_system
>> - apparmor_was_updated=1
>> - elif ! compare_and_save_debsums apparmor ; then
>> - # If the system policy has been updated since the last time we
>> - # ran, clear the cache to prevent potentially stale binary
>> - # cache files after an Ubuntu image based upgrade (LP:
>> - # #1350673). This can be removed once all system image flavors
>> - # move to snappy (on snappy systems compare_and_save_debsums
>> - # always returns '0' since /var/lib/dpkg doesn't exist).
>> - clear_cache
>> - apparmor_was_updated=1
>> - fi
>> -
>> - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
>> - # If packages for system policy that affect click packages have
>> - # been updated since the last time we ran, run aa-clickhook -f
>> - force_clickhook=0
>> - force_profile_hook=0
>> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
>> - force_clickhook=1
>> - fi
>> - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
>> - force_clickhook=1
>> - fi
>> - if ! compare_and_save_debsums click-apparmor ; then
>> - force_clickhook=1
>> - force_profile_hook=1
>> - fi
>> - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
>> - aa-clickhook -f
>> - fi
>> - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
>> - aa-profile-hook -f
>> - fi
>> - fi
>> -
>> - if [ "$ACTION" = "teardown" ]; then
>> - running_profile_names | while read profile; do
>> - unload_profile "$profile"
>> - done
>> - exit 0
>> - fi
>> -
>> - if [ "$ACTION" = "clear" ]; then
>> - clear_cache
>> - exit 0
>> - fi
>> -
>> - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
>> - clear_cache
>> - load_configured_profiles
>> - unload_obsolete_profiles
>> - exit 0
>> - fi
>> -
>> - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
>> - # aa-clickhook will have already compiled the policy, generated the cache
>> - # files and loaded them into the kernel by this point, so reloading click
>> - # policy from cache, while fairly fast (<2 seconds for 250 profiles on
>> - # armhf), is redundant. Fixing this would complicate the logic quite a bit
>> - # and it wouldn't improve the (by far) common case (ie, when
>> - # 'aa-clickhook -f' is not run).
>> - load_configured_profiles
>> -end script
>> diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service
>> deleted file mode 100644
>> index e66afe4..0000000
>> --- a/recipes-mac/AppArmor/files/apparmor.service
>> +++ /dev/null
>> @@ -1,22 +0,0 @@
>> -[Unit]
>> -Description=AppArmor initialization
>> -After=local-fs.target
>> -Before=sysinit.target
>> -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
>> -ConditionSecurity=apparmor
>> -DefaultDependencies=no
>> -Documentation=man:apparmor(7)
>> -Documentation=http://wiki.apparmor.net/
>> -
>> -# Don't start this unit on the Ubuntu Live CD
>> -ConditionPathExists=!/rofs/etc/apparmor.d
>> -
>> -[Service]
>> -Type=oneshot
>> -RemainAfterExit=yes
>> -ExecStart=/etc/init.d/apparmor start
>> -ExecStop=/etc/init.d/apparmor stop
>> -ExecReload=/etc/init.d/apparmor reload
>> -
>> -[Install]
>> -WantedBy=sysinit.target
>> diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions
>> deleted file mode 100644
>> index e9e2bbf..0000000
>> --- a/recipes-mac/AppArmor/files/functions
>> +++ /dev/null
>> @@ -1,271 +0,0 @@
>> -# /lib/apparmor/functions for Debian -*- shell-script -*-
>> -# ----------------------------------------------------------------------
>> -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
>> -# NOVELL (All rights reserved)
>> -# Copyright (c) 2008-2010 Canonical, Ltd.
>> -#
>> -# This program is free software; you can redistribute it and/or
>> -# modify it under the terms of version 2 of the GNU General Public
>> -# License published by the Free Software Foundation.
>> -#
>> -# This program is distributed in the hope that it will be useful,
>> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> -# GNU General Public License for more details.
>> -#
>> -# You should have received a copy of the GNU General Public License
>> -# along with this program; if not, contact Novell, Inc.
>> -# ----------------------------------------------------------------------
>> -# Authors:
>> -# Kees Cook <kees@ubuntu.com>
>> -
>> -PROFILES="/etc/apparmor.d"
>> -PROFILES_CACHE="$PROFILES/cache"
>> -PROFILES_VAR="/var/lib/apparmor/profiles"
>> -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
>> -PROFILES_CACHE_VAR="/var/cache/apparmor"
>> -PARSER="/sbin/apparmor_parser"
>> -SECURITYFS="/sys/kernel/security"
>> -export AA_SFS="$SECURITYFS/apparmor"
>> -
>> -# Suppress warnings when booting in quiet mode
>> -quiet_arg=""
>> -[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
>> -[ "${quiet:-n}" = y ] && quiet_arg="-q"
>> -
>> -foreach_configured_profile() {
>> - rc_all="0"
>> - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
>> - if [ ! -d "$pdir" ]; then
>> - continue
>> - fi
>> - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
>> - if [ "$num" = "0" ]; then
>> - continue
>> - fi
>> -
>> - cache_dir="$PROFILES_CACHE"
>> - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
>> - cache_dir="$PROFILES_CACHE_VAR"
>> - fi
>> - cache_args="--cache-loc=$cache_dir"
>> - if [ ! -d "$cache_dir" ]; then
>> - cache_args=
>> - fi
>> -
>> - # LP: #1383858 - expr tree simplification is too slow for
>> - # Touch policy on ARM, so disable it for now
>> - cache_extra_args=
>> - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
>> - cache_extra_args="-O no-expr-simplify"
>> - fi
>> -
>> - # If need to compile everything, then use -n1 with xargs to
>> - # take advantage of -P. When cache files are in use, omit -n1
>> - # since it is considerably faster on moderately sized profile
>> - # sets to give the parser all the profiles to load at once
>> - n1_args=
>> - num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
>> - if [ "$num" = "0" ]; then
>> - n1_args="-n1"
>> - fi
>> -
>> - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
>> - while read profile; do
>> - if [ -f "$pdir"/"$profile" ]; then
>> - echo "$pdir"/"$profile"
>> - fi
>> - done) | \
>> - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
>> - rc_all="$?"
>> - # FIXME: when the parser properly handles broken
>> - # profiles (LP: #1377338), remove this if statement.
>> - # For now, if the xargs returns with error, just run
>> - # through everything with -n1. (This could be broken
>> - # out and refactored, but this is temporary so make it
>> - # easy to understand and revert)
>> - if [ "$rc_all" != "0" ]; then
>> - (ls -1 "$pdir" | \
>> - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
>> - while read profile; do
>> - if [ -f "$pdir"/"$profile" ]; then
>> - echo "$pdir"/"$profile"
>> - fi
>> - done) | \
>> - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
>> - rc_all="$?"
>> - }
>> - fi
>> - }
>> - done
>> - return $rc_all
>> -}
>> -
>> -load_configured_profiles() {
>> - clear_cache_if_outdated
>> - foreach_configured_profile $quiet_arg --write-cache --replace
>> -}
>> -
>> -load_configured_profiles_without_caching() {
>> - foreach_configured_profile $quiet_arg --replace
>> -}
>> -
>> -recache_profiles() {
>> - clear_cache
>> - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
>> -}
>> -
>> -configured_profile_names() {
>> - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
>> -}
>> -
>> -running_profile_names() {
>> - # Output a sorted list of loaded profiles, skipping libvirt's
>> - # dynamically generated files
>> - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
>> -}
>> -
>> -unload_profile() {
>> - echo -n "$1" > "$AA_SFS"/.remove
>> -}
>> -
>> -clear_cache() {
>> - clear_cache_system
>> - clear_cache_var
>> -}
>> -
>> -clear_cache_system() {
>> - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
>> -}
>> -
>> -clear_cache_var() {
>> - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
>> -}
>> -
>> -read_features_dir()
>> -{
>> - for f in `ls -A "$1"` ; do
>> - if [ -f "$1/$f" ] ; then
>> - read -r KF < "$1/$f" || true
>> - echo -n "$f {$KF } "
>> - elif [ -d "$1/$f" ] ; then
>> - echo -n "$f {"
>> - KF=`read_features_dir "$1/$f"` || true
>> - echo -n "$KF} "
>> - fi
>> - done
>> -}
>> -
>> -clear_cache_if_outdated() {
>> - if [ -r "$PROFILES_CACHE"/.features ]; then
>> - if [ -d "$AA_SFS"/features ]; then
>> - KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
>> - else
>> - read -r KERN_FEATURES < "$AA_SFS"/features
>> - fi
>> - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
>> - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
>> - clear_cache
>> - fi
>> - fi
>> -}
>> -
>> -unload_obsolete_profiles() {
>> - # Currently we must re-parse all the profiles to get policy names. :(
>> - aa_configured=$(mktemp -t aa-XXXXXX)
>> - configured_profile_names > "$aa_configured" || true
>> - aa_loaded=$(mktemp -t aa-XXXXXX)
>> - running_profile_names > "$aa_loaded" || true
>> - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
>> - unload_profile "$profile"
>> - done
>> - rm -f "$aa_configured" "$aa_loaded"
>> -}
>> -
>> -# If the system debsum differs from the saved debsum, the new system debsum is
>> -# saved and non-zero is returned. Returns 0 if the two debsums matched or if
>> -# the system debsum file does not exist. This can be removed when system image
>> -# flavors all move to snappy.
>> -compare_and_save_debsums() {
>> - pkg="$1"
>> -
>> - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
>> - sums="/var/lib/dpkg/info/${pkg}.md5sums"
>> - # store saved md5sums in /var/lib/apparmor/profiles since
>> - # /var/cache/apparmor might be cleared by apparmor
>> - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
>> -
>> - if [ -f "$sums" ] && \
>> - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
>> - cp -f "$sums" "$saved_sums"
>> - return 1
>> - fi
>> - fi
>> -
>> - return 0
>> -}
>> -
>> -compare_previous_version() {
>> - installed="/usr/share/snappy/security-policy-version"
>> - previous="/var/lib/snappy/security-policy-version"
>> -
>> - # When just $previous doesn't exist, assume this is a new system with
>> - # no cache and don't do anything special.
>> - if [ -f "$installed" ] && [ -f "$previous" ]; then
>> - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
>> - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
>> - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
>> - # snappy updates $previous elsewhere, so just return
>> - return 1
>> - fi
>> - fi
>> -
>> - return 0
>> -}
>> -
>> -# Checks to see if the current container is capable of having internal AppArmor
>> -# profiles that should be loaded. Callers of this function should have already
>> -# verified that they're running inside of a container environment with
>> -# something like `systemd-detect-virt --container`.
>> -#
>> -# The only known container environments capable of supporting internal policy
>> -# are LXD and LXC environment.
>> -#
>> -# Returns 0 if the container environment is capable of having its own internal
>> -# policy and non-zero otherwise.
>> -#
>> -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
>> -# system container technology being nested inside of a LXD/LXC container that
>> -# utilized an AppArmor namespace and profile stacking. The reason 0 will be
>> -# returned is because .ns_stacked will be "yes" and .ns_name will still match
>> -# "lx[dc]-*" since the nested system container technology will not have set up
>> -# a new AppArmor profile namespace. This will result in the nested system
>> -# container's boot process to experience failed policy loads but the boot
>> -# process should continue without any loss of functionality. This is an
>> -# unsupported configuration that cannot be properly handled by this function.
>> -is_container_with_internal_policy() {
>> - local ns_stacked_path="${AA_SFS}/.ns_stacked"
>> - local ns_name_path="${AA_SFS}/.ns_name"
>> - local ns_stacked
>> - local ns_name
>> -
>> - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
>> - return 1
>> - fi
>> -
>> - read -r ns_stacked < "$ns_stacked_path"
>> - if [ "$ns_stacked" != "yes" ]; then
>> - return 1
>> - fi
>> -
>> - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
>> - # "lxc-", respectively. Return non-zero for all other namespace
>> - # identifiers.
>> - read -r ns_name < "$ns_name_path"
>> - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
>> - [ "${ns_name#lxc-*}" = "$ns_name" ]; then
>> - return 1
>> - fi
>> -
>> - return 0
>> -}
>>
>>
>>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-07-10 18:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-23 9:15 [meta-security][PATCH 1/2] apparmor: upgrade 3.0 -> 3.0.1 Yi Zhao
2021-06-23 9:15 ` [meta-security][PATCH 2/2] apparmor: use its own initscript and service files Yi Zhao
[not found] ` <168B2B5232A141EF.5306@lists.yoctoproject.org>
2021-07-06 9:03 ` [yocto] " Yi Zhao
2021-07-10 18:15 ` Armin Kuster
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.