authorMichael Palimaka (kensington) <kensington@astralcloak.net>2011-11-13 15:51:56 +0000
committerMichael Palimaka (kensington) <kensington@astralcloak.net>2011-11-13 15:51:56 +0000
commit083a3f874425ef3760b824835103addfea2dd4ec (patch)
treebcfc032e7d92eb6201fa61c3eb7ff9e2e3b38f7e /sys-apps/apparmor/files
parentmedia-tv/kmttg: Version bump for kmttg (diff)
sys-apps/apparmor: New Ebuild for bug #118779. Thanks to floppym & hwoarang for feedback.
svn path=/sunrise/; revision=12511
Diffstat (limited to 'sys-apps/apparmor/files')
-rw-r--r--sys-apps/apparmor/files/apparmor-2.6.1-makefile.patch84
-rw-r--r--sys-apps/apparmor/files/apparmor-confd14
-rwxr-xr-xsys-apps/apparmor/files/apparmor-init211
3 files changed, 309 insertions, 0 deletions
diff --git a/sys-apps/apparmor/files/apparmor-2.6.1-makefile.patch b/sys-apps/apparmor/files/apparmor-2.6.1-makefile.patch
new file mode 100644
index 000000000..c6bddc2c2
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-2.6.1-makefile.patch
@@ -0,0 +1,84 @@
+--- Makefile
++++ Makefile
+@@ -31,7 +31,7 @@
+ CONFDIR=/etc/apparmor
+ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+-MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 apparmor.vim.5
++MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8
+
+ YACC := /usr/bin/bison
+ YFLAGS := -d
+@@ -113,7 +113,7 @@
+ export Q VERBOSE BUILD_OUTPUT
+
+ po/${NAME}.pot: ${SRCS} ${HDRS}
+- make -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
++ $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+
+ techdoc.pdf: techdoc.tex
+ while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
+@@ -129,7 +129,7 @@
+ # targets arranged this way so that people who don't want full docs can
+ # pick specific targets they want.
+ main: $(TOOLS)
+- $(Q)make -C po all
++ $(MAKE) -C po all
+
+ manpages: $(MANPAGES)
+
+@@ -144,7 +144,7 @@
+ apparmor_parser: $(OBJECTS) $(AAREOBJECTS)
+ rm -f ./libstdc++.a
+ ln -s `g++ -print-file-name=libstdc++.a`
+- g++ $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
++ $(CXX) $(EXTRA_CFLAGS) $(LDFLAGS) -o $@ $(OBJECTS) $(LIBS) \
+ ${LEXLIB} $(AAREOBJECTS) -static-libgcc -L.
+
+ parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
+@@ -227,7 +227,7 @@
+ .SILENT: tests
+ tests: ${TESTS}
+ sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test} $(BUILD_OUTPUT) ; done'
+- $(Q)make -s -C tst tests
++ $(MAKE) -s -C tst tests
+
+ .SILENT: check
+ check: tests
+@@ -236,7 +236,7 @@
+ .SILENT: $(AAREOBJECTS)
+ .PHONY: $(AAREOBJECTS)
+ $(AAREOBJECTS):
+- make -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
++ $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+
+ .PHONY: install-rhel4
+ install-rhel4: install-redhat
+@@ -280,12 +280,8 @@
+ install -m 755 -d $(DESTDIR)/sbin
+ install -m 755 ${TOOLS} $(DESTDIR)/sbin
+ install -m 755 -d $(INSTALL_CONFDIR)
+- install -m 644 subdomain.conf $(INSTALL_CONFDIR)
+- install -m 755 -d ${DESTDIR}/var/lib/apparmor
+- install -m 755 -d $(APPARMOR_BIN_PREFIX)
+- install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
+- make -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+- make install_manpages DESTDIR=${DESTDIR}
++ $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
++ $(MAKE) install_manpages DESTDIR=${DESTDIR}
+
+ .SILENT: clean
+ .PHONY: clean
+@@ -300,9 +296,9 @@
+ rm -f af_names.h
+ rm -f cap_names.h
+ rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
+- make -s -C $(AAREDIR) clean
+- make -s -C po clean
+- make -s -C tst clean
++ $(MAKE) -s -C $(AAREDIR) clean
++ $(MAKE) -s -C po clean
++ $(MAKE) -s -C tst clean
+
+ .SILENT: dist_clean
+ dist_clean:
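Review bot: In the apparmor_parser rule (patch hunk at -144) the link line is switched to `$(CXX)` and `$(LDFLAGS)`, but the context line just above it, `` ln -s `g++ -print-file-name=libstdc++.a` ``, still hard-codes `g++`. With a non-default or cross toolchain, the libstdc++.a that gets symlinked and then linked via `-L.` can therefore come from a different compiler than the one doing the link. I would patch that line as well: `` ln -s `$(CXX) -print-file-name=libstdc++.a` ``. Separately, the `main` and `tests` hunks drop the `$(Q)` prefix together with the literal `make`; if upstream's quiet mode should be kept, write `$(Q)$(MAKE) -C po all` and `$(Q)$(MAKE) -s -C tst tests`.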
diff --git a/sys-apps/apparmor/files/apparmor-confd b/sys-apps/apparmor/files/apparmor-confd
new file mode 100644
index 000000000..11058073c
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-confd
@@ -0,0 +1,14 @@
+# config file for /etc/init.d/apparmor
+
+# Location of parser
+PARSER=/sbin/apparmor_parser
+
+# Directory in which profiles are stored
+PROFILE_DIR=/etc/apparmor.d/
+
+# Directories within PROFILE_DIR to be ignored
+IGNORE_PROFILES=( "abstractions" "tunables" )
+
+# Where securityfs is/will be mounted
+SECURITYFS=/sys/kernel/security/apparmor
+
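Review bot: `IGNORE_PROFILES=( "abstractions" "tunables" )` is bash array syntax in a file the service script sources, so it only parses when the init script's interpreter is bash; under a POSIX-only `/bin/sh` the whole conf.d file would fail to load and check_config would report missing variables. If that dependency is intended, state it next to the variable, e.g. `# bash array; the init script requires a bash-compatible /bin/sh`. Otherwise a plain word list such as `IGNORE_PROFILES="abstractions tunables"` is more portable, though the loop in get_profile_files would then need to iterate over words instead of array indices. The comment on `PROFILE_DIR` should also say that the value is currently only partly honoured, because get_profile_files in apparmor-init runs `find /etc/apparmor.d` with the path hard-coded.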
diff --git a/sys-apps/apparmor/files/apparmor-init b/sys-apps/apparmor/files/apparmor-init
new file mode 100755
index 000000000..6fac7b1ac
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-init
@@ -0,0 +1,211 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+extra_started_commands="reload"
+
+start() {
+ ebegin "Starting ${SVCNAME}"
+ eindent
+
+ if ! check_config || ! remove_profiles || ! load_profiles load ; then
+ eend 1
+ return 1
+ fi
+
+ eoutdent
+ eend 0
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+
+ if ! check_config ; then
+ eend 1
+ return 1
+ fi
+
+ eindent
+ ebegin "Removing profiles"
+ remove_profiles
+ eoutdent
+ rc=$?
+ eend $rc
+ return $rc
+}
+
+reload() {
+ ebegin "Reloading ${SVCNAME} profiles"
+
+ if ! ( check_config && load_profiles reload && unload_obsolete_profiles ); then
+ eend 1
+ return 1
+ fi
+
+ eend 0
+ return 0
+}
+
+check_config() {
+
+ if [ -z "$PARSER" -o -z "$PROFILE_DIR" -o -z "$SECURITYFS" ]; then
+ eerror "/etc/conf.d/${SVCNAME} has missing variables"
+ return 1
+ fi
+
+ if ! is_securityfs_mounted ; then
+ if ! mount_securityfs ; then
+ eerror "Failed to mount securityfs"
+ return 1
+ fi
+ fi
+
+ if ! is_apparmor_present ; then
+ modprobe -q apparmor
+ if ! is_apparmor_present ; then
+ eerror "${SVCNAME} kernel support is not present"
+ return 1
+ fi
+ fi
+
+ if ! check_apparmor_compat ; then
+ eerror "${SVCNAME} compatibility is not present in the kernel"
+ return 1
+ fi
+}
+
+get_profile_files() {
+ if [[ "$PROFILE_DIR" != */ ]]; then
+ PROFILE_DIR="${PROFILE_DIR}/"
+ fi
+
+ ARGS=""
+ LENGTH=${#IGNORE_PROFILES[@]}
+
+ for ((I=1; I <= $LENGTH; I++)); do
+ ARGS="${ARGS} -path ${PROFILE_DIR}${IGNORE_PROFILES[$(($I-1))]} -prune"
+ if [ $LENGTH -gt 1 -a $I -lt $LENGTH ]; then
+ ARGS="${ARGS} -o"
+ fi
+ done
+
+ if [ -z "$ARGS" ]; then
+ PROFILES="find /etc/apparmor.d"
+ else
+ PROFILES="find /etc/apparmor.d "$ARGS" -o -type f -print"
+ fi
+
+ echo $( $PROFILES )
+}
+
+get_active_profiles() {
+ PROFILES=`sed -e "s/ (\(enforce\|complain\))//" "${SECURITYFS}/profiles"`
+ echo $PROFILES
+}
+
+load_profiles() {
+
+ case "$1" in
+ load)
+ PARSER_ARGS="--add"
+ MESSAGE="Loading ${SVCNAME} profiles"
+ ;;
+ reload)
+ PARSER_ARGS="--replace"
+ MESSAGE="Reloading ${SVCNAME} profiles"
+ ;;
+ *)
+ eerror "Invalid load_profile argument"
+ exit 1
+ ;;
+ esac
+
+ if [ ! -x "${PARSER}" ]; then
+ eerror "Could not find apparmor_parser"
+ return 1
+ fi
+
+ if [ ! -d "${PROFILE_DIR}" -o -z "$(ls $PROFILE_DIR 2> /dev/null)" ]; then
+ ewarn "No profiles found"
+ return 0
+ fi
+
+ PROFILES="$(get_profile_files)"
+ for PROFILE in $PROFILES; do
+ $PARSER $PARSER_ARGS $PROFILE
+ if [ $? -ne 0 ]; then
+ if [ "${PARSER_ARGS}" == "replace" ]; then
+ ewarn "Error loading '${PROFILE}', continuing"
+ else
+ eerror "Error loading '${PROFILE}', aborting"
+ remove_profiles
+ return 1
+ fi
+ fi
+ done
+
+ return 0
+}
+
+remove_profiles() {
+ PROFILES=$(get_active_profiles)
+ for PROFILE in $PROFILES; do
+ echo -n "$PROFILE" > "${SECURITYFS}/.remove"
+ done
+ return 0
+}
+
+is_securityfs_mounted() {
+ grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts
+ return $?
+}
+
+mount_securityfs() {
+ if [ grep -q securityfs /proc/filesystems ]; then
+ mount -t securityfs securityfs "${SECURITYFS}"
+ return $?
+ else
+ return 1
+ fi
+}
+
+is_apparmor_present() {
+ grep -q "^apparmor" /proc/modules
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
+ return $?
+}
+
+check_apparmor_compat() {
+ if [ -f "${SECURITYFS}/profiles" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+unload_obsolete_profiles() {
+
+ TEMPDIR=$(umask 0077 && mktemp -d)
+
+ if [ ! -d "${TEMPDIR}" ]; then
+ eerror "Failed to create temporary directory"
+ return 1
+ fi
+
+ cd $TEMPDIR
+
+ echo $(get_active_profiles) | tr ' ' '\n' | sort > old
+
+ for PROFILE in $(get_profile_files); do
+ echo $(${PARSER} -N "$PROFILE") >> new
+ done
+
+ for PROFILE in $(comm -2 -3 old new); do
+ echo -n "$PROFILE" > "${SECURITYFS}/.remove"
+ done
+
+ rm -rf "${TEMPDIR}"
+
+ return 0
+}
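Review bot: In load_profiles the failure branch tests `[ "${PARSER_ARGS}" == "replace" ]`, but the reload case sets the variable to `--replace`, so the "continuing" path is never taken. As a result, one profile that fails to parse during a reload runs `remove_profiles`, which unloads every active profile and leaves previously confined services unconfined. Compare against the value that is actually set, `if [ "${PARSER_ARGS}" = "--replace" ]; then`. In mount_securityfs, `if [ grep -q securityfs /proc/filesystems ]; then` is a malformed test expression rather than a command invocation, so the function appears to always take the `return 1` branch; `if grep -q securityfs /proc/filesystems; then` is what the code seems to intend. In unload_obsolete_profiles the `new` file is passed to `comm -2 -3 old new` without being sorted, which can misreport still-wanted profiles as obsolete and remove them; sort it first, e.g. `sort -o new new` before the `comm` loop.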