apparmor: Add new package

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2016-10-30 09:13:59 -0700
committer: Armin Kuster <akuster808@gmail.com> 2017-02-18 11:43:20 -0800
commit: 7fd5f25475e02f39f2f81421dee9264ae56cbee8 (patch)
tree: cd667515204e8373642d97e1e2b63c01b5f03834 /recipes-security/AppArmor/files/functions
parent: 6edbdc7a3443dea309a357618f01c13203cced71 (diff)
download: meta-security-7fd5f25475e02f39f2f81421dee9264ae56cbee8.tar.gz
1 files changed, 271 insertions, 0 deletions
diff --git a/recipes-security/AppArmor/files/functions b/recipes-security/AppArmor/files/functions
new file mode 100644
index 0000000..cef8cfe
--- /dev/null
+++ b/recipes-security/AppArmor/files/functions
@@ -0,0 +1,271 @@
+# /lib/apparmor/functions for Debian -*- shell-script -*-
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008-2010 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Kees Cook <kees@ubuntu.com>
+PROFILES="/etc/apparmor.d"
+PROFILES_CACHE="$PROFILES/cache"
+PROFILES_VAR="/var/lib/apparmor/profiles"
+PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
+PROFILES_CACHE_VAR="/var/cache/apparmor"
+PARSER="/sbin/apparmor_parser"
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+# Suppress warnings when booting in quiet mode
+quiet_arg=""
+[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
+[ "${quiet:-n}" = y ] && quiet_arg="-q"
+foreach_configured_profile() {
+        rc_all="0"
+        for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
+                if [ ! -d "$pdir" ]; then
+                        continue
+                fi
+                num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
+                if [ "$num" = "0" ]; then
+                        continue
+                fi
+                cache_dir="$PROFILES_CACHE"
+                if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+                        cache_dir="$PROFILES_CACHE_VAR"
+                fi
+                cache_args="--cache-loc=$cache_dir"
+                if [ ! -d "$cache_dir" ]; then
+                        cache_args=
+                fi
+                # LP: #1383858 - expr tree simplification is too slow for
+                # Touch policy on ARM, so disable it for now
+                cache_extra_args=
+                if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+                        cache_extra_args="-O no-expr-simplify"
+                fi
+                # If need to compile everything, then use -n1 with xargs to
+                # take advantage of -P. When cache files are in use, omit -n1
+                # since it is considerably faster on moderately sized profile
+                # sets to give the parser all the profiles to load at once
+                n1_args=
+                num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+                if [ "$num" = "0" ]; then
+                        n1_args="-n1"
+                fi
+                (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+                while read profile; do
+                        if [ -f "$pdir"/"$profile" ]; then
+                                echo "$pdir"/"$profile"
+                        fi
+                done) | \
+                xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+                        rc_all="$?"
+                        # FIXME: when the parser properly handles broken
+                        # profiles (LP: #1377338), remove this if statement.
+                        # For now, if the xargs returns with error, just run
+                        # through everything with -n1. (This could be broken
+                        # out and refactored, but this is temporary so make it
+                        # easy to understand and revert)
+                        if [ "$rc_all" != "0" ]; then
+                                (ls -1 "$pdir" | \
+                                egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+                                while read profile; do
+                                        if [ -f "$pdir"/"$profile" ]; then
+                                                echo "$pdir"/"$profile"
+                                        fi
+                                done) | \
+                                xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+                                        rc_all="$?"
+                                }
+                        fi
+                }
+        done
+        return $rc_all
+}
+load_configured_profiles() {
+        clear_cache_if_outdated
+        foreach_configured_profile $quiet_arg --write-cache --replace
+}
+load_configured_profiles_without_caching() {
+        foreach_configured_profile $quiet_arg --replace
+}
+recache_profiles() {
+        clear_cache
+        foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
+}
+configured_profile_names() {
+        foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
+}
+running_profile_names() {
+        # Output a sorted list of loaded profiles, skipping libvirt's
+        # dynamically generated files
+        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
+}
+unload_profile() {
+        echo -n "$1" > "$AA_SFS"/.remove
+}
+clear_cache() {
+        clear_cache_system
+        clear_cache_var
+}
+clear_cache_system() {
+        find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+clear_cache_var() {
+        find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+read_features_dir()
+{
+        for f in `ls -AU "$1"` ; do
+                if [ -f "$1/$f" ] ; then
+                        read -r KF < "$1/$f" || true
+                        echo -n "$f {$KF } "
+                elif [ -d "$1/$f" ] ; then
+                        echo -n "$f {"
+                        KF=`read_features_dir "$1/$f"` || true
+                        echo -n "$KF} "
+                fi
+        done
+}
+clear_cache_if_outdated() {
+        if [ -r "$PROFILES_CACHE"/.features ]; then
+                if [ -d "$AA_SFS"/features ]; then
+                        KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
+                else
+                        read -r KERN_FEATURES < "$AA_SFS"/features
+                fi
+                CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
+                if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
+                        clear_cache
+                fi
+        fi
+}
+unload_obsolete_profiles() {
+        # Currently we must re-parse all the profiles to get policy names.  :(
+        aa_configured=$(mktemp -t aa-XXXXXX)
+        configured_profile_names > "$aa_configured" || true
+        aa_loaded=$(mktemp -t aa-XXXXXX)
+        running_profile_names > "$aa_loaded" || true
+        LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
+                unload_profile "$profile"
+        done
+        rm -f "$aa_configured" "$aa_loaded"
+}
+# If the system debsum differs from the saved debsum, the new system debsum is
+# saved and non-zero is returned. Returns 0 if the two debsums matched or if
+# the system debsum file does not exist. This can be removed when system image
+# flavors all move to snappy.
+compare_and_save_debsums() {
+        pkg="$1"
+        if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
+                sums="/var/lib/dpkg/info/${pkg}.md5sums"
+                # store saved md5sums in /var/lib/apparmor/profiles since
+                # /var/cache/apparmor might be cleared by apparmor
+                saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
+                if [ -f "$sums" ] && \
+                   ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
+                        cp -f "$sums" "$saved_sums"
+                        return 1
+                fi
+        fi
+        return 0
+}
+compare_previous_version() {
+        installed="/usr/share/snappy/security-policy-version"
+        previous="/var/lib/snappy/security-policy-version"
+        # When just $previous doesn't exist, assume this is a new system with
+        # no cache and don't do anything special.
+        if [ -f "$installed" ] && [ -f "$previous" ]; then
+                pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
+                iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
+                if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
+                        # snappy updates $previous elsewhere, so just return
+                        return 1
+                fi
+        fi
+        return 0
+}
+# Checks to see if the current container is capable of having internal AppArmor
+# profiles that should be loaded. Callers of this function should have already
+# verified that they're running inside of a container environment with
+# something like `systemd-detect-virt --container`.
+#
+# The only known container environments capable of supporting internal policy
+# are LXD and LXC environment.
+#
+# Returns 0 if the container environment is capable of having its own internal
+# policy and non-zero otherwise.
+#
+# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
+# system container technology being nested inside of a LXD/LXC container that
+# utilized an AppArmor namespace and profile stacking. The reason 0 will be
+# returned is because .ns_stacked will be "yes" and .ns_name will still match
+# "lx[dc]-*" since the nested system container technology will not have set up
+# a new AppArmor profile namespace. This will result in the nested system
+# container's boot process to experience failed policy loads but the boot
+# process should continue without any loss of functionality. This is an
+# unsupported configuration that cannot be properly handled by this function.
+is_container_with_internal_policy() {
+        local ns_stacked_path="${AA_SFS}/.ns_stacked"
+        local ns_name_path="${AA_SFS}/.ns_name"
+        local ns_stacked
+        local ns_name
+        if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+                return 1
+        fi
+        read -r ns_stacked < "$ns_stacked_path"
+        if [ "$ns_stacked" != "yes" ]; then
+                return 1
+        fi
+        # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+        # "lxc-", respectively. Return non-zero for all other namespace
+        # identifiers.
+        read -r ns_name < "$ns_name_path"
+        if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+           [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+                return 1
+        fi
+        return 0
+}
author	Armin Kuster <akuster808@gmail.com>	2016-10-30 09:13:59 -0700
committer	Armin Kuster <akuster808@gmail.com>	2017-02-18 11:43:20 -0800
commit	7fd5f25475e02f39f2f81421dee9264ae56cbee8 (patch)
tree	cd667515204e8373642d97e1e2b63c01b5f03834 /recipes-security/AppArmor/files/functions
parent	6edbdc7a3443dea309a357618f01c13203cced71 (diff)
download	meta-security-7fd5f25475e02f39f2f81421dee9264ae56cbee8.tar.gz

diff --git a/recipes-security/AppArmor/files/functions b/recipes-security/AppArmor/files/functions new file mode 100644 index 0000000..cef8cfe --- /dev/null +++ b/recipes-security/AppArmor/files/functions
@@ -0,0 +1,271 @@
	1	# /lib/apparmor/functions for Debian -- shell-script --
	2	# ----------------------------------------------------------------------
	3	# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
	4	# NOVELL (All rights reserved)
	5	# Copyright (c) 2008-2010 Canonical, Ltd.
	6	#
	7	# This program is free software; you can redistribute it and/or
	8	# modify it under the terms of version 2 of the GNU General Public
	9	# License published by the Free Software Foundation.
	10	#
	11	# This program is distributed in the hope that it will be useful,
	12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	# GNU General Public License for more details.
	15	#
	16	# You should have received a copy of the GNU General Public License
	17	# along with this program; if not, contact Novell, Inc.
	18	# ----------------------------------------------------------------------
	19	# Authors:
	20	# Kees Cook <kees@ubuntu.com>
	21
	22	PROFILES="/etc/apparmor.d"
	23	PROFILES_CACHE="$PROFILES/cache"
	24	PROFILES_VAR="/var/lib/apparmor/profiles"
	25	PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
	26	PROFILES_CACHE_VAR="/var/cache/apparmor"
	27	PARSER="/sbin/apparmor_parser"
	28	SECURITYFS="/sys/kernel/security"
	29	export AA_SFS="$SECURITYFS/apparmor"
	30
	31	# Suppress warnings when booting in quiet mode
	32	quiet_arg=""
	33	[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
	34	[ "${quiet:-n}" = y ] && quiet_arg="-q"
	35
	36	foreach_configured_profile() {
	37	rc_all="0"
	38	for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
	39	if [ ! -d "$pdir" ]; then
	40	continue
	41	fi
	42	num=`find "$pdir" -type f ! -name '*.md5sums' \| wc -l`
	43	if [ "$num" = "0" ]; then
	44	continue
	45	fi
	46
	47	cache_dir="$PROFILES_CACHE"
	48	if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] \|\| [ "$pdir" = "$PROFILES_SNAPPY" ]; then
	49	cache_dir="$PROFILES_CACHE_VAR"
	50	fi
	51	cache_args="--cache-loc=$cache_dir"
	52	if [ ! -d "$cache_dir" ]; then
	53	cache_args=
	54	fi
	55
	56	# LP: #1383858 - expr tree simplification is too slow for
	57	# Touch policy on ARM, so disable it for now
	58	cache_extra_args=
	59	if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] \|\| [ "$pdir" = "$PROFILES_SNAPPY" ]; then
	60	cache_extra_args="-O no-expr-simplify"
	61	fi
	62
	63	# If need to compile everything, then use -n1 with xargs to
	64	# take advantage of -P. When cache files are in use, omit -n1
	65	# since it is considerably faster on moderately sized profile
	66	# sets to give the parser all the profiles to load at once
	67	n1_args=
	68	num=`find "$cache_dir" -type f ! -name '.features' \| wc -l`
	69	if [ "$num" = "0" ]; then
	70	n1_args="-n1"
	71	fi
	72
	73	(ls -1 "$pdir" \| egrep -v '(\.dpkg-(new\|old\|dist\|bak)\|~)$' \| \
	74	while read profile; do
	75	if [ -f "$pdir"/"$profile" ]; then
	76	echo "$pdir"/"$profile"
	77	fi
	78	done) \| \
	79	xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- \|\| {
	80	rc_all="$?"
	81	# FIXME: when the parser properly handles broken
	82	# profiles (LP: #1377338), remove this if statement.
	83	# For now, if the xargs returns with error, just run
	84	# through everything with -n1. (This could be broken
	85	# out and refactored, but this is temporary so make it
	86	# easy to understand and revert)
	87	if [ "$rc_all" != "0" ]; then
	88	(ls -1 "$pdir" \| \
	89	egrep -v '(\.dpkg-(new\|old\|dist\|bak)\|~)$' \| \
	90	while read profile; do
	91	if [ -f "$pdir"/"$profile" ]; then
	92	echo "$pdir"/"$profile"
	93	fi
	94	done) \| \
	95	xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- \|\| {
	96	rc_all="$?"
	97	}
	98	fi
	99	}
	100	done
	101	return $rc_all
	102	}
	103
	104	load_configured_profiles() {
	105	clear_cache_if_outdated
	106	foreach_configured_profile $quiet_arg --write-cache --replace
	107	}
	108
	109	load_configured_profiles_without_caching() {
	110	foreach_configured_profile $quiet_arg --replace
	111	}
	112
	113	recache_profiles() {
	114	clear_cache
	115	foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
	116	}
	117
	118	configured_profile_names() {
	119	foreach_configured_profile $quiet_arg -N 2>/dev/null \| LC_COLLATE=C sort \| grep -v '//'
	120	}
	121
	122	running_profile_names() {
	123	# Output a sorted list of loaded profiles, skipping libvirt's
	124	# dynamically generated files
	125	cat "$AA_SFS"/profiles \| sed -e "s/ (\(enforce\\|complain\))$//" \| egrep -v '^libvirt-[0-9a-f\-]+$' \| LC_COLLATE=C sort \| grep -v '//'
	126	}
	127
	128	unload_profile() {
	129	echo -n "$1" > "$AA_SFS"/.remove
	130	}
	131
	132	clear_cache() {
	133	clear_cache_system
	134	clear_cache_var
	135	}
	136
	137	clear_cache_system() {
	138	find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 \| xargs -0 rm -f --
	139	}
	140
	141	clear_cache_var() {
	142	find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 \| xargs -0 rm -f --
	143	}
	144
	145	read_features_dir()
	146	{
	147	for f in `ls -AU "$1"` ; do
	148	if [ -f "$1/$f" ] ; then
	149	read -r KF < "$1/$f" \|\| true
	150	echo -n "$f {$KF } "
	151	elif [ -d "$1/$f" ] ; then
	152	echo -n "$f {"
	153	KF=`read_features_dir "$1/$f"` \|\| true
	154	echo -n "$KF} "
	155	fi
	156	done
	157	}
	158
	159	clear_cache_if_outdated() {
	160	if [ -r "$PROFILES_CACHE"/.features ]; then
	161	if [ -d "$AA_SFS"/features ]; then
	162	KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
	163	else
	164	read -r KERN_FEATURES < "$AA_SFS"/features
	165	fi
	166	CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
	167	if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
	168	clear_cache
	169	fi
	170	fi
	171	}
	172
	173	unload_obsolete_profiles() {
	174	# Currently we must re-parse all the profiles to get policy names. :(
	175	aa_configured=$(mktemp -t aa-XXXXXX)
	176	configured_profile_names > "$aa_configured" \|\| true
	177	aa_loaded=$(mktemp -t aa-XXXXXX)
	178	running_profile_names > "$aa_loaded" \|\| true
	179	LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" \| while read profile ; do
	180	unload_profile "$profile"
	181	done
	182	rm -f "$aa_configured" "$aa_loaded"
	183	}
	184
	185	# If the system debsum differs from the saved debsum, the new system debsum is
	186	# saved and non-zero is returned. Returns 0 if the two debsums matched or if
	187	# the system debsum file does not exist. This can be removed when system image
	188	# flavors all move to snappy.
	189	compare_and_save_debsums() {
	190	pkg="$1"
	191
	192	if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
	193	sums="/var/lib/dpkg/info/${pkg}.md5sums"
	194	# store saved md5sums in /var/lib/apparmor/profiles since
	195	# /var/cache/apparmor might be cleared by apparmor
	196	saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
	197
	198	if [ -f "$sums" ] && \
	199	! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
	200	cp -f "$sums" "$saved_sums"
	201	return 1
	202	fi
	203	fi
	204
	205	return 0
	206	}
	207
	208	compare_previous_version() {
	209	installed="/usr/share/snappy/security-policy-version"
	210	previous="/var/lib/snappy/security-policy-version"
	211
	212	# When just $previous doesn't exist, assume this is a new system with
	213	# no cache and don't do anything special.
	214	if [ -f "$installed" ] && [ -f "$previous" ]; then
	215	pv=`grep '^apparmor/' "$previous" \| cut -d ' ' -f 2`
	216	iv=`grep '^apparmor/' "$installed" \| cut -d ' ' -f 2`
	217	if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
	218	# snappy updates $previous elsewhere, so just return
	219	return 1
	220	fi
	221	fi
	222
	223	return 0
	224	}
	225
	226	# Checks to see if the current container is capable of having internal AppArmor
	227	# profiles that should be loaded. Callers of this function should have already
	228	# verified that they're running inside of a container environment with
	229	# something like `systemd-detect-virt --container`.
	230	#
	231	# The only known container environments capable of supporting internal policy
	232	# are LXD and LXC environment.
	233	#
	234	# Returns 0 if the container environment is capable of having its own internal
	235	# policy and non-zero otherwise.
	236	#
	237	# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
	238	# system container technology being nested inside of a LXD/LXC container that
	239	# utilized an AppArmor namespace and profile stacking. The reason 0 will be
	240	# returned is because .ns_stacked will be "yes" and .ns_name will still match
	241	# "lx[dc]-*" since the nested system container technology will not have set up
	242	# a new AppArmor profile namespace. This will result in the nested system
	243	# container's boot process to experience failed policy loads but the boot
	244	# process should continue without any loss of functionality. This is an
	245	# unsupported configuration that cannot be properly handled by this function.
	246	is_container_with_internal_policy() {
	247	local ns_stacked_path="${AA_SFS}/.ns_stacked"
	248	local ns_name_path="${AA_SFS}/.ns_name"
	249	local ns_stacked
	250	local ns_name
	251
	252	if ! [ -f "$ns_stacked_path" ] \|\| ! [ -f "$ns_name_path" ]; then
	253	return 1
	254	fi
	255
	256	read -r ns_stacked < "$ns_stacked_path"
	257	if [ "$ns_stacked" != "yes" ]; then
	258	return 1
	259	fi
	260
	261	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
	262	# "lxc-", respectively. Return non-zero for all other namespace
	263	# identifiers.
	264	read -r ns_name < "$ns_name_path"
	265	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
	266	[ "${ns_name#lxc-*}" = "$ns_name" ]; then
	267	return 1
	268	fi
	269
	270	return 0
	271	}