#0x2525
Linux debian-2gb-nbg1 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64
  SOFT : Apache/2.4.62 (Debian) PHP : 8.2.28
/lib/apparmor/
162.55.61.15

 
[ NAME ] [ SIZE ] [ PERM ] [ DATE ] [ ACT ]
apparmor.systemd 2.179 KB -rwxr-xr-x 2022-11-22 00:54 R E G D
profile-load 1.912 KB -rwxr-xr-x 2023-02-14 11:49 R E G D
rc.apparmor.functions 11.586 KB -rwxr-xr-x 2023-02-14 11:49 R E G D
#!/bin/sh
# ----------------------------------------------------------------------
#    Copyright (c) 1999-2008 NOVELL (All rights reserved)
#    Copyright (c) 2009-2018 Canonical Ltd. (All rights reserved)
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Novell, Inc.
# ----------------------------------------------------------------------
# rc.apparmor.functions by Steve Beattie
#
# Shared helpers for loading AppArmor policy. This file is meant to be
# sourced, not executed: the top-level statements below run at source time
# and only set variables (plus one warning if the profile directory is
# missing).
#
# NOTE: rc.apparmor initscripts that source this file need to implement
# the following set of functions:
#	aa_action
#	aa_log_action_start
#	aa_log_action_end
#	aa_log_success_msg
#	aa_log_warning_msg
#	aa_log_failure_msg
#	aa_log_skipped_msg
#	aa_log_daemon_msg
#	aa_log_end_msg

# Some nice defines that we use

# Absolute path to the policy parser; every parser invocation below goes
# through "$PARSER" rather than a PATH lookup.
PARSER=/sbin/apparmor_parser
# Options prepended to every parser call. The variable is expanded unquoted
# at the call site so that it splits into separate options.
PARSER_OPTS=--write-cache
# Suppress warnings when booting in quiet mode
if [ "${QUIET:-no}" = yes ] || [ "${quiet:-n}" = y ]; then
	PARSER_OPTS="$PARSER_OPTS --quiet"
fi

# NOTE(review): PROFILE_DIRS is not assigned in the else branch, so a value
# already present in the sourcing shell's environment would be kept as-is.
# Confirm that callers run with a controlled environment.
if [ -d /etc/apparmor.d ] ; then
	PROFILE_DIRS=/etc/apparmor.d
else
	aa_log_warning_msg "Unable to find profiles directory, installation problem?"
fi

# Eg. snapd policy might need this on some systems if loading policy
# during early boot if not using the snapd unit file
#
# The assignment below is unconditional, so any ADDITIONAL_PROFILE_DIR
# inherited from the environment is discarded; an extra directory is only
# picked up if this line itself is edited.
ADDITIONAL_PROFILE_DIR=
if [ -n "$ADDITIONAL_PROFILE_DIR" ] && [ -d "$ADDITIONAL_PROFILE_DIR" ]; then
	PROFILE_DIRS="$PROFILE_DIRS $ADDITIONAL_PROFILE_DIR"
fi
AA_STATUS=/usr/sbin/aa-status
SECURITYFS=/sys/kernel/security
SFS_MOUNTPOINT="${SECURITYFS}/apparmor"

# keep exit status from parser during profile load.  0 is good, 1 is bad
STATUS=0

# Test if the apparmor "module" is present.
# Returns 0 when /sys/module/apparmor exists as a directory, non-zero
# otherwise (the function's status is the status of the test itself).
is_apparmor_present() {
	[ -d /sys/module/apparmor ]
}

# Checks to see if the current container is capable of having internal AppArmor
# profiles that should be loaded. Callers of this function should have already
# verified that they're running inside of a container environment with
# something like `systemd-detect-virt --container`.
#
# The only known container environments capable of supporting internal policy
# are LXD and LXC environment.
#
# Returns 0 if the container environment is capable of having its own internal
# policy and non-zero otherwise.
#
# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
# system container technology being nested inside of a LXD/LXC container that
# utilized an AppArmor namespace and profile stacking. The reason 0 will be
# returned is because .ns_stacked will be "yes" and .ns_name will still match
# "lx[dc]-*" since the nested system container technology will not have set up
# a new AppArmor profile namespace. This will result in the nested system
# container's boot process to experience failed policy loads but the boot
# process should continue without any loss of functionality. This is an
# unsupported configuration that cannot be properly handled by this function.
is_container_with_internal_policy() {
	# this function is sometimes called independently of
	# is_apparmor_loaded(), so also define this here.
	local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
	local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
	local ns_stacked
	local ns_name

	# Both securityfs files must exist as regular files; if either is
	# missing the answer is "no internal policy".
	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
		return 1
	fi

	# Only the first line of the file is read; anything other than the
	# exact string "yes" is treated as not stacked.
	read -r ns_stacked < "$ns_stacked_path"
	if [ "$ns_stacked" != "yes" ]; then
		return 1
	fi

	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
	# "lxc-", respectively. Return non-zero for all other namespace
	# identifiers.
	#
	# The prefix-strip expansion leaves the value unchanged when the prefix
	# is absent, so "unchanged for both prefixes" means neither matched.
	read -r ns_name < "$ns_name_path"
	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
		return 1
	fi

	return 0
}

# This set of patterns to skip needs to be kept in sync with
# AppArmor.pm::isSkippableFile()
#
# Arguments: $1 - profile file name or path; only its suffix is examined
#
# returns 0 if profile should NOT be skipped
# returns 1 on verbose skip
# returns 2 on silent skip
skip_profile() {
	local profile="$1"
	# Suffix-strip idiom: "${profile%SUFFIX}" differs from "$profile" only
	# when the name ends in SUFFIX.
	if [ "${profile%.rpmnew}" != "$profile" ] || \
	   [ "${profile%.rpmsave}" != "$profile" ] || \
	   [ "${profile%.orig}" != "$profile" ] || \
	   [ "${profile%.rej}" != "$profile" ] || \
	   [ "${profile%\~}" != "$profile" ] ; then
		return 1
	fi
	# Silently ignore the dpkg, pacman, and xbps files
	if [ "${profile%.dpkg-new}" != "$profile" ] || \
	   [ "${profile%.dpkg-old}" != "$profile" ] || \
	   [ "${profile%.dpkg-dist}" != "$profile" ] || \
	   [ "${profile%.dpkg-bak}" != "$profile" ] || \
	   [ "${profile%.dpkg-remove}" != "$profile" ] || \
	   [ "${profile%.pacsave}" != "$profile" ] || \
	   [ "${profile%.pacnew}" != "$profile" ] ; then
		return 2
	fi
	# Names ending in ".new-<digits and dots>_<digits>"; presumably the
	# xbps case mentioned above, since no other check covers it.
	if echo "$profile" | grep -E -q '^.+\.new-[0-9\.]+_[0-9]+$'; then
		return 2
	fi

	return 0
}

# Runs the parser over a whole profile directory.
#
# Arguments: $1 - parser option passed ahead of "--" on the command line
#            $2 - directory holding the profiles
# Returns 1 (after logging a failure) when the directory is missing or
# when `ls` prints nothing for it; the remainder of the function lies
# beyond this listing.
__parse_profiles_dir() {
	local parser_cmd="$1"
	local profile_dir="$2"
	local status=0

	if [ ! -d "$profile_dir" ]; then
		aa_log_failure_msg "Profile directory not found: $profile_dir"
		return 1
	fi

	# `ls` is called without -A, so a directory holding only dotfiles is
	# reported as having no profiles.
	if [ -z "$(ls "$profile_dir"/)" ]; then
		aa_log_failure_msg "No profiles found in $profile_dir"
		return 1
	fi

	# Note: the parser automatically skips files that match skip_profile()
	# when we pass it a directory, but not when we pass it an individual
	# profile. So we need to use skip_profile only in the latter case,
	# as long as the parser is in sync' with skip_profile().
	#
	# $PARSER_OPTS is deliberately unquoted so it expands to separate
	# options; "--" ends option parsing before the directory argument.
	"$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir" || {
		# FIXME: once the parser properly handles broken profiles
		# (LP: #1377338), remove the following code and the
		# skip_profile() function. For now, if the parser returns
		# an error, just run it again separately on each profile.
		for profile