LILiK
/
openwrt-packages-dist

#!/bin/sh

log_write() {	local facility=kern.$1	logger -t AppArmor -p $facility "$2"}
AA_STATUS=/usr/sbin/aa-statusSECURITYFS=/sys/kernel/securitySFS_MOUNTPOINT="${SECURITYFS}/apparmor"PARSER=/sbin/apparmor_parserPARSER_OPTS=ADDITIONAL_PROFILE_DIR=
[ -d /etc/apparmor.d ] && PROFILE_DIRS=/etc/apparmor.d ||	log_write warning "Unable to find profiles: /etc/apparmor.d"
[ -n "$ADDITIONAL_PROFILE_DIR" ] && [ -d "$ADDITIONAL_PROFILE_DIR" ] &&	PROFILE_DIRS="$PROFILE_DIRS $ADDITIONAL_PROFILE_DIR"
dir_is_empty() {	[ "$(du -s $1 | cut -f 1)" -eq 0 ] && return 0 || return 1}
profiles_loaded_count() {
	[ -f ${SFS_MOUNTPOINT}/profiles ] &&		return $(cat "${SFS_MOUNTPOINT}/profiles" | wc -l) || return 0}
is_profiles_loaded() {
	[ -f ${SFS_MOUNTPOINT}/profiles ] && {		rc=$(cat "${SFS_MOUNTPOINT}/profiles" | wc -l)		[ "$rc" -ne 0 ] && return 0 || return 1	}	return 1}
is_container_with_internal_policy() {
	local ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"	local ns_name_path="${SFS_MOUNTPOINT}/.ns_name"	local ns_stacked	local ns_name
	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then		return 1	fi
	read -r ns_stacked < "$ns_stacked_path"	if [ "$ns_stacked" != "yes" ]; then		return 1	fi
	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and	# "lxc-", respectively. Return non-zero for all other namespace	# identifiers.
	read -r ns_name < "$ns_name_path"	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then		return 1	fi
	return 0}
skip_profile() {
	local profile="$1"
	if [ "${profile%.rpmnew}"   != "$profile" ] || \
	   [ "${profile%.rpmsave}"  != "$profile" ] || \
	   [ "${profile%.orig}"     != "$profile" ] || \
	   [ "${profile%.rej}"      != "$profile" ] || \
	   [ "${profile%\~}"        != "$profile" ] ; then		return 1	fi
	# Silently ignore the dpkg, pacman, ipk and xbps files
	if [ "${profile%.dpkg-new}"     != "$profile" ] || \
	   [ "${profile%.dpkg-old}"     != "$profile" ] || \
	   [ "${profile%.dpkg-dist}"    != "$profile" ] || \
	   [ "${profile%.dpkg-bak}"     != "$profile" ] || \
	   [ "${profile%.dpkg-remove}"  != "$profile" ] || \
	   [ "${profile%.ipk}"          != "$profile" ] || \
	   [ "${profile%.ipk-new}"      != "$profile" ] || \
	   [ "${profile%.ipk-old}"      != "$profile" ] || \
	   [ "${profile%.ipk-dist}"     != "$profile" ] || \
	   [ "${profile%.ipk-bak}"      != "$profile" ] || \
	   [ "${profile%.ipk-remove}"   != "$profile" ] || \
	   [ "${profile%.pacsave}"      != "$profile" ] || \
	   [ "${profile%.pacnew}"       != "$profile" ] ; then		return 2	fi
	$(echo "$profile" | grep -E -q '^.+\.new-[0-9\.]+_[0-9]+$'); [ "$?" -eq 0 ] && return 2
	return 0}
__parse_profiles_dir() {
	local parser_cmd="$1"	local profile_dir="$2"	local status=0
	[ -x "$PARSER" ] || {		log_write err "Unable to execute AppArmor parser"		return 1	}
	[ -d "$profile_dir" ] || {		log_write warning "AppArmor profiles not found: $profile_dir"		return 1	}
	dir_is_empty "$profile_dir"; [ "$?" -eq 0 ] && {		log_write err "No profiles found in $profile_dir"		return 1	}
	local nprocs=$(cat /proc/cpuinfo |grep "processor\t:"|wc -l)	local rc=0	local xargs_args=""	[ "$nprocs" -ge 2 ] && xargs_args="--max-procs=$nprocs"
	"$PARSER" $PARSER_OPTS "$parser_cmd" -- "$profile_dir" || {
		for profile in "$profile_dir"/*; do			skip_profile "$profile"			skip=$?			[ "$skip" -ne 0 ] && {				[ "$skip" -ne 2 ] && log_write info "Skipped loading profile $profile"				continue			}			[ -f "$profile" ] || continue			echo "$profile"		done | \

		# Use xargs to parallelize calls to the parser over all CPUs
		/usr/libexec/xargs-findutils -n1 -d"\n" $xargs_args \
			"$PARSER" $PARSER_OPTS "$parser_cmd" --
		[ "$?" -ne 0 ] && {			rc=1			log_write err "At least one profile failed to load"		}	}
	return $rc}
parse_profiles() {
	case "$1" in		load)			PARSER_CMD="--add"			PARSER_MSG="Loading profiles"			;;		reload)			PARSER_CMD="--replace"			PARSER_MSG="Reloading profiles"			;;		*)			log_write err "Unknown parameter $1"			log_write info "parse_profiles parameter must be either 'load' or 'reload'"			return 1			;;	esac
	log_write info "$PARSER_MSG"
	[ -w "$SFS_MOUNTPOINT/.load" ] || {		log_write err "${SFS_MOUNTPOINT}/.load not writable"		return 1	}
	[ -f "$PARSER" ] || {		log_write err "AppArmor parser not found"		return 1	}
	# run parser on all profiles	local rc=0	for profile_dir in $PROFILE_DIRS; do		__parse_profiles_dir "$PARSER_CMD" "$profile_dir" || rc=$?	done
	return $rc}
is_apparmor_loaded() {
	is_securityfs_mounted; [ "$?" -eq 0 ] || {		mount_securityfs	}
	[ -f "${SFS_MOUNTPOINT}/profiles" ] && return 0	[ -d /sys/module/apparmor ] && return 0 || return 1}
is_securityfs_mounted() {
	[ -d "$SECURITYFS" ] && {		grep -q securityfs /proc/filesystems && grep -q securityfs /proc/mounts		return $?	}	return 1}
mount_securityfs() {
	local rc=0
	grep -q securityfs /proc/filesystems; [ "$?" -eq 0 ] && {		mount -t securityfs securityfs "$SECURITYFS"		rc=$?		[ "$rc" -eq 0 ] && log_write info "Mounting securityfs" ||			log_write err "Failed to mount securityfs"	}	return $rc}
apparmor_start() {
	local announced=0	is_securityfs_mounted; [ "$?" -ne 0 ] && {		log_write info "Starting AppArmor"		announced=1		mount_securityfs; [ "$?" -eq 0 ] || return $?	}
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		[ "$announced" -eq 0 ] && log_write info "Starting AppArmor"		announced=1		log_write err "AppArmor kernel support is not present"		return 1	}
	[ -d /var/lib/apparmor ] || mkdir -p /var/lib/apparmor > /dev/null
	is_profiles_loaded; [ "$?" -eq 0 ] || {		[ "$announced" -eq 0 ] && log_write info "Starting AppArmor"		announced=1		parse_profiles load		return $?	} || {		parse_profiles reload		return $?	}}
remove_profiles() {
	log_write info "Unloading profiles"
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		log_write err "AppArmor kernel support is not present"		return 1	}
	[ -w "$SFS_MOUNTPOINT/.remove" ] || {		log_write err "${SFS_MOUNTPOINT}/.remove not writable"		return 1	}
	[ -x "$PARSER" ] || {		log_write err "Unable to execute AppArmor parser"		return 1	}
	local rc=0
	sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
	LC_COLLATE=C sort | grep -v // | {		while read -r profile ; do			printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"			result=$?			[ "$result" -eq 0 ] || rc=$result		done	}	return $rc}
apparmor_stop() {
	is_apparmor_loaded; [ "$?" -eq 0 ] || return 1	is_profiles_loaded; [ "$?" -eq 0 ] && {		log_write info "Stopping AppArmor"		remove_profiles		return $?	} || return 0}
apparmor_restart() {
	is_profiles_loaded; [ "$?" -eq 0 ] || {		apparmor_start		return $?	}
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		apparmor_start		return $?	}
	log_write info "Restarting AppArmor"	parse_profiles reload	return $?}
apparmor_reload() {
	is_profiles_loaded; [ "$?" -eq 0 ] || {		apparmor_start		return $?	}
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		apparmor_start		return $?	}
	log_write info "Reloading AppArmor"	parse_profiles reload	return $?}
apparmor_list_profiles() {
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		echo "AppArmor kernel support is not present"		return 1	}
        [ -x "$PARSER" ] || {                echo "Unable to execute AppArmor parser"		return 1	}
	# run parser on all profiles	for profile_dir in $PROFILE_DIRS; do		[ -d "$profile_dir" ] || {			echo "AppArmor profiles not found: $profile_dir"			continue		}
		for profile in "$profile_dir"/*; do			if skip_profile "$profile" && [ -f "$profile" ] ; then				LIST_ADD=$("$PARSER" -N "$profile" )				[ "$?" -eq 0 ] && echo "$LIST_ADD"			fi		done	done	return 0}

apparmor_status() {
	is_apparmor_loaded; [ "$?" -eq 0 ] || {		echo "AppArmor kernel support is not present"		return 1	}
	[ -x "$AA_STATUS" ] && {		"$AA_STATUS" --verbose		return $?	}
	echo "AppArmor is enabled."	echo "Install apparmor-utils to receive more detailed status"	echo "information or examine $SFS_MOUNTPOINT directly."
	return 0}