[apparmor] [PATCH] Native systemd support

Goldwyn Rodrigues rgoldwyn at suse.de
Wed Oct 19 15:45:53 UTC 2016


This patch implements native systemd support for apparmor. This
is performed and tested on opensuse 42.1. I think we can keep
rc.apparmor.suse for a bit more time until we decide to
fully retire it.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>

--- a/parser/Makefile
+++ b/parser/Makefile
@@ -314,11 +314,12 @@
 
 .PHONY: install-suse
 install-suse:
-	install -m 755 -d $(DESTDIR)/etc/init.d
-	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
-	install -m 755 -d $(DESTDIR)/sbin
-	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
-	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+	install -m 755 -d $(DESTDIR)/usr/lib/systemd/system/
+	install -m 755 -d $(DESTDIR)/usr/lib/systemd/scripts/
+	install -m 0444 apparmor.service $(DESTDIR)/usr/lib/systemd/system
+	install -m 0755 apparmor_start.sh $(DESTDIR)/usr/lib/systemd/scripts
+	install -m 0755 apparmor_stop.sh $(DESTDIR)/usr/lib/systemd/scripts
+	install -m 0755 apparmor_reload.sh $(DESTDIR)/usr/lib/systemd/scripts
 
 .PHONY: install-slackware
 install-slackware:
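Review bot: The new `install-suse` recipe hard-codes `/usr/lib/systemd/system` and `/usr/lib/systemd/scripts` in five lines, so the same unit cannot be installed on a distribution whose unit directory is elsewhere without a copy of the target. Hoisting the two paths into overridable variables above the rules, `SYSTEMD_UNITDIR ?= /usr/lib/systemd/system` and `SYSTEMD_SCRIPTDIR ?= /usr/lib/systemd/scripts`, and using them in the `install` lines keeps the recipe to one place to change and lets packagers pass the directory on the command line. The unit file itself also embeds `/usr/lib/systemd/scripts` in its Exec lines, so those would need the same substitution at install time for the override to be complete. The `-m 755` on the directory lines and `0755`/`0444` on the files are equivalent; picking one spelling would be tidier.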
--- /dev/null
+++ b/parser/apparmor.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=systemd-journald-audit.socket
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/scripts/apparmor_start.sh
+ExecReload=/usr/lib/systemd/scripts/apparmor_reload.sh
+ExecStop=/usr/lib/systemd/scripts/apparmor_stop.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
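Review bot: The unit is ordered `Before=sysinit.target` but is only pulled into the boot transaction by `WantedBy=multi-user.target`, so a boot whose goal does not reach multi-user.target (rescue or emergency, for instance) would, as far as I can tell, never load the profiles even though the ordering says they should be present before early services start. Since the point of the ordering is that confinement exists before sysinit, `WantedBy=sysinit.target` matches the `Before=` line and removes that gap. The `ExecStop` script exits 1 when securityfs is not writable, which systemd will report as a failed stop; that may be intended, but a comment in the unit or a message from the script would make it clear.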
--- /dev/null
+++ b/parser/apparmor_reload.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+/usr/lib/systemd/scripts/apparmor_stop.sh
+/sbin/apparmor_parser -r /etc/apparmor.d
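Review bot: `apparmor_reload.sh` first runs `apparmor_stop.sh`, which unloads every profile from the kernel, and only then re-parses `/etc/apparmor.d`, so between the two commands nothing is confined, and processes that were running under a removed profile lose their confinement rather than being re-attached when the profile returns. `apparmor_parser -r` already replaces a loaded profile in place, so the stop call should simply be dropped, leaving `/sbin/apparmor_parser -r /etc/apparmor.d` as the whole script. As written, a failing stop (it exits 1 when `.remove` is not writable) is also ignored because the script has no `set -e`; with the stop call gone that concern disappears too.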
--- /dev/null
+++ b/parser/apparmor_start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/sbin/apparmor_parser -r /etc/apparmor.d
+
+
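Review bot: The start script's only command is identical to the last line of `apparmor_reload.sh`, and all three new scripts repeat the same hard-coded `/sbin/apparmor_parser` and `/etc/apparmor.d` paths; a single script dispatching on a `start|stop|reload` argument would keep those in one place and let the unit's three Exec lines call it with the action name. The two trailing blank lines in this hunk are noise and should be removed.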
--- /dev/null
+++ b/parser/apparmor_stop.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.remove" ] ; then
+	exit 1
+fi
+
+PROFILES=`sed -e "s/ (\(enforce\|complain\))$//" $APPARMOR_MOUNTPOINT/profiles`
+
+retval=0
+for profile in $PROFILES; do
+	echo -n "$profile" > $APPARMOR_MOUNTPOINT/.remove
+	rc=$?
+	if [ ${rc} -ne 0 ]; then
+		retval=${rc}
+	fi
+done
+exit $retval
+
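Review bot: The `for profile in $PROFILES` loop word-splits the profile list on whitespace, so a profile whose name contains a space is written to `.remove` as several bogus names and the real one stays loaded; the `sed` expression also strips only `(enforce)` and `(complain)`, so any other mode string the kernel reports is left attached to the name and the removal fails for it. Reading the `profiles` file line by line and stripping the parenthesised suffix generically fixes both, and `printf` with a quoted `.remove` path avoids `echo -n` portability and quoting issues. Removing a top-level profile may also drop its `parent//child` entries, in which case a later write for the child fails and the loop reports a spurious stop failure; worth confirming against the kernel and, if so, skipping names containing `//`. The silent `exit 1` when `.remove` is not writable would be easier to diagnose with a one-line message to stderr.
```shell
# … unchanged: SECURITYFS / APPARMOR_MOUNTPOINT definitions and the .remove writability check …
retval=0
while IFS= read -r line; do
	# drop the trailing " (mode)" whatever the mode is
	profile=${line% (*)}
	printf '%s' "$profile" > "$APPARMOR_MOUNTPOINT/.remove" || retval=$?
done < "$APPARMOR_MOUNTPOINT/profiles"
exit $retval
```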


