[yocto] [meta-security][PATCH] apparmor: Additional runtime fixes
Tom Rini
trini at konsulko.com
Tue Jul 11 05:36:29 PDT 2017
- We need various python3 modules and we can only really solve this
problem by including all python3-modules.
- aa-easyprof needs to have its shebang corrected, do so.
- The apparmor initscript depends on functions that LSB does not require
so we must provide them. In some cases it's using non-standard
function, so we just use more appropriate names.
- The apparmor sysvinit-style initscript assumes that
systemd-detect-virt will exist on the filesystem. Change this to
check that it does before trying to execute it.
[for aa-easyprof:]
Reported-by: Anders Montonen <Anders.Montonen at iki.fi>
Signed-off-by: Tom Rini <trini at konsulko.com>
---
recipes-security/AppArmor/apparmor_2.11.0.bb | 6 +++++-
recipes-security/AppArmor/files/apparmor | 30 +++++++++++++++++++++-------
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/recipes-security/AppArmor/apparmor_2.11.0.bb b/recipes-security/AppArmor/apparmor_2.11.0.bb
index 647ab124f115..d9572e4e626f 100644
--- a/recipes-security/AppArmor/apparmor_2.11.0.bb
+++ b/recipes-security/AppArmor/apparmor_2.11.0.bb
@@ -79,6 +79,10 @@ do_install () {
oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
fi
+ # aa-easyprof is installed by python-tools-setup.py, fix it up
+ sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+ chmod 0755 ${D}${bindir}/aa-easyprof
+
install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
install ${WORKDIR}/functions ${D}/lib/apparmor
}
@@ -124,6 +128,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-argparse python3-json','', d)}"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
RDEPENDS_${PN}-ptest += "coreutils dbus-lib"
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor
index c73c1cec94e9..ac3ab9a4acb5 100644
--- a/recipes-security/AppArmor/files/apparmor
+++ b/recipes-security/AppArmor/files/apparmor
@@ -32,6 +32,20 @@
# Description: AppArmor init script. This script loads all AppArmor profiles.
### END INIT INFO
+log_daemon_msg() {
+ echo $*
+}
+
+log_end_msg () {
+ retval=$1
+ if [ $retval -eq 0 ]; then
+ echo "."
+ else
+ echo " failed!"
+ fi
+ return $retval
+}
+
. /lib/apparmor/functions
. /lib/lsb/init-functions
@@ -47,20 +61,19 @@ securityfs() {
# Need securityfs for any mode
if [ ! -d "${AA_SFS}" ]; then
if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_action_msg "AppArmor not available as kernel LSM."
+ log_daemon_msg "AppArmor not available as kernel LSM."
log_end_msg 1
exit 1
else
- log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
+ log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
if ! mount -t securityfs none "${SECURITYFS}"; then
- log_action_end_msg 1
log_end_msg 1
exit 1
fi
fi
fi
if [ ! -w "$AA_SFS"/.load ]; then
- log_action_msg "Insufficient privileges to change profiles."
+ log_daemon_msg "Insufficient privileges to change profiles."
log_end_msg 1
exit 1
fi
@@ -127,7 +140,8 @@ test -d /rofs/etc/apparmor.d && exit 0
rc=255
case "$1" in
start)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not starting AppArmor in container"
log_end_msg 0
@@ -161,7 +175,8 @@ with the 'teardown' option."
EOM
;;
teardown)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not tearing down AppArmor in container"
log_end_msg 0
@@ -179,7 +194,8 @@ EOM
log_end_msg $rc
;;
restart|reload|force-reload)
- if systemd-detect-virt --quiet --container && \
+ if test -x /sbin/systemd-detect-virt && \
+ systemd-detect-virt --quiet --container && \
! is_container_with_internal_policy; then
log_daemon_msg "Not reloading AppArmor in container"
log_end_msg 0
--
1.9.1
More information about the yocto
mailing list