[yocto] [meta-security][PATCH] apparmor: Additional runtime fixes

Tom Rini trini at konsulko.com
Tue Jul 11 05:36:29 PDT 2017


- We need various python3 modules and we can only really solve this
  problem by including all python3-modules.
- aa-easyprof needs to have its shebang corrected, do so.
- The apparmor initscript depends on functions that LSB does not require
  so we must provide them.  In some cases it uses non-standard
  functions, so we just switch to more appropriate names.
- The apparmor sysvinit-style initscript assumes that
  systemd-detect-virt will exist on the filesystem.  Change this to
  check that it does before trying to execute it.

[for aa-easyprof:]
Reported-by: Anders Montonen <Anders.Montonen at iki.fi>
Signed-off-by: Tom Rini <trini at konsulko.com>
---
 recipes-security/AppArmor/apparmor_2.11.0.bb |  6 +++++-
 recipes-security/AppArmor/files/apparmor     | 30 +++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/recipes-security/AppArmor/apparmor_2.11.0.bb b/recipes-security/AppArmor/apparmor_2.11.0.bb
index 647ab124f115..d9572e4e626f 100644
--- a/recipes-security/AppArmor/apparmor_2.11.0.bb
+++ b/recipes-security/AppArmor/apparmor_2.11.0.bb
@@ -79,6 +79,10 @@ do_install () {
 		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
 	fi
 
+	# aa-easyprof is installed by python-tools-setup.py, fix it up
+	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+	chmod 0755 ${D}${bindir}/aa-easyprof
+
 	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
 	install ${WORKDIR}/functions ${D}/lib/apparmor
 }
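Review bot: The sed expression on the aa-easyprof line is unanchored and runs against every line of the file, so any other occurrence of `/usr/bin/env` in the script (a usage string, a comment) is rewritten along with the shebang; restrict it to the first line and anchor it, `sed -i -e '1s:^#!/usr/bin/env.*:#!/usr/bin/python3:' "${D}${bindir}/aa-easyprof"`. The fix-up also runs unconditionally, while the second hunk gates the python runtime dependencies on the 'python' PACKAGECONFIG; if aa-easyprof is not installed in a build without that option, sed fails and do_install with it, so the two lines probably want the same PACKAGECONFIG guard or an existence test. The `${D}${bindir}` expansions are unquoted as well. do_install begins outside the hunk.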
@@ -124,6 +128,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
 
 RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-argparse python3-json','', d)}"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
 RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
 RDEPENDS_${PN}-ptest += "coreutils dbus-lib"
diff --git a/recipes-security/AppArmor/files/apparmor b/recipes-security/AppArmor/files/apparmor
index c73c1cec94e9..ac3ab9a4acb5 100644
--- a/recipes-security/AppArmor/files/apparmor
+++ b/recipes-security/AppArmor/files/apparmor
@@ -32,6 +32,20 @@
 # Description: AppArmor init script. This script loads all AppArmor profiles.
 ### END INIT INFO
 
+log_daemon_msg() {
+    echo $*
+}
+
+log_end_msg () {
+    retval=$1
+    if [ $retval -eq 0 ]; then
+        echo "."
+    else
+        echo " failed!"
+    fi
+    return $retval
+}
+
 . /lib/apparmor/functions
 . /lib/lsb/init-functions
 
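Review bot: The log_daemon_msg shim echoes `$*` unquoted, so a message containing a glob character or runs of spaces is globbed and re-split, and log_end_msg compares `$retval` unquoted, so a call without an argument turns into `[ -eq 0 ]` and fails as a syntax error. Quote both: `echo "$*"`, `if [ "$retval" -eq 0 ]; then` and `return "$retval"`. Since the shims are defined before `. /lib/lsb/init-functions` is sourced, an LSB implementation that does provide these names silently replaces them; if that is the intent, a comment above the definitions such as `# Fallback definitions; an implementation from /lib/lsb/init-functions, if present, overrides them` would make it explicit.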
@@ -47,20 +61,19 @@ securityfs() {
 	# Need securityfs for any mode
 	if [ ! -d "${AA_SFS}" ]; then
 		if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
-			log_action_msg "AppArmor not available as kernel LSM."
+			log_daemon_msg "AppArmor not available as kernel LSM."
 			log_end_msg 1
 			exit 1
 		else
-			log_action_begin_msg "Mounting securityfs on ${SECURITYFS}"
+			log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
 			if ! mount -t securityfs none "${SECURITYFS}"; then
-				log_action_end_msg 1
 				log_end_msg 1
 				exit 1
 			fi
 		fi
 	fi
 	if [ ! -w "$AA_SFS"/.load ]; then
-		log_action_msg "Insufficient privileges to change profiles."
+		log_daemon_msg "Insufficient privileges to change profiles."
 		log_end_msg 1
 		exit 1
 	fi
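Review bot: After `log_daemon_msg "Mounting securityfs on ${SECURITYFS}"` the success path of the mount never closes the message, so if the sourced LSB log_daemon_msg is one that prints without a trailing newline, the next line of output continues on the same line; the shim defined earlier in this file avoids that, but the LSB version takes precedence when present. Consider `if mount -t securityfs none "${SECURITYFS}"; then log_end_msg 0; else log_end_msg 1; exit 1; fi` so both outcomes terminate the message. securityfs() starts before the hunk and continues past it.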
@@ -127,7 +140,8 @@ test -d /rofs/etc/apparmor.d && exit 0
 rc=255
 case "$1" in
 	start)
-		if systemd-detect-virt --quiet --container && \
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not starting AppArmor in container"
 			log_end_msg 0
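Review bot: The new guard tests the hard-coded path /sbin/systemd-detect-virt but then invokes `systemd-detect-virt` through PATH, so on a merged-/usr or /usr/bin installation the container check is silently skipped and the script proceeds as on a host, while on a system where /sbin is not in PATH the `test -x` passes and the invocation fails with command-not-found. Use one lookup for both, `if command -v systemd-detect-virt >/dev/null 2>&1 && \`, or execute the path that was checked. The same pattern is repeated in the teardown and restart|reload|force-reload hunks; a small helper such as `in_container_without_policy()` wrapping the three-line condition would keep them in sync. A one-line comment stating that a missing systemd-detect-virt is treated as "not a container" would also help, since that is the resulting behaviour and is not obvious from the condition. The enclosing case statement continues outside the hunk.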
@@ -161,7 +175,8 @@ with the 'teardown' option."
 EOM
 		;;
 	teardown)
-		if systemd-detect-virt --quiet --container && \
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not tearing down AppArmor in container"
 			log_end_msg 0
@@ -179,7 +194,8 @@ EOM
 		log_end_msg $rc
 		;;
 	restart|reload|force-reload)
-		if systemd-detect-virt --quiet --container && \
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
 		   ! is_container_with_internal_policy; then
 			log_daemon_msg "Not reloading AppArmor in container"
 			log_end_msg 0
-- 
1.9.1



