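#!/bin/bash
# apparmor_init — load the AppArmor profiles listed in enabled.conf and then
# verify that every profile the kernel knows about is in enforce mode.
#
# Inputs:
#   /etc/apparmor/enabled.conf   one profile file name per line, looked up in
#                                /etc/apparmor.local first and /etc/apparmor.d
#                                second; blank lines and '#' comments are ignored
#   /sys/kernel/security/apparmor/profiles
#                                kernel listing, one "<name> (<mode>)" per line
# Exit status:
#   0  every listed profile loaded and (when securityfs is present) every
#      loaded profile is enforced
#   1  a profile failed to load, or a non-enforced profile remains
#
# Must run as root: it writes the parser cache and loads policy into the kernel.
enabled_conf=/etc/apparmor/enabled.conf
profiles_dir=/etc/apparmor.d
profiles_dir_local=/etc/apparmor.local
profiles_sysfs=/sys/kernel/security/apparmor/profiles
cache_dir=/var/lib/apparmor
err=0

# The parser cache must be root-only: a writable cache would let a local user
# hand the kernel pre-compiled policy of their choosing on the next run.
# mkdir -m only applies on creation, so ownership and mode are re-asserted
# for a pre-existing directory as well.
mkdir -p -m700 "$cache_dir"
chown root: "$cache_dir"
chmod 700 "$cache_dir"
cache=( --cache-loc "$cache_dir" --write-cache )
abi=( --override-policy-abi "$profiles_dir"/abstractions/abi )

# Load (or replace) every enabled profile.  A local override in
# /etc/apparmor.local wins over the packaged copy in /etc/apparmor.d.
# read -r keeps backslashes in names literal; the || clause still handles a
# last line that lacks a trailing newline.
while read -r p || [[ -n "$p" ]]; do
  # Blank lines and comments are config noise, not profiles to load.
  [[ -z "$p" || "$p" == \#* ]] && continue
  if [[ -e "$profiles_dir_local/$p" ]]; then
    dir=$profiles_dir_local
  else
    dir=$profiles_dir
  fi
  # A failed cd must not fall through and load "$p" from whatever directory
  # we happen to be in (the old `a && b || c` chain did exactly that).
  if ! cd "$dir"; then
    echo >&2 "ERROR: cannot enter $dir to load profile $p"
    err=1
    continue
  fi
  apparmor_parser "${cache[@]}" "${abi[@]}" -r "$p" >&2 || err=1
done < "$enabled_conf"

# Enforcement check.  Only possible when AppArmor is active and securityfs is
# mounted; otherwise (e.g. a container without AppArmor) this part is skipped
# and only parser failures decide the exit status.
if [[ -e "$profiles_sysfs" ]]; then
  enforce=()
  # Profile names are attachment paths that may contain shell globs and brace
  # sets, so the shell has to expand them before aa-enforce sees a real path.
  # Expanding a name means evaluating it as shell text, so every name is first
  # checked against an allowlist of path and pattern characters: nothing that
  # could start a command, substitution, redirection or assignment gets
  # through.  Names come from root-loaded policy, so this is defence in depth
  # rather than a trust boundary, but it keeps an odd profile name from ever
  # becoming a command.
  name_re='^[][A-Za-z0-9_./@+,{}*?^!-]+$'
  # nullglob: an unmatched pattern disappears instead of surviving literally.
  shopt -s nullglob
  while read -r bin; do
    if [[ ! "$bin" =~ $name_re ]]; then
      echo >&2 "WARNING: skipping profile with unexpected characters in its name: $bin"
      continue
    fi
    # Allowlisted above, so eval can only perform brace and pathname expansion.
    eval "matches=( $bin )"
    for m in "${matches[@]}"; do
      # Keep only paths that exist (dangling symlinks count, as `ls -d` did);
      # named, non-path profiles simply expand to nothing here and are caught
      # by the final listing below.
      [[ -e "$m" || -L "$m" ]] && enforce+=( "$m" )
    done
  done < <(awk '!/[[:space:]]+\(enforce\)$/ {print $1}' "$profiles_sysfs")
  shopt -u nullglob
  # aa-enforce failures are not tracked individually: the kernel listing is
  # re-read afterwards and is the authoritative verdict.
  for p in "${enforce[@]}"; do aa-enforce "$p" >/dev/null; done
  # Anything not in enforce mode (complain, kill, unconfined, ...) is a hard
  # failure; list the offenders so the operator can see which ones.
  # [[:space:]] is POSIX awk, unlike the GNU-only \s the old regex used.
  not_enforced=$(awk '!/[[:space:]]+\(enforce\)$/' "$profiles_sysfs")
  if [[ -n "$not_enforced" ]]; then
    echo >&2 "ERROR: non-enforced profiles are detected:"
    printf '%s\n' "$not_enforced" >&2
    exit 1
  fi
fi
exit $err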