This patch implements native systemd support for AppArmor. It was written and tested on openSUSE 42.1. I think we can keep rc.apparmor.suse for a while longer, until we decide to retire it fully.
Signed-off-by: Goldwyn Rodrigues <[email protected]>
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -314,11 +314,12 @@
 .PHONY: install-suse
 install-suse:
- install -m 755 -d $(DESTDIR)/etc/init.d
- install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
- install -m 755 -d $(DESTDIR)/sbin
- ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
- ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+ install -m 755 -d $(DESTDIR)/usr/lib/systemd/system/
+ install -m 755 -d $(DESTDIR)/usr/lib/systemd/scripts/
+ install -m 0444 apparmor.service $(DESTDIR)/usr/lib/systemd/system
+ install -m 0755 apparmor_start.sh $(DESTDIR)/usr/lib/systemd/scripts
+ install -m 0755 apparmor_stop.sh $(DESTDIR)/usr/lib/systemd/scripts
+ install -m 0755 apparmor_reload.sh $(DESTDIR)/usr/lib/systemd/scripts
 .PHONY: install-slackware
 install-slackware:
--- /dev/null
+++ b/parser/apparmor.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load AppArmor profiles
+DefaultDependencies=no
+Before=sysinit.target
+After=systemd-journald-audit.socket
+ConditionSecurity=apparmor
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/scripts/apparmor_start.sh
+ExecReload=/usr/lib/systemd/scripts/apparmor_reload.sh
+ExecStop=/usr/lib/systemd/scripts/apparmor_stop.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+++ b/parser/apparmor_reload.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+/usr/lib/systemd/scripts/apparmor_stop.sh
+/sbin/apparmor_parser -r /etc/apparmor.d
--- /dev/null
+++ b/parser/apparmor_start.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/sbin/apparmor_parser -r /etc/apparmor.d
+
+
--- /dev/null
+++ b/parser/apparmor_stop.sh
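Review bot: In parser/apparmor.service, `ExecStop=/usr/lib/systemd/scripts/apparmor_stop.sh` unloads every profile, and because systemd performs a restart as stop followed by start, a `systemctl restart apparmor` (for instance from a package update) would strip confinement from processes that are already running; as far as I know a task whose profile was removed stays unconfined when the profile is loaded again. parser/apparmor_reload.sh has the same effect on every reload, because it calls apparmor_stop.sh before `apparmor_parser -r`, which already replaces loaded profiles by itself. I would drop the apparmor_stop.sh call from the reload script and make stop a no-op, `ExecStop=/bin/true`, with a comment above it saying why, leaving full unloading to an explicit administrator command. Separately, with `DefaultDependencies=no` nothing orders the unit after the mount that holds /etc/apparmor.d; if that directory can live on a separate filesystem, `After=local-fs.target` would be needed.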
@@ -0,0 +1,20 @@
+#!/bin/bash
+SECURITYFS=/sys/kernel/security
+APPARMOR_MOUNTPOINT=$SECURITYFS/apparmor
+
+if [ ! -w "$APPARMOR_MOUNTPOINT/.remove" ] ; then
+ exit 1
+fi
+
+PROFILES=`sed -e "s/ (\(enforce\|complain\))$//" $APPARMOR_MOUNTPOINT/profiles`
+
+retval=0
+for profile in $PROFILES; do
+ echo -n "$profile" > $APPARMOR_MOUNTPOINT/.remove
+ rc=$?
+ if [ ${rc} -ne 0 ]; then
+ retval=${rc}
+ fi
+done
+exit $retval
+
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
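Review bot: The loop `for profile in $PROFILES` in parser/apparmor_stop.sh expands the profile list unquoted, so each name goes through word splitting and pathname expansion before it is written to `.remove`; a profile name containing `*`, `?`, `[` or a space can be turned into something else, the write then fails or names the wrong entry, and that profile stays loaded. The redirect target `$APPARMOR_MOUNTPOINT/.remove` and the sed input path are unquoted as well. Reading the sed output line by line with `while IFS= read -r` keeps each name intact, and `printf '%s'` avoids echo treating a name as an option. Child profiles listed after their parent may also fail to unload once the parent is gone, which is worth checking against the kernel's behaviour.

```shell
# … unchanged: shebang, SECURITYFS/APPARMOR_MOUNTPOINT, .remove writability check …

retval=0
# Read one profile name per line so names containing glob characters or
# spaces reach .remove unchanged.
while IFS= read -r profile; do
    printf '%s' "$profile" > "$APPARMOR_MOUNTPOINT/.remove" || retval=$?
done < <(sed -e 's/ (\(enforce\|complain\))$//' "$APPARMOR_MOUNTPOINT/profiles")
exit "$retval"
```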
