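#!/bin/sh
# This script is provided for integration with systemd on distributions where
# apparmor profiles generated and managed by snapd are not loaded by the
# system-wide apparmor systemd integration on early boot-up.
#
# Only the start operation is provided as all other activity is managed by
# snapd as a part of the life-cycle of particular snaps.
#
# In addition the script assumes that the system-wide apparmor service has
# already executed, initializing apparmor file-systems as necessary.
#
# Usage: snapd-apparmor start
#
# Environment: AA_SFS is exported below and read by
# is_container_with_internal_policy; the profile directory and the
# apparmor cache location are fixed paths (see the start case).

# NOTE: This script doesn't set -e as it contains code copied from apparmor
# init script that also does not set it. In addition the intent is to simply
# load application profiles, as many as we can, even if for whatever reason
# some of those fail.

# The following portion is copied from /lib/apparmor/functions as shipped by Ubuntu
# <copied-code>

SECURITYFS="/sys/kernel/security"
export AA_SFS="$SECURITYFS/apparmor"


# Checks to see if the current container is capable of having internal AppArmor
# profiles that should be loaded. Callers of this function should have already
# verified that they're running inside of a container environment with
# something like `systemd-detect-virt --container`.
#
# The only known container environments capable of supporting internal policy
# are LXD and LXC environment.
#
# Globals:   AA_SFS (read) - apparmor securityfs mount point
# Arguments: none
# Outputs:   nothing
# Returns 0 if the container environment is capable of having its own internal
# policy and non-zero otherwise.
#
# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
# system container technology being nested inside of a LXD/LXC container that
# utilized an AppArmor namespace and profile stacking. The reason 0 will be
# returned is because .ns_stacked will be "yes" and .ns_name will still match
# "lx[dc]-*" since the nested system container technology will not have set up
# a new AppArmor profile namespace. This will result in the nested system
# container's boot process to experience failed policy loads but the boot
# process should continue without any loss of functionality. This is an
# unsupported configuration that cannot be properly handled by this function.
is_container_with_internal_policy() {
	ns_stacked_path="${AA_SFS}/.ns_stacked"
	ns_name_path="${AA_SFS}/.ns_name"
	# POSIX sh has no `local`, so the variables are reset explicitly rather
	# than "declared" (a bare `ns_stacked` line would be executed as a command
	# and only produce a "command not found" error). Resetting also guarantees
	# no stale value survives if a `read` below fails on an empty file.
	ns_stacked=""
	ns_name=""

	# Without both securityfs entries the kernel cannot tell us about
	# namespace stacking, so assume no internal policy.
	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
		return 1
	fi

	read -r ns_stacked < "$ns_stacked_path"
	if [ "$ns_stacked" != "yes" ]; then
		return 1
	fi

	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
	# "lxc-", respectively. Return non-zero for all other namespace
	# identifiers.
	read -r ns_name < "$ns_name_path"
	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
		return 1
	fi

	return 0
}

# This terminates code copied from /lib/apparmor/functions on Ubuntu
# </copied-code>

case "$1" in
	start)
		# <copied-code>
		# Inside a container that cannot carry its own policy there is
		# nothing we can load; exit quietly so boot proceeds.
		if [ -x /usr/bin/systemd-detect-virt ] && \
		   systemd-detect-virt --quiet --container && \
		   ! is_container_with_internal_policy; then
			exit 0
		fi
		# </copied-code>

		# Nothing to do when snapd has not generated any profiles yet.
		if [ "$(find /var/lib/snapd/apparmor/profiles/ -type f | wc -l)" -eq 0 ]; then
			exit 0
		fi

		# Degree of parallelism for apparmor_parser; fall back to a single
		# job if getconf is unavailable or fails, instead of passing an
		# empty -P argument to xargs.
		nproc="$(getconf _NPROCESSORS_ONLN 2>/dev/null)" || nproc=""
		[ -n "$nproc" ] || nproc=1

		# Profile file names are generated by snapd (no whitespace or quote
		# characters); xargs tokenises its input on those, so a foreign file
		# placed in this directory with such a name would be mis-split.
		for profile in /var/lib/snapd/apparmor/profiles/*; do
			# Filter out profiles with names ending with ~, those are temporary files created by snapd.
			test "${profile%\~}" != "${profile}" && continue
			printf '%s\n' "$profile"
		done | xargs \
			-P"$nproc" \
			apparmor_parser \
				--replace \
				--write-cache \
				--cache-loc=/var/cache/apparmor \
				-O no-expr-simplify \
				--quiet
		;;
esac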