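#!/bin/sh
# Precompile the AppArmor policy caches for the core rootfs and for the
# /custom overlay, then relocate click package manifests and profiles into
# /custom/lib/apparmor for packages that live in the custom tarball.
#
# Runs as root during image assembly.
#   Reads:  /var/lib/apparmor, /etc/apparmor.d, /usr/share/click/preinstalled,
#           /custom/click
#   Writes: /var/cache/apparmor, /etc/apparmor.d/cache, /custom/cache/apparmor,
#           /custom/lib/apparmor
# Progress is reported on stdout with an "I:" prefix, warnings on stderr.

# Kernel feature file the caches are compiled against (apparmor_parser -M).
FEATURES=/var/cache/apparmor/.features

# Write a warning to stderr.  The message is passed as a printf argument,
# never as the format string, so path contents cannot be misinterpreted.
warn() {
  printf 'W: %s\n' "$*" >&2
}

# Compile every regular, non-hidden file directly under directory $2 into
# the cache directory $1.
#
# find -exec … {} + hands the file list to the parser as arguments, so names
# containing whitespace survive intact and the parser is not started at all
# when there is nothing to compile (an empty argument list would otherwise
# make it read policy from stdin).
precompile() {
  find "$2" -maxdepth 1 -type f -not -path '*/\.*' \
    -exec /sbin/apparmor_parser -v -M "$FEATURES" -Q --write-cache \
      --cache-loc="$1" {} +
}

# Print heading $1 followed by a recursive listing of the rootfs AppArmor
# state (profile database and cache).
dump_caches() {
  echo "$1"
  ls -lR /var/lib/apparmor
  ls -lR /var/cache/apparmor
}

printf 'date is: %s\n' "$(date)"

if [ ! -r "$FEATURES" ]; then
  warn "feature file $FEATURES is not readable; cache compilation will fail"
fi

# The custom cache directory must exist before the timestamp marker is
# written into it; it is created here once instead of just before the
# custom precompile step.
mkdir -p /custom/cache/apparmor
touch /custom/cache/apparmor/test-timestamp.before

echo "I: Content of the /custom dir before apparmor runs:"
ls -lR /custom

dump_caches "I: Content of the apparmor caches before:"

echo "I: precompiling click apparmor policies"
precompile /var/cache/apparmor/ /var/lib/apparmor/profiles/

echo "I: precompiling deb apparmor policies"
precompile /etc/apparmor.d/cache/ /etc/apparmor.d/

echo "I: precompiling custom click apparmor policies"
precompile /custom/cache/apparmor/ /var/lib/apparmor/profiles/

touch /custom/cache/apparmor/test-timestamp.after

echo "I: Content of the /custom dir after apparmor ran:"
ls -lR /custom

dump_caches "I: Content of the apparmor caches after:"

# Get the apparmor manifests and profiles.
mkdir -p /custom/lib/apparmor/clicks
mkdir -p /custom/lib/apparmor/profiles

for manifest in /var/lib/apparmor/clicks/*; do
  # An unmatched glob leaves the literal pattern behind; skip it.  Dangling
  # symlinks are still processed, as before.
  [ -e "$manifest" ] || [ -L "$manifest" ] || continue

  # FIXME: if this code survives for very long, it should probably be
  # rewritten using click's Python bindings
  if ! pkgdir="$(click pkgdir "$manifest")" || [ -z "$pkgdir" ]; then
    # Without a package directory every derived name below would be empty,
    # so there is nothing sensible to link or remove for this manifest.
    warn "cannot determine package directory for $manifest; skipping"
    continue
  fi
  manifest_real="$(readlink -f "$manifest")"

  # The manifest must resolve inside its own package directory; otherwise
  # the relative tail computed below is not a path within the package and
  # the symlinks created from it would point somewhere unrelated.
  case "$manifest_real" in
    "${pkgdir%/}"/*) ;;
    *)
      warn "$manifest resolves to $manifest_real outside $pkgdir; skipping"
      continue
      ;;
  esac
  # Quote the prefix so characters in $pkgdir are matched literally, not
  # as a glob pattern.
  manifest_tail="${manifest_real#"$pkgdir"}"

  # Does this package exist in the custom tarball? If so, move its
  # profiles there (if it only exists in custom) or copy them (if it
  # also exists in core).
  version="${pkgdir##*/}"
  pkgdir_noversion="${pkgdir%/*}"
  name="${pkgdir_noversion##*/}"
  profile="$(basename "$manifest" .json)"

  if [ -d "/custom/click/$name/$version" ]; then
    # Clone into custom.
    ln -nsf "/custom/click/$name/$version$manifest_tail" \
      "/custom/lib/apparmor/clicks/${manifest##*/}"
    cp -a "/var/lib/apparmor/profiles/click_$profile" \
      /custom/lib/apparmor/profiles/
    if [ -d "/usr/share/click/preinstalled/$name/$version" ]; then
      # Ensure that the version in the rootfs points to the core database.
      ln -nsf "/usr/share/click/preinstalled/$name/$version$manifest_tail" \
        "$manifest"
    else
      # Remove from the rootfs.
      rm -f "$manifest"
      rm -f "/var/lib/apparmor/profiles/click_$profile"
      rm -f "/var/cache/apparmor/click_$profile"
    fi
  else
    # Remove from custom.
    rm -f "/custom/cache/apparmor/click_$profile"
  fi
done

echo "I: Content of the final apparmor files:"
ls -lR /custom
ls -lR /var/lib/apparmor
ls -lR /var/cache/apparmor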