apparmor/parser/profile-load

#!/bin/sh
# profile-load
#
# ----------------------------------------------------------------------
#    Copyright (c) 2010-2015 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, contact Canonical, Ltd.
# ----------------------------------------------------------------------
#
# Helper for loading an AppArmor profile in pre-start scripts.

[ -z "$1" ]                  && exit 1 # require a profile name

. /lib/apparmor/rc.apparmor.functions

# do not load in a container
if [ -x /usr/bin/systemd-detect-virt ] && \
       systemd-detect-virt --quiet --container && \
       ! is_container_with_internal_policy; then
    exit 0
fi

[ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load if running liveCD

profile=/etc/apparmor.d/"$1"
[ -e "$profile" ]            || exit 0 # skip when missing profile

module=/sys/module/apparmor
[ -d $module ]               || exit 0 # do not load without AppArmor in kernel

[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser

aafs=/sys/kernel/security/apparmor
[ -d $aafs ]                 || exit 0 # do not load if unmounted
[ -w $aafs/.load ]           || exit 1 # fail if cannot load profiles

params=$module/parameters
[ -r $params/enabled ]       || exit 0 # do not load if missing
read -r enabled < $params/enabled || exit 1 # if this fails, something went wrong
[ "$enabled" = "Y" ]         || exit 0 # do not load if disabled

/sbin/apparmor_parser -r -W "$profile" || exit 0 # LP: #1058356