/etc/init/apparmor.conf is in apparmor 2.9.0-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 | description "Pre-cache and pre-load apparmor profiles"
author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
task
start on starting rc-sysinit
script
[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
[ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
[ -x /bin/running-in-container ] && /bin/running-in-container && exit 0
# Need securityfs for any mode
if [ ! -d /sys/kernel/security/apparmor ]; then
if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
exit 0
else
mount -t securityfs none /sys/kernel/security || exit 0
fi
fi
[ -w /sys/kernel/security/apparmor/.load ] || exit 0
. /lib/apparmor/functions
apparmor_was_updated=0
# If the system policy has been updated since the last time we ran,
# clear the cache to prevent potentially stale binary cache files
# after an Ubuntu image based upgrade (LP: #1350673).
if ! compare_and_save_debsums apparmor ; then
clear_cache
apparmor_was_updated=1
fi
[ -x /usr/bin/aa-clickhook ] && {
# If packages for system policy that affect click packages have
# been updated since the last time we ran, run aa-clickhook -f
force_clickhook=0
if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
force_clickhook=1
fi
if ! compare_and_save_debsums click-apparmor ; then
force_clickhook=1
fi
if [ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ] ; then
aa-clickhook -f
fi
}
if [ "$ACTION" = "teardown" ]; then
running_profile_names | while read profile; do
unload_profile "$profile"
done
exit 0
fi
if [ "$ACTION" = "clear" ]; then
clear_cache
exit 0
fi
if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
clear_cache
load_configured_profiles
unload_obsolete_profiles
exit 0
fi
# Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
# aa-clickhook will have already compiled the policy, generated the cache
# files and loaded them into the kernel by this point, so reloading click
# policy from cache, while fairly fast (<2 seconds for 250 profiles on
# armhf), is redundant. Fixing this would complicate the logic quite a bit
# and it wouldn't improve the (by far) common case (ie, when
# 'aa-clickhook -f' is not run).
load_configured_profiles
end script
|