/usr/bin/aa-exec-click is in click-apparmor 0.3.13.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 | #!/bin/bash
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
set -e
# Wrapper around aa-exec to set various click variables:
# https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#Launching_applications
usage() {
echo "`basename $0` -p <profile> <args to aa-exec> -- <command> <arg1> ..."
}
profile=""
use_insecure_x=""
xpos=""
while getopts hxp: f ; do
case "$f" in
p) profile="$OPTARG";;
x) use_insecure_x="yes"
xpos=$((OPTIND-1))
;;
h) usage; exit 0;;
*) usage; exit 1;;
esac
done
# strip -x from the list since we pass arguments straight to aa-exec
if [ -z "$xpos" ]; then
if [ "$1" = "-x" ]; then
shift
fi
else
set -- "${@:1:$((xpos-1))}" "${@:$((xpos+1)):$#}"
fi
if [ -z "$profile" ]; then
usage
exit 1
fi
# Perhaps there is a better way to detect this, but for now, this works
if [ -d "/tmp/.X11-unix" ]; then
num_sockets=`ls -1 /tmp/.X11-unix | wc -l`
if [ "$num_sockets" != "0" ] && [ "$use_insecure_x" != "yes" ]; then
echo "Detected click app running under X! Aborting"
exit 1
fi
fi
# gnutriplet should be updated during package build
gnutriplet='x86_64-linux-gnu'
pkgname=`echo "$profile" | cut -d '_' -f 1`
# Make sure we have sane defaults based on the XDG spec
if [ -z "$XDG_CACHE_HOME" ]; then
export XDG_CACHE_HOME="$HOME/.cache"
fi
if [ -z "$XDG_CONFIG_HOME" ]; then
export XDG_CONFIG_HOME="$HOME/.config"
fi
if [ -z "$XDG_DATA_HOME" ]; then
export XDG_DATA_HOME="$HOME/.local/share"
fi
if [ -z "$XDG_RUNTIME_DIR" ]; then
export XDG_RUNTIME_DIR="/run/user/$(id -ru)" # Ubuntu-specific
fi
# Set up various environment variables based on the click install directory
# (click is guaranteed to be installed since click-apparmor Depends on it).
# Also, while 'click pkgdir' should only return a path with the click package
# name, and click package names follow Debian source package rules (see
# (Debian policy 5.6.1), let's be extra careful and filter out any ':' in the
# pkgdir
pkgdir=`click pkgdir "$pkgname" | sed 's/://g'` && {
if [ -n "$pkgdir" ]; then
if [ -n "$XDG_DATA_DIRS" ]; then
export XDG_DATA_DIRS="$pkgdir:$XDG_DATA_DIRS"
else
export XDG_DATA_DIRS="$pkgdir:/usr/share"
fi
if [ -n "$PATH" ]; then
export PATH="$pkgdir:$PATH"
else
export PATH="$pkgdir:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
fi
if [ "$gnutriplet" != "###GNUTRIPLET###" ]; then
libdir="$pkgdir/lib/$gnutriplet"
# We set PATH above, but if have compiled code, also prepend
# $libdir/bin
export PATH="$libdir/bin:$PATH"
# LD_LIBRARY_PATH is searched forwards, so prepend
if [ -n "$LD_LIBRARY_PATH" ]; then
export LD_LIBRARY_PATH="$libdir:$pkgdir/lib:$LD_LIBRARY_PATH"
else
export LD_LIBRARY_PATH="$libdir:$pkgdir/lib"
fi
# QML2_IMPORT_PATH is search backwards, so append
if [ -n "$QML2_IMPORT_PATH" ]; then
export QML2_IMPORT_PATH="$QML2_IMPORT_PATH:$libdir"
else
export QML2_IMPORT_PATH="$libdir"
fi
fi
fi
}
# This may be useful to apps
export APP_ID="$profile"
# Set application isolation environment
export UBUNTU_APPLICATION_ISOLATION=1
export TMPDIR="$XDG_RUNTIME_DIR/confined/$pkgname"
mkdir -p "$TMPDIR" || true
export __GL_SHADER_DISK_CACHE_PATH="$XDG_CACHE_HOME/$pkgname"
aa_exec="aa-exec"
if ! which $aa_exec >/dev/null ; then
aa_exec="/usr/sbin/aa-exec"
fi
exec $aa_exec "$@"
|