      When executing apparmor_status from rc functions and utils are not installed, this message is received:
      AppArmor is enabled,
      Install the apparmor-utils package to receive more detailed
      status information here (or examine directly).
      Attached is a patch to make the initscript not fail if /tmp is full · b8f486de
      Steve Beattie authored
      by converting the comm(1) usage on temporary files to an embedded
      awk script. On both Ubuntu and OpenSUSE, a version of awk (mawk in
      Ubuntu, gawk in OpenSUSE) is either a direct or indirect dependency
      on the minimal or base package set, and the original reporter also
      mentioned that an awk-based solution would be palatable in a way that
      converting to bash, or using perl or python here would not be.
      In the embedded awk script, I've tried to avoid gawk or mawk specific
      behaviors or extensions; e.g. this is the reason for the call to sort
      on the output of the awk script, rather than using gawk's asort(). But
      please let me know if you see anything that shouldn't be portable
      across awk implementations.
      An additional issue that is fixed in both scripts is handling child
      profiles (e.g. hats) during reload. If child profiles are filtered
      out (via grep -v '//') of the list to consider, then on reloading
      a profile where a child profile has been removed or renamed, that
      child profile will continue to stick around. However, if the profile
      containing child profiles is removed entirely, if the initscript
      attempts to unload the child profiles after the parent is removed,
      this will fail because they were unloaded when the parent was unloaded.
      Thus I removed any filtering of child profiles out, but do a post-awk
      reverse sort which guarantees that any child profiles will be removed
      before their parent is. I also added the LC_COLLATE=C (based on the
      Ubuntu version) to the sort call to ensure a consistent sort order.
      To restate, the problem with the existing code is that it creates
      temporary files in $TMPDIR (by default /tmp) and if that partition
      is full, problems with the reload action ensue. Alternate solutions
      include switching the initscript to use bash and its <$() extension
      or setting TMPDIR to /dev/shm/. The former is unpalatable to some
      (particularly for an initscript), and for the latter, /dev/shm is
      only guaranteed to exist on GNU libc based systems (glibc apparently
      expects /dev/shm to exist for its POSIX shared memory implementation;
      see shm_overview(7)).  So to me, awk (sans GNU extensions) looks to
      be the least bad option here.
      Bug: https://launchpad.net/bugs/775785
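The approach the message above describes, as an added example that is not the AppArmor project's own rc.apparmor.functions: an embedded awk set difference fed through a single pipe (so nothing is written to $TMPDIR), followed by an LC_COLLATE=C reverse sort so that a child profile ("parent//child") is always listed before its parent. The two input functions, the sentinel line, and the sample profile names are constructed for this example; in a real initscript the loaded list would come from /sys/kernel/security/apparmor/profiles and the configured list from apparmor_parser -N over the policy directory.

```sh
#!/bin/sh
# Added example, not the AppArmor project's initscript code: awk-based set
# difference with no temporary files, then "LC_COLLATE=C sort -r" so children
# are unloaded before their parent. Sample data below is constructed.

# Profiles the kernel currently has loaded, in the "name (mode)" form
# (assumed to mirror /sys/kernel/security/apparmor/profiles).
loaded_profiles() {
    cat <<'EOF'
/usr/sbin/httpd (enforce)
/usr/sbin/httpd//old_hat (enforce)
/usr/sbin/httpd//DEFAULT_URI (enforce)
/usr/bin/firefox{,*[^s][^h]} (complain)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
EOF
}

# Profiles and hats that the policy files on disk now define
# (assumed to mirror what "apparmor_parser -N" would print).
configured_profiles() {
    cat <<'EOF'
/usr/sbin/httpd
/usr/sbin/httpd//DEFAULT_URI
/usr/bin/firefox{,*[^s][^h]}
EOF
}

# Print every loaded profile that is no longer configured, children first.
# Both lists travel through one pipe separated by a sentinel line; the
# sentinel is an assumption of this example (no real profile name equals it).
# Only POSIX awk features are used: "in" membership, sub(), and next.
profiles_to_unload() {
    { configured_profiles; echo "__APPARMOR_SEP__"; loaded_profiles; } |
    awk '
        $0 == "__APPARMOR_SEP__" { in_loaded = 1; next }
        !in_loaded               { configured[$0] = 1; next }
        {
            name = $0
            sub(/ \([^)]*\)$/, "", name)   # drop the trailing " (enforce)" etc.
            # Whole-string membership test: names containing ^, // or glob
            # characters are compared literally, never used as a pattern.
            if (!(name in configured)) print name
        }' |
    LC_COLLATE=C sort -r
}

# Walk the ordered list the way an initscript would. In C collation a child
# name sorts after its parent (same prefix, longer string), so the reverse
# sort emits the child first and the parent is never unloaded while one of
# its children still has to be removed.
unload_in_order() {
    profiles_to_unload | while read -r name; do
        echo "unload: $name"
    done
}

unload_in_order
```

With the sample data, the removed hat /usr/sbin/httpd//old_hat is unloaded while the surviving hat DEFAULT_URI and the regex-named firefox profile are left alone, and the fully removed cupsd profile has its child listed (and unloaded) before the parent.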
      Bug: https://bugs.launchpad.net/apparmor/+bug/788616 · fdae9784
      Steve Beattie authored
      This patch fixes the init scripts helper functions file to
      filter out the hat/child process separator as currently used
      by the parser, '//' rather than what used to be used, the '^'
symbol. This fixes bugs where profiles that covered regexes (e.g.
'/usr/lib/firefox-4.0.1/firefox{,*[^s][^h]}') were being improperly
filtered away and unloaded when reloading apparmor policy.
      Submitted By: Mario Fetka (mario dot fetka at gmail dot com) · 6cfcb1a8
      Steve Beattie authored
      Description: fix compile on build
      Patch from Gentoo community:
  - fix up a couple of missing semicolons in syntax (bison compensates
    by emitting its own)
  - Fix yet another variable typo in rc.apparmor.functions
        - dump stderr of ls in rc.apparmor.functions to /dev/null
        - add an install-unknown make target
      - rc.apparmor.functions were not correctly removing profiles on replace and
        reload, also convert to using the module interface directly bypassing the
      - fix cx ->  named transitions
      - fix apparmor_parser -N so that it emits hats as profiles under new kernel
        modules.  This is the correct behavior as hats are promoted to profiles.
      Subject: initscript: subdomain -> apparmor · 77cc0302
      Steve Beattie authored
      This patch converts some of the internal references from subdomain to
      apparmor (and s/sd/aa/ as well). Variables referenced in
      /etc/apparmor/subdomain.conf (which also needs to be renamed) are not
      Subject: initscript: kill debug option · 1696851e
      Steve Beattie authored
      The apparmor module no longer supports being loaded with the
      subdomain_debug module argument. Kill the option that tried to do this.