38 lines
1.7 KiB
Plaintext
38 lines
1.7 KiB
Plaintext
# network-interface-security - configure network device security
|
|
#
|
|
# This is a one-time start-up script to load AppArmor profiles needed
|
|
# before the network comes up.
|
|
|
|
description "configure network device security"
|
|
|
|
# In order to avoid upstart bug LP: #447654, we cannot have an AND
|
|
# statement here (with the ORs). An "and virtual-filesystems" is desired
|
|
# here to make sure that the securityfs is mounted, but since each of the
|
|
# ORed services already require virtual-filesystems be mounted, this is safe:
|
|
start on (starting network-interface
|
|
or starting network-manager
|
|
or starting networking)
|
|
stop on (stopped network-interface JOB=$JOB INTERFACE=$INTERFACE
|
|
or stopped network-manager JOB=$JOB
|
|
or stopped networking JOB=$JOB)
|
|
|
|
# In order to handle the lack of upstart feature LP: #568860, we need to
|
|
# run multiple times, for each of the above "starting" service instances, or
|
|
# else another one might run while we're running, and not wait for us to
|
|
# finish.
|
|
instance $JOB${INTERFACE:+/}${INTERFACE:-}
|
|
|
|
# Since we need these profiles to be loaded before any of the above services
|
|
# begin running, this service must be a pre-start so that its pre-start
|
|
# script finishes before the above services' start scripts begin.
|
|
pre-start script
|
|
[ -f /run/network-interface-security ] && exit 0 # already ran
|
|
[ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
|
|
[ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
|
|
[ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
|
|
for link in /etc/apparmor/init/network-interface-security/* ; do
|
|
[ -L $link ] && /sbin/apparmor_parser -r -W $link || true
|
|
done
|
|
> /run/network-interface-security
|
|
end script
|