- release 5

[packages/apparmor-parser.git] / apparmor-parser-bzr.patch

=== modified file 'parser/rc.apparmor.functions'
--- parser/rc.apparmor.functions        2011-08-13 12:15:58 +0000
+++ parser/rc.apparmor.functions        2011-08-26 22:55:43 +0000
@@ -83,15 +83,6 @@
 SUBDOMAINFS_MOUNTPOINT=$(grep subdomainfs /etc/fstab  | \
        sed -e 's|^[[:space:]]*[^[:space:]]\+[[:space:]]\+\(/[^[:space:]]*\)[[:space:]]\+subdomainfs.*$|\1|' 2> /dev/null)
 
-if [ -d "/var/lib/${MODULE}" ] ; then
-       APPARMOR_TMPDIR="/var/lib/${MODULE}"
-elif [ -d "/var/lib/${OLD_MODULE}" ] ; then
-       APPARMOR_TMPDIR="/var/lib/${OLD_MODULE}"
-else
-       APPARMOR_TMPDIR="/tmp"
-fi
-
-
 # keep exit status from parser during profile load.  0 is good, 1 is bad
 STATUS=0
 
@@ -221,7 +212,6 @@
 
 profiles_names_list() {
        # run the parser on all of the apparmor profiles
-       TMPFILE=$1
        if [ ! -f "$PARSER" ]; then
                aa_log_failure_msg "- AppArmor parser not found"
                exit 1
@@ -234,9 +224,9 @@
 
        for profile in $PROFILE_DIR/*; do
                if skip_profile "${profile}" && [ -f "${profile}" ] ; then
-                       LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" | grep -v '\^')
+                       LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" )
                        if [ $? -eq 0 ]; then
-                               echo "$LIST_ADD" >>$TMPFILE
+                               echo "$LIST_ADD"
                        fi
                fi
        done
@@ -408,18 +398,16 @@
        fi
 
        retval=0
-       #the list of profiles isn't stable once we start adding or removing
-       #them so store to tmp first (in reverse order so hat profiles are removed first)
-       MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-       sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort -r > "$MODULE_PLIST"
-       cat "$MODULE_PLIST" | while read profile ; do
+       # We filter child profiles as removing the parent will remove
+       # the children
+       sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
+       LC_COLLATE=C sort | grep -v // | while read profile ; do
                echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
                rc=$?
                if [ ${rc} -ne 0 ] ; then 
                        retval=${rc}
                fi
        done
-       rm "$MODULE_PLIST"
        return ${retval}
 }
 
@@ -461,17 +449,33 @@
 
        configure_owlsm
        parse_profiles reload
-       PNAMES_LIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-       profiles_names_list ${PNAMES_LIST}
-       MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
        # Clean out running profiles not associated with the current profile
        # set, excluding the libvirt dynamically generated profiles.
-       sed  -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | egrep -v '^libvirt-[0-9a-f\-]+$' | sort >"$MODULE_PLIST"
-       sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
+       # Note that we reverse sort the list of profiles to remove to
+       # ensure that child profiles (e.g. hats) are removed before the
+       # parent. We *do* need to remove the child profile and not rely
+       # on removing the parent profile when the profile has had its
+       # child profile names changed.
+       profiles_names_list | awk '
+BEGIN {
+  while (getline < "'${SFS_MOUNTPOINT}'/profiles" ) {
+    str = sub(/ \((enforce|complain)\)$/, "", $0);
+    if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
+      arr[$str] = $str
+  }
+}
+
+{ if (length(arr[$0]) > 0) { delete arr[$0] } }
+
+END {
+  for (key in arr)
+    if (length(arr[key]) > 0) {
+      printf("%s\n", arr[key])
+    }
+}
+' | LC_COLLATE=C sort -r | while IFS= read profile ; do
                echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
        done
-       rm "$MODULE_PLIST"
-       rm "$PNAMES_LIST"
        return 0
 }