| Server IP : 127.0.0.2 / Your IP : 3.149.249.184 Web Server : Apache/2.4.18 (Ubuntu) System : User : www-data ( ) PHP Version : 7.0.33-0ubuntu0.16.04.16 Disable Function : disk_free_space,disk_total_space,diskfreespace,dl,exec,fpaththru,getmyuid,getmypid,highlight_file,ignore_user_abord,leak,listen,link,opcache_get_configuration,opcache_get_status,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,php_uname,phpinfo,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,pclose,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,shell_exec,source,show_source,system,virtual MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/sbin/ |
Upload File : |
#!/bin/sh
# ----------------------------------------------------------------------
# Copyright (c) 2017 Canonical Ltd. (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# ----------------------------------------------------------------------
APPARMOR_FUNCTIONS=/lib/apparmor/functions
APPARMORFS=/sys/kernel/security/apparmor
PROFILES_IFACE="${APPARMORFS}/profiles"
REMOVE="${APPARMORFS}/.remove"
DRY_RUN=0
. $APPARMOR_FUNCTIONS
usage() {
local progname="$1"
local rc="$2"
local msg="usage: ${progname} [options]\n
Remove profiles unknown to the system
Options:
-h, --help Show this help message and exit
-n Dry run; don't remove profiles"
if [ "$rc" -ne 0 ] ; then
echo "$msg" 1>&2
else
echo "$msg"
fi
exit "$rc"
}
if [ "$#" -gt 1 ] ; then
usage "$0" 1
elif [ "$#" -eq 1 ] ; then
if [ "$1" = "-h" -o "$1" = "--help" ] ; then
usage "$0" 0
elif [ "$1" = "-n" ] ; then
DRY_RUN=1
else
usage "$0" 1
fi
fi
# We can't use a -r test here because while $PROFILES_IFACE is world-readable,
# apparmorfs may still return EACCES from open()
#
# We have to do this check because error checking awk's getline() below is
# tricky and, as is, results in an infinite loop when apparmorfs returns an
# error from open().
if ! IFS= read line < "$PROFILES_IFACE" ; then
echo "ERROR: Unable to read apparmorfs profiles file" 1>&2
exit 1
elif [ ! -w "$REMOVE" ] ; then
echo "ERROR: Unable to write to apparmorfs remove file" 1>&2
exit 1
fi
# Clean out running profiles not associated with the current profile
# set, excluding the libvirt dynamically generated profiles.
aa_configured=$(mktemp -t aa-XXXXXX)
configured_profile_names > "$aa_configured"
if [ "$?" -ne 0 ] ; then
echo "ERROR: Unable to enumerate the known profiles" 1>&2
rm -f "$aa_configured" "$aa_loaded"
exit 1
fi
aa_loaded=$(mktemp -t aa-XXXXXX)
running_profile_names > "$aa_loaded" || true
if [ "$?" -ne 0 ] ; then
echo "ERROR: Unable to enumerate the running profiles" 1>&2
rm -f "$aa_configured" "$aa_loaded"
exit 1
fi
LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
if [ "$DRY_RUN" -ne 0 ]; then
echo "Would remove '${profile}'"
else
echo "Removing '${profile}'"
unload_profile "$profile"
fi
done
ret="$?"
rm -f "$aa_configured" "$aa_loaded"
# will not catch all errors, but still better than nothing
exit $ret