(CommandList children: [ (C {(.)} {(/lib/apparmor/functions)}) (C {(.)} {(/lib/lsb/init-functions)}) (FuncDef name: usage body: (BraceGroup children: [ (C {(echo)} { (DQ ("Usage: ") ($ VSub_Number "$0") (" {start|stop|restart|reload|force-reload|status|recache}") ) } ) ] spids: [113] ) spids: [109 112] ) (AndOr children: [(C {(test)} {(-x)} {(${ VSub_Name PARSER)}) (C {(exit)} {(0)})] op_id: Op_DPipe ) (AndOr children: [(C {(test)} {(-d)} {(/sys/module/apparmor)}) (C {(exit)} {(0)})] op_id: Op_DPipe ) (FuncDef name: securityfs body: (BraceGroup children: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other "[")} {(KW_Bang "!")} {(-d)} {(DQ (${ VSub_Name AA_SFS))} {(Lit_Other "]")} ) terminator: <Op_Semi ";"> ) ] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(cut)} {(-d) (DQ (" "))} {(-f2) (Lit_Comma ",") (3)} {(/proc/mounts)} ) (C {(grep)} {(-q)} {(DQ ("^") (${ VSub_Name SECURITYFS) (" securityfs")) (SQ <"$">) } ) ] negated: False ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_action_msg)} {(DQ ("AppArmor not available as kernel LSM."))}) (C {(log_end_msg)} {(1)}) (C {(exit)} {(1)}) ] spids: [-1 225] ) ] else_action: [ (C {(log_action_begin_msg)} {(DQ ("Mounting securityfs on ") (${ VSub_Name SECURITYFS))} ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(mount)} {(-t)} {(securityfs)} {(none)} {(DQ (${ VSub_Name SECURITYFS))} ) ] negated: True ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_action_end_msg)} {(1)}) (C {(log_end_msg)} {(1)}) (C {(exit)} {(1)}) ] spids: [-1 277] ) ] spids: [-1 295] ) ] spids: [245 298] ) ] spids: [-1 188] ) ] spids: [-1 301] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other "[")} {(KW_Bang "!")} {(-w)} {(DQ ($ VSub_Name "$AA_SFS")) (/.load)} {(Lit_Other "]")} ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_action_msg)} {(DQ ("Insufficient privileges to change profiles."))}) (C {(log_end_msg)} {(1)}) (C {(exit)} {(1)}) ] spids: [-1 320] ) ] spids: [-1 340] ) ] spids: [164] ) spids: [160 163] ) (FuncDef name: handle_system_policy_package_updates body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(0)} spids: [352] ) ] spids: [352] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children:[(C {(compare_previous_version)})] negated:True) terminator: <Op_Semi ";"> ) ] action: [ (C {(clear_cache_system)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} spids: [391] ) ] spids: [391] ) ] spids: [-1 365] ) (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(compare_and_save_debsums)} {(apparmor)})] negated: True ) terminator: <Op_Semi ";"> ) ] action: [ (C {(clear_cache)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} spids: [435] ) ] spids: [435] ) ] spids: [395 405] ) ] spids: [-1 439] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(Lit_Other "[")} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_Other "]")}) (C {(Lit_Other "[")} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_Other "]")}) ] op_id: Op_DPipe ) terminator: <Op_Semi ";"> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(0)} spids: [476] ) ] spids: [476] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_profile_hook) op: Equal rhs: {(0)} spids: [480] ) ] spids: [480] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu)}) ] negated: True ) terminator: <Op_Semi ";"> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [497] ) ] spids: [497] ) ] spids: [-1 494] ) ] spids: [-1 501] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu-snappy)}) ] negated: True ) terminator: <Op_Semi ";"> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [517] ) ] spids: [517] ) ] spids: [-1 514] ) ] spids: [-1 521] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(compare_and_save_debsums)} {(click-apparmor)})] negated: True ) terminator: <Op_Semi ";"> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [537] ) ] spids: [537] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_profile_hook) op: Equal rhs: {(1)} spids: [541] ) ] spids: [541] ) ] spids: [-1 534] ) ] spids: [-1 545] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(Lit_Other "[")} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_Other "]")} ) (Subshell child: (AndOr children: [ (C {(Lit_Other "[")} {($ VSub_Name "$force_clickhook")} {(-eq)} {(1)} {(Lit_Other "]")} ) (C {(Lit_Other "[")} {($ VSub_Name "$apparmor_was_updated")} {(-eq)} {(1)} {(Lit_Other "]")} ) ] op_id: Op_DPipe ) spids: [560 582] ) ] op_id: Op_DAmp ) terminator: <Op_Semi ";"> ) ] action: [(C {(aa-clickhook)} {(-f)})] spids: [-1 586] ) ] spids: [-1 594] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(Lit_Other "[")} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_Other "]")} ) (Subshell child: (AndOr children: [ (C {(Lit_Other "[")} {($ VSub_Name "$force_profile_hook")} {(-eq)} {(1)} {(Lit_Other "]")} ) (C {(Lit_Other "[")} {($ VSub_Name "$apparmor_was_updated")} {(-eq)} {(1)} {(Lit_Other "]")} ) ] op_id: Op_DPipe ) spids: [609 631] ) ] op_id: Op_DAmp ) terminator: <Op_Semi ";"> ) ] action: [(C {(aa-profile-hook)} {(-f)})] spids: [-1 635] ) ] spids: [-1 643] ) ] spids: [-1 465] ) ] spids: [-1 646] ) ] spids: [349] ) spids: [345 348] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other "[")} {(DQ ($ VSub_Number "$1"))} {(Lit_Other "=")} {(DQ (recache))} {(Lit_Other "]")} ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_daemon_msg)} {(DQ ("Recaching AppArmor profiles"))}) (C {(recache_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark "$?")} spids: [684] ) ] spids: [684] ) (C {(log_end_msg)} {(DQ ($ VSub_Name "$rc"))}) (C {(exit)} {($ VSub_Name "$rc")}) ] spids: [-1 671] ) ] spids: [-1 699] ) (AndOr children: [(C {(test)} {(-d)} {(/rofs/etc/apparmor.d)}) (C {(exit)} {(0)})] op_id: Op_DAmp ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(255)} spids:[718])] spids: [718] ) (Case to_match: {(DQ ($ VSub_Number "$1"))} arms: [ (case_arm pat_list: [{(start)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: True ) ] op_id: Op_DAmp ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_daemon_msg)} {(DQ ("Not starting AppArmor in container"))}) (C {(log_end_msg)} {(0)}) (C {(exit)} {(0)}) ] spids: [-1 751] ) ] spids: [-1 771] ) (C {(log_daemon_msg)} {(DQ ("Starting AppArmor profiles"))}) (C {(securityfs)}) (C {(handle_system_policy_package_updates)}) (C {(load_configured_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark "$?")} spids: [790] ) ] spids: [790] ) (C {(log_end_msg)} {(DQ ($ VSub_Name "$rc"))}) ] spids: [730 731 801 -1] ) (case_arm pat_list: [{(stop)}] action: [ (C {(log_daemon_msg)} {(DQ ("Clearing AppArmor profiles cache"))}) (C {(clear_cache)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark "$?")} spids: [818] ) ] spids: [818] ) (C {(log_end_msg)} {(DQ ($ VSub_Name "$rc"))}) (SimpleCommand words: [{(cat)}] redirects: [ (Redir op_id:Redir_GreatAnd fd:-1 arg_word:{(2)} spids:[831]) (HereDoc op_id: Redir_DLess fd: -1 body: { (DQ ( "All profile caches have been cleared, but no profiles have been unloaded.\n" ) ("Unloading profiles will leave already running processes permanently\n") ("unconfined, which can lead to unexpected situations.\n") ("\n") ("To set a process to complain mode, use the command line tool\n") ("'aa-complain'. To really tear down all profiles, run the init script\n") ("with the 'teardown' option.") (Right_DoubleQuote "\"") ("\n") ) } do_expansion: True here_end: EOM was_filled: True spids: [834] ) ] ) ] spids: [804 805 847 -1] ) (case_arm pat_list: [{(teardown)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: True ) ] op_id: Op_DAmp ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_daemon_msg)} {(DQ ("Not tearing down AppArmor in container"))}) (C {(log_end_msg)} {(0)}) (C {(exit)} {(0)}) ] spids: [-1 871] ) ] spids: [-1 891] ) (C {(log_daemon_msg)} {(DQ ("Unloading AppArmor profiles"))}) (C {(securityfs)}) (Pipeline children: [ (C {(running_profile_names)}) (While cond: [(Sentence child:(C {(read)} {(profile)}) terminator:<Op_Semi ";">)] body: (DoGroup children: [ (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(unload_profile)} {(DQ ($ VSub_Name "$profile"))})] negated: True ) terminator: <Op_Semi ";"> ) ] action: [(C {(log_end_msg)} {(1)}) (C {(exit)} {(1)})] spids: [-1 930] ) ] spids: [-1 943] ) ] spids: [915 946] ) ) ] negated: False ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(0)} spids:[949])] spids: [949] ) (C {(log_end_msg)} {($ VSub_Name "$rc")}) ] spids: [850 851 958 -1] ) (case_arm pat_list: [{(restart)} {(reload)} {(force-reload)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: True ) ] op_id: Op_DAmp ) terminator: <Op_Semi ";"> ) ] action: [ (C {(log_daemon_msg)} {(DQ ("Not reloading AppArmor in container"))}) (C {(log_end_msg)} {(0)}) (C {(exit)} {(0)}) ] spids: [-1 986] ) ] spids: [-1 1006] ) (C {(log_daemon_msg)} {(DQ ("Reloading AppArmor profiles"))}) (C {(securityfs)}) (C {(clear_cache)}) (C {(load_configured_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark "$?")} spids: [1025] ) ] spids: [1025] ) (C {(log_end_msg)} {(DQ ($ VSub_Name "$rc"))}) ] spids: [961 966 1037 -1] ) (case_arm pat_list: [{(status)}] action: [ (C {(securityfs)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other "[")} {(-x)} {(/usr/sbin/aa-status)} {(Lit_Other "]")}) terminator: <Op_Semi ";"> ) ] action: [(C {(aa-status)} {(--verbose)})] spids: [-1 1058] ) ] else_action: [(C {(cat)} {(DQ ($ VSub_Name "$AA_SFS")) (/profiles)})] spids: [1066 1077] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark "$?")} spids: [1080] ) ] spids: [1080] ) ] spids: [1040 1041 1084 -1] ) (case_arm pat_list: [{(Lit_Other "*")}] action: [ (C {(usage)}) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(1)} spids:[1094])] spids: [1094] ) ] spids: [1087 1088 1098 -1] ) ] spids: [721 727 1101] ) (C {(exit)} {($ VSub_Name "$rc")}) ] )