(CommandList children: [ (C {(.)} {(/lib/apparmor/functions)}) (C {(.)} {(/lib/lsb/init-functions)}) (FuncDef name: usage body: (BraceGroup children: [ (C {(echo)} { (DQ ('Usage: ') ($ VSub_Number '$0') (' {start|stop|restart|reload|force-reload|status|recache}') ) } ) ] spids: [113] ) spids: [109 112] ) (AndOr ops: [Op_DPipe] children: [ (C {(test)} {(-x)} {(${ VSub_Name PARSER)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (AndOr ops: [Op_DPipe] children: [ (C {(test)} {(-d)} {(/sys/module/apparmor)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (FuncDef name: securityfs body: (BraceGroup children: [ (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(KW_Bang '!')} {(-d)} {(DQ (${ VSub_Name AA_SFS))} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(cut)} {(-d) (DQ (' '))} {(-f2) (Lit_Comma ',') (3)} {(/proc/mounts)} ) (C {(grep)} {(-q)} {(DQ ('^') (${ VSub_Name SECURITYFS) (' securityfs')) (SQ <'$'>) } ) ] negated: F ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_msg)} {(DQ ('AppArmor not available as kernel LSM.'))}) (C {(log_end_msg)} {(1)}) (ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] spids: [16777215 225] ) ] else_action: [ (C {(log_action_begin_msg)} {(DQ ('Mounting securityfs on ') (${ VSub_Name SECURITYFS))} ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(mount)} {(-t)} {(securityfs)} {(none)} {(DQ (${ VSub_Name SECURITYFS))} ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_end_msg)} {(1)}) (C {(log_end_msg)} {(1)}) (ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] spids: [16777215 277] ) ] spids: [16777215 295] ) ] spids: [245 298] ) ] spids: [16777215 188] ) ] spids: [16777215 301] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(KW_Bang '!')} {(-w)} {(DQ ($ VSub_Name '$AA_SFS')) (/.load)} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_msg)} {(DQ ('Insufficient privileges to change profiles.'))}) (C {(log_end_msg)} {(1)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(1)}) ] spids: [16777215 320] ) ] spids: [16777215 340] ) ] spids: [164] ) spids: [160 163] ) (FuncDef name: handle_system_policy_package_updates body: (BraceGroup children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(0)} spids: [352] ) ] spids: [352] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children:[(C {(compare_previous_version)})] negated:T) terminator: <Op_Semi ';'> ) ] action: [ (C {(clear_cache_system)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} spids: [391] ) ] spids: [391] ) ] spids: [16777215 365] ) (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(compare_and_save_debsums)} {(apparmor)})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(clear_cache)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} spids: [435] ) ] spids: [435] ) ] spids: [395 405] ) ] spids: [16777215 439] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DPipe] children: [ (C {(Lit_Other '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_Other ']')}) (C {(Lit_Other '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_Other ']')}) ] ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(0)} spids: [476] ) ] spids: [476] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_profile_hook) op: Equal rhs: {(0)} spids: [480] ) ] spids: [480] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu)}) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [497] ) ] spids: [497] ) ] spids: [16777215 494] ) ] spids: [16777215 501] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu-snappy)}) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [517] ) ] spids: [517] ) ] spids: [16777215 514] ) ] spids: [16777215 521] ) (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(compare_and_save_debsums)} {(click-apparmor)})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_clickhook) op: Equal rhs: {(1)} spids: [537] ) ] spids: [537] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:force_profile_hook) op: Equal rhs: {(1)} spids: [541] ) ] spids: [541] ) ] spids: [16777215 534] ) ] spids: [16777215 545] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DAmp] children: [ (C {(Lit_Other '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_Other ']')} ) (Subshell child: (AndOr ops: [Op_DPipe] children: [ (C {(Lit_Other '[')} {($ VSub_Name '$force_clickhook')} {(-eq)} {(1)} {(Lit_Other ']')} ) (C {(Lit_Other '[')} {($ VSub_Name '$apparmor_was_updated')} {(-eq)} {(1)} {(Lit_Other ']')} ) ] ) spids: [560 582] ) ] ) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-clickhook)} {(-f)})] spids: [16777215 586] ) ] spids: [16777215 594] ) (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DAmp] children: [ (C {(Lit_Other '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_Other ']')} ) (Subshell child: (AndOr ops: [Op_DPipe] children: [ (C {(Lit_Other '[')} {($ VSub_Name '$force_profile_hook')} {(-eq)} {(1)} {(Lit_Other ']')} ) (C {(Lit_Other '[')} {($ VSub_Name '$apparmor_was_updated')} {(-eq)} {(1)} {(Lit_Other ']')} ) ] ) spids: [609 631] ) ] ) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-profile-hook)} {(-f)})] spids: [16777215 635] ) ] spids: [16777215 643] ) ] spids: [16777215 465] ) ] spids: [16777215 646] ) ] spids: [349] ) spids: [345 348] ) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(DQ ($ VSub_Number '$1'))} {(Lit_Other '=')} {(DQ (recache))} {(Lit_Other ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Recaching AppArmor profiles'))}) (C {(recache_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [684] ) ] spids: [684] ) (C {(log_end_msg)} {(DQ ($ VSub_Name '$rc'))}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{($ VSub_Name '$rc')}) ] spids: [16777215 671] ) ] spids: [16777215 699] ) (AndOr ops: [Op_DAmp] children: [ (C {(test)} {(-d)} {(/rofs/etc/apparmor.d)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(255)} spids:[718])] spids: [718] ) (Case to_match: {(DQ ($ VSub_Number '$1'))} arms: [ (case_arm pat_list: [{(start)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not starting AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] spids: [16777215 751] ) ] spids: [16777215 771] ) (C {(log_daemon_msg)} {(DQ ('Starting AppArmor profiles'))}) (C {(securityfs)}) (C {(handle_system_policy_package_updates)}) (C {(load_configured_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [790] ) ] spids: [790] ) (C {(log_end_msg)} {(DQ ($ VSub_Name '$rc'))}) ] spids: [730 731 801 16777215] ) (case_arm pat_list: [{(stop)}] action: [ (C {(log_daemon_msg)} {(DQ ('Clearing AppArmor profiles cache'))}) (C {(clear_cache)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [818] ) ] spids: [818] ) (C {(log_end_msg)} {(DQ ($ VSub_Name '$rc'))}) (SimpleCommand words: [{(cat)}] redirects: [ (Redir op_id:Redir_GreatAnd fd:16777215 arg_word:{(2)} spids:[831]) (HereDoc op_id: Redir_DLess fd: 16777215 body: { (DQ ( 'All profile caches have been cleared, but no profiles have been unloaded.\n' ) ('Unloading profiles will leave already running processes permanently\n') ('unconfined, which can lead to unexpected situations.\n') ('\n') ('To set a process to complain mode, use the command line tool\n') ("'aa-complain'. To really tear down all profiles, run the init script\n") ("with the 'teardown' option.") (Right_DoubleQuote '"') ('\n') ) } do_expansion: True here_end: EOM was_filled: T spids: [834] ) ] ) ] spids: [804 805 848 16777215] ) (case_arm pat_list: [{(teardown)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not tearing down AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] spids: [16777215 872] ) ] spids: [16777215 892] ) (C {(log_daemon_msg)} {(DQ ('Unloading AppArmor profiles'))}) (C {(securityfs)}) (Pipeline children: [ (C {(running_profile_names)}) (While cond: [(Sentence child:(C {(read)} {(profile)}) terminator:<Op_Semi ';'>)] body: (DoGroup children: [ (If arms: [ (if_arm cond: [ (Sentence child: (Pipeline children: [(C {(unload_profile)} {(DQ ($ VSub_Name '$profile'))})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_end_msg)} {(1)}) (ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] spids: [16777215 931] ) ] spids: [16777215 944] ) ] spids: [916 947] ) ) ] negated: F ) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(0)} spids:[950])] spids: [950] ) (C {(log_end_msg)} {($ VSub_Name '$rc')}) ] spids: [851 852 959 16777215] ) (case_arm pat_list: [{(restart)} {(reload)} {(force-reload)}] action: [ (If arms: [ (if_arm cond: [ (Sentence child: (AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not reloading AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] spids: [16777215 987] ) ] spids: [16777215 1007] ) (C {(log_daemon_msg)} {(DQ ('Reloading AppArmor profiles'))}) (C {(securityfs)}) (C {(clear_cache)}) (C {(load_configured_profiles)}) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [1026] ) ] spids: [1026] ) (C {(log_end_msg)} {(DQ ($ VSub_Name '$rc'))}) ] spids: [962 967 1038 16777215] ) (case_arm pat_list: [{(status)}] action: [ (C {(securityfs)}) (If arms: [ (if_arm cond: [ (Sentence child: (C {(Lit_Other '[')} {(-x)} {(/usr/sbin/aa-status)} {(Lit_Other ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-status)} {(--verbose)})] spids: [16777215 1059] ) ] else_action: [(C {(cat)} {(DQ ($ VSub_Name '$AA_SFS')) (/profiles)})] spids: [1067 1078] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:rc) op: Equal rhs: {($ VSub_QMark '$?')} spids: [1081] ) ] spids: [1081] ) ] spids: [1041 1042 1085 16777215] ) (case_arm pat_list: [{(Lit_Other '*')}] action: [ (C {(usage)}) (Assignment keyword: Assign_None pairs: [(assign_pair lhs:(LhsName name:rc) op:Equal rhs:{(1)} spids:[1095])] spids: [1095] ) ] spids: [1088 1089 1099 16777215] ) ] spids: [721 727 1102] ) (ControlFlow token:<ControlFlow_Exit exit> arg_word:{($ VSub_Name '$rc')}) ] )