(command.CommandList children: [ (C {(.)} {(/lib/apparmor/functions)}) (C {(.)} {(/lib/lsb/init-functions)}) (command.FuncDef name: usage body: (command.BraceGroup children: [ (C {(echo)} { (DQ ('Usage: ') ($ VSub_Number '$0') (' {start|stop|restart|reload|force-reload|status|recache}') ) } ) ] ) ) (command.AndOr ops: [Op_DPipe] children: [ (C {(test)} {(-x)} {(${ VSub_Name PARSER)}) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (command.AndOr ops: [Op_DPipe] children: [ (C {(test)} {(-d)} {(/sys/module/apparmor)}) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (command.FuncDef name: securityfs body: (command.BraceGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Lit_LBracket '[')} {(KW_Bang '!')} {(-d)} {(DQ (${ VSub_Name AA_SFS))} {(Lit_RBracket ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(cut)} {(-d) (DQ (' '))} {(-f2) (Lit_Comma ',') (3)} {(/proc/mounts)} ) (C {(grep)} {(-q)} {(DQ ('^') (${ VSub_Name SECURITYFS) (' securityfs')) (SQ <'$'>)} ) ] negated: F ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_msg)} {(DQ ('AppArmor not available as kernel LSM.'))}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] ) ] else_action: [ (C {(log_action_begin_msg)} {(DQ ('Mounting securityfs on ') (${ VSub_Name SECURITYFS))} ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(mount)} {(-t)} {(securityfs)} {(none)} {(DQ (${ VSub_Name SECURITYFS))} ) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_end_msg)} {(1)}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] ) ] ) ] ) ] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Lit_LBracket '[')} {(KW_Bang '!')} {(-w)} {(DQ ($ VSub_DollarName '$AA_SFS')) (/.load)} {(Lit_RBracket ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_action_msg)} {(DQ ('Insufficient privileges to change profiles.'))}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] ) ] ) ] ) ) (command.FuncDef name: handle_system_policy_package_updates body: (command.BraceGroup children: [ (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:apparmor_was_updated) op:Equal rhs:{(0)})] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children:[(C {(compare_previous_version)})] negated:T) terminator: <Op_Semi ';'> ) ] action: [ (C {(clear_cache_system)}) (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} ) ] ) ] ) (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(compare_and_save_debsums)} {(apparmor)})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(clear_cache)}) (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:apparmor_was_updated) op: Equal rhs: {(1)} ) ] ) ] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DPipe] children: [ (C {(Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_RBracket ']')}) (C {(Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_RBracket ']')} ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_clickhook) op: Equal rhs: {(0)} ) ] ) (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_profile_hook) op: Equal rhs: {(0)} ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu)}) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_clickhook) op: Equal rhs: {(1)} ) ] ) ] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu-snappy)}) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_clickhook) op: Equal rhs: {(1)} ) ] ) ] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(compare_and_save_debsums)} {(click-apparmor)})] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_clickhook) op: Equal rhs: {(1)} ) ] ) (command.Assignment pairs: [ (assign_pair lhs: (lhs_expr.LhsName name:force_profile_hook) op: Equal rhs: {(1)} ) ] ) ] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DAmp] children: [ (C {(Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Lit_RBracket ']')} ) (command.Subshell command_list: (command.CommandList children: [ (command.AndOr ops: [Op_DPipe] children: [ (C {(Lit_LBracket '[')} {($ VSub_DollarName '$force_clickhook')} {(-eq)} {(1)} {(Lit_RBracket ']')} ) (C {(Lit_LBracket '[')} {($ VSub_DollarName '$apparmor_was_updated')} {(-eq)} {(1)} {(Lit_RBracket ']')} ) ] ) ] ) ) ] ) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-clickhook)} {(-f)})] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DAmp] children: [ (C {(Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Lit_RBracket ']')} ) (command.Subshell command_list: (command.CommandList children: [ (command.AndOr ops: [Op_DPipe] children: [ (C {(Lit_LBracket '[')} {($ VSub_DollarName '$force_profile_hook')} {(-eq)} {(1)} {(Lit_RBracket ']')} ) (C {(Lit_LBracket '[')} {($ VSub_DollarName '$apparmor_was_updated')} {(-eq)} {(1)} {(Lit_RBracket ']')} ) ] ) ] ) ) ] ) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-profile-hook)} {(-f)})] ) ] ) ] ) ] ) ] ) ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Lit_LBracket '[')} {(DQ ($ VSub_Number '$1'))} {(Lit_Other '=')} {(DQ (recache))} {(Lit_RBracket ']')} ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Recaching AppArmor profiles'))}) (C {(recache_profiles)}) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{($ VSub_QMark '$?')})] ) (C {(log_end_msg)} {(DQ ($ VSub_DollarName '$rc'))}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {($ VSub_DollarName '$rc')} ) ] ) ] ) (command.AndOr ops: [Op_DAmp] children: [ (C {(test)} {(-d)} {(/rofs/etc/apparmor.d)}) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{(0)}) ] ) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{(255)})] ) (command.Case to_match: {(DQ ($ VSub_Number '$1'))} arms: [ (case_arm pat_list: [{(start)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not starting AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(0)} ) ] ) ] ) (C {(log_daemon_msg)} {(DQ ('Starting AppArmor profiles'))}) (C {(securityfs)}) (C {(handle_system_policy_package_updates)}) (C {(load_configured_profiles)}) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{($ VSub_QMark '$?')})] ) (C {(log_end_msg)} {(DQ ($ VSub_DollarName '$rc'))}) ] ) (case_arm pat_list: [{(stop)}] action: [ (C {(log_daemon_msg)} {(DQ ('Clearing AppArmor profiles cache'))}) (C {(clear_cache)}) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{($ VSub_QMark '$?')})] ) (C {(log_end_msg)} {(DQ ($ VSub_DollarName '$rc'))}) (command.Simple words: [{(cat)}] redirects: [ (redir.Redir op:<Redir_GreatAnd '>&'> fd:16777215 arg_word:{(2)}) (redir.HereDoc op: <Redir_DLess '<<'> fd: 16777215 here_begin: {(EOM)} here_end_span_id: 847 stdin_parts: [ ('All profile caches have been cleared, but no profiles have been unloaded.\n') ('Unloading profiles will leave already running processes permanently\n') ('unconfined, which can lead to unexpected situations.\n') ('\n') ('To set a process to complain mode, use the command line tool\n') ("'aa-complain'. To really tear down all profiles, run the init script\n") ("with the 'teardown' option.") (Right_DoubleQuote '"') ('\n') ] ) ] ) ] ) (case_arm pat_list: [{(teardown)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not tearing down AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(0)} ) ] ) ] ) (C {(log_daemon_msg)} {(DQ ('Unloading AppArmor profiles'))}) (C {(securityfs)}) (command.Pipeline children: [ (C {(running_profile_names)}) (command.WhileUntil keyword: <KW_While while> cond: [(command.Sentence child:(C {(read)} {(profile)}) terminator:<Op_Semi ';'>)] body: (command.DoGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(unload_profile)} {(DQ ($ VSub_DollarName '$profile'))}) ] negated: T ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_end_msg)} {(1)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(1)} ) ] ) ] ) ] ) ) ] negated: F ) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{(0)})] ) (C {(log_end_msg)} {($ VSub_DollarName '$rc')}) ] ) (case_arm pat_list: [{(restart)} {(reload)} {(force-reload)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: <Op_Semi ';'> ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not reloading AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: <ControlFlow_Exit exit> arg_word: {(0)} ) ] ) ] ) (C {(log_daemon_msg)} {(DQ ('Reloading AppArmor profiles'))}) (C {(securityfs)}) (C {(clear_cache)}) (C {(load_configured_profiles)}) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{($ VSub_QMark '$?')})] ) (C {(log_end_msg)} {(DQ ($ VSub_DollarName '$rc'))}) ] ) (case_arm pat_list: [{(status)}] action: [ (C {(securityfs)}) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Lit_LBracket '[')} {(-x)} {(/usr/sbin/aa-status)} {(Lit_RBracket ']')}) terminator: <Op_Semi ';'> ) ] action: [(C {(aa-status)} {(--verbose)})] ) ] else_action: [(C {(cat)} {(DQ ($ VSub_DollarName '$AA_SFS')) (/profiles)})] ) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{($ VSub_QMark '$?')})] ) ] ) (case_arm pat_list: [{(Lit_Star '*')}] action: [ (C {(usage)}) (command.Assignment pairs: [(assign_pair lhs:(lhs_expr.LhsName name:rc) op:Equal rhs:{(1)})] ) ] ) ] ) (command.ControlFlow token:<ControlFlow_Exit exit> arg_word:{($ VSub_DollarName '$rc')}) ] )