(command.CommandList children: [ (C {(.)} {(/lib/apparmor/functions)}) (C {(.)} {(/lib/lsb/init-functions)}) (command.ShFunction name: usage body: (command.BraceGroup children: [ (C {(echo)} { (DQ ('Usage: ') ($ Id.VSub_Number '$0') (' {start|stop|restart|reload|force-reload|status|recache}') ) } ) ] ) ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(test)} {(-x)} {(${ Id.VSub_Name PARSER)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:137) arg_word: {(0)} ) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(test)} {(-d)} {(/sys/module/apparmor)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:155) arg_word: {(0)} ) ] ) (command.ShFunction name: securityfs body: (command.BraceGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Id.Lit_LBracket '[')} {(Id.KW_Bang '!')} {(-d)} {(DQ (${ Id.VSub_Name AA_SFS))} {(Id.Lit_RBracket ']')} ) terminator: (Token id:Id.Op_Semi val:';' span_id:186) ) ] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(cut)} {(-d) (DQ (' '))} {(-f2) (Id.Lit_Comma ',') (3)} {(/proc/mounts)} ) (C {(grep)} {(-q)} {(DQ ('^') (${ Id.VSub_Name SECURITYFS) (' securityfs')) (SQ (Token id:Id.Lit_Chars val:'$' span_id:220)) } ) ] negated: F ) terminator: (Token id:Id.Op_Semi val:';' span_id:223) ) ] action: [ (C {(log_action_msg)} {(DQ ('AppArmor not available as kernel LSM.'))}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:240) arg_word: {(1)} ) ] spids: [191 225] ) ] else_action: [ (C {(log_action_begin_msg)} {(DQ ('Mounting securityfs on ') (${ Id.VSub_Name SECURITYFS))} ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(mount)} {(-t)} {(securityfs)} {(none)} {(DQ (${ Id.VSub_Name SECURITYFS))} ) ] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:275) ) ] action: [ (C {(log_action_end_msg)} {(1)}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:290) arg_word: {(1)} ) ] spids: [258 277] ) ] ) ] ) ] spids: [171 188] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Id.Lit_LBracket '[')} {(Id.KW_Bang '!')} {(-w)} {(DQ ($ Id.VSub_DollarName '$AA_SFS')) (/.load)} {(Id.Lit_RBracket ']')} ) terminator: (Token id:Id.Op_Semi val:';' span_id:318) ) ] action: [ (C {(log_action_msg)} {(DQ ('Insufficient privileges to change profiles.'))}) (C {(log_end_msg)} {(1)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:335) arg_word: {(1)} ) ] spids: [304 320] ) ] ) ] ) ) (command.ShFunction name: handle_system_policy_package_updates body: (command.BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {(0)} spids: [352] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children:[(C {(compare_previous_version)})] negated:T) terminator: (Token id:Id.Op_Semi val:';' span_id:363) ) ] action: [ (C {(clear_cache_system)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {(1)} spids: [391] ) ] ) ] spids: [357 365] ) (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(compare_and_save_debsums)} {(apparmor)})] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:403) ) ] action: [ (C {(clear_cache)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {(1)} spids: [435] ) ] ) ] spids: [395 405] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(Id.Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Id.Lit_RBracket ']')} ) (C {(Id.Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Id.Lit_RBracket ']')} ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:463) ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {(0)} spids: [476] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_profile_hook) op: assign_op.Equal rhs: {(0)} spids: [480] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu)}) ] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:492) ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {(1)} spids: [497] ) ] ) ] spids: [484 494] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(compare_and_save_debsums)} {(apparmor-easyprof-ubuntu-snappy)}) ] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:512) ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {(1)} spids: [517] ) ] ) ] spids: [504 514] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {(compare_and_save_debsums)} {(click-apparmor)})] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:532) ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {(1)} spids: [537] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_profile_hook) op: assign_op.Equal rhs: {(1)} spids: [541] ) ] ) ] spids: [524 534] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(Id.Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-clickhook)} {(Id.Lit_RBracket ']')} ) (command.Subshell command_list: (command.CommandList children: [ (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(Id.Lit_LBracket '[')} {($ Id.VSub_DollarName '$force_clickhook')} {(-eq)} {(1)} {(Id.Lit_RBracket ']')} ) (C {(Id.Lit_LBracket '[')} {($ Id.VSub_DollarName '$apparmor_was_updated')} {(-eq)} {(1)} {(Id.Lit_RBracket ']')} ) ] ) ] ) ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:584) ) ] action: [(C {(aa-clickhook)} {(-f)})] spids: [548 586] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(Id.Lit_LBracket '[')} {(-x)} {(/usr/bin/aa-profile-hook)} {(Id.Lit_RBracket ']')} ) (command.Subshell command_list: (command.CommandList children: [ (command.AndOr ops: [Id.Op_DPipe] children: [ (C {(Id.Lit_LBracket '[')} {($ Id.VSub_DollarName '$force_profile_hook')} {(-eq)} {(1)} {(Id.Lit_RBracket ']')} ) (C {(Id.Lit_LBracket '[')} {($ Id.VSub_DollarName '$apparmor_was_updated')} {(-eq)} {(1)} {(Id.Lit_RBracket ']')} ) ] ) ] ) ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:633) ) ] action: [(C {(aa-profile-hook)} {(-f)})] spids: [597 635] ) ] ) ] spids: [443 465] ) ] ) ] ) ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Id.Lit_LBracket '[')} {(DQ ($ Id.VSub_Number '$1'))} {(Id.Lit_Equals '=')} {(DQ (recache))} {(Id.Lit_RBracket ']')} ) terminator: (Token id:Id.Op_Semi val:';' span_id:669) ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Recaching AppArmor profiles'))}) (C {(recache_profiles)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [684] ) ] ) (C {(log_end_msg)} {(DQ ($ Id.VSub_DollarName '$rc'))}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:695) arg_word: {($ Id.VSub_DollarName '$rc')} ) ] spids: [654 671] ) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(test)} {(-d)} {(/rofs/etc/apparmor.d)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:713) arg_word: {(0)} ) ] ) (command.ShAssignment pairs: [(assign_pair lhs:(sh_lhs_expr.Name name:rc) op:assign_op.Equal rhs:{(255)} spids:[718])] ) (command.Case to_match: {(DQ ($ Id.VSub_Number '$1'))} arms: [ (case_arm pat_list: [{(start)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:749) ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not starting AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:766) arg_word: {(0)} ) ] spids: [734 751] ) ] ) (C {(log_daemon_msg)} {(DQ ('Starting AppArmor profiles'))}) (C {(securityfs)}) (C {(handle_system_policy_package_updates)}) (C {(load_configured_profiles)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [790] ) ] ) (C {(log_end_msg)} {(DQ ($ Id.VSub_DollarName '$rc'))}) ] spids: [730 731 801 -1] ) (case_arm pat_list: [{(stop)}] action: [ (C {(log_daemon_msg)} {(DQ ('Clearing AppArmor profiles cache'))}) (C {(clear_cache)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [818] ) ] ) (C {(log_end_msg)} {(DQ ($ Id.VSub_DollarName '$rc'))}) (command.Simple words: [{(cat)}] redirects: [ (redir.Redir op: (Token id:Id.Redir_GreatAnd val:'>&' span_id:831) fd: -1 arg_word: {(2)} ) (redir.HereDoc op: (Token id:Id.Redir_DLess val:'<<' span_id:834) fd: -1 here_begin: {(EOM)} here_end_span_id: 847 stdin_parts: [ ('All profile caches have been cleared, but no profiles have been unloaded.\n') ('Unloading profiles will leave already running processes permanently\n') ('unconfined, which can lead to unexpected situations.\n') ('\n') ('To set a process to complain mode, use the command line tool\n') ("'aa-complain'. To really tear down all profiles, run the init script\n") ("with the 'teardown' option.") (Id.Right_DoubleQuote '"') ('\n') ] ) ] ) ] spids: [804 805 849 -1] ) (case_arm pat_list: [{(teardown)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:871) ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not tearing down AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:888) arg_word: {(0)} ) ] spids: [856 873] ) ] ) (C {(log_daemon_msg)} {(DQ ('Unloading AppArmor profiles'))}) (C {(securityfs)}) (command.Pipeline children: [ (C {(running_profile_names)}) (command.WhileUntil keyword: (Token id:Id.KW_While val:while span_id:910) cond: [ (command.Sentence child: (C {(read)} {(profile)}) terminator: (Token id:Id.Op_Semi val:';' span_id:915) ) ] body: (command.DoGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {(unload_profile)} {(DQ ($ Id.VSub_DollarName '$profile'))}) ] negated: T ) terminator: (Token id:Id.Op_Semi val:';' span_id:930) ) ] action: [ (C {(log_end_msg)} {(1)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:940) arg_word: {(1)} ) ] spids: [920 932] ) ] ) ] ) ) ] negated: F ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {(0)} spids: [951] ) ] ) (C {(log_end_msg)} {($ Id.VSub_DollarName '$rc')}) ] spids: [852 853 960 -1] ) (case_arm pat_list: [{(restart)} {(reload)} {(force-reload)}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {(systemd-detect-virt)} {(--quiet)} {(--container)}) (command.Pipeline children: [(C {(is_container_with_internal_policy)})] negated: T ) ] ) terminator: (Token id:Id.Op_Semi val:';' span_id:986) ) ] action: [ (C {(log_daemon_msg)} {(DQ ('Not reloading AppArmor in container'))}) (C {(log_end_msg)} {(0)}) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:1003) arg_word: {(0)} ) ] spids: [971 988] ) ] ) (C {(log_daemon_msg)} {(DQ ('Reloading AppArmor profiles'))}) (C {(securityfs)}) (C {(clear_cache)}) (C {(load_configured_profiles)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [1027] ) ] ) (C {(log_end_msg)} {(DQ ($ Id.VSub_DollarName '$rc'))}) ] spids: [963 968 1039 -1] ) (case_arm pat_list: [{(status)}] action: [ (C {(securityfs)}) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {(Id.Lit_LBracket '[')} {(-x)} {(/usr/sbin/aa-status)} {(Id.Lit_RBracket ']')}) terminator: (Token id:Id.Op_Semi val:';' span_id:1058) ) ] action: [(C {(aa-status)} {(--verbose)})] spids: [1049 1060] ) ] else_action: [(C {(cat)} {(DQ ($ Id.VSub_DollarName '$AA_SFS')) (/profiles)})] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [1082] ) ] ) ] spids: [1042 1043 1086 -1] ) (case_arm pat_list: [{(Id.Lit_Star '*')}] action: [ (C {(usage)}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {(1)} spids: [1096] ) ] ) ] spids: [1089 1090 1100 -1] ) ] ) (command.ControlFlow token: (Token id:Id.ControlFlow_Exit val:exit span_id:1105) arg_word: {($ Id.VSub_DollarName '$rc')} ) ] )