(command.CommandList children: [ (C {<.>} {<'/lib/apparmor/functions'>}) (C {<.>} {<'/lib/lsb/init-functions'>}) (command.ShFunction name: usage body: (BraceGroup children: [ (C {<echo>} { (DQ <'Usage: '> ($ Id.VSub_Number '$0') <' {start|stop|restart|reload|force-reload|status|recache}'> ) } ) ] ) ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {<-x>} {(${ Id.VSub_Name PARSER)}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {<-d>} {<'/sys/module/apparmor'>}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.ShFunction name: securityfs body: (BraceGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<Id.KW_Bang '!'>} {<-d>} {(DQ (${ Id.VSub_Name AA_SFS))} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {<cut>} {<-d> (DQ <' '>)} {<-f2> <Id.Lit_Comma ','> <3>} {<'/proc/mounts'>} ) (C {<grep>} {<-q>} {(DQ <'^'> (${ Id.VSub_Name SECURITYFS) <' securityfs'>) (SQ <'$'>) } ) ] negated: F ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_action_msg>} {(DQ <'AppArmor not available as kernel LSM.'>)}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [191 225] ) ] else_action: [ (C {<log_action_begin_msg>} {(DQ <'Mounting securityfs on '> (${ Id.VSub_Name SECURITYFS))} ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {<mount>} {<-t>} {<securityfs>} {<none>} {(DQ (${ Id.VSub_Name SECURITYFS))} ) ] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_action_end_msg>} {<1>}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [258 277] ) ] ) ] ) ] spids: [171 188] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<Id.KW_Bang '!'>} {<-w>} {(DQ ($ Id.VSub_DollarName '$AA_SFS')) <'/.load'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_action_msg>} {(DQ <'Insufficient privileges to change profiles.'>)}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [304 320] ) ] ) ] ) ) (command.ShFunction name: handle_system_policy_package_updates body: (BraceGroup children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {<0>} spids: [352] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children:[(C {<compare_previous_version>})] negated:T) terminator: <Id.Op_Semi _> ) ] action: [ (C {<clear_cache_system>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {<1>} spids: [391] ) ] ) ] spids: [357 365] ) (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {<compare_and_save_debsums>} {<apparmor>})] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<clear_cache>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:apparmor_was_updated) op: assign_op.Equal rhs: {<1>} spids: [435] ) ] ) ] spids: [395 405] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-clickhook'>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-profile-hook'>} {<Id.Lit_RBracket ']'>} ) ] ) terminator: <Id.Op_Semi _> ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {<0>} spids: [476] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_profile_hook) op: assign_op.Equal rhs: {<0>} spids: [480] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {<compare_and_save_debsums>} {<apparmor-easyprof-ubuntu>}) ] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {<1>} spids: [497] ) ] ) ] spids: [484 494] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {<compare_and_save_debsums>} {<apparmor-easyprof-ubuntu-snappy>}) ] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {<1>} spids: [517] ) ] ) ] spids: [504 514] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [(C {<compare_and_save_debsums>} {<click-apparmor>})] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_clickhook) op: assign_op.Equal rhs: {<1>} spids: [537] ) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:force_profile_hook) op: assign_op.Equal rhs: {<1>} spids: [541] ) ] ) ] spids: [524 534] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-clickhook'>} {<Id.Lit_RBracket ']'>} ) (command.Subshell child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$force_clickhook')} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$apparmor_was_updated')} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) ] ) ) ] ) terminator: <Id.Op_Semi _> ) ] action: [(C {<aa-clickhook>} {<-f>})] spids: [548 586] ) ] ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-profile-hook'>} {<Id.Lit_RBracket ']'>} ) (command.Subshell child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$force_profile_hook')} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName '$apparmor_was_updated')} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) ] ) ) ] ) terminator: <Id.Op_Semi _> ) ] action: [(C {<aa-profile-hook>} {<-f>})] spids: [597 635] ) ] ) ] spids: [443 465] ) ] ) ] ) ) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_Number '$1'))} {<Id.Lit_Equals '='>} {(DQ <recache>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_daemon_msg>} {(DQ <'Recaching AppArmor profiles'>)}) (C {<recache_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [684] ) ] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName '$rc'))}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {($ Id.VSub_DollarName '$rc')} ) ] spids: [654 671] ) ] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<test>} {<-d>} {<'/rofs/etc/apparmor.d'>}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.ShAssignment pairs: [(assign_pair lhs:(sh_lhs_expr.Name name:rc) op:assign_op.Equal rhs:{<255>} spids:[718])] ) (command.Case to_match: {(DQ ($ Id.VSub_Number '$1'))} arms: [ (case_arm pat_list: [{<start>}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T ) ] ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_daemon_msg>} {(DQ <'Not starting AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [734 751] ) ] ) (C {<log_daemon_msg>} {(DQ <'Starting AppArmor profiles'>)}) (C {<securityfs>}) (C {<handle_system_policy_package_updates>}) (C {<load_configured_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [790] ) ] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName '$rc'))}) ] spids: [730 731 801 -1] ) (case_arm pat_list: [{<stop>}] action: [ (C {<log_daemon_msg>} {(DQ <'Clearing AppArmor profiles cache'>)}) (C {<clear_cache>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [818] ) ] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName '$rc'))}) (command.Simple words: [{<cat>}] redirects: [ (redir op:<Id.Redir_GreatAnd '>&'> loc:(redir_loc.Fd fd:1) arg:{<2>}) (redir op: <Id.Redir_DLess '<<'> loc: (redir_loc.Fd fd:0) arg: (redir_param.MultiLine here_begin: {<EOM>} here_end_span_id: 847 stdin_parts: [ < 'All profile caches have been cleared, but no profiles have been unloaded.\n' > <'Unloading profiles will leave already running processes permanently\n'> <'unconfined, which can lead to unexpected situations.\n'> <'\n'> <'To set a process to complain mode, use the command line tool\n'> <'\'aa-complain\'. To really tear down all profiles, run the init script\n'> <'with the \'teardown\' option.'> <Id.Right_DoubleQuote '"'> <'\n'> ] ) ) ] do_fork: T ) ] spids: [804 805 849 -1] ) (case_arm pat_list: [{<teardown>}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T ) ] ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_daemon_msg>} {(DQ <'Not tearing down AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [856 873] ) ] ) (C {<log_daemon_msg>} {(DQ <'Unloading AppArmor profiles'>)}) (C {<securityfs>}) (command.Pipeline children: [ (C {<running_profile_names>}) (command.WhileUntil keyword: <Id.KW_While while> cond: [(command.Sentence child:(C {<read>} {<profile>}) terminator:<Id.Op_Semi _>)] body: (command.DoGroup children: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.Pipeline children: [ (C {<unload_profile>} {(DQ ($ Id.VSub_DollarName '$profile'))}) ] negated: T ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [920 932] ) ] ) ] ) ) ] negated: F ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {<0>} spids: [951] ) ] ) (C {<log_end_msg>} {($ Id.VSub_DollarName '$rc')}) ] spids: [852 853 960 -1] ) (case_arm pat_list: [{<restart>} {<reload>} {<force-reload>}] action: [ (command.If arms: [ (if_arm cond: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T ) ] ) terminator: <Id.Op_Semi _> ) ] action: [ (C {<log_daemon_msg>} {(DQ <'Not reloading AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [971 988] ) ] ) (C {<log_daemon_msg>} {(DQ <'Reloading AppArmor profiles'>)}) (C {<securityfs>}) (C {<clear_cache>}) (C {<load_configured_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [1027] ) ] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName '$rc'))}) ] spids: [963 968 1039 -1] ) (case_arm pat_list: [{<status>}] action: [ (C {<securityfs>}) (command.If arms: [ (if_arm cond: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/sbin/aa-status'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] action: [(C {<aa-status>} {<--verbose>})] spids: [1049 1060] ) ] else_action: [(C {<cat>} {(DQ ($ Id.VSub_DollarName '$AA_SFS')) <'/profiles'>})] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '$?')} spids: [1082] ) ] ) ] spids: [1042 1043 1086 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (C {<usage>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name name:rc) op: assign_op.Equal rhs: {<1>} spids: [1096] ) ] ) ] spids: [1089 1090 1100 -1] ) ] ) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{($ Id.VSub_DollarName '$rc')}) ] )