#
# == Define: apparmor::profile
#
# Install an Apparmor profile and a local profile to add/override some rules
#
# === Parameters
#
# [*default_base*]
#  Default path to use with $source and $local_source. If unset (default),
#  defaults to a distro specific path.
#
# [*source*]
#   Source path to the Apparmor profile. If unset (default), defaults to
#   "${default_base}/${name}".
#
# [*local_source*]
#   Tri-state variable that can be true, false (default) or a source path to the
#   local Apparmor profile. If true, uses "${default_base}/local/${name}" as the
#   source path to the local Apparmor profile. If false, do not install a local
#   profile. If set to something else, use it as the source path.
#
# [*post_cmd*]
#   The command to run after installing a profile (usually to restart a daemon).
#   If unset (default), no command is run after installing the profile.
#
# === Variables
#
# [*lsbdistrelease*]
#   The LSB distribution release number (normally provided as a fact).
#
# === Examples
#
# apparmor::profile { 'usr.sbin.nsd':
#   local_source => true,
#   post_cmd     => 'service nsd3 restart',
# }
#
# apparmor::profile { 'usr.sbin.ssmtp': }
#
# apparmor::profile { 'usr.sbin.apt-cacher-ng':
#   source => 'puppet:///modules/bar/apt-cacher-ng/aa-profile',
# }
#
# === Authors
#
# Simon Deziel <simon.deziel@gmail.com>
#
# === Copyright
#
# Copyright 2012 Simon Deziel
#
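define apparmor::profile (
  $default_base = "puppet:///modules/apparmor/aa-profiles/${::lsbdistrelease}",
  $source       = undef,
  $local_source = false,
  $post_cmd     = undef,
) {

  include apparmor
  $apparmor_d = $apparmor::apparmor_d

  # The title ($name) is interpolated into file paths and into the shell
  # command below, so refuse anything that is not a plain profile file
  # name (e.g. "usr.sbin.nsd") before any resource is declared.  A title
  # containing "/", whitespace or shell metacharacters would otherwise
  # escape ${apparmor_d} or change the meaning of the exec command.
  if $name !~ /\A[A-Za-z0-9._+-]+\z/ {
    fail("apparmor::profile: invalid profile name '${name}'")
  }

  # Where the profile is fetched from: an explicit $source wins,
  # otherwise it is looked up under $default_base.
  if $source {
    $real_source = $source
  } else {
    $real_source = "${default_base}/${name}"
  }

  # Profiles are only read by root (apparmor_parser runs as root), so pin
  # ownership and mode rather than inheriting whatever permissions the
  # source file happens to carry on the master.
  file { "${apparmor_d}/${name}":
    source => $real_source,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    notify => Exec["aa-enable-${name}"],
  }

  # Remove the "disable" symlink if any, so the profile is enforced again
  # even if it was previously disabled by hand.
  file { "${apparmor_d}/disable/${name}":
    ensure => absent,
    notify => Exec["aa-enable-${name}"],
  }

  # Resolve the tri-state $local_source: true -> conventional path,
  # false -> no local profile, anything else -> used as the source path.
  if ($local_source == true) {
    $real_local_source = "${default_base}/local/${name}"
  } elsif ($local_source == false) {
    $real_local_source = undef
  } else {
    $real_local_source = $local_source
  }

  if $real_local_source {
    file { "${apparmor_d}/local/${name}":
      source => $real_local_source,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      notify => Exec["aa-enable-${name}"],
      # Make sure the local profile is installed first to avoid
      # calling apparmor_parser without the local profile.
      before => File["${apparmor_d}/${name}"],
    }
  }

  # (Re)load the profile and run the post command.  $post_cmd is run
  # verbatim by design (it is a command, not data) and only after the
  # parser succeeded, so a broken profile never restarts the daemon.
  # NOTE(review): the "&&" chaining relies on the command reaching a
  # shell; if it does not on your Puppet version, add `provider => shell`.
  if $post_cmd {
    $command = "apparmor_parser -r -T -W ${apparmor_d}/${name} && ${post_cmd}"
  } else {
    $command = "apparmor_parser -r -T -W ${apparmor_d}/${name}"
  }
  # refreshonly: only reload when one of the managed files above changed.
  exec { "aa-enable-${name}":
    command     => $command,
    path        => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
    refreshonly => true,
  }
}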