Add check for $TZ_SYS_RUN/lock existance in update scripts

The location for locking directory can be not mounted/not created
yet at update running time. TV images should not run security-manager
at this moment, so the updaring script should continue normally

Change-Id: I8d84af74a33354efd5e5dcae672340793d3d961d

7 files changed, 42 insertions, 0 deletions

diff --git a/policy/updates/update-policy-to-v3.sh b/policy/updates/update-policy-to-v3.sh
index 967ac23e..d32d559d 100755
--- a/policy/updates/update-policy-to-v3.sh
+++ b/policy/updates/update-policy-to-v3.sh
@@ -34,8 +34,12 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 label_mapping=`mktemp`
 
@@ -90,7 +94,9 @@ xargs sed -i rules/* `find -type f -name apps-labels`
 cat rules/* | tee rules-merged/rules.merged | smackload
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v4.sh b/policy/updates/update-policy-to-v4.sh
index b746fcfd..883c7cce 100755
--- a/policy/updates/update-policy-to-v4.sh
+++ b/policy/updates/update-policy-to-v4.sh
@@ -34,8 +34,12 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 app_label_nonhybrid=`mktemp`
 
@@ -63,7 +67,9 @@ done
 cat rules/* | tee rules-merged/rules.merged | smackload
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v5.sh b/policy/updates/update-policy-to-v5.sh
index 9ef3a576..374e31fb 100755
--- a/policy/updates/update-policy-to-v5.sh
+++ b/policy/updates/update-policy-to-v5.sh
@@ -34,13 +34,19 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 sed -r '/^\s*$/d' -i $TZ_SYS_VAR/security-manager/rules/* $TZ_SYS_VAR/security-manager/rules-merged/*
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v6.sh b/policy/updates/update-policy-to-v6.sh
index 1b10abc8..4a87ebe7 100755
--- a/policy/updates/update-policy-to-v6.sh
+++ b/policy/updates/update-policy-to-v6.sh
@@ -34,8 +34,12 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 cyad --set-bucket=MANIFESTS_GLOBAL --type=DENY
 cyad --set-bucket=MANIFESTS_LOCAL --type=DENY
@@ -67,7 +71,9 @@ done
 cyad --delete-bucket=MANIFESTS
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v7.sh b/policy/updates/update-policy-to-v7.sh
index af642ca0..88a3f075 100755
--- a/policy/updates/update-policy-to-v7.sh
+++ b/policy/updates/update-policy-to-v7.sh
@@ -34,13 +34,19 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 rm -rf "$TZ_SYS_VAR"/security-manager/rules{,-merged}
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v8.sh b/policy/updates/update-policy-to-v8.sh
index c1e80d76..7eb4f582 100755
--- a/policy/updates/update-policy-to-v8.sh
+++ b/policy/updates/update-policy-to-v8.sh
@@ -34,8 +34,12 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 temp_dir=`mktemp -d`
 
@@ -55,7 +59,9 @@ done
 rmdir $temp_dir
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e
diff --git a/policy/updates/update-policy-to-v9.sh b/policy/updates/update-policy-to-v9.sh
index 0b93b77a..a1e6f404 100755
--- a/policy/updates/update-policy-to-v9.sh
+++ b/policy/updates/update-policy-to-v9.sh
@@ -34,8 +34,12 @@ set -e
 ### ...but we have to be sure that the daemon is not running;
 ### manually choosing file descriptor number (9) as sh on some images is quite old
 ### doesn't seem to support the exec {fd_var}>/path/to/file syntax
+lock_taken=false
+if [ -d "$TZ_SYS_RUN/lock" ]; then
 exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"
 flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; }
+lock_taken=true
+fi
 
 trusted_dirs=`find "$TZ_SYS_OPT" -name trusted | grep apps_rw`
 
@@ -50,7 +54,9 @@ do
 done
 
 ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon
+if [ "$lock_taken" = true ]; then
 flock -u 9
+fi
 
 ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV)
 set +e