author | Tomasz Swierczek <t.swierczek@samsung.com> | 2020-10-29 09:55:09 +0100 |
---|---|---|
committer | Tomasz Swierczek <t.swierczek@samsung.com> | 2020-10-29 09:55:09 +0100 |
commit | 5de0aca49241c05091ffe10ce614ee9c1db91191 (patch) | |
tree | b54ed277dcf6407562158435ebb4a29c8d4c2a95 | |
parent | edea460aa5186489c2f74a74f520b8f0ae1e4fc6 (diff) | |
download | security-manager-5de0aca49241c05091ffe10ce614ee9c1db91191.tar.gz security-manager-5de0aca49241c05091ffe10ce614ee9c1db91191.tar.bz2 security-manager-5de0aca49241c05091ffe10ce614ee9c1db91191.zip |
Add check for $TZ_SYS_RUN/lock existance in update scripts
The locking directory may not be mounted or created
yet when the update runs. TV images should not run security-manager
at this point, so the update script should continue normally
Change-Id: I8d84af74a33354efd5e5dcae672340793d3d961d
-rwxr-xr-x | policy/updates/update-policy-to-v3.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v4.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v5.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v6.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v7.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v8.sh | 6 | ||||
-rwxr-xr-x | policy/updates/update-policy-to-v9.sh | 6 |
7 files changed, 42 insertions, 0 deletions
diff --git a/policy/updates/update-policy-to-v3.sh b/policy/updates/update-policy-to-v3.sh index 967ac23e..d32d559d 100755 --- a/policy/updates/update-policy-to-v3.sh +++ b/policy/updates/update-policy-to-v3.sh @@ -34,8 +34,12 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi label_mapping=`mktemp` @@ -90,7 +94,9 @@ xargs sed -i rules/* `find -type f -name apps-labels` cat rules/* | tee rules-merged/rules.merged | smackload ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e diff --git a/policy/updates/update-policy-to-v4.sh b/policy/updates/update-policy-to-v4.sh index b746fcfd..883c7cce 100755 --- a/policy/updates/update-policy-to-v4.sh +++ b/policy/updates/update-policy-to-v4.sh @@ -34,8 +34,12 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi app_label_nonhybrid=`mktemp` 
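Review bot: Skipping the lock when `$TZ_SYS_RUN/lock` is absent silently drops the script's only guard against running the policy update concurrently with the daemon, and the skip leaves no trace in the update log; the same pattern is repeated in the first hunk of update-policy-to-v4.sh through update-policy-to-v9.sh. Because the scripts use `set -e` without `set -u`, an unset `TZ_SYS_RUN` takes the same branch (`-d "/lock"` is false) and the update proceeds unlocked instead of failing loudly. I would assert the variable before the test, `: "${TZ_SYS_RUN:?TZ_SYS_RUN must be set}"`, and make the skip visible with `else echo "WARNING: $TZ_SYS_RUN/lock not present, running update without daemon lock" >&2` before the `fi`, so an image where the daemon is unexpectedly running at update time can be diagnosed from the log. The assumption that the daemon is not running when the directory is missing is stated only in the commit message; a comment above the `if` recording it would help the next maintainer.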
@@ -63,7 +67,9 @@ done cat rules/* | tee rules-merged/rules.merged | smackload ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e diff --git a/policy/updates/update-policy-to-v5.sh b/policy/updates/update-policy-to-v5.sh index 9ef3a576..374e31fb 100755 --- a/policy/updates/update-policy-to-v5.sh +++ b/policy/updates/update-policy-to-v5.sh @@ -34,13 +34,19 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi sed -r '/^\s*$/d' -i $TZ_SYS_VAR/security-manager/rules/* $TZ_SYS_VAR/security-manager/rules-merged/* ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e diff --git a/policy/updates/update-policy-to-v6.sh b/policy/updates/update-policy-to-v6.sh index 1b10abc8..4a87ebe7 100755 --- a/policy/updates/update-policy-to-v6.sh +++ b/policy/updates/update-policy-to-v6.sh 
@@ -34,8 +34,12 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi cyad --set-bucket=MANIFESTS_GLOBAL --type=DENY cyad --set-bucket=MANIFESTS_LOCAL --type=DENY @@ -67,7 +71,9 @@ done cyad --delete-bucket=MANIFESTS ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e diff --git a/policy/updates/update-policy-to-v7.sh b/policy/updates/update-policy-to-v7.sh index af642ca0..88a3f075 100755 --- a/policy/updates/update-policy-to-v7.sh +++ b/policy/updates/update-policy-to-v7.sh @@ -34,13 +34,19 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi rm -rf "$TZ_SYS_VAR"/security-manager/rules{,-merged} ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e 
diff --git a/policy/updates/update-policy-to-v8.sh b/policy/updates/update-policy-to-v8.sh index c1e80d76..7eb4f582 100755 --- a/policy/updates/update-policy-to-v8.sh +++ b/policy/updates/update-policy-to-v8.sh @@ -34,8 +34,12 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi temp_dir=`mktemp -d` @@ -55,7 +59,9 @@ done rmdir $temp_dir ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e diff --git a/policy/updates/update-policy-to-v9.sh b/policy/updates/update-policy-to-v9.sh index 0b93b77a..a1e6f404 100755 --- a/policy/updates/update-policy-to-v9.sh +++ b/policy/updates/update-policy-to-v9.sh @@ -34,8 +34,12 @@ set -e ### ...but we have to be sure that the daemon is not running; ### manually choosing file descriptor number (9) as sh on some images is quite old ### doesn't seem to support the exec {fd_var}>/path/to/file syntax +lock_taken=false +if [ -d "$TZ_SYS_RUN/lock" ]; then exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } +lock_taken=true +fi trusted_dirs=`find "$TZ_SYS_OPT" -name trusted | grep apps_rw` 
@@ -50,7 +54,9 @@ do done ### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +if [ "$lock_taken" = true ]; then flock -u 9 +fi ### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) set +e |