(command.CommandList children: [ (C {<.>} {<'/lib/apparmor/functions'>}) (C {<.>} {<'/lib/lsb/init-functions'>}) (command.ShFunction name: usage body: (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (C {<echo>} { (DQ <'Usage: '> ($ Id.VSub_Number 0) <' {start|stop|restart|reload|force-reload|status|recache}'> ) } ) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {<-x>} {(${ Id.VSub_Name PARSER)}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<test>} {<-d>} {<'/sys/module/apparmor'>}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.ShFunction name: securityfs body: (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<Id.KW_Bang '!'>} {<-d>} {(DQ (${ Id.VSub_Name AA_SFS))} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<cut>} {<-d> (DQ <' '>)} {<-f2> <Id.Lit_Comma ','> <3>} {<'/proc/mounts'>} ) (C {<grep>} {<-q>} {(DQ <'^'> (${ Id.VSub_Name SECURITYFS) <' securityfs'>) (SQ <'$'>) } ) ] negated: F stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_action_msg>} {(DQ <'AppArmor not available as kernel LSM.'>)}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [191 225] ) ] else_action: [ (C {<log_action_begin_msg>} {(DQ <'Mounting securityfs on '> (${ Id.VSub_Name SECURITYFS))} ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<mount>} {<-t>} {<securityfs>} {<none>} {(DQ (${ Id.VSub_Name SECURITYFS))} ) ] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_action_end_msg>} {<1>}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [258 277] ) ] else_action: [] redirects: [] ) ] redirects: [] ) ] spids: [171 188] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<Id.KW_Bang '!'>} {<-w>} {(DQ ($ Id.VSub_DollarName AA_SFS)) <'/.load'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_action_msg>} {(DQ <'Insufficient privileges to change profiles.'>)}) (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [304 320] ) ] else_action: [] redirects: [] ) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ) (command.ShFunction name: handle_system_policy_package_updates body: (BraceGroup left: <Id.Lit_LBrace '{'> children: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'apparmor_was_updated='> name: apparmor_was_updated ) op: assign_op.Equal rhs: {<0>} spids: [352] ) ] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [(C {<compare_previous_version>})] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<clear_cache_system>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'apparmor_was_updated='> name: apparmor_was_updated ) op: assign_op.Equal rhs: {<1>} spids: [391] ) ] redirects: [] ) ] spids: [357 365] ) (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [(C {<compare_and_save_debsums>} {<apparmor>})] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<clear_cache>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'apparmor_was_updated='> name: apparmor_was_updated ) op: assign_op.Equal rhs: {<1>} spids: [435] ) ] redirects: [] ) ] spids: [395 405] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-clickhook'>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-profile-hook'>} {<Id.Lit_RBracket ']'>} ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_clickhook='> name: force_clickhook ) op: assign_op.Equal rhs: {<0>} spids: [476] ) ] redirects: [] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_profile_hook='> name: force_profile_hook ) op: assign_op.Equal rhs: {<0>} spids: [480] ) ] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<compare_and_save_debsums>} {<apparmor-easyprof-ubuntu>}) ] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_clickhook='> name: force_clickhook ) op: assign_op.Equal rhs: {<1>} spids: [497] ) ] redirects: [] ) ] spids: [484 494] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<compare_and_save_debsums>} {<apparmor-easyprof-ubuntu-snappy>} ) ] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_clickhook='> name: force_clickhook ) op: assign_op.Equal rhs: {<1>} spids: [517] ) ] redirects: [] ) ] spids: [504 514] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [(C {<compare_and_save_debsums>} {<click-apparmor>})] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_clickhook='> name: force_clickhook ) op: assign_op.Equal rhs: {<1>} spids: [537] ) ] redirects: [] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left: <Id.Lit_VarLike 'force_profile_hook='> name: force_profile_hook ) op: assign_op.Equal rhs: {<1>} spids: [541] ) ] redirects: [] ) ] spids: [524 534] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-clickhook'>} {<Id.Lit_RBracket ']'>} ) (command.Subshell child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName force_clickhook)} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName apparmor_was_updated)} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) ] ) redirects: [] ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<aa-clickhook>} {<-f>})] spids: [548 586] ) ] else_action: [] redirects: [] ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/bin/aa-profile-hook'>} {<Id.Lit_RBracket ']'>} ) (command.Subshell child: (command.AndOr ops: [Id.Op_DPipe] children: [ (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName force_profile_hook)} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) (C {<Id.Lit_LBracket '['>} {($ Id.VSub_DollarName apparmor_was_updated)} {<-eq>} {<1>} {<Id.Lit_RBracket ']'>} ) ] ) redirects: [] ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<aa-profile-hook>} {<-f>})] spids: [597 635] ) ] else_action: [] redirects: [] ) ] spids: [443 465] ) ] else_action: [] redirects: [] ) ] redirects: [] right: <Id.Lit_RBrace '}'> ) ) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {(DQ ($ Id.VSub_Number 1))} {<Id.Lit_Equals '='>} {(DQ <recache>)} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_daemon_msg>} {(DQ <'Recaching AppArmor profiles'>)}) (C {<recache_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '?')} spids: [684] ) ] redirects: [] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName rc))}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {($ Id.VSub_DollarName rc)} ) ] spids: [654 671] ) ] else_action: [] redirects: [] ) (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<test>} {<-d>} {<'/rofs/etc/apparmor.d'>}) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{<0>}) ] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {<255>} spids: [718] ) ] redirects: [] ) (command.Case to_match: {(DQ ($ Id.VSub_Number 1))} arms: [ (case_arm pat_list: [{<start>}] action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T stderr_indices: [] ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_daemon_msg>} {(DQ <'Not starting AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [734 751] ) ] else_action: [] redirects: [] ) (C {<log_daemon_msg>} {(DQ <'Starting AppArmor profiles'>)}) (C {<securityfs>}) (C {<handle_system_policy_package_updates>}) (C {<load_configured_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '?')} spids: [790] ) ] redirects: [] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName rc))}) ] spids: [730 731 801 -1] ) (case_arm pat_list: [{<stop>}] action: [ (C {<log_daemon_msg>} {(DQ <'Clearing AppArmor profiles cache'>)}) (C {<clear_cache>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '?')} spids: [818] ) ] redirects: [] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName rc))}) (command.Simple words: [{<cat>}] redirects: [ (redir op:<Id.Redir_GreatAnd '>&'> loc:(redir_loc.Fd fd:1) arg:{<2>}) (redir op: <Id.Redir_DLess '<<'> loc: (redir_loc.Fd fd:0) arg: (redir_param.HereDoc here_begin: {<EOM>} here_end_span_id: 847 stdin_parts: [ < 'All profile caches have been cleared, but no profiles have been unloaded.\n' > <'Unloading profiles will leave already running processes permanently\n'> <'unconfined, which can lead to unexpected situations.\n'> <'\n'> <'To set a process to complain mode, use the command line tool\n'> <'\'aa-complain\'. To really tear down all profiles, run the init script\n'> <'with the \'teardown\' option.'> <Id.Right_DoubleQuote '"'> <'\n'> ] ) ) ] more_env: [] do_fork: T ) ] spids: [804 805 849 -1] ) (case_arm pat_list: [{<teardown>}] action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T stderr_indices: [] ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_daemon_msg>} {(DQ <'Not tearing down AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [856 873] ) ] else_action: [] redirects: [] ) (C {<log_daemon_msg>} {(DQ <'Unloading AppArmor profiles'>)}) (C {<securityfs>}) (command.Pipeline children: [ (C {<running_profile_names>}) (command.WhileUntil keyword: <Id.KW_While while> cond: (condition.Shell commands: [ (command.Sentence child: (C {<read>} {<profile>}) terminator: <Id.Op_Semi _> ) ] ) body: (command.DoGroup children: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.Pipeline children: [ (C {<unload_profile>} {(DQ ($ Id.VSub_DollarName profile))}) ] negated: T stderr_indices: [] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_end_msg>} {<1>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<1>} ) ] spids: [920 932] ) ] else_action: [] redirects: [] ) ] ) redirects: [] ) ] negated: F stderr_indices: [] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {<0>} spids: [951] ) ] redirects: [] ) (C {<log_end_msg>} {($ Id.VSub_DollarName rc)}) ] spids: [852 853 960 -1] ) (case_arm pat_list: [{<restart>} {<reload>} {<force-reload>}] action: [ (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (command.AndOr ops: [Id.Op_DAmp] children: [ (C {<systemd-detect-virt>} {<--quiet>} {<--container>}) (command.Pipeline children: [(C {<is_container_with_internal_policy>})] negated: T stderr_indices: [] ) ] ) terminator: <Id.Op_Semi _> ) ] ) action: [ (C {<log_daemon_msg>} {(DQ <'Not reloading AppArmor in container'>)}) (C {<log_end_msg>} {<0>}) (command.ControlFlow token: <Id.ControlFlow_Exit exit> arg_word: {<0>} ) ] spids: [971 988] ) ] else_action: [] redirects: [] ) (C {<log_daemon_msg>} {(DQ <'Reloading AppArmor profiles'>)}) (C {<securityfs>}) (C {<clear_cache>}) (C {<load_configured_profiles>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '?')} spids: [1027] ) ] redirects: [] ) (C {<log_end_msg>} {(DQ ($ Id.VSub_DollarName rc))}) ] spids: [963 968 1039 -1] ) (case_arm pat_list: [{<status>}] action: [ (C {<securityfs>}) (command.If arms: [ (if_arm cond: (condition.Shell commands: [ (command.Sentence child: (C {<Id.Lit_LBracket '['>} {<-x>} {<'/usr/sbin/aa-status'>} {<Id.Lit_RBracket ']'>} ) terminator: <Id.Op_Semi _> ) ] ) action: [(C {<aa-status>} {<--verbose>})] spids: [1049 1060] ) ] else_action: [(C {<cat>} {(DQ ($ Id.VSub_DollarName AA_SFS)) <'/profiles'>})] redirects: [] ) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {($ Id.VSub_QMark '?')} spids: [1082] ) ] redirects: [] ) ] spids: [1042 1043 1086 -1] ) (case_arm pat_list: [{<Id.Lit_Star '*'>}] action: [ (C {<usage>}) (command.ShAssignment pairs: [ (assign_pair lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'rc='> name:rc) op: assign_op.Equal rhs: {<1>} spids: [1096] ) ] redirects: [] ) ] spids: [1089 1090 1100 -1] ) ] redirects: [] ) (command.ControlFlow token:<Id.ControlFlow_Exit exit> arg_word:{($ Id.VSub_DollarName rc)}) ] )