# network-interface-security - configure network device security
#
# This is a one-time start-up script to load AppArmor profiles needed
# before the network comes up.

description	"configure network device security"

# In order to avoid upstart bug LP: #447654, we cannot have an AND
# statement here (with the ORs).  An "and virtual-filesystems" is desired
# here to make sure that the securityfs is mounted, but since each of the
# ORed services already require virtual-filesystems be mounted, this is safe:
start on (starting network-interface
          or starting network-manager
          or starting networking)

# In order to handle the lack of upstart feature LP: #568860, we need to
# run multiple times, for each of the above "starting" service instances, or
# else another one might run while we're running, and not wait for us to
# finish.
instance $JOB${INTERFACE:+/}${INTERFACE:-}

# Since we need these profiles to be loaded before any of the above services
# begin running, this service must be a pre-start so that its pre-start
# script finishes before the above services' start scripts begin.
pre-start script
    [ -f /{,var/}run/network-interface-security ] && exit 0 # already ran
    [ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load on liveCD
    [ -d /sys/module/apparmor ]  || exit 0 # do not load without AppArmor
    [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
    for link in /etc/apparmor/init/network-interface-security/* ; do
        [ -L $link ] && /sbin/apparmor_parser -r -W $link || true
    done
    > /{,var/}run/network-interface-security
end script