From: Tomasz Swierczek Date: Fri, 23 Oct 2020 06:54:16 +0000 (+0200) Subject: Relax exit-on-error in update scripts X-Git-Tag: submit/tizen/20201026.160418~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F82%2F246082%2F8;p=platform%2Fcore%2Fsecurity%2Fsecurity-manager.git Relax exit-on-error in update scripts These scripts use systemctl systemd command to start & stop service/socket of security-manager. On systems where systemd is not used to manage security-manager (ie. some TV images), this can result in update script being not executed properly. Added "set +e/set -e" before each systemctl invocation. With this set of changes, it is assumed that whatever mechanism is actually used to manage security-manager service, it is ensuring that the daemon is NOT running when updates are being executed and that it IS started after the update. Updated scripts will try to lock the $TZ_SYS_RUN/lock/security-manager.lock file, usually taken by daemon at its startup; if that fails, updates will exit with an error. Change-Id: If452415465a6c31ba7360f4b0272d51708602242 --- diff --git a/policy/updates/update-policy-to-v3.sh b/policy/updates/update-policy-to-v3.sh index 7ab8d78c..967ac23e 100755 --- a/policy/updates/update-policy-to-v3.sh +++ b/policy/updates/update-policy-to-v3.sh 
@@ -25,8 +25,17 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket - +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } label_mapping=`mktemp` @@ -80,7 +89,13 @@ xargs sed -i rules/* `find -type f -name apps-labels` cat rules/* | tee rules-merged/rules.merged | smackload -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e echo "Migration successful" rm -f $label_mapping diff --git a/policy/updates/update-policy-to-v4.sh b/policy/updates/update-policy-to-v4.sh index 8dc517ba..b746fcfd 100755 --- a/policy/updates/update-policy-to-v4.sh +++ b/policy/updates/update-policy-to-v4.sh 
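Review bot: `exec 9>"$TZ_SYS_RUN/lock/security-manager.lock"` creates the lock file when it is missing and truncates it before the lock is tested, and unless `set -u` is active outside the hunk an unset `TZ_SYS_RUN` quietly turns the path into `/lock/security-manager.lock`. If the daemon on some image locks a different path, `flock -n 9` succeeds on a freshly created file and the "daemon is not running" guarantee is never really checked; whether the daemon keeps any content in this file is not visible from the diff. Opening in append mode with a mandatory variable, `exec 9>>"${TZ_SYS_RUN:?}/lock/security-manager.lock"`, avoids the truncation and the empty-prefix path. Separately, the `set +e` / `set -e` pair is redundant because a command on the left of `||` never triggers errexit, and the "Problem with systemd" message should go to stderr like the flock error does. The same lines are repeated in the opening hunks of update-policy-to-v4.sh, v6, v8 and v9 and in the single hunks of v5 and v7.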
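Review bot: After `flock -u 9`, a failed `systemctl start security-manager.service security-manager.socket` is reduced to a stdout message, and the script still prints "Migration successful" and exits 0. On an image where systemd does manage security-manager, a real start failure therefore leaves the daemon down with no error status for the updater to act on. Consider tolerating the failure only when systemd is not the running init, e.g. `if [ -d /run/systemd/system ]; then systemctl start security-manager.service security-manager.socket; fi`, or at least writing the message to stderr with `>&2`; images that run systemd without the unit files would need their own check. The same applies to the closing hunks of update-policy-to-v4.sh, v6, v8 and v9 and to the single hunks of v5 and v7 (the "Migration successful" line is only visible in v3 and v4).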
@@ -25,8 +25,17 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } app_label_nonhybrid=`mktemp` @@ -53,7 +62,13 @@ done cat rules/* | tee rules-merged/rules.merged | smackload -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e echo "Migration successful" rm -f $app_label_nonhybrid diff --git a/policy/updates/update-policy-to-v5.sh b/policy/updates/update-policy-to-v5.sh index a4336b29..9ef3a576 100755 --- a/policy/updates/update-policy-to-v5.sh +++ b/policy/updates/update-policy-to-v5.sh 
@@ -25,6 +25,24 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } + sed -r '/^\s*$/d' -i $TZ_SYS_VAR/security-manager/rules/* $TZ_SYS_VAR/security-manager/rules-merged/* -systemctl start security-manager.service security-manager.socket + +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e \ No newline at end of file diff --git a/policy/updates/update-policy-to-v6.sh b/policy/updates/update-policy-to-v6.sh index 9fb8d77b..1b10abc8 100755 --- a/policy/updates/update-policy-to-v6.sh +++ b/policy/updates/update-policy-to-v6.sh 
@@ -25,7 +25,17 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } cyad --set-bucket=MANIFESTS_GLOBAL --type=DENY cyad --set-bucket=MANIFESTS_LOCAL --type=DENY @@ -56,4 +66,10 @@ done cyad --delete-bucket=MANIFESTS -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e \ No newline at end of file diff --git a/policy/updates/update-policy-to-v7.sh b/policy/updates/update-policy-to-v7.sh index e11db166..af642ca0 100755 --- a/policy/updates/update-policy-to-v7.sh +++ b/policy/updates/update-policy-to-v7.sh 
@@ -25,8 +25,24 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } rm -rf "$TZ_SYS_VAR"/security-manager/rules{,-merged} -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e \ No newline at end of file diff --git a/policy/updates/update-policy-to-v8.sh b/policy/updates/update-policy-to-v8.sh index f5d6f00c..c1e80d76 100755 --- a/policy/updates/update-policy-to-v8.sh +++ b/policy/updates/update-policy-to-v8.sh 
@@ -25,7 +25,17 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } temp_dir=`mktemp -d` @@ -44,4 +54,10 @@ done rmdir $temp_dir -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e \ No newline at end of file diff --git a/policy/updates/update-policy-to-v9.sh b/policy/updates/update-policy-to-v9.sh index 710bb8ea..0b93b77a 100755 --- a/policy/updates/update-policy-to-v9.sh +++ b/policy/updates/update-policy-to-v9.sh 
@@ -25,7 +25,17 @@ export PATH=/sbin:/usr/sbin:/bin:/usr/bin . /etc/tizen-platform.conf -systemctl stop security-manager.service security-manager.socket +### In case there is no systemd or no systemd configuration on image (ie. some TV images) +### this can be still run... +set +e +systemctl stop security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e + +### ...but we have to be sure that the daemon is not running; +### manually choosing file descriptor number (9) as sh on some images is quite old +### doesn't seem to support the exec {fd_var}>/path/to/file syntax +exec 9>"$TZ_SYS_RUN/lock/security-manager.lock" +flock -n 9 || { echo "ERROR: flock() failed, security-manager daemon is probably running, exiting from update" >&2; exit 1; } trusted_dirs=`find "$TZ_SYS_OPT" -name trusted | grep apps_rw` @@ -39,5 +49,11 @@ do fi done -systemctl start security-manager-rules-loader.service -systemctl start security-manager.service security-manager.socket +### Still needed in case systemd is managing service, otherwise systemctl will fail to start daemon +flock -u 9 + +### +/-e needed as systemd can be unavailable or purposedly lacking configuration on some images (ie. TV) +set +e +systemctl start security-manager-rules-loader.service || echo "Problem with systemd (no .service/.socket files?), continuing" +systemctl start security-manager.service security-manager.socket || echo "Problem with systemd (no .service/.socket files?), continuing" +set -e \ No newline at end of file
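Review bot: In the closing hunk of update-policy-to-v9.sh, a failure of `systemctl start security-manager-rules-loader.service` no longer prevents the following `systemctl start security-manager.service security-manager.socket` from running, because both lines sit under `set +e` with their own `|| echo`. The script's original `set -e` is outside the hunk, so it is inferred from the added `set -e` that the removed lines would have aborted between the two starts. On a systemd-managed image this lets the daemon come up after the rules loader has failed. If the daemon should only start once the loader succeeded, make the second start conditional on the first, e.g. `if systemctl start security-manager-rules-loader.service; then systemctl start security-manager.service security-manager.socket || echo "..." >&2; else echo "..." >&2; fi`, keeping the existing message text.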