[apparmor] [PATCH 4/5] Add the ability to read proc attr interfaces

John Johansen john.johansen at canonical.com
Fri Jul 15 02:35:15 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/14/2011 04:29 PM, Steve Beattie wrote:
> On Tue, Jul 12, 2011 at 01:50:22PM -0700, John Johansen wrote:
>> On 07/12/2011 12:01 PM, Seth Arnold wrote:
>>> The ret=1 just before the for loop isn't needed (except to quiet warnings?) 
>>> I think the entire for loop would be easier read as a while loop.
>>>
>> heh, sorry you were right, I missed that I was double assigning ret.
>>
>> revised patch using while and fixing a couple of bugs below
>>
>> ---
>>
>> Add the ability to read proc attr interfaces
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>>
>> diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
>> index 0e61065..9f16bd0 100644
>> --- a/libraries/libapparmor/src/kernel_interface.c
>> +++ b/libraries/libapparmor/src/kernel_interface.c
>> @@ -54,6 +54,68 @@ static char *procattr_path(pid_t pid, const char *attr)
>>  	return NULL;
>>  }
>>  
>> +/**
>> + * getprocattr - get the contents of @attr for @tid into @buf
>> + * @tid: tid of task to query
>> + * @attr: which /proc/<tid>/current/attr to query
> 
> Nitpick: "which /proc/<tid>/attr/<attr> to query"
> 
>> + * @buf: buffer to store the result in
>> + * @len: size of the buffer
>> + *
>> + * Returns: size of data read or -1 on error, and sets errno
>> + */
>> +static int getprocattr(pid_t tid, const char *attr, char *buf, int len)
>> +{
>> +	int rc = -1;
>> +	int fd, ret;
>> +	char *ctl = NULL;
>> +	int size = 0;
>> +
>> +	if (!buf || len <= 0) {
>> +		errno = EINVAL;
>> +		goto out;
>> +	}
>> +
>> +	ctl = procattr_path(tid, attr);
>> +	if (!ctl)
>> +		goto out;
>> +
>> +	fd = open(ctl, O_RDONLY);
>> +	if (fd == -1) {
>> +		goto out;
>> +	}
>> +
>> +	do {
>> +		ret = read(fd, buf, len);
>> +		if (ret <= 0)
>> +			break;
>> +		buf += ret;
>> +		size += ret;
>> +		len -= ret;
>> +		if (len < 0) {
>> +			errno = ENAMETOOLONG;
>> +			break;
> 
> Is the intent to require the caller to check both errno and the return
> value rc? Because with the current code, if the buffer is too small, rc
> is still set to the amount read. You can see this with the attached
> patch to the aa_logmisc.c unit tests (I had to make getprocattr not
> static for it to work).
> 
nope, you should only need to check errno if rc == -1

so I have fixed, both of your complaints.  Revised patch below

- ---

Library interface for tasks introspecting confinement.

Signed-off-by: John Johansen <john.johansen at canonical.com>

diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
index 4ae0a03..e8c9975 100644
- --- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@@ -33,6 +33,8 @@ extern int aa_change_onexec(const char *profile);
 
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
+extern int aa_query_confinement(pid_t target, char **confinement);
+extern int aa_introspect_confinement(char **confinement);
 
 #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
 #define __macroarg_count1(Y...) __macroarg_count2 (Y, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
index 9f16bd0..63825cb 100644
- --- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -57,7 +57,7 @@ static char *procattr_path(pid_t pid, const char *attr)
 /**
  * getprocattr - get the contents of @attr for @tid into @buf
  * @tid: tid of task to query
- - * @attr: which /proc/<tid>/current/attr to query
+ * @attr: which /proc/<tid>/attr/current to query
  * @buf: buffer to store the result in
  * @len: size of the buffer
  *
@@ -93,6 +93,7 @@ static int getprocattr(pid_t tid, const char *attr, char *buf, int len)
 		len -= ret;
 		if (len < 0) {
 			errno = ENAMETOOLONG;
+			ret = -1;
 			break;
 		}
 	} while (ret > 0);
@@ -333,3 +334,33 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
 	va_end(ap);
 	return aa_change_hatv(argv, token);
 }
+
+/**
+ * aa_query_confinement - query what the confinement for task @target is
+ * @target: task to query
+ * @confinement: pointer to the buffer with the profile name if successful
+ *
+ * Returns: length of confinement data or -1 on error and sets errno
+ */
+int aa_query_confinement(pid_t target, char **confinement)
+{
+	int size;
+	char *buffer = malloc(PATH_MAX);
+	if (!buffer)
+		return -1;
+	size = getprocattr(target, "current", buffer, PATH_MAX);
+	if (size != -1)
+		*confinement = buffer;
+	return size;
+}
+
+/**
+ * aa_introspect_confinement - query what the confinement for current task is
+ * @confinement: pointer to the buffer with the profile name if successful
+ *
+ * Returns: length of confinement data or -1 on error and sets errno
+ */
+int aa_introspect_confinement(char **confinement)
+{
+	return aa_query_confinement(aa_gettid(), confinement);
+}
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index c56cb86..ebd13c9 100644
- --- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -21,6 +21,8 @@ APPARMOR_1.1 {
         aa_change_hat_vargs;
         aa_change_profile;
         aa_change_onexec;
+        aa_query_confinement;
+        aa_introspect_confinement;
         parse_record;
         free_record;
   local:
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 1f2ede3..830f1c0 100644
- --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -18,4 +18,5 @@ extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int aa_change_hat_vargs(unsigned long token, int count, ...);
- -
+extern int aa_query_confinement(pid_t target, char **confinement);
+extern int aa_introspect_confinement(char **confinement);
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4fp1wACgkQxAVxIsEKI+YgqQCfZsplrn2BxlNL2V+UK06P+zBd
ZYYAn2pRJP5dP4hBjAWNeOliFQkaZFjT
=aw5z
-----END PGP SIGNATURE-----

More information about the AppArmor mailing list