[apparmor] [PATCH 5/5] Function to test if apparmor support is enabled.

Seth Arnold seth.arnold at gmail.com
Thu Jul 21 19:06:27 UTC 2011


I'm not sure I like a 0 return for "enabled" :)

if (!aa_is_enabled()) { /* enabled */ } else { /* check errno */ }

The routine also makes some big assumptions about specific path names (similar to the mountpoint finder -- the existence of the path /sys/kernel/security/apparmor doesn't necessarily mean it is a securityfs mount point) and about a confined program's ability to use the filesystem -- EPERM should probably also be treated as "AA potentially enabled and confinement forbids learning details".

Thanks John!

-----Original Message-----
From: John Johansen <john.johansen at canonical.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 21 Jul 2011 11:16:38 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH 5/5] Function to test if apparmor support is
	enabled.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 libraries/libapparmor/doc/aa_find_mountpoint.pod |   29 ++++++++++
 libraries/libapparmor/src/apparmor.h             |    1 +
 libraries/libapparmor/src/kernel_interface.c     |   66 ++++++++++++++++++++++
 libraries/libapparmor/src/libapparmor.map        |    1 +
 libraries/libapparmor/swig/SWIG/libapparmor.i    |    1 +
 5 files changed, 98 insertions(+), 0 deletions(-)

diff --git a/libraries/libapparmor/doc/aa_find_mountpoint.pod b/libraries/libapparmor/doc/aa_find_mountpoint.pod
index 5f5923f..937d5dd 100644
--- a/libraries/libapparmor/doc/aa_find_mountpoint.pod
+++ b/libraries/libapparmor/doc/aa_find_mountpoint.pod
@@ -22,18 +22,25 @@
 
 =head1 NAME
 
+aa_is_enabled - determine if apparmor is available
+
 aa_find_mountpoint - find where the apparmor interface filesystem is mounted
 
 =head1 SYNOPSIS
 
 B<#include E<lt>sys/apparmor.hE<gt>>
 
+B<int aa_is_enabled(void);>
+
 B<int aa_find_mountpoint(char **mnt);>
 
 Link with B<-lapparmor> when compiling.
 
 =head1 DESCRIPTION
 
+The aa_is_enabled function returns whether apparmor is enabled and if it
+isn't sets the errno to reflect the reason it is not enabled.
+
 The aa_find_mountpoint function finds where the apparmor filesystem is mounted
 on the system, and returns a string containing the mount path.  It is the
 callers responsibility to free the returned path.
@@ -47,6 +54,28 @@ appropriately.
 
 =over 4
 
+B<aa_is_enabled>
+
+=item B<ENOSYS>
+
+AppArmor extensions to the system are not available.
+
+=item B<ECANCELED>
+
+AppArmor is available on the system but has been disabled at boot.
+
+=item B<ENOENT>
+
+AppArmor is available (and maybe even enforcing policy) but the interface is
+not available.
+
+=item B<ENOMEM>
+
+Insufficient memory was available.
+
+
+B<aa_find_mountpoint>
+
 =item B<ENOMEM>
 
 Insufficient memory was available.
diff --git a/libraries/libapparmor/src/apparmor.h b/libraries/libapparmor/src/apparmor.h
index 903cecd..fbfaae0 100644
--- a/libraries/libapparmor/src/apparmor.h
+++ b/libraries/libapparmor/src/apparmor.h
@@ -21,6 +21,7 @@
 __BEGIN_DECLS
 
 /* Prototypes for apparmor state queries */
+extern int aa_is_enabled(void);
 extern int aa_find_mountpoint(char **mnt);
 
 /* Prototypes for self directed domain transitions
diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
index 5a390a5..dc8e96b 100644
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -29,6 +29,8 @@
 #include <stdarg.h>
 #include <mntent.h>
 
+#include "apparmor.h"
+
 /* some non-Linux systems do not define a static value */
 #ifndef PATH_MAX
 # define PATH_MAX 4096
@@ -88,6 +90,70 @@ int aa_find_mountpoint(char **mnt)
 	return rc;
 }
 
+/* cache the status of aa_is_disabled lookup routine */
+static int aa_state = -1;
+
+/**
+ * aa_is_enabled_raw - determine if apparmor is enabled
+ *
+ * Returns: 0 if enabled else reason it is not, or -1 on error
+ *
+ * ENOSYS - no indication apparmor is present in the system
+ * ENOENT - enabled but interface could not be found
+ * ECANCELED - disabled at boot
+ * ENOMEM - out of memory
+ */
+static int aa_is_enabled_raw(void)
+{
+	int serrno, fd, rc, size;
+	char buffer[2];
+	char *mnt;
+
+	/* if the interface mountpoint is available apparmor is enabled */
+	rc = aa_find_mountpoint(&mnt);
+	if (rc == 0) {
+		free(mnt);
+		aa_state = 0;
+		return 0;
+	}
+
+	/* determine why the interface mountpoint isn't available */
+	fd = open("/sys/module/apparmor/parameters/enabled", O_RDONLY);
+	if (fd == -1) {
+		if (errno == ENOENT)
+			errno = ENOSYS;
+		return -1;
+	}
+
+	size = read(fd, &buffer, 2);
+	serrno = errno;
+	close(fd);
+	errno = serrno;
+
+	if (size > 0) {
+		if (buffer[0] == 'Y')
+			errno = ENOENT;
+		else
+			errno = ECANCELED;
+	}
+	return -1;
+}
+
+int aa_is_enabled(void)
+{
+	int rc;
+
+	if (aa_state == 0) {
+		return 0;
+	} else if (aa_state != -1) {
+		errno = aa_state;
+		return -1;
+	}
+
+	rc = aa_is_enabled_raw();
+	aa_state = errno;
+	return rc;
+}
 
 static inline pid_t aa_gettid(void)
 {
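Review bot: The cache update `aa_state = errno;` at the end of aa_is_enabled stores whatever errno happens to hold even when aa_is_enabled_raw returned 0, so a stale errno left by an earlier unrelated failure gets cached and every later call then reports AppArmor as disabled with that errno; the reverse also occurs, since a -1 return with errno still 0 (read() returning 0 on an empty parameters file leaves errno untouched in the `size > 0` branch) caches aa_state = 0 and later calls report enabled. Keying the cache on the return value instead, `aa_state = (rc == 0) ? 0 : errno;`, fixes the first case, and aa_is_enabled_raw should set errno on every -1 path (the size == 0 case currently sets nothing) so the second cannot happen. The header comment on aa_is_enabled_raw says it returns "the reason it is not" enabled, but the code only ever returns 0 or -1 with the reason in errno; the comment should read `Returns: 0 if enabled, -1 otherwise with errno set to the reason`. Minor: `read(fd, &buffer, 2)` passes a pointer to the array rather than the array itself, and `size` should be ssize_t to match read()'s return type.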
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index df51d01..444278e 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -16,6 +16,7 @@ APPARMOR_1.0 {
 
 APPARMOR_1.1 {
   global:
+        aa_is_enabled;
         aa_find_mountpoint;
         aa_change_hat;
         aa_change_hatv;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 1b6b5c7..f0ebf5a 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -13,6 +13,7 @@
  * are manually inserted here
  */
 
+extern int aa_is_enabled(void);
 extern int aa_find_mountpoint(char **mnt);
 extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
 extern int aa_change_profile(const char *profile);
-- 
1.7.5.4

