[apparmor] debugging aa_change_profile

Steve Beattie steve at nxnw.org
Thu Apr 26 20:28:35 UTC 2012 

Hi Jeroen,

On Thu, Apr 26, 2012 at 12:25:16PM -0700, Jeroen Ooms wrote:
> If it is helpful, here is some instructions to reproduce the problem.
> I am using Ubuntu 11.10.
> 
> # one time install:
> sudo apt-get install r-base libapparmor-dev
> wget http://www.stat.ucla.edu/~jeroen/files/rApparmor_0.1.tar.gz
> sudo R CMD INSTALL rApparmor_0.1.tar.gz
> 
> # start R:
> R
> 
> # enter these commands in the R console:
> library(rApparmor)
> aa_change_profile("testprofile")

The issue here is a type-mismatch in your wrapper code. From the Writing
R Extensions manual, section 5.2
http://cran.r-project.org/doc/manuals/R-exts.html#Interface-functions-_002eC-and-_002eFortran

  The following table gives the mapping between the modes of R vectors
  and the types of arguments to a C function or FORTRAN subroutine.

   R storage mode C type          FORTRAN type
   [SNIP]
   character      char **         CHARACTER*255

Your wrapper functions don't take this into account:

  void aa_change_profile_wrapper (int *ret, char *profile) {
    *ret = aa_change_profile (profile);
    if(ret != 0){
      *ret = errno;
    }
  }

You need to convert the "char *profile" declaration to "char
**profile" and then evaluate one level of pointer in the
aa_change_profile() call, like so:

  void aa_change_profile_wrapper (int *ret, char **profile) {
    *ret = aa_change_profile (*profile);
    if(ret != 0){
      *ret = errno;
    }
  }

When I do this, I am able to successfully make aa_change_profile calls
from within R:

  $ R
  > library(rApparmor)

(switch to a different shell)

  $ cat /proc/$(pidof R)/attr/current
  unconfined

(back to R)

  > library(rApparmor)
  > aa_change_profile("testprofile")
  Error in aa_change_profile("testprofile") :
    Failed to change profile to: testprofile.
  Error: 2
  > aa_change_profile("/bin/ping")
  >

(and back to the other shell)

  $ cat /proc/$(pidof R)/attr/current
  /bin/ping (enforce)

I didn't look at the aa_change_hat wrapper function, but I suspect a
similar type mis-match there as well.

Thanks for trying this out! I'm really curious how well this
functionality works in R.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120426/e6a8d8ce/attachment.pgp>

More information about the AppArmor mailing list