[apparmor] debugging aa_change_profile

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Thu Apr 26 21:09:15 UTC 2012 

Thank you so much for researching and resolving this. It seems to be
working now indeed.

Additional question: after switching profiles, I cannot switch back
anymore. Which privileges exactly are required to be able to call
aa_change_profile ?

J





On Thu, Apr 26, 2012 at 1:28 PM, Steve Beattie <steve at nxnw.org> wrote:
> Hi Jeroen,
>
> On Thu, Apr 26, 2012 at 12:25:16PM -0700, Jeroen Ooms wrote:
>> If it is helpful, here is some instructions to reproduce the problem.
>> I am using Ubuntu 11.10.
>>
>> # one time install:
>> sudo apt-get install r-base libapparmor-dev
>> wget http://www.stat.ucla.edu/~jeroen/files/rApparmor_0.1.tar.gz
>> sudo R CMD INSTALL rApparmor_0.1.tar.gz
>>
>> # start R:
>> R
>>
>> # enter these commands in the R console:
>> library(rApparmor)
>> aa_change_profile("testprofile")
>
> The issue here is a type-mismatch in your wrapper code. From the Writing
> R Extensions manual, section 5.2
> http://cran.r-project.org/doc/manuals/R-exts.html#Interface-functions-_002eC-and-_002eFortran
>
>  The following table gives the mapping between the modes of R vectors
>  and the types of arguments to a C function or FORTRAN subroutine.
>
>   R storage mode C type          FORTRAN type
>   [SNIP]
>   character      char **         CHARACTER*255
>
> Your wrapper functions don't take this into account:
>
>  void aa_change_profile_wrapper (int *ret, char *profile) {
>    *ret = aa_change_profile (profile);
>    if(ret != 0){
>      *ret = errno;
>    }
>  }
>
> You need to convert the "char *profile" declaration to "char
> **profile" and then evaluate one level of pointer in the
> aa_change_profile() call, like so:
>
>  void aa_change_profile_wrapper (int *ret, char **profile) {
>    *ret = aa_change_profile (*profile);
>    if(ret != 0){
>      *ret = errno;
>    }
>  }
>
> When I do this, I am able to successfully make aa_change_profile calls
> from within R:
>
>  $ R
>  > library(rApparmor)
>
> (switch to a different shell)
>
>  $ cat /proc/$(pidof R)/attr/current
>  unconfined
>
> (back to R)
>
>  > library(rApparmor)
>  > aa_change_profile("testprofile")
>  Error in aa_change_profile("testprofile") :
>    Failed to change profile to: testprofile.
>  Error: 2
>  > aa_change_profile("/bin/ping")
>  >
>
> (and back to the other shell)
>
>  $ cat /proc/$(pidof R)/attr/current
>  /bin/ping (enforce)
>
> I didn't look at the aa_change_hat wrapper function, but I suspect a
> similar type mis-match there as well.
>
> Thanks for trying this out! I'm really curious how well this
> functionality works in R.
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/

More information about the AppArmor mailing list