[apparmor] [PATCH 3/3] Add the aa-namespace utility command

John Johansen john.johansen at canonical.com
Fri Jan 6 17:53:18 UTC 2012 

The aa-namespace comand can be used to help setup alternate policy
namespaces.  The current version only supports the most basic of
operations that can be supported under the old interface.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 utils/Makefile         |    2 +-
 utils/aa-namespace     |  124 ++++++++++++++++++++++++++++++++++++++++++++++++
 utils/aa-namespace.pod |   98 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 223 insertions(+), 1 deletions(-)
 create mode 100755 utils/aa-namespace
 create mode 100644 utils/aa-namespace.pod

diff --git a/utils/Makefile b/utils/Makefile
index 5baa26d..4d17487 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -28,7 +28,7 @@ endif
 
 MODDIR = Immunix
 PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
-	aa-unconfined aa-notify aa-disable aa-exec aa-stack
+	aa-unconfined aa-notify aa-disable aa-exec aa-stack aa-namespace
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
diff --git a/utils/aa-namespace b/utils/aa-namespace
new file mode 100755
index 0000000..b726963
--- /dev/null
+++ b/utils/aa-namespace
@@ -0,0 +1,124 @@
+#!/usr/bin/perl
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2009-2011 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+use strict;
+use warnings;
+use Errno;
+
+require LibAppArmor;
+require POSIX;
+require Time::Local;
+require File::Basename;
+
+my $opt_m = '';
+my $opt_l = '';
+my $opt_c = '';
+my $opt_u = '';
+my $opt_n = '';
+my $opt_i = '';
+my $opt_h = '';
+my $opt_v = '';
+my $opt_d = '';
+
+sub _warn {
+    my $msg = $_[0];
+    print STDERR "aa-namespace: WARN: $msg\n";
+}
+sub _error {
+    my $msg = $_[0];
+    print STDERR "aa-namespace: ERROR: $msg\n";
+    exit 1
+}
+
+sub _debug {
+    $opt_d or return;
+    my $msg = $_[0];
+    print STDERR "aa-namespace: DEBUG: $msg\n";
+}
+
+sub _verbose {
+    $opt_v or return;
+    my $msg = $_[0];
+    print STDERR "$msg\n";
+}
+
+sub setup_old_iface() {
+    # load a dummy init profile to create the namespace
+    my $output = `echo "profile init { }" | apparmor_parser -q -n $opt_n`;
+    if ($output) {
+	_error("could not create namespace $opt_n, $output");
+    }
+
+    # remove the dummy init profile, namespaces are not auto removed
+    $output = `echo "profile init { }" | apparmor_parser -R -q -n $opt_n`;
+    if ($output) {
+	_error("could not remove init profile");
+    }
+}
+
+sub usage() {
+    my $s = <<'EOF';
+USAGE: aa-namespace [OPTIONS] -n <name> [<profiles> ...]
+
+Create and setup a new AppArmor profile namespace <name>.
+
+OPTIONS:
+  -n NAME, --name=NAME		NAME to use for the namespace being created
+  -m MEM, --mem=MEM		Maximum memory for policy in the namespace
+  -l COUNT, --limit=COUNT	Maximum number of profiles that can be loaded
+  -c, --cleanup			Cleanup and remove namespace when no longer used
+  -i, --visible			Make parent namespace visible to introspection
+  -u USER, --user=USER		If supported USER to bind namespace to
+  -I INC, --include=INC		Includes base for profiles
+  -v, --verbose			Show messages with stats
+  -h, --help			Display this help
+
+EOF
+    print $s;
+}
+
+use Getopt::Long;
+
+GetOptions(
+    'name|n=s'       => \$opt_n,
+    'mem|m=n'        => \$opt_m,
+    'limit|l=n'      => \$opt_l,
+    'cleanup|c'      => \$opt_c,
+    'visible|i'      => \$opt_i,
+    'user|u=s'       => \$opt_u,
+    'include|I=s'    => \$opt_i,
+    'verbose|v'      => \$opt_v,
+    'debug|d'        => \$opt_d,
+    'help|h'         => \$opt_h,
+);
+
+my $ARGC = @ARGV;
+
+if ($opt_h || !$opt_n) {
+    usage();
+    exit(0);
+}
+
+if (!LibAppArmor::aa_is_enabled()) {
+    _error("AppArmor is not enabled");
+}
+
+my $cmnt;
+if (!LibAppArmor::aa_find_mountpoint($cmnt)) {
+    _error("could not find AppArmor interface.");
+}
+
+setup_old_iface();
+
+if ($ARGC > 0) {
+    print "loading -n $opt_n @ARGV\n";
+    exec("apparmor_parser -n $opt_n @ARGV");
+}
diff --git a/utils/aa-namespace.pod b/utils/aa-namespace.pod
new file mode 100644
index 0000000..1ae8cdf
--- /dev/null
+++ b/utils/aa-namespace.pod
@@ -0,0 +1,98 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-namespace - tool to help set up a profile namespace
+
+=head1 SYNOPSIS
+
+B<aa-namespace> [options] -n I<E<lt>nameE<gt>> [I<E<lt>profilesE<gt>> ...]
+
+=head1 DESCRIPTION
+
+B<aa-namespace> is used to create and set up an AppArmor policy namespace.
+After creating the namespace it will set any specified options and precede
+the namespace with any specified profiles.
+
+Require privileges to administer the MAC namespace, aka MAC_ADMIN capability
+(root on most systems).
+
+=head1 OPTIONS
+B<aa-namespace> accepts the following arguments:
+
+=over 4
+
+=item -m MEM, --mem=MEM  (NOT SUPPORTED)
+
+Maximum amount of memory policy loaded into the namespace can use.
+
+=item -l COUNT, --limit=COUNT (NOT SUPPORTED)
+
+Maximum number of profiles that can be loaded into the profile.
+
+=item -c, --cleanup (NOT SUPPORTED)
+
+Cleanup and remove the namespace when it is no longer used.  The namespace
+will be removed from policy management visibility after all its profiles
+are removed.  The namespace may continue to exist as long as programs are
+confined by profiles in the namespace.
+
+If the namespace is created without profiles, it will not be removed until
+after the first profile has been added, and then all its profiles have been
+removed.
+
+=item -i, --visible (NOT SUPPORTED)
+
+Make the parent namespace visible to introspection queries from task confined
+inside the namespace.
+
+=item u, --user (NOT SUPPORTED)
+
+Create a user policy namespace, that can by managed by the specified user.
+The user can manage and load policy in this namespace.
+
+This feature is not currently supported.
+
+=item -I, --include
+
+Set the include PATH for any profiles to be loaded
+
+=item -v, --verbose
+
+show commands being performed
+
+=item -d, --debug
+
+show commands and error codes
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor_namespaces(8), apparmor.d(5), aa-confine(1), aa-stack(1),
+and L<http://wiki.apparmor.net>.
+
+=cut
-- 
1.7.7.3

More information about the AppArmor mailing list