[apparmor] [PATCH 3/3] Add the aa-namespace utility command

Steve Beattie steve at nxnw.org
Thu Jan 12 14:05:32 UTC 2012


On Fri, Jan 06, 2012 at 09:53:18AM -0800, John Johansen wrote:
> The aa-namespace command can be used to help setup alternate policy
> namespaces.  The current version only supports the most basic of
> operations that can be supported under the old interface.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  utils/Makefile         |    2 +-
>  utils/aa-namespace     |  124 ++++++++++++++++++++++++++++++++++++++++++++++++
>  utils/aa-namespace.pod |   98 ++++++++++++++++++++++++++++++++++++++
>  3 files changed, 223 insertions(+), 1 deletions(-)
>  create mode 100755 utils/aa-namespace
>  create mode 100644 utils/aa-namespace.pod
> 
> diff --git a/utils/Makefile b/utils/Makefile
> index 5baa26d..4d17487 100644
> --- a/utils/Makefile
> +++ b/utils/Makefile
> @@ -28,7 +28,7 @@ endif
>  
>  MODDIR = Immunix
>  PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
> -	aa-unconfined aa-notify aa-disable aa-exec aa-stack
> +	aa-unconfined aa-notify aa-disable aa-exec aa-stack aa-namespace
>  TOOLS = ${PERLTOOLS} aa-decode aa-status
>  MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
>  	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
> diff --git a/utils/aa-namespace b/utils/aa-namespace
> new file mode 100755
> index 0000000..b726963
> --- /dev/null
> +++ b/utils/aa-namespace
> @@ -0,0 +1,124 @@
> +#!/usr/bin/perl
> +# ------------------------------------------------------------------
> +#
> +#    Copyright (C) 2009-2011 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +use strict;
> +use warnings;
> +use Errno;
> +
> +require LibAppArmor;
> +require POSIX;
> +require Time::Local;
> +require File::Basename;
> +
> +my $opt_m = '';
> +my $opt_l = '';
> +my $opt_c = '';
> +my $opt_u = '';
> +my $opt_n = '';
> +my $opt_i = '';
> +my $opt_h = '';
> +my $opt_v = '';
> +my $opt_d = '';

I'm not nacking based on this (particularly given that I didn't flag
it on the prior patches), but stylistically rather than have the short
argument as the variable name, I'd rather see the long name (e.g.
$opt_name instead of $opt_n) as I lose track of what the shortname
is supposed to stand for later in the code.

> +
> +sub _warn {
> +    my $msg = $_[0];
> +    print STDERR "aa-namespace: WARN: $msg\n";
> +}
> +sub _error {
> +    my $msg = $_[0];
> +    print STDERR "aa-namespace: ERROR: $msg\n";
> +    exit 1
> +}
> +
> +sub _debug {
> +    $opt_d or return;
> +    my $msg = $_[0];
> +    print STDERR "aa-namespace: DEBUG: $msg\n";
> +}
> +
> +sub _verbose {
> +    $opt_v or return;
> +    my $msg = $_[0];
> +    print STDERR "$msg\n";
> +}
> +
> +sub setup_old_iface() {
> +    # load a dummy init profile to create the namespace
> +    my $output = `echo "profile init { }" | apparmor_parser -q -n $opt_n`;
> +    if ($output) {
> +	_error("could not create namespace $opt_n, $output");
> +    }
> +
> +    # remove the dummy init profile, namespaces are not auto removed
> +    $output = `echo "profile init { }" | apparmor_parser -R -q -n $opt_n`;
> +    if ($output) {
> +	_error("could not remove init profile");
> +    }
> +}
> +
> +sub usage() {
> +    my $s = <<'EOF';
> +USAGE: aa-namespace [OPTIONS] -n <name> [<profiles> ...]
> +
> +Create and setup a new AppArmor profile namespace <name>.
> +
> +OPTIONS:
> +  -n NAME, --name=NAME		NAME to use for the namespace being created
> +  -m MEM, --mem=MEM		Maximum memory for policy in the namespace
> +  -l COUNT, --limit=COUNT	Maximum number of profiles that can be loaded
> +  -c, --cleanup			Cleanup and remove namespace when no longer used
> +  -i, --visible			Make parent namespace visible to introspection
> +  -u USER, --user=USER		If supported USER to bind namespace to
> +  -I INC, --include=INC		Includes base for profiles
> +  -v, --verbose			Show messages with stats
> +  -h, --help			Display this help
> +
> +EOF
> +    print $s;
> +}
> +
> +use Getopt::Long;
> +
> +GetOptions(
> +    'name|n=s'       => \$opt_n,
> +    'mem|m=n'        => \$opt_m,
> +    'limit|l=n'      => \$opt_l,
> +    'cleanup|c'      => \$opt_c,

None of the last 3 option variables above are used anywhere.

Ah, I see from below that these options and --user are not supported
yet. These should probably cause a warning and/or be indicated as such
in the usage statement.

> +    'visible|i'      => \$opt_i,

This points to the same variable as --include below.

> +    'user|u=s'       => \$opt_u,
> +    'include|I=s'    => \$opt_i,
> +    'verbose|v'      => \$opt_v,
> +    'debug|d'        => \$opt_d,
> +    'help|h'         => \$opt_h,
> +);
> +
> +my $ARGC = @ARGV;
> +
> +if ($opt_h || !$opt_n) {
> +    usage();
> +    exit(0);
> +}
> +
> +if (!LibAppArmor::aa_is_enabled()) {
> +    _error("AppArmor is not enabled");
> +}
> +
> +my $cmnt;
> +if (!LibAppArmor::aa_find_mountpoint($cmnt)) {
> +    _error("could not find AppArmor interface.");
> +}
> +
> +setup_old_iface();
> +
> +if ($ARGC > 0) {
> +    print "loading -n $opt_n @ARGV\n";
> +    exec("apparmor_parser -n $opt_n @ARGV");

Again you want to pass a list rather than a string, for similar reasons
to system().

> +}
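
Review bot: setup_old_iface() interpolates $opt_n straight into two
backtick command strings ("... | apparmor_parser -q -n $opt_n"), so the
namespace name is parsed by /bin/sh before apparmor_parser ever sees it,
in a tool the man page says needs MAC_ADMIN. Please validate $opt_n
against a restrictive pattern right after GetOptions() and run the
parser with a list-form pipe open (writing the dummy profile to its
stdin) instead of a shell pipeline; that is the same concern as the
exec() call at the end of the script. The failure check in the same
function also only tests whether captured stdout is non-empty: backticks
do not capture stderr and $? is never examined, so a parser failure that
is reported on stderr or only through the exit status goes unnoticed.
Separately, "if ($opt_h || !$opt_n)" exits 0 when the required -n is
missing; that case should print usage to STDERR and exit non-zero so
callers can detect it.
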
> diff --git a/utils/aa-namespace.pod b/utils/aa-namespace.pod
> new file mode 100644
> index 0000000..1ae8cdf
> --- /dev/null
> +++ b/utils/aa-namespace.pod
> @@ -0,0 +1,98 @@
> +# This publication is intellectual property of Canonical Ltd. Its contents
> +# can be duplicated, either in part or in whole, provided that a copyright
> +# label is visibly located on each copy.
> +#
> +# All information found in this book has been compiled with utmost
> +# attention to detail. However, this does not guarantee complete accuracy.
> +# Neither Canonical Ltd, the authors, nor the translators shall be held
> +# liable for possible errors or the consequences thereof.
> +#
> +# Many of the software and hardware descriptions cited in this book
> +# are registered trademarks. All trade names are subject to copyright
> +# restrictions and may be registered trade marks. Canonical Ltd
> +# essentially adheres to the manufacturer's spelling.
> +#
> +# Names of products and trademarks appearing in this book (with or without
> +# specific notation) are likewise subject to trademark and trade protection
> +# laws and may thus fall under copyright restrictions.
> +#
> +
> +
> +=pod
> +
> +=head1 NAME
> +
> +aa-namespace - tool to help set up a profile namespace
> +
> +=head1 SYNOPSIS
> +
> +B<aa-namespace> [options] -n I<E<lt>nameE<gt>> [I<E<lt>profilesE<gt>> ...]
> +
> +=head1 DESCRIPTION
> +
> +B<aa-namespace> is used to create and set up an AppArmor policy namespace.
> +After creating the namespace it will set any specified options and precede
> +the namespace with any specified profiles.
> +
> +Require privileges to administer the MAC namespace, aka MAC_ADMIN capability

"Require privileges to administer the MAC namespace" is not a complete
sentence. I'm not quite sure what you're trying to say.

> +(root on most systems).
> +
> +=head1 OPTIONS
> +B<aa-namespace> accepts the following arguments:
> +
> +=over 4
> +
> +=item -m MEM, --mem=MEM  (NOT SUPPORTED)
> +
> +Maximum amount of memory policy loaded into the namespace can use.
> +
> +=item -l COUNT, --limit=COUNT (NOT SUPPORTED)
> +
> +Maximum number of profiles that can be loaded into the profile.
> +
> +=item -c, --cleanup (NOT SUPPORTED)
> +
> +Cleanup and remove the namespace when it is no longer used.  The namespace
> +will be removed from policy management visibility after all its profiles
> +are removed.  The namespace may continue to exist as long as programs are
> +confined by profiles in the namespace.
> +
> +If the namespace is created without profiles, it will not be removed until
> +after the first profile has been added, and then all its profiles have been
> +removed.
> +
> +=item -i, --visible (NOT SUPPORTED)
> +
> +Make the parent namespace visible to introspection queries from task confined
> +inside the namespace.
> +
> +=item u, --user (NOT SUPPORTED)
> +
> +Create a user policy namespace, that can by managed by the specified user.
> +The user can manage and load policy in this namespace.
> +
> +This feature is not currently supported.
> +
> +=item -I, --include
> +
> +Set the include PATH for any profiles to be loaded
> +
> +=item -v, --verbose
> +
> +show commands being performed
> +
> +=item -d, --debug
> +
> +show commands and error codes
> +
> +=head1 BUGS
> +
> +If you find any bugs, please report them at
> +L<http://https://bugs.launchpad.net/apparmor/+filebug>.
> +
> +=head1 SEE ALSO
> +
> +apparmor(7), apparmor_namespaces(8), apparmor.d(5), aa-confine(1), aa-stack(1),

Do you have a patch for an apparmor_namespaces manpage? Did I miss a
patch I was supposed to review?

> +and L<http://wiki.apparmor.net>.
> +
> +=cut
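
Review bot: The "=over 4" that opens the OPTIONS list is never closed;
there is no "=back" before "=head1 BUGS", so podchecker will complain
and the following sections may render as part of the list. Add "=back"
after the --debug item. In the same section, "=head1 OPTIONS" needs a
blank line before "B<aa-namespace> accepts the following arguments:",
otherwise that sentence is folded into the heading; "=item u, --user" is
missing the leading dash; the --limit text says "loaded into the
profile" where the namespace is meant; and the BUGS link has a doubled
scheme ("L<http://https://bugs.launchpad.net/...>"). The list also
documents -d/--debug, which usage() in the script does not mention,
while -n/--name and -h/--help are not documented here at all.
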
> -- 
> 1.7.7.3

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/