[apparmor] aa_getcon
John Johansen
john.johansen at canonical.com
Wed Jul 18 06:14:24 UTC 2012
On 07/17/2012 05:10 PM, Jeroen Ooms wrote:
> I am implementing an interface to aa_getcon as described here:
> http://manpages.ubuntu.com/manpages/precise/man2/aa_getcon.2.html, but
> I am getting a bit stuck. This might be largely due to my lack of
> experience with C, but hopefully someone can give me some pointers (or
> pointers to pointers :-)
>
> As I understand it, aa_getcon can be used to get the confinement
> information for the current process. When I call it from an unconfined
> process, char **con correctly contains "unconfined". However char
> **mode contains nothing? I get a 'memory not mapped' error when
> trying to copy the variable mode.
>
When you get unconfined, there is no profile, so mode is not set. From
C you would test:
if (mode != NULL)
> When calling aa_getcon from a confined process, I always get an errno
> 13. I think this is permission denied. Do I need to add any special
> capabilities to the profile for aa_getcon to work?
>
Yes, the profile needs access to the interface. Currently the language
does not have a shorthand for this, so use
@{PROC}/[0-9]*/attr/current r,
or something similar.