[apparmor] [PATCH v2] libapparmor: ENOENT should only signify label not found in label queries

Tyler Hicks tyhicks at canonical.com
Fri Aug 9 19:11:02 UTC 2013


It may be useful to applications that do AppArmor queries to know if the
subject label in the query is unknown to the kernel. For example, the
corresponding profile may have been removed/renamed.

This patch eliminates all potential return locations of aa_query_label()
that may have errno set to ENOENT, except for the write() to
apparmorfs/.access that sets ENOENT when the subject label isn't found
by the kernel.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

After giving it some thought, we don't want to support applications doing test
queries during their initialization. However, it is helpful if applications can
be notified if the subject label in their query has been renamed/removed.

* Changes in v2:
  - Update changelog and function comments to *not* mention the possibility of
    doing test queries
  - Only mention that ENOENT signifies that the kernel doesn't know about the
    subject label in the query

 libraries/libapparmor/src/kernel_interface.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
index 34f9579..1b604fc 100644
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -684,7 +684,9 @@ static void aafs_access_init_once(void)
  * @audited: upon successful return, will be 1 if query should be audited and 0
  *           if not
  *
- * Returns: 0 on success else -1 and sets errno
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ *          ENOENT, the subject label in the query string is unknown to the
+ *          kernel.
  */
 int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
 		   int *audited)
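Review bot: the updated comment documents ENOENT but not the EPROTONOSUPPORT that the open() path in the next hunk now returns when apparmorfs/.access is absent; a caller that wants to tell "subject label gone" apart from "this kernel cannot answer label queries" needs both cases spelled out here. Suggest adding a sentence such as ` *          EPROTONOSUPPORT means the kernel does not support label queries.` after the ENOENT sentence.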
@@ -708,8 +710,11 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
 	}
 
 	fd = open(aafs_access, O_RDWR);
-	if (fd == -1)
+	if (fd == -1) {
+		if (errno == ENOENT)
+			errno = EPROTONOSUPPORT;
 		return -1;
+	}
 
 	memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
 	errno = 0;
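Review bot: the ENOENT to EPROTONOSUPPORT remap carries no comment saying why it is done, and since open() reports ENOENT for any missing component of aafs_access, it fires both when .access is absent and when apparmorfs is not mounted at all. If both are meant to read as "no query support", say so next to the assignment, e.g. `/* no .access file: kernel lacks label query support */` above `errno = EPROTONOSUPPORT;`, so the next reader does not take it for a stray error rewrite.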
@@ -717,6 +722,10 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
 	if (ret != size) {
 		if (ret >= 0)
 			errno = EPROTO;
+		/* IMPORTANT: This is the only valid error path that can have
+		 * errno set to ENOENT. It indicates that the subject label
+		 * could not be found by the kernel.
+		 */
 		return -1;
 	}
 
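Review bot: the write() failure path still returns -1 without closing fd (the only close(fd) is after read() in the following hunk), so the very case this patch makes reportable, a subject label the kernel does not know, leaks one descriptor per query. Add `(void)close(fd);` before the `return -1;` here, saving and restoring errno around it the way the read path does so the ENOENT this comment promises survives. Pre-existing, but it belongs with this change.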
@@ -725,8 +734,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
 	(void)close(fd);
 	errno = saved;
 	if (ret != QUERY_LABEL_REPLY_LEN) {
-		if (ret >= 0)
-			errno = EPROTO;
+		errno = EPROTO;
 		return -1;
 	}
 
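Review bot: unconditionally setting errno = EPROTO after a short or failed read() now hides the kernel's real errno when ret == -1 (EINTR, for instance) and makes the saved-errno restore just above dead on the failure path. To rule out only ENOENT, as the changelog intends, consider `if (ret >= 0 || errno == ENOENT) errno = EPROTO;` so other read errors still reach the caller.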
-- 
1.8.3.2
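As an added example that is not part of this patch or of libapparmor, the wrapper below shows how a calling application can act on the errno contract the patch documents: ENOENT for a subject label the kernel no longer knows, EPROTONOSUPPORT when the open() of apparmorfs/.access fails because the file is absent, and EPROTO for a malformed exchange. The header constants, the query body layout, the 0x4 mask, the label and path strings and the stub query function are assumptions made for this example; with the real library you would include sys/apparmor.h and pass aa_query_label as the function pointer.

```c
/* Added example, not libapparmor code: a caller-side wrapper that maps the
 * errno contract this patch establishes onto an explicit outcome. To use it
 * for real, #include <sys/apparmor.h>, drop the two defines below, and pass
 * aa_query_label as 'fn'. Offline it runs against a constructed stub. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the header constants (assumed values; the hunk shows names). */
#define AA_QUERY_CMD_LABEL "label"
#define AA_QUERY_CMD_LABEL_SIZE (sizeof(AA_QUERY_CMD_LABEL))

enum query_outcome {
    QUERY_ALLOWED,       /* 0 returned, *allowed != 0 */
    QUERY_DENIED,        /* 0 returned, *allowed == 0 */
    QUERY_LABEL_UNKNOWN, /* -1, ENOENT: subject label unknown to the kernel */
    QUERY_UNSUPPORTED,   /* -1, EPROTONOSUPPORT: apparmorfs/.access absent */
    QUERY_ERROR          /* -1, anything else (EPROTO, EACCES, ...) */
};

/* Same signature as aa_query_label() in the hunk. */
typedef int (*query_fn)(uint32_t mask, char *query, size_t size,
                        int *allowed, int *audited);

/* Build the query buffer. The hunk's memcpy() overwrites the first
 * AA_QUERY_CMD_LABEL_SIZE bytes with the command, so they are reserved here.
 * The body layout (label, NUL, one class byte, class data) is an assumption
 * taken from the aa_query_label man page; check it for your version.
 * Returns the size to pass to the query, or 0 if 'cap' is too small. */
size_t build_query(char *buf, size_t cap, const char *label,
                   unsigned char cls, const void *data, size_t datalen)
{
    size_t llen = strlen(label) + 1;  /* label plus its NUL */
    size_t total = AA_QUERY_CMD_LABEL_SIZE + llen + 1 + datalen;
    if (total > cap)
        return 0;
    memset(buf, 0, AA_QUERY_CMD_LABEL_SIZE);  /* command headroom */
    memcpy(buf + AA_QUERY_CMD_LABEL_SIZE, label, llen);
    buf[AA_QUERY_CMD_LABEL_SIZE + llen] = (char)cls;
    memcpy(buf + AA_QUERY_CMD_LABEL_SIZE + llen + 1, data, datalen);
    return total;
}

/* Run one query and classify it; err_out receives errno on failure. */
enum query_outcome classify_query(query_fn fn, uint32_t mask, char *query,
                                  size_t size, int *audited, int *err_out)
{
    int allowed = 0, aud = 0;
    errno = 0;
    if (fn(mask, query, size, &allowed, &aud) == 0) {
        if (audited) *audited = aud;
        if (err_out) *err_out = 0;
        return allowed ? QUERY_ALLOWED : QUERY_DENIED;
    }
    if (err_out) *err_out = errno;
    switch (errno) {
    case ENOENT:          return QUERY_LABEL_UNKNOWN;
    case EPROTONOSUPPORT: return QUERY_UNSUPPORTED;
    default:              return QUERY_ERROR;
    }
}

/* Fail closed: only an explicit "allowed" grants access. A label the kernel
 * no longer knows (profile removed or renamed) is treated as a deny. */
int fail_closed(enum query_outcome o)
{
    return o == QUERY_ALLOWED;
}

/* Constructed stub standing in for aa_query_label() when run offline. */
static int stub_rc, stub_errno, stub_allowed;
static int stub_query(uint32_t mask, char *query, size_t size,
                      int *allowed, int *audited)
{
    (void)mask; (void)query; (void)size;
    if (stub_rc == -1) {
        errno = stub_errno;  /* the errno the library would leave behind */
        return -1;
    }
    *allowed = stub_allowed;
    *audited = 0;
    return 0;
}

/* Drive the wrapper with a scripted library result (constructed input). */
enum query_outcome run_stubbed(int rc, int err, int allowed)
{
    char buf[128];
    size_t n = build_query(buf, sizeof buf, "/usr/bin/example", 2,
                           "/etc/hosts", sizeof "/etc/hosts");
    stub_rc = rc; stub_errno = err; stub_allowed = allowed;
    return classify_query(stub_query, 0x4 /* assumed read bit */, buf, n,
                          NULL, NULL);
}

int main(void)
{
    static const char *const names[] = { "allowed", "denied",
        "label unknown (ENOENT)", "unsupported (EPROTONOSUPPORT)", "error" };
    enum query_outcome o = run_stubbed(-1, ENOENT, 0);  /* profile removed */
    printf("%s -> access %s\n", names[o], fail_closed(o) ? "granted" : "denied");
    return 0;
}
```

The split between classify_query and fail_closed is deliberate: the first preserves every distinction the library now makes (including the errno, for logging), while the second is the single policy point where a removed profile, an unsupported kernel and a protocol error all collapse to a deny rather than silently granting access.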