[apparmor] AppArmor APIs

Seth Arnold seth.arnold at canonical.com
Mon Dec 14 22:49:44 UTC 2015


On Mon, Dec 14, 2015 at 03:44:56PM +0000, Colin Ian King wrote:
> I'm looking at writing some stress tests for AppArmor, so I'd like to
> construct some simple rules and insert/remove them.  I looked for some
> API documentation, but all I can find is:
> 
> http://wiki.apparmor.net/index.php/AppArmorAPIs

Excellent, thanks!

> Are there any API docs, guides or worked examples for libaaparse and
> libapparmor?

libaaparse doesn't yet exist. There is work underway to make the
apparmor_parser suitable for use as a library but it is currently only
usable as an executable.

The simplest way to create rules, load, and unload would be something like
this:

echo "profile profile_name /attachment/specification { /rules/ r, }" | \
apparmor_parser --replace

(I always use --replace because it's idempotent. --add is not.)

echo "profile profile_name /attachment/specification { }" | \
apparmor_parser --remove

If this is too onerous for integrating into stress-ng, then the next best
starting point is probably process_profile() in parser_main.c. That
orchestrates loading either a binary blob from the cache or the compiled
profile into the kernel. Since there's extensive use of global variables
in the parser it probably still makes sense to fork off new processes for
each use as needed. (Even this seems like it might be a lot of work
compared to stealing the 'interface' code from parser_interface.c and
using that on stress-ng-supplied binary blobs.)

libapparmor is in better shape: the aa_change_hat(), aa_change_profile()
and aa_change_onexec() calls are documented in manpages in libapparmor-dev.

Thanks
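
The load/remove cycle described in the message above, wrapped into a repeatable loop. This is an added example, not code from the original post or from the AppArmor project. The function names and the AA_PARSER override variable are hypothetical, and a real run assumes root and an AppArmor-enabled kernel.

```shell
#!/bin/sh
# Added example (not from the original post). AA_PARSER is a hypothetical
# override so the parser can be swapped for a stub; default is the real tool.
AA_PARSER="${AA_PARSER:-apparmor_parser}"

# Emit a one-line profile: $1 = name, $2 = attachment, $3 = rules (may be empty).
make_profile() {
    printf 'profile %s %s { %s }\n' "$1" "$2" "${3:-}"
}

# Load or reload a profile. --replace succeeds whether or not it is loaded.
load_profile() {
    make_profile "$1" "$2" "$3" | "$AA_PARSER" --replace
}

# Unload a profile; an empty body is enough, as in the post.
remove_profile() {
    make_profile "$1" "$2" "" | "$AA_PARSER" --remove
}

# Run $3 cycles of load, reload, remove. Prints the number of completed
# cycles and returns non-zero if any parser call failed.
stress_cycles() {
    sc_name=$1 sc_attach=$2 sc_count=$3 sc_done=0
    while [ "$sc_done" -lt "$sc_count" ]; do
        load_profile "$sc_name" "$sc_attach" "/rules/ r," || break
        # Second load of the same profile exercises the idempotent path.
        load_profile "$sc_name" "$sc_attach" "/rules/ r," || break
        remove_profile "$sc_name" "$sc_attach" || break
        sc_done=$((sc_done + 1))
    done
    echo "$sc_done"
    [ "$sc_done" -eq "$sc_count" ]
}

# Real run (needs root and AppArmor enabled): sh script.sh --run [cycles]
if [ "${1:-}" = "--run" ]; then
    stress_cycles "aa_stress_$$" /attachment/specification "${2:-100}"
fi
```

Each parser call is a separate process, which matches the advice in the message to fork a new process per use.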