[apparmor] AppArmor APIs

Colin Ian King colin.king at canonical.com
Tue Dec 15 17:29:43 UTC 2015


Thanks John,

So far I've been successful from the info you have provided. I've
compiled a policy into a binary blob and got it loaded into a buffer and
successfully loaded this into the kernel.

Colin


On 15/12/15 00:32, John Johansen wrote:
> On 12/14/2015 07:44 AM, Colin Ian King wrote:
>> Hi there,
>>
>> I'm looking at writing some stress tests for AppArmor, so I'd like to
>> construct some simple rules and insert/remove them.  I looked for some
>> API documentation, but all I can find is:
>>
>> http://wiki.apparmor.net/index.php/AppArmorAPIs
>>
>> Are there any API docs, guides or worked examples for libaaparse and
>> libapparmor?
>>
> 
> Hey Colin,
> sorry the interfaces aren't better documented. It is one of those perpetual
> todo items. There is a quick view of the basic APIs below and I'll work on
> getting you some better docs.
> 
> The libapparmor API is fairly well documented in the man pages (though it
> seems the cross refs to find them could stand to be updated)
> 
>   man aa_change_hat
>       aa_change_hatv
>       aa_change_hat_vargs
> 
>   man aa_change_profile
>       aa_change_onexec
> 
>   man  aa_getprocattr_raw
>        aa_getprocattr
>        aa_gettaskcon
>        aa_getcon
>        aa_getpeercon_raw
>        aa_getpeercon
> 
>   man aa_splitcon
> 
>   man aa_features
>       aa_features_new
>       aa_features_new_from_string
>       aa_features_new_from_kernel
>       aa_features_ref
>       aa_features_unref
>       aa_features_write_to_file
>       aa_features_is_equal
>       aa_features_supports
> 
>   man aa_is_enabled
>       aa_find_mountpoint
> 
>   man aa_kernel_interface
>       aa_kernel_interface_new
>       aa_kernel_interface_ref
>       aa_kernel_interface_unref
>       aa_kernel_interface_load_policy
>       aa_kernel_interface_load_policy_from_file
>       aa_kernel_interface_load_policy_from_fd
>       aa_kernel_interface_replace_policy
>       aa_kernel_interface_replace_policy_from_file
>       aa_kernel_interface_replace_policy_from_fd
>       aa_kernel_interface_remove_policy
>       aa_kernel_interface_write_policy
> 
>   man aa_policy_cache
>       aa_policy_cache_new
>       aa_policy_cache_ref
>       aa_policy_cache_unref
>       aa_policy_cache_remove
>       aa_policy_cache_replace_all
> 
>   man aa_query_label
>       aa_query_file_path
>       aa_query_file_path_len
>       aa_query_link_path_len
>       aa_query_link_path
> 
> 
> 
> the logparsing doesn't seem to be documented at all :(
> The 2 exported functions are
>   aa_log_record *parse_record(char *str)
>   void free_record(aa_log_record *record)
> 
>   with aa_log_record being defined in include/aalogparse.h
> there are a fair number of log parsing tests in 
>   libraries/libapparmor/testsuite/
> 
> there is a set of private functions that are pseudo-exported, but being private APIs they may change at any time
>                 _aa_is_blacklisted;
>                 _aa_autofree;
>                 _aa_autoclose;
>                 _aa_autofclose;
>                 _aa_dirat_for_each;
> 
> 
> 
> the apparmor_parser flags are fairly well documented in
>   man apparmor_parser
> 
> 
> 
> the low-level interfaces are not well documented at all
>   reading of a socket's label is done via
>     getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &optlen);
> 
>   read of a task's label is done via
>     /proc/<pid>/attr/current
> 
>   read of a scheduled change at exec via
>     /proc/<pid>/attr/exec
> 
>   read of parent while in a hat
>     /proc/<pid>/attr/prev
> 
>   setting self label (another task's label can not be directly set) is done by writing to
>     /proc/<pid>/attr/current
> 
>   setting of self label at exec (again another task's is not allowed) is done via writing to
>     /proc/<pid>/attr/exec
> 
>   the /proc/<pid>/attr/  fscreate  keycreate sockcreate files are currently not used
> 
>   the sock and proc/attr interfaces are limited to pagesize reads and writes atm
> 
> 
> 
> the apparmor filesystem used for loading and introspecting policy is usually mounted at
>    /sys/kernel/security/apparmor.
> 
> Well it's not really the apparmor filesystem anymore as it is a sub of the securityfs
> filesystem.  Under this there is
>   ls apparmor/
>   .access  features  .load  .null  policy  profiles  .remove  .replace
> 
> .access - is a file that allows querying permissions. I'll work on getting you some docs
>   on its format
> 
> profiles - flattened, virtualized view of what policy is visible to the inquiring task.
>   I'll work on some better docs for you
> 
> features - dir of features supported by the kernel (should be read only)
> 
> policy - dir of policy currently visible (actually currently this is always from root
>          policy ns, but ideally it should get virtualized (except doing that properly
>          with the way the vfs is setup is impossible, so there will be something half-
>          assed for 16.04).
> 
>          This represents an expanded view of what is available in the profiles file,
>          and is currently entirely read only.
> 
>          the hierarchy is basically
> 
>          policy/namespaces/   #subnamespaces follow exactly the same format as what's in policy
>                /profiles/<swizzled profile name>.uniq#/
>                                                        name       #name of profile
>                                                        attach     #exec profile attachment
>                                                        mode       #mode of profile
>                                                        sha1       #sha1 of loaded profile
>                                                        profiles/  #present if profile has its own subprofiles
> 
> 
> The policy load/remove interface, which could really use some fuzzing.
> .load - atomic write of a set of profiles to load (does not allow replacement). I'll work
>   on getting you some docs on its format
> 
> .replace - same as .load except indicated replacement is allowed.
> 
> .remove - similar to .load/.replace but different format.  Again I'll work on getting
>   you some docs.
> 
> 
> .null - special null file used in mediation of uninheritable files
> 
> 