[apparmor] [PATCH v2 2/6] utils: Initial implementation of aa-exec in C

Thu Dec 17 22:09:31 UTC 2015

On 12/16/2015 07:25 PM, Tyler Hicks wrote:
> Create a simple aa-exec implementation, written in C, matching the
> --help, --debug, --verbose, and --profile options present in the current
> Perl implementation.
> 
> The new aa-exec sources reside in the binutils/ directory.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  binutils/Makefile  |   9 ++-
>  binutils/aa_exec.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 173 insertions(+), 3 deletions(-)
>  create mode 100644 binutils/aa_exec.c
> 
> diff --git a/binutils/Makefile b/binutils/Makefile
> index 3b99c3e..aec2d62 100644
> --- a/binutils/Makefile
> +++ b/binutils/Makefile
> @@ -50,7 +50,7 @@ EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
>  
>  SRCS = aa_enabled.c
>  HDRS =
> -TOOLS = aa-enabled
> +TOOLS = aa-enabled aa-exec
>  
>  AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread
>  
> @@ -106,7 +106,7 @@ all:	arch indep
>  
>  .PHONY: coverage
>  coverage:
> -	$(MAKE) clean aa-enabled COVERAGE=1
> +	$(MAKE) clean aa-enabled aa-exec COVERAGE=1
>  
>  ifndef USE_SYSTEM
>  $(LIBAPPARMOR_A):
> @@ -121,12 +121,15 @@ endif
>  aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
>  	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB) 
>  
> +aa-exec: aa_exec.c $(LIBAPPARMOR_A)
> +	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
> +
>  .SILENT: check
>  .PHONY: check
>  check: check_pod_files tests
>  
>  .SILENT: tests
> -tests: aa-enabled $(TESTS)
> +tests: aa-enabled aa-exec $(TESTS)
>  	echo "no tests atm"
>  
>  .PHONY: install
> diff --git a/binutils/aa_exec.c b/binutils/aa_exec.c
> new file mode 100644
> index 0000000..a6a6008
> --- /dev/null
> +++ b/binutils/aa_exec.c
> @@ -0,0 +1,167 @@
> +/*
> + *   Copyright (c) 2015
> + *   Canonical, Ltd. (All rights reserved)
> + *
> + *   This program is free software; you can redistribute it and/or
> + *   modify it under the terms of version 2 of the GNU General Public
> + *   License published by the Free Software Foundation.
> + *
> + *   This program is distributed in the hope that it will be useful,
> + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *   GNU General Public License for more details.
> + *
> + *   You should have received a copy of the GNU General Public License
> + *   along with this program; if not, contact Novell, Inc. or Canonical
> + *   Ltd.
> + */
> +
> +#include <errno.h>
> +#include <getopt.h>
> +#include <libintl.h>
> +#include <stdio.h>
> +#include <stdarg.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/apparmor.h>
> +#include <unistd.h>
> +#define _(s) gettext(s)
> +
> +static const char *opt_profile = NULL;
> +static bool opt_debug = false;
> +static bool opt_verbose = false;
> +
> +static void usage(const char *name, bool error)
> +{
> +	FILE *stream = stdout;
> +	int status = EXIT_SUCCESS;
> +
> +	if (error) {
> +		stream = stderr;
> +		status = EXIT_FAILURE;
> +	}
> +
> +	fprintf(stream,
> +		_("USAGE: %s [OPTIONS] <prog> <args>\n"
> +		"\n"
> +		"Confine <prog> with the specified PROFILE.\n"
> +		"\n"
> +		"OPTIONS:\n"
> +		"  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with\n"
> +		"  -d, --debug				show messages with debugging information\n"
> +		"  -v, --verbose				show messages with stats\n"
> +		"  -h, --help				display this help\n"
> +		"\n"), name);
> +	exit(status);
> +}
> +
> +#define error(fmt, args...) _error(_("aa-exec: ERROR: " fmt "\n"), ## args)
> +static void _error(const char *fmt, ...)
> +{
> +	va_list args;
> +
> +	va_start(args, fmt);
> +	vfprintf(stderr, fmt, args);
> +	va_end(args);
> +	exit(EXIT_FAILURE);
> +}
> +
> +#define debug(fmt, args...) _debug(_("aa-exec: DEBUG: " fmt "\n"), ## args)
> +static void _debug(const char *fmt, ...)
> +{
> +	va_list args;
> +
> +	if (!opt_debug)
> +		return;
> +
> +	va_start(args, fmt);
> +	vfprintf(stderr, fmt, args);
> +	va_end(args);
> +}
> +
> +#define verbose(fmt, args...) _verbose(_(fmt "\n"), ## args)
> +static void _verbose(const char *fmt, ...)
> +{
> +	va_list args;
> +
> +	if (!opt_verbose)
> +		return;
> +
> +	va_start(args, fmt);
> +	vfprintf(stderr, fmt, args);
> +	va_end(args);
> +}
> +
> +static void verbose_print_argv(char **argv)
> +{
> +	if (!opt_verbose)
> +		return;
> +
> +	fprintf(stderr, _("exec"));
> +	for (; *argv; argv++)
> +		fprintf(stderr, " %s", *argv);
> +	fprintf(stderr, "\n");
> +}
> +
> +static char **parse_args(int argc, char **argv)
> +{
> +	int opt;
> +	struct option long_opts[] = {
> +		{"debug", no_argument, 0, 'd'},
> +		{"help", no_argument, 0, 'h'},
> +		{"profile", required_argument, 0, 'p'},
> +		{"verbose", no_argument, 0, 'v'},
> +	};
> +
> +	while ((opt = getopt_long(argc, argv, "+dhp:v", long_opts, NULL)) != -1) {
> +		switch (opt) {
> +		case 'd':
> +			opt_debug = true;
> +			break;
> +		case 'h':
> +			usage(argv[0], false);
> +			break;
> +		case 'p':
> +			opt_profile = optarg;
> +			break;
> +		case 'v':
> +			opt_verbose = true;
> +			break;
> +		default:
> +			usage(argv[0], true);
> +			break;
> +		}
> +	}
> +
> +	if (optind >= argc)
> +		usage(argv[0], true);
> +
> +	return argv + optind;
> +}
> +
> +int main(int argc, char **argv)
> +{
> +	int rc = 0;
> +
> +	argv = parse_args(argc, argv);
> +
> +	if (opt_profile) {
> +		verbose("aa_change_onexec(\"%s\")", opt_profile);
> +		rc = aa_change_onexec(opt_profile);
> +		debug("%d = aa_change_onexec(\"%s\")", rc, opt_profile);
> +	}
> +
> +	if (rc) {
> +		if (errno == ENOENT || errno == EACCES) {
> +			error("profile '%s' does not exist", opt_profile);
> +		} else if (errno == EINVAL) {
> +			error("AppArmor interface not available");
> +		} else {
> +			error("%m");
> +		}
> +	}
> +
> +	verbose_print_argv(argv);
> +	execvp(argv[0], argv);
> +	error("Failed to execute \"%s\": %m", argv[0]);
> +}
>