[apparmor] [PATCH v2 5/6] utils: Replace Perl aa-exec with C aa-exec

John Johansen john.johansen at canonical.com
Thu Dec 17 22:49:13 UTC 2015


On 12/16/2015 07:25 PM, Tyler Hicks wrote:
> Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
> binutils/, and point the regression test to the C based aa-exec in
> binutils/.
> 
> Note that the new C aa-exec does not implement the --file option which
> was present in the Perl aa-exec. It encouraged running programs as root,
> since root privileges were required to load the specified profile.
> 
> All other features of the Perl aa-exec are present in the C aa-exec.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Drop the --file option from the man page and you can have my (no need
to resend the patch)

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  binutils/Makefile                             |   2 +-
>  binutils/aa-exec.pod                          |  97 ++++++++++++++++++++
>  tests/regression/apparmor/Makefile            |   6 +-
>  tests/regression/apparmor/uservars.inc.source |   2 +-
>  utils/Makefile                                |   2 +-
>  utils/aa-exec                                 | 122 --------------------------
>  utils/aa-exec.pod                             |  97 --------------------
>  7 files changed, 103 insertions(+), 225 deletions(-)
>  create mode 100644 binutils/aa-exec.pod
>  delete mode 100755 utils/aa-exec
>  delete mode 100644 utils/aa-exec.pod
> 
> diff --git a/binutils/Makefile b/binutils/Makefile
> index aec2d62..91ae4cd 100644
> --- a/binutils/Makefile
> +++ b/binutils/Makefile
> @@ -20,7 +20,7 @@ include $(COMMONDIR)/Make.rules
>  DESTDIR=/
>  BINDIR=${DESTDIR}bin
>  LOCALEDIR=/usr/share/locale
> -MANPAGES=aa-enabled.8
> +MANPAGES=aa-enabled.8 aa-exec.8
>  
>  WARNINGS = -Wall
>  EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
> diff --git a/binutils/aa-exec.pod b/binutils/aa-exec.pod
> new file mode 100644
> index 0000000..58dedb2
> --- /dev/null
> +++ b/binutils/aa-exec.pod
> @@ -0,0 +1,97 @@
> +# This publication is intellectual property of Canonical Ltd. Its contents
> +# can be duplicated, either in part or in whole, provided that a copyright
> +# label is visibly located on each copy.
> +#
> +# All information found in this book has been compiled with utmost
> +# attention to detail. However, this does not guarantee complete accuracy.
> +# Neither Canonical Ltd, the authors, nor the translators shall be held
> +# liable for possible errors or the consequences thereof.
> +#
> +# Many of the software and hardware descriptions cited in this book
> +# are registered trademarks. All trade names are subject to copyright
> +# restrictions and may be registered trade marks. Canonical Ltd
> +# essentially adheres to the manufacturer's spelling.
> +#
> +# Names of products and trademarks appearing in this book (with or without
> +# specific notation) are likewise subject to trademark and trade protection
> +# laws and may thus fall under copyright restrictions.
> +#
> +
> +
> +=pod
> +
> +=head1 NAME
> +
> +aa-exec - confine a program with the specified AppArmor profile
> +
> +=head1 SYNOPSIS
> +
> +B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
> +
> +=head1 DESCRIPTION
> +
> +B<aa-exec> is used to launch a program confined by the specified profile
> +and or namespace.  If both a profile and namespace are specified command
> +will be confined by profile in the new policy namespace.  If only a namespace
> +is specified, the profile name of the current confinement will be used.  If
> +neither a profile or namespace is specified command will be run using
> +standard profile attachment (ie. as if run without the aa-exec command).
> +
> +If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
> +by aa-exec then -- should be used to separate aa-exec arguments from the
> +command.
> +  aa-exec -p profile1 -- ls -l
> +
> +=head1 OPTIONS
> +B<aa-exec> accepts the following arguments:
> +
> +=over 4
> +
> +=item -p PROFILE, --profile=PROFILE
> +
> +confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
> +use the current profile name (likely unconfined).
> +
> +=item -n NAMESPACE, --namespace=NAMESPACE
> +
> +use profiles in NAMESPACE.  This will result in confinement transitioning
> +to using the new profile namespace.
> +
> +=item -f FILE, --file=FILE
> +
> +a file or directory containing profiles to load before confining the program.
> +
> +=item -i, --immediate
> +
> +transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This
> +subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
> +of the current profile.
> +
> +=item -v, --verbose
> +
> +show commands being performed
> +
> +=item -d, --debug
> +
> +show commands and error codes
> +
> +=item --
> +
> +Signal the end of options and disables further option processing. Any
> +arguments after the -- are treated as arguments of the command.  This is
> +useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
> +aa-exec.
> +
> +=back
> +
> +=head1 BUGS
> +
> +If you find any bugs, please report them at
> +L<https://bugs.launchpad.net/apparmor/+filebug>.
> +
> +=head1 SEE ALSO
> +
> +aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
> +aa_change_onexec(3) and L<http://wiki.apparmor.net>.
> +
> +=cut
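
Review bot: the "=item -f FILE, --file=FILE" entry under OPTIONS documents an option that, per the commit message, the C aa-exec does not implement; drop that item and its description so aa-exec.8 matches the binary. Two POD layout problems are worth fixing while the file is being moved: "=head1 OPTIONS" has no blank line before "B<aa-exec> accepts the following arguments:", so that sentence is absorbed into the heading, and the example "  aa-exec -p profile1 -- ls -l" follows "command." with no blank line, so it is not rendered as a verbatim block. Wording nits in the same text: "pasted" should be "passed", and "before doing executing" should be "before executing".
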
> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> index d0e4b35..892f1c5 100644
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -52,12 +52,12 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
>  ************************************************************************${nl})
>    endif
>  
> -  UTILS_SRC := ../../../utils
> -  AA_EXEC = $(UTILS_SRC)/aa-exec
> +  BINUTILS_SRC := ../../../binutils
> +  AA_EXEC = $(BINUTILS_SRC)/aa-exec
>    ifeq ($(realpath $(AA_EXEC)),)
>          AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
>  ************************************************************************${nl}\
> -$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
> +$(AA_EXEC) is missing; either build the $(BINUTILS_SRC) directory${nl}\
>  and then try again (see the top-level README for help) or use the${nl}\
>  system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
>  ************************************************************************${nl})
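
Review bot: the $(realpath $(AA_EXEC)) test now guards a build product rather than a script that is checked in under utils/, so this error becomes the normal outcome of running the tests on an unbuilt tree. The message still says "see the top-level README for help"; please confirm that the README tells the reader to build binutils, or name the required make step in the message itself.
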
> diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
> index aff53d2..198df43 100644
> --- a/tests/regression/apparmor/uservars.inc.source
> +++ b/tests/regression/apparmor/uservars.inc.source
> @@ -14,4 +14,4 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
>  sys_profiles=/sys/kernel/security/apparmor/profiles
>  
>  # 5. Location of aa-exec
> -aa_exec=${PWD}/../../../utils/aa-exec
> +aa_exec=${PWD}/../../../binutils/aa-exec
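
Review bot: aa_exec now resolves to the C binary, which per the commit message has no --file option, and nothing in this patch shows whether any regression test passes -f or --file through $aa_exec. A grep of tests/regression/apparmor for such uses before this lands would settle it, since any test relying on that option would stop working with this change.
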
> diff --git a/utils/Makefile b/utils/Makefile
> index 4762262..acfddba 100644
> --- a/utils/Makefile
> +++ b/utils/Makefile
> @@ -20,7 +20,7 @@ COMMONDIR=../common/
>  
>  include $(COMMONDIR)/Make.rules
>  
> -PERLTOOLS = aa-exec aa-notify
> +PERLTOOLS = aa-notify
>  PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
>            aa-autodep aa-audit aa-complain aa-enforce aa-disable \
>  	  aa-status aa-unconfined
> diff --git a/utils/aa-exec b/utils/aa-exec
> deleted file mode 100755
> index 23bd3ac..0000000
> --- a/utils/aa-exec
> +++ /dev/null
> @@ -1,122 +0,0 @@
> -#!/usr/bin/perl
> -# ------------------------------------------------------------------
> -#
> -#    Copyright (C) 2011-2013 Canonical Ltd.
> -#
> -#    This program is free software; you can redistribute it and/or
> -#    modify it under the terms of version 2 of the GNU General Public
> -#    License published by the Free Software Foundation.
> -#
> -# ------------------------------------------------------------------
> -
> -use strict;
> -use warnings;
> -use Errno;
> -
> -require LibAppArmor;
> -require POSIX;
> -
> -my $opt_d = '';
> -my $opt_h = '';
> -my $opt_p = '';
> -my $opt_n = '';
> -my $opt_i = '';
> -my $opt_v = '';
> -my $opt_f = '';
> -
> -sub _warn {
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: WARN: $msg\n";
> -}
> -sub _error {
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: ERROR: $msg\n";
> -    exit 1
> -}
> -
> -sub _debug {
> -    $opt_d or return;
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: DEBUG: $msg\n";
> -}
> -
> -sub _verbose {
> -    $opt_v or return;
> -    my $msg = $_[0];
> -    print STDERR "$msg\n";
> -}
> -
> -sub usage() {
> -    my $s = <<'EOF';
> -USAGE: aa-exec [OPTIONS] <prog> <args>
> -
> -Confine <prog> with the specified PROFILE.
> -
> -OPTIONS:
> -  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
> -  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
> -  -f FILE, --file FILE		profile file to load
> -  -i, --immediate		change profile immediately instead of at exec
> -  -v, --verbose			show messages with stats
> -  -h, --help			display this help
> -
> -EOF
> -    print $s;
> -}
> -
> -use Getopt::Long;
> -
> -GetOptions(
> -    'debug|d'        => \$opt_d,
> -    'help|h'         => \$opt_h,
> -    'profile|p=s'    => \$opt_p,
> -    'namespace|n=s'  => \$opt_n,
> -    'file|f=s'       => \$opt_f,
> -    'immediate|i'    => \$opt_i,
> -    'verbose|v'      => \$opt_v,
> -);
> -
> -if ($opt_h) {
> -    usage();
> -    exit(0);
> -}
> -
> -if ($opt_n || $opt_p) {
> -   my $test;
> -   my $prof;
> -
> -   if ($opt_n) {
> -      $prof = ":$opt_n:";
> -   }
> -
> -   $prof .= $opt_p;
> -
> -   if ($opt_f) {
> -       system("apparmor_parser", "-r", "$opt_f") == 0
> -	   or _error("\'aborting could not load $opt_f\'");
> -   }
> -
> -   if ($opt_i) {
> -       _verbose("aa_change_profile(\"$prof\")");
> -       $test = LibAppArmor::aa_change_profile($prof);
> -       _debug("$test = aa_change_profile(\"$prof\"); $!");
> -   } else {
> -       _verbose("aa_change_onexec(\"$prof\")");
> -       $test = LibAppArmor::aa_change_onexec($prof);
> -       _debug("$test = aa_change_onexec(\"$prof\"); $!");
> -   }
> -
> -   if ($test != 0) {
> -       if ($!{ENOENT} || $!{EACCESS}) {
> -	   my $pre = ($opt_p) ? "profile" : "namespace";
> -	   _error("$pre \'$prof\' does not exist\n");
> -       } elsif ($!{EINVAL}) {
> -	   _error("AppArmor interface not available\n");
> -       } else {
> -	   _error("$!\n");
> -       }
> -   }
> -}
> -
> -_verbose("exec @ARGV");
> -exec @ARGV;
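
Review bot: the error branch of the removed script tests "$!{ENOENT} || $!{EACCESS}", and EACCESS is not an errno name (the constant is EACCES), so a permission failure from aa_change_profile or aa_change_onexec never produced the "does not exist" message and fell through to the generic "$!" branch. Since the commit message states that all other features are present in the C aa-exec, please check that the C error mapping tests EACCES and say in the commit message whether the resulting message for that case is intended to change. Also note that the usage text here never listed -d/--debug even though GetOptions accepted it, so the C help output should be compared against the option table rather than against this usage string.
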
> diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod
> deleted file mode 100644
> index 58dedb2..0000000
> --- a/utils/aa-exec.pod
> +++ /dev/null
> @@ -1,97 +0,0 @@
> -# This publication is intellectual property of Canonical Ltd. Its contents
> -# can be duplicated, either in part or in whole, provided that a copyright
> -# label is visibly located on each copy.
> -#
> -# All information found in this book has been compiled with utmost
> -# attention to detail. However, this does not guarantee complete accuracy.
> -# Neither Canonical Ltd, the authors, nor the translators shall be held
> -# liable for possible errors or the consequences thereof.
> -#
> -# Many of the software and hardware descriptions cited in this book
> -# are registered trademarks. All trade names are subject to copyright
> -# restrictions and may be registered trade marks. Canonical Ltd
> -# essentially adheres to the manufacturer's spelling.
> -#
> -# Names of products and trademarks appearing in this book (with or without
> -# specific notation) are likewise subject to trademark and trade protection
> -# laws and may thus fall under copyright restrictions.
> -#
> -
> -
> -=pod
> -
> -=head1 NAME
> -
> -aa-exec - confine a program with the specified AppArmor profile
> -
> -=head1 SYNOPSIS
> -
> -B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
> -
> -=head1 DESCRIPTION
> -
> -B<aa-exec> is used to launch a program confined by the specified profile
> -and or namespace.  If both a profile and namespace are specified command
> -will be confined by profile in the new policy namespace.  If only a namespace
> -is specified, the profile name of the current confinement will be used.  If
> -neither a profile or namespace is specified command will be run using
> -standard profile attachment (ie. as if run without the aa-exec command).
> -
> -If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
> -by aa-exec then -- should be used to separate aa-exec arguments from the
> -command.
> -  aa-exec -p profile1 -- ls -l
> -
> -=head1 OPTIONS
> -B<aa-exec> accepts the following arguments:
> -
> -=over 4
> -
> -=item -p PROFILE, --profile=PROFILE
> -
> -confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
> -use the current profile name (likely unconfined).
> -
> -=item -n NAMESPACE, --namespace=NAMESPACE
> -
> -use profiles in NAMESPACE.  This will result in confinement transitioning
> -to using the new profile namespace.
> -
> -=item -f FILE, --file=FILE
> -
> -a file or directory containing profiles to load before confining the program.
> -
> -=item -i, --immediate
> -
> -transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This
> -subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
> -of the current profile.
> -
> -=item -v, --verbose
> -
> -show commands being performed
> -
> -=item -d, --debug
> -
> -show commands and error codes
> -
> -=item --
> -
> -Signal the end of options and disables further option processing. Any
> -arguments after the -- are treated as arguments of the command.  This is
> -useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
> -aa-exec.
> -
> -=back
> -
> -=head1 BUGS
> -
> -If you find any bugs, please report them at
> -L<https://bugs.launchpad.net/apparmor/+filebug>.
> -
> -=head1 SEE ALSO
> -
> -aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
> -aa_change_onexec(3) and L<http://wiki.apparmor.net>.
> -
> -=cut
> 
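
Review bot: the deleted utils/aa-exec.pod and the new binutils/aa-exec.pod carry the same blob id (58dedb2), so this is a pure move shown as a 97-line delete plus a 97-line add. Generating the patch with rename detection (git format-patch -M) would reduce it to a rename header and make it obvious that the man page text, including the --file entry, was carried over unchanged.
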



