[apparmor] [PATCH v2 5/6] utils: Replace Perl aa-exec with C aa-exec
John Johansen
john.johansen at canonical.com
Thu Dec 17 22:50:05 UTC 2015
On 12/17/2015 02:49 PM, John Johansen wrote:
> On 12/16/2015 07:25 PM, Tyler Hicks wrote:
>> Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
>> binutils/, and point the regression test to the C based aa-exec in
>> binutils/.
>>
>> Note that the new C aa-exec does not implement the --file option which
>> was present in the Perl aa-exec. It encouraged running programs as root,
>> since root privileges were required to load the specified profile.
>>
>> All other features of the Perl aa-exec are present in the C aa-exec.
>>
>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>
> drop the --file option from the man page and you can have my (no need
> to resend the patch)
>
oops, hahaha. I forgot that is the next patch
> Acked-by: John Johansen <john.johansen at canonical.com>
>
>> ---
>> binutils/Makefile | 2 +-
>> binutils/aa-exec.pod | 97 ++++++++++++++++++++
>> tests/regression/apparmor/Makefile | 6 +-
>> tests/regression/apparmor/uservars.inc.source | 2 +-
>> utils/Makefile | 2 +-
>> utils/aa-exec | 122 --------------------------
>> utils/aa-exec.pod | 97 --------------------
>> 7 files changed, 103 insertions(+), 225 deletions(-)
>> create mode 100644 binutils/aa-exec.pod
>> delete mode 100755 utils/aa-exec
>> delete mode 100644 utils/aa-exec.pod
>>
>> diff --git a/binutils/Makefile b/binutils/Makefile
>> index aec2d62..91ae4cd 100644
>> --- a/binutils/Makefile
>> +++ b/binutils/Makefile
>> @@ -20,7 +20,7 @@ include $(COMMONDIR)/Make.rules
>> DESTDIR=/
>> BINDIR=${DESTDIR}bin
>> LOCALEDIR=/usr/share/locale
>> -MANPAGES=aa-enabled.8
>> +MANPAGES=aa-enabled.8 aa-exec.8
>>
>> WARNINGS = -Wall
>> EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
>> diff --git a/binutils/aa-exec.pod b/binutils/aa-exec.pod
>> new file mode 100644
>> index 0000000..58dedb2
>> --- /dev/null
>> +++ b/binutils/aa-exec.pod
>> @@ -0,0 +1,97 @@
>> +# This publication is intellectual property of Canonical Ltd. Its contents
>> +# can be duplicated, either in part or in whole, provided that a copyright
>> +# label is visibly located on each copy.
>> +#
>> +# All information found in this book has been compiled with utmost
>> +# attention to detail. However, this does not guarantee complete accuracy.
>> +# Neither Canonical Ltd, the authors, nor the translators shall be held
>> +# liable for possible errors or the consequences thereof.
>> +#
>> +# Many of the software and hardware descriptions cited in this book
>> +# are registered trademarks. All trade names are subject to copyright
>> +# restrictions and may be registered trade marks. Canonical Ltd
>> +# essentially adheres to the manufacturer's spelling.
>> +#
>> +# Names of products and trademarks appearing in this book (with or without
>> +# specific notation) are likewise subject to trademark and trade protection
>> +# laws and may thus fall under copyright restrictions.
>> +#
>> +
>> +
>> +=pod
>> +
>> +=head1 NAME
>> +
>> +aa-exec - confine a program with the specified AppArmor profile
>> +
>> +=head1 SYNOPSIS
>> +
>> +B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
>> +
>> +=head1 DESCRIPTION
>> +
>> +B<aa-exec> is used to launch a program confined by the specified profile
>> +and or namespace. If both a profile and namespace are specified command
>> +will be confined by profile in the new policy namespace. If only a namespace
>> +is specified, the profile name of the current confinement will be used. If
>> +neither a profile or namespace is specified command will be run using
>> +standard profile attachment (ie. as if run without the aa-exec command).
>> +
>> +If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
>> +by aa-exec then -- should be used to separate aa-exec arguments from the
>> +command.
>> + aa-exec -p profile1 -- ls -l
>> +
>> +=head1 OPTIONS
>> +B<aa-exec> accepts the following arguments:
>> +
>> +=over 4
>> +
>> +=item -p PROFILE, --profile=PROFILE
>> +
>> +confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
>> +use the current profile name (likely unconfined).
>> +
>> +=item -n NAMESPACE, --namespace=NAMESPACE
>> +
>> +use profiles in NAMESPACE. This will result in confinement transitioning
>> +to using the new profile namespace.
>> +
>> +=item -f FILE, --file=FILE
>> +
>> +a file or directory containing profiles to load before confining the program.
>> +
>> +=item -i, --immediate
>> +
>> +transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
>> +subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
>> +of the current profile.
>> +
>> +=item -v, --verbose
>> +
>> +show commands being performed
>> +
>> +=item -d, --debug
>> +
>> +show commands and error codes
>> +
>> +=item --
>> +
>> +Signal the end of options and disables further option processing. Any
>> +arguments after the -- are treated as arguments of the command. This is
>> +useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
>> +aa-exec.
>> +
>> +=back
>> +
>> +=head1 BUGS
>> +
>> +If you find any bugs, please report them at
>> +L<https://bugs.launchpad.net/apparmor/+filebug>.
>> +
>> +=head1 SEE ALSO
>> +
>> +aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
>> +aa_change_onexec(3) and L<http://wiki.apparmor.net>.
>> +
>> +=cut
>> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
>> index d0e4b35..892f1c5 100644
>> --- a/tests/regression/apparmor/Makefile
>> +++ b/tests/regression/apparmor/Makefile
>> @@ -52,12 +52,12 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
>> ************************************************************************${nl})
>> endif
>>
>> - UTILS_SRC := ../../../utils
>> - AA_EXEC = $(UTILS_SRC)/aa-exec
>> + BINUTILS_SRC := ../../../binutils
>> + AA_EXEC = $(BINUTILS_SRC)/aa-exec
>> ifeq ($(realpath $(AA_EXEC)),)
>> AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
>> ************************************************************************${nl}\
>> -$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
>> +$(AA_EXEC) is missing; either build the $(BINUTILS_SRC) directory${nl}\
>> and then try again (see the top-level README for help) or use the${nl}\
>> system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
>> ************************************************************************${nl})
>> diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
>> index aff53d2..198df43 100644
>> --- a/tests/regression/apparmor/uservars.inc.source
>> +++ b/tests/regression/apparmor/uservars.inc.source
>> @@ -14,4 +14,4 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
>> sys_profiles=/sys/kernel/security/apparmor/profiles
>>
>> # 5. Location of aa-exec
>> -aa_exec=${PWD}/../../../utils/aa-exec
>> +aa_exec=${PWD}/../../../binutils/aa-exec
>> diff --git a/utils/Makefile b/utils/Makefile
>> index 4762262..acfddba 100644
>> --- a/utils/Makefile
>> +++ b/utils/Makefile
>> @@ -20,7 +20,7 @@ COMMONDIR=../common/
>>
>> include $(COMMONDIR)/Make.rules
>>
>> -PERLTOOLS = aa-exec aa-notify
>> +PERLTOOLS = aa-notify
>> PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
>> aa-autodep aa-audit aa-complain aa-enforce aa-disable \
>> aa-status aa-unconfined
>> diff --git a/utils/aa-exec b/utils/aa-exec
>> deleted file mode 100755
>> index 23bd3ac..0000000
>> --- a/utils/aa-exec
>> +++ /dev/null
>> @@ -1,122 +0,0 @@
>> -#!/usr/bin/perl
>> -# ------------------------------------------------------------------
>> -#
>> -# Copyright (C) 2011-2013 Canonical Ltd.
>> -#
>> -# This program is free software; you can redistribute it and/or
>> -# modify it under the terms of version 2 of the GNU General Public
>> -# License published by the Free Software Foundation.
>> -#
>> -# ------------------------------------------------------------------
>> -
>> -use strict;
>> -use warnings;
>> -use Errno;
>> -
>> -require LibAppArmor;
>> -require POSIX;
>> -
>> -my $opt_d = '';
>> -my $opt_h = '';
>> -my $opt_p = '';
>> -my $opt_n = '';
>> -my $opt_i = '';
>> -my $opt_v = '';
>> -my $opt_f = '';
>> -
>> -sub _warn {
>> - my $msg = $_[0];
>> - print STDERR "aa-exec: WARN: $msg\n";
>> -}
>> -sub _error {
>> - my $msg = $_[0];
>> - print STDERR "aa-exec: ERROR: $msg\n";
>> - exit 1
>> -}
>> -
>> -sub _debug {
>> - $opt_d or return;
>> - my $msg = $_[0];
>> - print STDERR "aa-exec: DEBUG: $msg\n";
>> -}
>> -
>> -sub _verbose {
>> - $opt_v or return;
>> - my $msg = $_[0];
>> - print STDERR "$msg\n";
>> -}
>> -
>> -sub usage() {
>> - my $s = <<'EOF';
>> -USAGE: aa-exec [OPTIONS] <prog> <args>
>> -
>> -Confine <prog> with the specified PROFILE.
>> -
>> -OPTIONS:
>> - -p PROFILE, --profile=PROFILE PROFILE to confine <prog> with
>> - -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in
>> - -f FILE, --file FILE profile file to load
>> - -i, --immediate change profile immediately instead of at exec
>> - -v, --verbose show messages with stats
>> - -h, --help display this help
>> -
>> -EOF
>> - print $s;
>> -}
>> -
>> -use Getopt::Long;
>> -
>> -GetOptions(
>> - 'debug|d' => \$opt_d,
>> - 'help|h' => \$opt_h,
>> - 'profile|p=s' => \$opt_p,
>> - 'namespace|n=s' => \$opt_n,
>> - 'file|f=s' => \$opt_f,
>> - 'immediate|i' => \$opt_i,
>> - 'verbose|v' => \$opt_v,
>> -);
>> -
>> -if ($opt_h) {
>> - usage();
>> - exit(0);
>> -}
>> -
>> -if ($opt_n || $opt_p) {
>> - my $test;
>> - my $prof;
>> -
>> - if ($opt_n) {
>> - $prof = ":$opt_n:";
>> - }
>> -
>> - $prof .= $opt_p;
>> -
>> - if ($opt_f) {
>> - system("apparmor_parser", "-r", "$opt_f") == 0
>> - or _error("\'aborting could not load $opt_f\'");
>> - }
>> -
>> - if ($opt_i) {
>> - _verbose("aa_change_profile(\"$prof\")");
>> - $test = LibAppArmor::aa_change_profile($prof);
>> - _debug("$test = aa_change_profile(\"$prof\"); $!");
>> - } else {
>> - _verbose("aa_change_onexec(\"$prof\")");
>> - $test = LibAppArmor::aa_change_onexec($prof);
>> - _debug("$test = aa_change_onexec(\"$prof\"); $!");
>> - }
>> -
>> - if ($test != 0) {
>> - if ($!{ENOENT} || $!{EACCESS}) {
>> - my $pre = ($opt_p) ? "profile" : "namespace";
>> - _error("$pre \'$prof\' does not exist\n");
>> - } elsif ($!{EINVAL}) {
>> - _error("AppArmor interface not available\n");
>> - } else {
>> - _error("$!\n");
>> - }
>> - }
>> -}
>> -
>> -_verbose("exec @ARGV");
>> -exec @ARGV;
>> diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod
>> deleted file mode 100644
>> index 58dedb2..0000000
>> --- a/utils/aa-exec.pod
>> +++ /dev/null
>> @@ -1,97 +0,0 @@
>> -# This publication is intellectual property of Canonical Ltd. Its contents
>> -# can be duplicated, either in part or in whole, provided that a copyright
>> -# label is visibly located on each copy.
>> -#
>> -# All information found in this book has been compiled with utmost
>> -# attention to detail. However, this does not guarantee complete accuracy.
>> -# Neither Canonical Ltd, the authors, nor the translators shall be held
>> -# liable for possible errors or the consequences thereof.
>> -#
>> -# Many of the software and hardware descriptions cited in this book
>> -# are registered trademarks. All trade names are subject to copyright
>> -# restrictions and may be registered trade marks. Canonical Ltd
>> -# essentially adheres to the manufacturer's spelling.
>> -#
>> -# Names of products and trademarks appearing in this book (with or without
>> -# specific notation) are likewise subject to trademark and trade protection
>> -# laws and may thus fall under copyright restrictions.
>> -#
>> -
>> -
>> -=pod
>> -
>> -=head1 NAME
>> -
>> -aa-exec - confine a program with the specified AppArmor profile
>> -
>> -=head1 SYNOPSIS
>> -
>> -B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
>> -
>> -=head1 DESCRIPTION
>> -
>> -B<aa-exec> is used to launch a program confined by the specified profile
>> -and or namespace. If both a profile and namespace are specified command
>> -will be confined by profile in the new policy namespace. If only a namespace
>> -is specified, the profile name of the current confinement will be used. If
>> -neither a profile or namespace is specified command will be run using
>> -standard profile attachment (ie. as if run without the aa-exec command).
>> -
>> -If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
>> -by aa-exec then -- should be used to separate aa-exec arguments from the
>> -command.
>> - aa-exec -p profile1 -- ls -l
>> -
>> -=head1 OPTIONS
>> -B<aa-exec> accepts the following arguments:
>> -
>> -=over 4
>> -
>> -=item -p PROFILE, --profile=PROFILE
>> -
>> -confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
>> -use the current profile name (likely unconfined).
>> -
>> -=item -n NAMESPACE, --namespace=NAMESPACE
>> -
>> -use profiles in NAMESPACE. This will result in confinement transitioning
>> -to using the new profile namespace.
>> -
>> -=item -f FILE, --file=FILE
>> -
>> -a file or directory containing profiles to load before confining the program.
>> -
>> -=item -i, --immediate
>> -
>> -transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
>> -subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
>> -of the current profile.
>> -
>> -=item -v, --verbose
>> -
>> -show commands being performed
>> -
>> -=item -d, --debug
>> -
>> -show commands and error codes
>> -
>> -=item --
>> -
>> -Signal the end of options and disables further option processing. Any
>> -arguments after the -- are treated as arguments of the command. This is
>> -useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
>> -aa-exec.
>> -
>> -=back
>> -
>> -=head1 BUGS
>> -
>> -If you find any bugs, please report them at
>> -L<https://bugs.launchpad.net/apparmor/+filebug>.
>> -
>> -=head1 SEE ALSO
>> -
>> -aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
>> -aa_change_onexec(3) and L<http://wiki.apparmor.net>.
>> -
>> -=cut
>>
>
>
More information about the AppArmor
mailing list