[apparmor] [PATCH v2 38/42] libapparmor: Move the aa_kernel_interface API

John Johansen john.johansen at canonical.com
Thu Mar 12 12:06:18 UTC 2015


On 03/06/2015 01:48 PM, Tyler Hicks wrote:
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  libraries/libapparmor/include/sys/apparmor.h |  23 ++
>  libraries/libapparmor/src/Makefile.am        |   2 +-
>  libraries/libapparmor/src/kernel_interface.c | 393 ++++++++++++++++++++++++++
>  libraries/libapparmor/src/libapparmor.map    |  11 +
>  parser/Makefile                              |   7 +-
>  parser/kernel_interface.c                    | 395 ---------------------------
>  parser/kernel_interface.h                    |  50 ----
>  parser/parser.h                              |   3 +-
>  parser/parser_interface.c                    |   2 +-
>  parser/parser_main.c                         |   1 -
>  parser/parser_policy.c                       |   2 +-
>  11 files changed, 434 insertions(+), 455 deletions(-)
>  create mode 100644 libraries/libapparmor/src/kernel_interface.c
>  delete mode 100644 parser/kernel_interface.c
>  delete mode 100644 parser/kernel_interface.h
> 
> diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
> index 34507e4..f7ff1a7 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -116,6 +116,29 @@ int aa_features_write_to_file(aa_features *features, const char *path);
>  bool aa_features_is_equal(aa_features *features1, aa_features *features2);
>  bool aa_features_supports(aa_features *features, char *str);
>  
> +typedef struct aa_kernel_interface aa_kernel_interface;
> +int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
> +			    aa_features *kernel_features,
> +			    const char *apparmorfs);
> +aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
> +void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
> +
> +int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
> +				    const char *buffer, size_t size);
> +int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
> +					      const char *path);
> +int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
> +					    int fd);
> +int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
> +				       const char *buffer, size_t size);
> +int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
> +						 const char *path);
> +int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
> +					       int fd);
> +int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
> +				      const char *fqname);
> +int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);
> +
>  __END_DECLS
>  
>  #endif	/* sys/apparmor.h */
> diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
> index a43109d..86996dd 100644
> --- a/libraries/libapparmor/src/Makefile.am
> +++ b/libraries/libapparmor/src/Makefile.am
> @@ -48,7 +48,7 @@ af_protos.h: /usr/include/netinet/in.h
>  lib_LTLIBRARIES = libapparmor.la
>  noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h
>  
> -libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c
> +libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c
>  libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
>  	-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
>  
> diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
> new file mode 100644
> index 0000000..f142b8d
> --- /dev/null
> +++ b/libraries/libapparmor/src/kernel_interface.c
> @@ -0,0 +1,393 @@
> +/*
> + *   Copyright (c) 2014
> + *   Canonical, Ltd. (All rights reserved)
> + *
> + *   This program is free software; you can redistribute it and/or
> + *   modify it under the terms of version 2 of the GNU General Public
> + *   License published by the Free Software Foundation.
> + *
> + *   This program is distributed in the hope that it will be useful,
> + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *   GNU General Public License for more details.
> + *
> + *   You should have received a copy of the GNU General Public License
> + *   along with this program; if not, contact Novell, Inc. or Canonical
> + *   Ltd.
> + */
> +
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/stat.h>
> +#include <sys/types.h>
> +#include <unistd.h>
> +#include <sys/apparmor.h>
> +
> +#include "private.h"
> +
> +#define DEFAULT_APPARMORFS "/sys/kernel/security/apparmor"
> +
> +struct aa_kernel_interface {
> +	unsigned int ref_count;
> +	bool supports_setload;
> +	int dirfd;
> +};
> +
> +/**
> + * find_iface_dir - find where the apparmor interface is located
> + * @dir - RETURNs: stored location of interface director
> + *
> + * Returns: 0 on success, -1 with errno set if there is an error
> + */
> +static int find_iface_dir(char **dir)
> +{
> +	if (aa_find_mountpoint(dir) == -1) {
> +		struct stat buf;
> +		if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
> +			return -1;
> +		} else {
> +			*dir = strdup(DEFAULT_APPARMORFS);
> +			if (*dir == NULL)
> +				return -1;
> +		}
> +	}
> +
> +	return 0;
> +}
> +
> +/* bleah the kernel should just loop and do multiple load, but to support
> + * older systems we need to do this
> + */
> +#define PROFILE_HEADER_SIZE
> +static char header_version[] = "\x04\x08\x00version";
> +
> +static const char *next_profile_buffer(const char *buffer, int size)
> +{
> +	const char *b = buffer;
> +
> +	for (; size - sizeof(header_version); b++, size--) {
> +		if (memcmp(b, header_version, sizeof(header_version)) == 0) {
> +			return b;
> +		}
> +	}
> +	return NULL;
> +}
> +
> +static int write_buffer(int fd, const char *buffer, int size)
> +{
> +	int wsize = write(fd, buffer, size);
> +	if (wsize < 0) {
> +		return -1;
> +	} else if (wsize < size) {
> +		errno = EPROTO;
> +		return -1;
> +	}
> +	return 0;
> +}
> +
> +/**
> + * write_policy_buffer - load compiled policy into the kernel
> + * @fd: kernel iterface to write to
> + * @atomic: whether to load all policy in buffer atomically (true)
> + * @buffer: buffer of policy to load
> + * @size: the size of the data in the buffer
> + *
> + * Returns: 0 if the buffer loaded correctly
> + *         -1 if the load failed with errno set to the error
> + *
> + * @atomic should only be set to true if the kernel supports atomic profile
> + * set loads, otherwise only the 1st profile in the buffer will be loaded
> + * (older kernels only support loading one profile at a time).
> + */
> +static int write_policy_buffer(int fd, int atomic,
> +			       const char *buffer, size_t size)
> +{
> +	size_t bsize;
> +	int rc;
> +
> +	if (atomic) {
> +		rc = write_buffer(fd, buffer, size);
> +	} else {
> +		const char *b, *next;
> +
> +		rc = 0;	/* in case there are no profiles */
> +		for (b = buffer; b; b = next, size -= bsize) {
> +			next = next_profile_buffer(b + sizeof(header_version),
> +						   size);
> +			if (next)
> +				bsize = next - b;
> +			else
> +				bsize = size;
> +			if (write_buffer(fd, b, bsize) == -1)
> +				return -1;
> +		}
> +	}
> +
> +	if (rc)
> +		return -1;
> +
> +	return 0;
> +}
> +
> +#define AA_IFACE_FILE_LOAD	".load"
> +#define AA_IFACE_FILE_REMOVE	".remove"
> +#define AA_IFACE_FILE_REPLACE	".replace"
> +
> +static int write_policy_buffer_to_iface(aa_kernel_interface *kernel_interface,
> +					const char *iface_file,
> +					const char *buffer, size_t size)
> +{
> +	autoclose int fd = -1;
> +
> +	fd = openat(kernel_interface->dirfd, iface_file, O_WRONLY | O_CLOEXEC);
> +	if (fd == -1)
> +		return -1;
> +
> +	return write_policy_buffer(fd, kernel_interface->supports_setload,
> +				   buffer, size);
> +}
> +
> +static int write_policy_fd_to_iface(aa_kernel_interface *kernel_interface,
> +				    const char *iface_file, int fd)
> +{
> +	autofree char *buffer = NULL;
> +	int size = 0, asize = 0, rsize;
> +	int chunksize = 1 << 14;
> +
> +	do {
> +		if (asize - size == 0) {
> +			buffer = (char *) realloc(buffer, chunksize);
> +			asize = chunksize;
> +			chunksize <<= 1;
> +			if (!buffer) {
> +				errno = ENOMEM;
> +				return -1;
> +			}
> +		}
> +
> +		rsize = read(fd, buffer + size, asize - size);
> +		if (rsize)
> +			size += rsize;
> +	} while (rsize > 0);
> +
> +	if (rsize == -1)
> +		return -1;
> +
> +	return write_policy_buffer_to_iface(kernel_interface, iface_file,
> +					    buffer, size);
> +}
> +
> +static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
> +				      const char *iface_file, const char *path)
> +{
> +	autoclose int fd;
> +
> +	fd = open(path, O_RDONLY);
> +	if (fd == -1)
> +		return -1;
> +
> +	return write_policy_fd_to_iface(kernel_interface, iface_file, fd);
> +}
> +
> +/**
> + * aa_kernel_interface_new - create a new kernel_interface from an optional path
> + * @kernel_interface: will point to the address of an allocated and initialized
> + *                    aa_kernel_interface object upon success
> + * @kernel_features: features representing the currently running kernel
> + * @apparmorfs: path to the apparmor directory of the mounted securityfs (can
> + *              be NULL and the path will be auto discovered)
> + *
> + * Returns: 0 on success, -1 on error with errnot set and *@kernel_interface
> + *          pointing to NULL
> + */
> +int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
> +			    aa_features *kernel_features,
> +			    const char *apparmorfs)
> +{
> +	aa_kernel_interface *ki;
> +	autofree char *alloced_apparmorfs = NULL;
> +	char set_load[] = "policy/set_load";
> +
> +	*kernel_interface = NULL;
> +
> +	ki = (aa_kernel_interface *) calloc(1, sizeof(*ki));
> +	if (!ki) {
> +		errno = ENOMEM;
> +		return -1;
> +	}
> +	aa_kernel_interface_ref(ki);
> +	ki->dirfd = -1;
> +
> +	ki->supports_setload = kernel_features ?
> +			       aa_features_supports(kernel_features, set_load) :
> +			       false;
> +
> +	if (!apparmorfs) {
> +		if (find_iface_dir(&alloced_apparmorfs) == -1) {
> +			int save = errno;
> +
> +			alloced_apparmorfs = NULL;
> +			aa_kernel_interface_unref(ki);
> +			errno = save;
> +			return -1;
> +		}
> +		/* alloced_apparmorfs will be autofree'ed */
> +		apparmorfs = alloced_apparmorfs;
> +	}
> +
> +	ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
> +	if (ki->dirfd < 0) {
> +		int save = errno;
> +
> +		aa_kernel_interface_unref(ki);
> +		errno = save;
> +		return -1;
> +	}
> +
> +	*kernel_interface = ki;
> +
> +	return 0;
> +}
> +
> +/**
> + * aa_kernel_interface_ref - increments the ref count of a kernel_interface
> + * @kernel_interface: the kernel_interface
> + *
> + * Returns: the kernel_interface
> + */
> +aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface)
> +{
> +	atomic_inc(&kernel_interface->ref_count);
> +	return kernel_interface;
> +}
> +
> +/**
> + * aa_kernel_interface_unref - decrements the ref count and frees the kernel_interface when 0
> + * @kernel_interface: the kernel_interface (can be NULL)
> + */
> +void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
> +{
> +	if (kernel_interface &&
> +	    atomic_dec_and_test(&kernel_interface->ref_count)) {
> +		close(kernel_interface->dirfd);
> +		free(kernel_interface);
> +	}
> +}
> +
> +/**
> + * aa_kernel_interface_load_policy - load a policy into the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @buffer: a buffer containing a policy
> + * @size: the size of the buffer
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
> +				    const char *buffer, size_t size)
> +{
> +	return write_policy_buffer_to_iface(kernel_interface,
> +					    AA_IFACE_FILE_LOAD, buffer, size);
> +}
> +
> +/**
> + * aa_kernel_interface_load_policy_from_file - load a policy into the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @path: path to a policy binary
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
> +					      const char *path)
> +{
> +	return write_policy_file_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
> +					  path);
> +}
> +
> +/**
> + * aa_kernel_interface_load_policy_from_fd - load a policy into the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @fd: a pre-opened, readable file descriptor at the correct offset
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
> +					    int fd)
> +{
> +	return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
> +					fd);
> +}
> +
> +/**
> + * aa_kernel_interface_replace_policy - replace a policy in the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @buffer: a buffer containing a policy
> + * @size: the size of the buffer
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
> +				       const char *buffer, size_t size)
> +{
> +	return write_policy_buffer_to_iface(kernel_interface,
> +					    AA_IFACE_FILE_REPLACE,
> +					    buffer, size);
> +}
> +
> +/**
> + * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @path: path to a policy binary
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
> +						 const char *path)
> +{
> +	return write_policy_file_to_iface(kernel_interface,
> +					  AA_IFACE_FILE_REPLACE, path);
> +}
> +
> +/**
> + * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @fd: a pre-opened, readable file descriptor at the correct offset
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
> +					       int fd)
> +{
> +	return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_REPLACE,
> +					fd);
> +}
> +
> +/**
> + * aa_kernel_interface_remove_policy - remove a policy from the kernel
> + * @kernel_interface: valid aa_kernel_interface
> + * @fqname: nul-terminated fully qualified name of the policy to remove
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
> +				      const char *fqname)
> +{
> +	return write_policy_buffer_to_iface(kernel_interface,
> +					    AA_IFACE_FILE_REMOVE,
> +					    fqname, strlen(fqname) + 1);
> +}
> +
> +/**
> + * aa_kernel_interface_write_policy - write a policy to a file descriptor
> + * @fd: a pre-opened, writeable file descriptor at the correct offset
> + * @buffer: a buffer containing a policy
> + * @size: the size of the buffer
> + *
> + * Returns: 0 on success, -1 on error with errno set
> + */
> +int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size)
> +{
> +	return write_policy_buffer(fd, 1, buffer, size);
> +}
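Review bot: `next_profile_buffer` reads past the end of the policy buffer. `write_policy_buffer` calls it on `b + sizeof(header_version)` but passes the byte count measured from `b`, so the scan and its `memcmp` window run `sizeof(header_version)` bytes beyond the buffer, and because the loop condition `size - sizeof(header_version)` is evaluated in `size_t`, a `size` smaller than `sizeof(header_version)` (an empty or short buffer on a kernel without set_load) wraps and the loop runs unbounded until `memcmp` faults or matches stray memory. These buffers arrive through the public `aa_kernel_interface_load_policy` / `_replace_policy` entry points, so the helper should take a `size_t`, stop once fewer than a full header remains, and the caller should pass the length remaining from the search start, as below. Secondarily, `write_policy_fd_to_iface` does `buffer = (char *) realloc(buffer, chunksize)`, which overwrites the only pointer to the old allocation so a failed `realloc` leaks it (`autofree` then frees NULL); keep the result in a temporary, e.g. `char *tmp = realloc(buffer, chunksize); if (!tmp) return -1; buffer = tmp;`. `write_buffer` also takes `int size` while every caller passes a `size_t`, which silently truncates large policies and reports a spurious short write.
```c
static const char *next_profile_buffer(const char *buffer, size_t size)
{
	const char *b = buffer;

	/* stop once fewer than a full header remains so memcmp stays in bounds */
	for (; size >= sizeof(header_version); b++, size--) {
		if (memcmp(b, header_version, sizeof(header_version)) == 0)
			return b;
	}
	return NULL;
}

/* … unchanged: write_buffer … */

		for (b = buffer; b; b = next, size -= bsize) {
			/* search only the bytes that remain after the current header */
			next = size > sizeof(header_version) ?
			       next_profile_buffer(b + sizeof(header_version),
						   size - sizeof(header_version)) :
			       NULL;
			/* … unchanged: bsize computation and write_buffer call … */
		}
```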
> diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
> index d0020c7..5b06b54 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -71,6 +71,17 @@ APPARMOR_2.10 {
>          aa_features_supports_signal;
>          aa_features_supports_ptrace;
>          aa_features_supports_diff_encode;
> +        aa_kernel_interface_new;
> +        aa_kernel_interface_ref;
> +        aa_kernel_interface_unref;
> +        aa_kernel_interface_load_policy;
> +        aa_kernel_interface_load_policy_from_file;
> +        aa_kernel_interface_load_policy_from_fd;
> +        aa_kernel_interface_replace_policy;
> +        aa_kernel_interface_replace_policy_from_file;
> +        aa_kernel_interface_replace_policy_from_fd;
> +        aa_kernel_interface_remove_policy;
> +        aa_kernel_interface_write_policy;
>    local:
>          *;
>  } APPARMOR_2.9;
> diff --git a/parser/Makefile b/parser/Makefile
> index 120672f..c4a4224 100644
> --- a/parser/Makefile
> +++ b/parser/Makefile
> @@ -75,10 +75,10 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
>         parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
>         parser_alias.c common_optarg.c lib.c network.c \
>         mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
> -       af_rule.cc af_unix.cc policy_cache.c kernel_interface.c
> +       af_rule.cc af_unix.cc policy_cache.c
>  HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
>         rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
> -       policy_cache.h kernel_interface.h
> +       policy_cache.h
>  TOOLS = apparmor_parser
>  
>  OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
> @@ -240,9 +240,6 @@ common_optarg.o: common_optarg.c common_optarg.h parser.h libapparmor_re/apparmo
>  policy_cache.o: policy_cache.c policy_cache.h parser.h
>  	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>  
> -kernel_interface.o: kernel_interface.c kernel_interface.h
> -	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
> -
>  lib.o: lib.c lib.h parser.h
>  	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>  
> diff --git a/parser/kernel_interface.c b/parser/kernel_interface.c
> deleted file mode 100644
> index c046e0e..0000000
> --- a/parser/kernel_interface.c
> +++ /dev/null
> @@ -1,395 +0,0 @@
> -/*
> - *   Copyright (c) 2014
> - *   Canonical, Ltd. (All rights reserved)
> - *
> - *   This program is free software; you can redistribute it and/or
> - *   modify it under the terms of version 2 of the GNU General Public
> - *   License published by the Free Software Foundation.
> - *
> - *   This program is distributed in the hope that it will be useful,
> - *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> - *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> - *   GNU General Public License for more details.
> - *
> - *   You should have received a copy of the GNU General Public License
> - *   along with this program; if not, contact Novell, Inc. or Canonical
> - *   Ltd.
> - */
> -
> -#include <errno.h>
> -#include <fcntl.h>
> -#include <stdio.h>
> -#include <stdlib.h>
> -#include <string.h>
> -#include <sys/stat.h>
> -#include <sys/types.h>
> -#include <sys/apparmor.h>
> -#include <unistd.h>
> -
> -#include "kernel_interface.h"
> -#include "lib.h"
> -#include "parser.h"
> -
> -#define DEFAULT_APPARMORFS "/sys/kernel/security/apparmor"
> -
> -struct aa_kernel_interface {
> -	unsigned int ref_count;
> -	bool supports_setload;
> -	int dirfd;
> -};
> -
> -/**
> - * find_iface_dir - find where the apparmor interface is located
> - * @dir - RETURNs: stored location of interface director
> - *
> - * Returns: 0 on success, -1 with errno set if there is an error
> - */
> -static int find_iface_dir(char **dir)
> -{
> -	if (aa_find_mountpoint(dir) == -1) {
> -		struct stat buf;
> -		if (stat(DEFAULT_APPARMORFS, &buf) == -1) {
> -			return -1;
> -		} else {
> -			*dir = strdup(DEFAULT_APPARMORFS);
> -			if (*dir == NULL)
> -				return -1;
> -		}
> -	}
> -
> -	return 0;
> -}
> -
> -/* bleah the kernel should just loop and do multiple load, but to support
> - * older systems we need to do this
> - */
> -#define PROFILE_HEADER_SIZE
> -static char header_version[] = "\x04\x08\x00version";
> -
> -static const char *next_profile_buffer(const char *buffer, int size)
> -{
> -	const char *b = buffer;
> -
> -	for (; size - sizeof(header_version); b++, size--) {
> -		if (memcmp(b, header_version, sizeof(header_version)) == 0) {
> -			return b;
> -		}
> -	}
> -	return NULL;
> -}
> -
> -static int write_buffer(int fd, const char *buffer, int size)
> -{
> -	int wsize = write(fd, buffer, size);
> -	if (wsize < 0) {
> -		return -1;
> -	} else if (wsize < size) {
> -		errno = EPROTO;
> -		return -1;
> -	}
> -	return 0;
> -}
> -
> -/**
> - * write_policy_buffer - load compiled policy into the kernel
> - * @fd: kernel iterface to write to
> - * @atomic: whether to load all policy in buffer atomically (true)
> - * @buffer: buffer of policy to load
> - * @size: the size of the data in the buffer
> - *
> - * Returns: 0 if the buffer loaded correctly
> - *         -1 if the load failed with errno set to the error
> - *
> - * @atomic should only be set to true if the kernel supports atomic profile
> - * set loads, otherwise only the 1st profile in the buffer will be loaded
> - * (older kernels only support loading one profile at a time).
> - */
> -static int write_policy_buffer(int fd, int atomic,
> -			       const char *buffer, size_t size)
> -{
> -	size_t bsize;
> -	int rc;
> -
> -	if (atomic) {
> -		rc = write_buffer(fd, buffer, size);
> -	} else {
> -		const char *b, *next;
> -
> -		rc = 0;	/* in case there are no profiles */
> -		for (b = buffer; b; b = next, size -= bsize) {
> -			next = next_profile_buffer(b + sizeof(header_version),
> -						   size);
> -			if (next)
> -				bsize = next - b;
> -			else
> -				bsize = size;
> -			if (write_buffer(fd, b, bsize) == -1)
> -				return -1;
> -		}
> -	}
> -
> -	if (rc)
> -		return -1;
> -
> -	return 0;
> -}
> -
> -#define AA_IFACE_FILE_LOAD	".load"
> -#define AA_IFACE_FILE_REMOVE	".remove"
> -#define AA_IFACE_FILE_REPLACE	".replace"
> -
> -static int write_policy_buffer_to_iface(aa_kernel_interface *kernel_interface,
> -					const char *iface_file,
> -					const char *buffer, size_t size)
> -{
> -	autoclose int fd = -1;
> -
> -	fd = openat(kernel_interface->dirfd, iface_file, O_WRONLY | O_CLOEXEC);
> -	if (fd == -1)
> -		return -1;
> -
> -	return write_policy_buffer(fd, kernel_interface->supports_setload,
> -				   buffer, size);
> -}
> -
> -static int write_policy_fd_to_iface(aa_kernel_interface *kernel_interface,
> -				    const char *iface_file, int fd)
> -{
> -	autofree char *buffer = NULL;
> -	int size = 0, asize = 0, rsize;
> -	int chunksize = 1 << 14;
> -
> -	do {
> -		if (asize - size == 0) {
> -			buffer = (char *) realloc(buffer, chunksize);
> -			asize = chunksize;
> -			chunksize <<= 1;
> -			if (!buffer) {
> -				errno = ENOMEM;
> -				return -1;
> -			}
> -		}
> -
> -		rsize = read(fd, buffer + size, asize - size);
> -		if (rsize)
> -			size += rsize;
> -	} while (rsize > 0);
> -
> -	if (rsize == -1)
> -		return -1;
> -
> -	return write_policy_buffer_to_iface(kernel_interface, iface_file,
> -					    buffer, size);
> -}
> -
> -static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
> -				      const char *iface_file, const char *path)
> -{
> -	autoclose int fd;
> -
> -	fd = open(path, O_RDONLY);
> -	if (fd == -1)
> -		return -1;
> -
> -	return write_policy_fd_to_iface(kernel_interface, iface_file, fd);
> -}
> -
> -/**
> - * aa_kernel_interface_new - create a new kernel_interface from an optional path
> - * @kernel_interface: will point to the address of an allocated and initialized
> - *                    aa_kernel_interface object upon success
> - * @kernel_features: features representing the currently running kernel
> - * @apparmorfs: path to the apparmor directory of the mounted securityfs (can
> - *              be NULL and the path will be auto discovered)
> - *
> - * Returns: 0 on success, -1 on error with errnot set and *@kernel_interface
> - *          pointing to NULL
> - */
> -int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
> -			    aa_features *kernel_features,
> -			    const char *apparmorfs)
> -{
> -	aa_kernel_interface *ki;
> -	autofree char *alloced_apparmorfs = NULL;
> -	char set_load[] = "policy/set_load";
> -
> -	*kernel_interface = NULL;
> -
> -	ki = (aa_kernel_interface *) calloc(1, sizeof(*ki));
> -	if (!ki) {
> -		errno = ENOMEM;
> -		return -1;
> -	}
> -	aa_kernel_interface_ref(ki);
> -	ki->dirfd = -1;
> -
> -	ki->supports_setload = kernel_features ?
> -			       aa_features_supports(kernel_features, set_load) :
> -			       false;
> -
> -	if (!apparmorfs) {
> -		if (find_iface_dir(&alloced_apparmorfs) == -1) {
> -			int save = errno;
> -
> -			alloced_apparmorfs = NULL;
> -			aa_kernel_interface_unref(ki);
> -			errno = save;
> -			return -1;
> -		}
> -		/* alloced_apparmorfs will be autofree'ed */
> -		apparmorfs = alloced_apparmorfs;
> -	}
> -
> -	ki->dirfd = open(apparmorfs, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
> -	if (ki->dirfd < 0) {
> -		int save = errno;
> -
> -		aa_kernel_interface_unref(ki);
> -		errno = save;
> -		return -1;
> -	}
> -
> -	*kernel_interface = ki;
> -
> -	return 0;
> -}
> -
> -/**
> - * aa_kernel_interface_ref - increments the ref count of a kernel_interface
> - * @kernel_interface: the kernel_interface
> - *
> - * Returns: the kernel_interface
> - */
> -aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface)
> -{
> -	atomic_inc(&kernel_interface->ref_count);
> -	return kernel_interface;
> -}
> -
> -/**
> - * aa_kernel_interface_unref - decrements the ref count and frees the kernel_interface when 0
> - * @kernel_interface: the kernel_interface (can be NULL)
> - */
> -void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
> -{
> -	if (kernel_interface &&
> -	    atomic_dec_and_test(&kernel_interface->ref_count)) {
> -		close(kernel_interface->dirfd);
> -		free(kernel_interface);
> -	}
> -}
> -
> -/**
> - * aa_kernel_interface_load_policy - load a policy into the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @buffer: a buffer containing a policy
> - * @size: the size of the buffer
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
> -				    const char *buffer, size_t size)
> -{
> -	return write_policy_buffer_to_iface(kernel_interface,
> -					    AA_IFACE_FILE_LOAD, buffer, size);
> -}
> -
> -/**
> - * aa_kernel_interface_load_policy_from_file - load a policy into the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @path: path to a policy binary
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
> -					      const char *path)
> -{
> -	return write_policy_file_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
> -					  path);
> -}
> -
> -/**
> - * aa_kernel_interface_load_policy_from_fd - load a policy into the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @fd: a pre-opened, readable file descriptor at the correct offset
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
> -					    int fd)
> -{
> -	return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
> -					fd);
> -}
> -
> -/**
> - * aa_kernel_interface_replace_policy - replace a policy in the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @buffer: a buffer containing a policy
> - * @size: the size of the buffer
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
> -				       const char *buffer, size_t size)
> -{
> -	return write_policy_buffer_to_iface(kernel_interface,
> -					    AA_IFACE_FILE_REPLACE,
> -					    buffer, size);
> -}
> -
> -/**
> - * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @path: path to a policy binary
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
> -						 const char *path)
> -{
> -	return write_policy_file_to_iface(kernel_interface,
> -					  AA_IFACE_FILE_REPLACE, path);
> -}
> -
> -/**
> - * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @fd: a pre-opened, readable file descriptor at the correct offset
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
> -					       int fd)
> -{
> -	return write_policy_fd_to_iface(kernel_interface, AA_IFACE_FILE_REPLACE,
> -					fd);
> -}
> -
> -/**
> - * aa_kernel_interface_remove_policy - remove a policy from the kernel
> - * @kernel_interface: valid aa_kernel_interface
> - * @fqname: nul-terminated fully qualified name of the policy to remove
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
> -				      const char *fqname)
> -{
> -	return write_policy_buffer_to_iface(kernel_interface,
> -					    AA_IFACE_FILE_REMOVE,
> -					    fqname, strlen(fqname) + 1);
> -}
> -
> -/**
> - * aa_kernel_interface_write_policy - write a policy to a file descriptor
> - * @fd: a pre-opened, writeable file descriptor at the correct offset
> - * @buffer: a buffer containing a policy
> - * @size: the size of the buffer
> - *
> - * Returns: 0 on success, -1 on error with errno set
> - */
> -int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size)
> -{
> -	return write_policy_buffer(fd, 1, buffer, size);
> -}
> diff --git a/parser/kernel_interface.h b/parser/kernel_interface.h
> deleted file mode 100644
> index 8e210d1..0000000
> --- a/parser/kernel_interface.h
> +++ /dev/null
> @@ -1,50 +0,0 @@
> -/*
> - *   Copyright (c) 2014
> - *   Canonical, Ltd. (All rights reserved)
> - *
> - *   This program is free software; you can redistribute it and/or
> - *   modify it under the terms of version 2 of the GNU General Public
> - *   License published by the Free Software Foundation.
> - *
> - *   This program is distributed in the hope that it will be useful,
> - *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> - *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> - *   GNU General Public License for more details.
> - *
> - *   You should have received a copy of the GNU General Public License
> - *   along with this program; if not, contact Novell, Inc. or Canonical
> - *   Ltd.
> - */
> -
> -#ifndef __AA_KERNEL_INTERFACE_H
> -#define __AA_KERNEL_INTERFACE_H
> -
> -#include <sys/apparmor.h>
> -
> -#include "features.h"
> -
> -typedef struct aa_kernel_interface aa_kernel_interface;
> -
> -int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
> -			    aa_features *kernel_features,
> -			    const char *apparmorfs);
> -aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
> -void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
> -
> -int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
> -				    const char *buffer, size_t size);
> -int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
> -					      const char *path);
> -int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
> -					    int fd);
> -int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
> -				       const char *buffer, size_t size);
> -int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
> -						 const char *path);
> -int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
> -					       int fd);
> -int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
> -				      const char *fqname);
> -int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);
> -
> -#endif /* __AA_KERNEL_INTERFACE_H */
> diff --git a/parser/parser.h b/parser/parser.h
> index 50f5bb0..f4566b9 100644
> --- a/parser/parser.h
> +++ b/parser/parser.h
> @@ -30,10 +30,11 @@
>  #include <libintl.h>
>  #define _(s) gettext(s)
>  
> +#include <sys/apparmor.h>
> +
>  #include "immunix.h"
>  #include "libapparmor_re/apparmor_re.h"
>  #include "libapparmor_re/aare_rules.h"
> -#include "kernel_interface.h"
>  
>  #include <string>
>  
> diff --git a/parser/parser_interface.c b/parser/parser_interface.c
> index f864cd8..5d9e0a0 100644
> --- a/parser/parser_interface.c
> +++ b/parser/parser_interface.c
> @@ -27,9 +27,9 @@
>  
>  #include <string>
>  #include <sstream>
> +#include <sys/apparmor.h>
>  
>  #include "lib.h"
> -#include "kernel_interface.h"
>  #include "parser.h"
>  #include "profile.h"
>  #include "libapparmor_re/apparmor_re.h"
> diff --git a/parser/parser_main.c b/parser/parser_main.c
> index b230a91..8fb7394 100644
> --- a/parser/parser_main.c
> +++ b/parser/parser_main.c
> @@ -41,7 +41,6 @@
>  
>  #include "lib.h"
>  #include "features.h"
> -#include "kernel_interface.h"
>  #include "parser.h"
>  #include "parser_version.h"
>  #include "parser_include.h"
> diff --git a/parser/parser_policy.c b/parser/parser_policy.c
> index 0652715..5e4add6 100644
> --- a/parser/parser_policy.c
> +++ b/parser/parser_policy.c
> @@ -27,11 +27,11 @@
>  #include <search.h>
>  #include <string.h>
>  #include <errno.h>
> +#include <sys/apparmor.h>
>  
>  #include "parser.h"
>  #include "profile.h"
>  #include "parser_yacc.h"
> -#include "kernel_interface.h"
>  
>  /* #define DEBUG */
>  #ifdef DEBUG
> 



