[apparmor] [PATCH 09/20] add helper fn to query file path permissions

John Johansen john.johansen at canonical.com
Fri May 29 08:39:15 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 libraries/libapparmor/doc/aa_query_label.pod  |  9 +++++++++
 libraries/libapparmor/include/sys/apparmor.h  |  4 +++-
 libraries/libapparmor/src/kernel.c            | 24 ++++++++++++++++++++++++
 libraries/libapparmor/src/libapparmor.map     |  1 +
 libraries/libapparmor/swig/SWIG/libapparmor.i |  2 ++
 5 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
index 9aa563a..db15fcc 100644
--- a/libraries/libapparmor/doc/aa_query_label.pod
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -30,6 +30,8 @@ B<#include E<lt>sys/apparmor.hE<gt>>
 
 B<int aa_query_label((uint32_t mask, char *query, size_t size, int *allowed,
 		int *audited);>
+B<int aa_query_file((uint32_t mask, const char *label, const char *path,
+		int *allowed, int *audited);>
 
 Link with B<-lapparmor> when compiling.
 
@@ -52,6 +54,13 @@ of directly using I<aa_query_label>. If directly using the interface the
 I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
 that will be used by I<aa_query_label>.
 
+
+The B<aa_query_file> function is a helper function that assembles a properly
+formated path query for the B<aa_query_label> function. The I<label> is a valid
+apparmor label as returned by I<aa_split_con> and the I<path> is any valid
+filesystem path to query permissions for.
+
+
 =head1 RETURN VALUE
 
 On success 0 is returned, and the I<allowed> and I<audited> parameters
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 99ce36b..a408741 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -27,7 +27,7 @@ __BEGIN_DECLS
 /*
  * Class of public mediation types in the AppArmor policy db
  */
-
+#define AA_CLASS_FILE		2
 #define AA_CLASS_DBUS		32
 
 
@@ -79,6 +79,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);
+extern int aa_query_file(uint32_t mask, const char *label, const char *path,
+			 int *allowed, int *audited);
 
 #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
 #define __macroarg_count1(Y...) __macroarg_count2 (Y, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 9d5f45d..d140f6b 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -786,3 +786,27 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
 extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
 symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
 default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
+
+
+int aa_query_file(uint32_t mask, const char *label, const char *path,
+		  int *allowed, int *audited)
+{
+	int rc;
+	char *query;
+
+	int lsize = strlen(label);
+	int psize = strlen(path);
+	/* + 1 for null separator */
+	int size = AA_QUERY_CMD_LABEL_SIZE + lsize + 1 + psize;
+	query = malloc(size + 1);
+	if (!query)
+		return -1;
+	/* we want the null terminator here */
+	strcpy(query + AA_QUERY_CMD_LABEL_SIZE, label);
+	query[AA_QUERY_CMD_LABEL_SIZE + lsize + 1] = AA_CLASS_FILE;
+	memcpy(query + AA_QUERY_CMD_LABEL_SIZE + lsize + 2, path, psize);
+	rc = aa_query_label(mask, query, size , allowed, audited);
+	free(query);
+
+	return rc;
+}
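Review bot: The length passed to aa_query_label on the `rc = aa_query_label(mask, query, size , allowed, audited);` line is one byte short: the buffer holds header + label + NUL + AA_CLASS_FILE byte + path, which is the `size + 1` bytes that malloc allocates, but the `size` computed with "+ 1 for null separator" does not count the class byte, so the last byte of `path` is cut off the query. Either pass the allocated length, `rc = aa_query_label(mask, query, size + 1, allowed, audited);`, or make the computation explicit with `/* + 1 for null separator, + 1 for class byte */` and `size = AA_QUERY_CMD_LABEL_SIZE + lsize + 2 + psize;` together with `malloc(size)`. `lsize`, `psize` and `size` are `int` but hold `strlen` results and end up in aa_query_label's `size_t` parameter; declaring them `size_t` avoids the narrowing and signed/unsigned conversions. `label` and `path` are dereferenced without a NULL check, so a `-1`/`EINVAL` guard may be worth adding if callers are allowed to pass NULL, which is not visible from this hunk.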
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 3f43494..3514682 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -54,6 +54,7 @@ APPARMOR_2.9 {
 
 APPARMOR_2.10 {
   global:
+        aa_query_file;
         aa_features_new;
         aa_features_new_from_string;
         aa_features_new_from_kernel;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 6bae3f6..0bf3b2a 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -39,5 +39,7 @@ extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);
+extern int aa_query_file(uint32_t mask, const char *label, const char *path,
+			 int *allowed, int *audited);
 
 %exception;
-- 
2.1.4



