[apparmor] aa-sha1 utility
John Johansen
john.johansen at canonical.com
Thu Sep 10 10:13:11 UTC 2015
It seems this has been asked for a lot lately. This is a slightly cleaned-up
version of the shell script hack I have been using. We certainly need
a real tool for this, but until then:
---
#!/bin/bash
# usage: aa-sha1 cachefile ...
#
# hack to compute the sha1 of compiled profiles
# The cache file is a container for 1 or more compiled profiles.
# This finds where in the cache file each profile is located and its size,
# prepends the version info which is part of the header and computes the
# sha1sum.
#
# The output is in the form of
# FILE: <filename>
# sha1sum: <profile1>
# ...
# ...
#
# eg.
# > aa-sha1 /etc/apparmor.d/cache/usr.bin.evince
# FILE: usr.bin.evince
#  b6a1eb8bb4863af3aca7ad26ca5da009603a5256: /usr/bin/evince
#  bd5486d3e9e8f722ce3c98e1b53660972b6aad66: /usr/bin/evince//sanitized_helper
#  41b58f50eccf90782d8f27b356911bac808fd5e0: /usr/bin/evince-previewer
#  a4edb950534a22996f8dbfbac3f8be70659e78cc: /usr/bin/evince-previewer//sanitized_helper
#  d9856107fe9c85f88fe62ad3ee60ee1469a8ec59: /usr/bin/evince-thumbnailer
#  c7fa4e57e2ffd051c97d87c43fd3dfc8a5c7b3b7: /usr/bin/evince-thumbnailer//sanitized_helper
#
# The output should match up with the sha1 for the profile in the kernel.
# In this case
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince.56/sha1
# b6a1eb8bb4863af3aca7ad26ca5da009603a5256
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince.56/profiles/sanitized_helper.57/sha1
# bd5486d3e9e8f722ce3c98e1b53660972b6aad66
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince-previewer.58/sha1
# 41b58f50eccf90782d8f27b356911bac808fd5e0
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince-previewer.58/profiles/sanitized_helper.59/sha1
# a4edb950534a22996f8dbfbac3f8be70659e78cc
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince-thumbnailer.60/sha1
# d9856107fe9c85f88fe62ad3ee60ee1469a8ec59
#
# > cat /sys/kernel/security/apparmor/policy/profiles/usr.bin.evince-thumbnailer.60/profiles/sanitized_helper.61/sha1
# c7fa4e57e2ffd051c97d87c43fd3dfc8a5c7b3b7

# dosha1 VERSIONFILE FSIZE CACHEFILE OFFSET...
# Each OFFSET is where a profile starts in the cache file; the final OFFSET
# is the file size, so the end of every profile is known.
dosha1() {
    local version=$1
    local fsize=$2
    local fname=$3
    local start=$4
    shift 4
    local f
    f=$(mktemp)
    while [ $# -gt 0 ] ; do
        # the hashed data starts with the 4-byte version from the cache header
        cp "$version" "$f"
        local size=$(($1 - $start))
        # If the last 16 bytes of this chunk are the next profile's version
        # header (\x04\x08\x00version\x00 + type + 4-byte version), they do
        # not belong to this profile: drop them from the hashed data.
        if tail -c "+$(($start + 1))" "$fname" | head -c "$size" | tail -c 16 | head -c 11 \
                | grep -Uaq -P '\x04\x08\x00version\x00' ; then
            size=$(($size - 16))
        fi
        tail -c "+$(($start + 1))" "$fname" | head -c "$size" >> "$f"
        # the profile name is the NUL-terminated string starting at byte 20
        # of version + profile data
        IFS= read -r -d '' name X < <(tail -c +20 "$f")
        local sum
        sum=$(sha1sum "$f" | awk '{print $1}')
        printf ' %s: %s\n' "$sum" "$name"
        start=$1
        shift 1
    done
    rm -f "$f"
}

# process_file VERSIONFILE FSIZE CACHEFILE
process_file() {
    local version=$1 fsize=$2 fname=$3
    # byte offsets of every serialized profile header in the cache file
    offsets=$(grep -obUa -P '\x04\x08\x00profile\x00\x07' "$fname" | awk -F: '{print $1}')
    offsets="$offsets $fsize"
    echo "FILE: $fname"
    dosha1 "$version" "$fsize" "$fname" $offsets
}

version=$(mktemp)
for arg in "$@" ; do
    if ! size=$(stat -c %s "$arg") ; then
        echo "Error processing file '$arg'" >&2
        rm -f "$version"
        exit 1
    fi
    # the version is the last 4 bytes of the 16-byte cache file header
    head -c 16 "$arg" | tail -c 4 > "$version"
    process_file "$version" "$size" "$arg"
done
rm -f "$version"
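As an added example (not part of John's post or of the AppArmor project), the same walk over the cache container in Python, plus the comparison against the kernel-reported sha1 values that the header comments do by hand, so a drift between the compiled cache and the policy actually loaded can be checked programmatically. The container layout (version at header bytes 12..16, the profile marker, the trailing 16-byte version block, the name at byte 20) is taken from the script's own arithmetic and the sysfs path mapping from the paths quoted in the comments; the sample container, its type bytes and the filler payload are constructed and not a real cache file.

```python
import hashlib
import re
# Byte patterns the shell script greps for. The constructed sample below
# follows the script's own arithmetic, not an independent spec of the format.
PROFILE_MARK = b"\x04\x08\x00profile\x00\x07"
VERSION_MARK = b"\x04\x08\x00version\x00"

def cache_profile_sums(data):
    """Mirror dosha1: cut the container at each PROFILE_MARK, drop a trailing
    16-byte version header that really opens the next profile, prepend the 4
    version bytes from the 16-byte file header, then sha1 each result."""
    version = data[12:16]
    offsets = [m.start() for m in re.finditer(re.escape(PROFILE_MARK), data)]
    offsets.append(len(data))
    sums = []
    for start, end in zip(offsets, offsets[1:]):
        blob = data[start:end]
        if blob[-16:-5] == VERSION_MARK:  # first 11 of the last 16 bytes
            blob = blob[:-16]
        hashed = version + blob
        # the script reads the NUL-terminated name starting at byte 20
        name = hashed[19:].split(b"\x00", 1)[0].decode("latin-1")
        sums.append((name, hashlib.sha1(hashed).hexdigest()))
    return sums

def kernel_key(name):
    """Cache name -> sysfs path as quoted in the post, minus the numeric
    suffix the kernel appends: /usr/bin/evince//sanitized_helper ->
    usr.bin.evince/profiles/sanitized_helper"""
    parent, _, child = name.partition("//")
    key = parent.lstrip("/").replace("/", ".")
    return f"{key}/profiles/{child}" if child else key

def compare_sums(cache_sums, kernel_sums):
    """Keys whose kernel-reported sha1 is missing or differs from the cache."""
    return [kernel_key(n) for n, s in cache_sums if kernel_sums.get(kernel_key(n)) != s]

def _profile(name):
    # constructed: marker, one type byte, le16 length, NUL-terminated name,
    # filler payload; the 3 bytes after the marker match what the script skips
    enc = name.encode() + b"\x00"
    return PROFILE_MARK + b"\x05" + len(enc).to_bytes(2, "little") + enc + b"rules"

def sample_cache():
    """Constructed two-profile container; header bytes 12..16 hold the version."""
    version = b"\x05\x00\x00\x00"
    vhdr = VERSION_MARK + b"\x02" + version  # 16-byte block before each profile
    return (b"\x00" * 12 + version + vhdr + _profile("/usr/bin/evince")
            + vhdr + _profile("/usr/bin/evince//sanitized_helper"))
```

On a live system the `kernel_sums` dict would be filled by reading `<key>.<id>/sha1` under /sys/kernel/security/apparmor/policy/profiles/ for each key, which is the step the test below substitutes with the values computed from the sample.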