[apparmor] [PATCH 1/5] Split aa_query_label into a base aa_query_cmd and it, aa_query_label
John Johansen
john.johansen at canonical.com
Fri Dec 16 17:57:13 UTC 2016
Split the basic transaction file query out of aa_query_label so that
it can be reused by other query types.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
libraries/libapparmor/doc/aa_query_label.pod | 16 ++++-
libraries/libapparmor/include/sys/apparmor.h | 2 +
libraries/libapparmor/src/kernel.c | 93 +++++++++++++++++++++------
libraries/libapparmor/src/libapparmor.map | 7 ++
libraries/libapparmor/swig/SWIG/libapparmor.i | 2 +
5 files changed, 96 insertions(+), 24 deletions(-)
diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
index 06129b6..73f430b 100644
--- a/libraries/libapparmor/doc/aa_query_label.pod
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -32,11 +32,18 @@ aa_query_link_path, aa_query_link_path_len - query access permissions of a link
B<#include E<lt>sys/apparmor.hE<gt>>
-B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, int *audited);>
+B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);>
-B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, const char *path, int *allowed, int *audited);>
+B<int aa_query_label(uint32_t mask, char *query, size_t size,
+ int *allowed, int *audited);>
-B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len, const char *path, size_t path_len, int *allowed, int *audited);>
+B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len,
+ const char *path, int *allowed, int *audited);>
+
+B<int aa_query_file_path_len(uint32_t mask, const char *label,
+ size_t label_len, const char *path, size_t path_len,
+ int *allowed, int *audited);>
B<int aa_query_link_path(const char *label, const char *target, const char *link, int *allowed, int *audited);>
@@ -47,6 +54,9 @@ Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
+The B<aa_query_cmd> function sets up and does a raw query of the kernel. It is
+the basis of the other query functions.
+
The B<aa_query_label> function fetches the current permissions granted by the
specified I<label> in the I<query> string.
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 752a5bd..5e43ba2 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -101,6 +101,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
#define AA_QUERY_CMD_LABEL "label"
#define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL)
+extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 49c74e1..1fe1b61 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -802,30 +802,22 @@ static void aafs_access_init_once(void)
free(aafs);
}
-/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
-#define QUERY_LABEL_REPLY_LEN 67
-
/**
- * aa_query_label - query the access(es) of a label
- * @mask: permission bits to query
- * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
- * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
- * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
- * @audited: upon successful return, will be 1 if query should be audited and 0
- * if not
+ * aa_query_cmd_open - begin a query for labels @cmd info
+ * @cmd: query cmd to use
+ * @cmd_size: size of the cmd being used
+ * @query: binary query string, must be offset by @cmd_size
+ * @size: size of the query string must include @cmd_size
*
- * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
- * ENOENT, the subject label in the query string is unknown to the
- * kernel.
+ * Returns: fd with the query issued and results waiting to be read else -1 and sets errno.
+ * If -1 is returned and errno is ENOENT, the subject label in
+ * the query string is unknown to the kernel.
*/
-int query_label(uint32_t mask, char *query, size_t size, int *allowed,
- int *audited)
+static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, size_t size)
{
- char buf[QUERY_LABEL_REPLY_LEN];
- uint32_t allow, deny, audit, quiet;
- int fd, ret, saved;
+ int fd, ret;
- if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) {
+ if (size <= cmd_size) {
errno = EINVAL;
return -1;
}
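Review bot: The only argument check left in aa_query_cmd_open is `size <= cmd_size` (the line replacing the old `!mask || size <= AA_QUERY_CMD_LABEL_SIZE` test), so a zero `cmd_size` or a NULL `cmd`/`query` reaches the `memcpy(query, cmd, cmd_size)` and `write` in the following hunk unchecked; with aa_query_cmd exported by this patch those values are now caller-supplied rather than the fixed AA_QUERY_CMD_LABEL. Suggest `if (!cmd || !cmd_size || !query || size <= cmd_size) {` so a malformed call fails here with EINVAL instead of relying on the kernel to reject an unprefixed query (presumably it does, but that is not visible in this hunk). The body of aa_query_cmd_open continues past the end of this hunk.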
@@ -846,7 +838,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
return -1;
}
- memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
+ memcpy(query, cmd, cmd_size);
errno = 0;
ret = write(fd, query, size);
if (ret != size) {
@@ -860,10 +852,69 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
return -1;
}
- ret = read(fd, buf, QUERY_LABEL_REPLY_LEN);
+ return fd;
+}
+
+/**
+ * aa_query_cmd - make a query for labels @cmd info
+ * @cmd: query cmd to use
+ * @cmd_size: size of the cmd being used
+ * @query: binary query string, must be offset by @cmd_size
+ * @size: size of the query string must include @cmd_size
+ * @buffer: buffer to return query data in
+ * @bsize: size of @buffer
+ *
+ * Returns: size of data read on success else -1 and sets errno.
+ * If -1 is returned and errno is ENOENT, the subject label in
+ * the query string is unknown to the kernel.
+ */
+int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size,
+ char *buffer, size_t bsize)
+{
+ int fd, ret, saved;
+
+ fd = aa_query_cmd_open(cmd, cmd_size, query, size);
+ if (fd == -1)
+ return -1;
+
+ ret = read(fd, buffer, bsize);
saved = errno;
(void)close(fd);
errno = saved;
+
+ return ret;
+}
+
+/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
+#define QUERY_LABEL_REPLY_LEN 67
+
+/**
+ * aa_query_label - query the access(es) of a label
+ * @mask: permission bits to query
+ * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
+ * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ * if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ * ENOENT, the subject label in the query string is unknown to the
+ * kernel.
+ */
+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
+ int *audited)
+{
+ char buf[QUERY_LABEL_REPLY_LEN];
+ uint32_t allow, deny, audit, quiet;
+ int ret;
+
+ if (!mask) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query,
+ size, buf, QUERY_LABEL_REPLY_LEN);
if (ret != QUERY_LABEL_REPLY_LEN) {
errno = EPROTO;
return -1;
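Review bot: The kernel-doc for aa_query_cmd says it returns the "size of data read", but what lands in @buffer is the raw result of `read(fd, buffer, bsize)`: it is not NUL-terminated, may be shorter than @bsize, and the ssize_t count is narrowed to the `int` return value before it reaches the caller. Since the function is now a public, exported entry point, the comment should state that contract, e.g. `@buffer: buffer the raw reply is read into; not NUL-terminated, at most @bsize bytes` and `Returns: number of bytes read (may be less than @bsize; callers must compare it with the expected reply length, as aa_query_label does) else -1 and sets errno.` Whether a reply can ever be large enough for the int narrowing to matter cannot be judged from this hunk. The body of query_label continues past the end of this hunk.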
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 5cbd4e8..69207d3 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -95,6 +95,13 @@ APPARMOR_2.11 {
*;
} APPARMOR_2.10;
+APPARMOR_2.12 {
+ global:
+ aa_query_cmd;
+ local:
+ *;
+} APPARMOR_2.11;
+
PRIVATE {
global:
_aa_is_blacklisted;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 005dd7f..9165882 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode);
extern int aa_getcon(char **label, char **mode);
extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
extern int aa_getpeercon(int fd, char **label, char **mode);
+extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
--
2.9.3