[apparmor] [PATCH 2/2] libapparmor: Implement aa_stack_profile and aa_stack_onexec
Tyler Hicks
tyhicks at canonical.com
Sat Feb 13 00:06:49 UTC 2016
Based on the existing implementations of aa_change_profile(2) and
aa_change_onexec(2).
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
libraries/libapparmor/include/sys/apparmor.h | 2 ++
libraries/libapparmor/src/kernel.c | 42 +++++++++++++++++++++++++++
libraries/libapparmor/src/libapparmor.map | 8 +++++
libraries/libapparmor/swig/SWIG/libapparmor.i | 2 ++
4 files changed, 54 insertions(+)
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 13a6a8c..752a5bd 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -78,6 +78,8 @@ extern int aa_change_onexec(const char *profile);
extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
extern char *aa_splitcon(char *con, char **mode);
/* Protypes for introspecting task confinement
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index d2daf8d..108b654 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -594,6 +594,48 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
return aa_change_hatv(argv, token);
}
+int aa_stack_profile(const char *profile)
+{
+ char *buf = NULL;
+ int len;
+ int rc;
+
+ if (!profile) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ len = asprintf(&buf, "stackprofile %s", profile);
+ if (len < 0)
+ return -1;
+
+ rc = setprocattr(aa_gettid(), "current", buf, len);
+
+ free(buf);
+ return rc;
+}
+
+int aa_stack_onexec(const char *profile)
+{
+ char *buf = NULL;
+ int len;
+ int rc;
+
+ if (!profile) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ len = asprintf(&buf, "stackexec %s", profile);
+ if (len < 0)
+ return -1;
+
+ rc = setprocattr(aa_gettid(), "exec", buf, len);
+
+ free(buf);
+ return rc;
+}
+
/**
* aa_gettaskcon - get the confinement context for task @target in an allocated buffer
* @target: task to query
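Review bot: Neither aa_stack_profile nor aa_stack_onexec carries the kernel-doc block this file puts on its exported functions (compare the `aa_gettaskcon` header at the end of the hunk), so the return/errno contract is undocumented. I would add a `/** ... */` block above each giving the one-line purpose, an `@profile:` line for the profile name, and a `Returns:` line stating 0 on success and -1 with errno set (EINVAL for a NULL profile, otherwise whatever setprocattr left). On the error path the caller reads errno only after `free(buf)`; free() preserving errno is a libc/POSIX guarantee rather than a C11 one, so `int saved = errno; free(buf); errno = saved;` would make that explicit. The two bodies differ only in the verb and the attribute name, so a static helper taking `(const char *verb, const char *attr, const char *profile)` would remove the duplication, and presumably could also serve aa_change_profile/aa_change_onexec, which the commit message says these were modelled on but which lie outside the hunk.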
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 98d97ea..5cbd4e8 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -87,6 +87,14 @@ APPARMOR_2.10 {
*;
} APPARMOR_2.9;
+APPARMOR_2.11 {
+ global:
+ aa_stack_profile;
+ aa_stack_onexec;
+ local:
+ *;
+} APPARMOR_2.10;
+
PRIVATE {
global:
_aa_is_blacklisted;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 69b4cc2..005dd7f 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -48,6 +48,8 @@ extern int aa_change_profile(const char *profile);
extern int aa_change_onexec(const char *profile);
extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
extern int aa_change_hat_vargs(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
char **mode);
extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
--
2.7.0