[apparmor] [PATCH 2/2] libapparmor: Implement aa_stack_profile and aa_stack_onexec

Tyler Hicks tyhicks at canonical.com
Sat Feb 13 00:06:49 UTC 2016


Based on the existing implementations of aa_change_profile(2) and
aa_change_onexec(2).

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 libraries/libapparmor/include/sys/apparmor.h  |  2 ++
 libraries/libapparmor/src/kernel.c            | 42 +++++++++++++++++++++++++++
 libraries/libapparmor/src/libapparmor.map     |  8 +++++
 libraries/libapparmor/swig/SWIG/libapparmor.i |  2 ++
 4 files changed, 54 insertions(+)

diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 13a6a8c..752a5bd 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -78,6 +78,8 @@ extern int aa_change_onexec(const char *profile);
 
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
 
 extern char *aa_splitcon(char *con, char **mode);
 /* Protypes for introspecting task confinement
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index d2daf8d..108b654 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -594,6 +594,48 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
 	return aa_change_hatv(argv, token);
 }
 
+int aa_stack_profile(const char *profile)
+{
+	char *buf = NULL;
+	int len;
+	int rc;
+
+	if (!profile) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	len = asprintf(&buf, "stackprofile %s", profile);
+	if (len < 0)
+		return -1;
+
+	rc = setprocattr(aa_gettid(), "current", buf, len);
+
+	free(buf);
+	return rc;
+}
+
+int aa_stack_onexec(const char *profile)
+{
+	char *buf = NULL;
+	int len;
+	int rc;
+
+	if (!profile) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	len = asprintf(&buf, "stackexec %s", profile);
+	if (len < 0)
+		return -1;
+
+	rc = setprocattr(aa_gettid(), "exec", buf, len);
+
+	free(buf);
+	return rc;
+}
+
 /**
  * aa_gettaskcon - get the confinement context for task @target in an allocated buffer
  * @target: task to query
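Review bot: Neither aa_stack_profile nor aa_stack_onexec carries the kernel-doc header this file puts on its exported entry points (compare the `aa_gettaskcon` block that follows the hunk), so the argument and error contract is undocumented; each should be preceded by a comment of the form `/** aa_stack_profile - stack @profile onto the task's current confinement * @profile: name of the profile to stack * Returns: 0 on success, -1 on error with errno set */`, with the `"exec"` attr wording for aa_stack_onexec. The two bodies differ only in the keyword written and the attr name, so a `static` helper would keep them from drifting apart. In both functions `free(buf)` sits between the setprocattr() call and `return rc`, and free() is permitted to modify errno, so a caller may observe a clobbered errno on failure; the aa_change_* functions this is modelled on are outside the hunk, so I cannot tell whether they guard against this, but saving and restoring errno around the free() is cheap.
```c
/* Write "<kw> <profile>" to the calling thread's procattr file @attr. */
static int stack_attr(const char *attr, const char *kw, const char *profile)
{
	char *buf = NULL;
	int len, rc, saved;

	if (!profile) {
		errno = EINVAL;
		return -1;
	}

	len = asprintf(&buf, "%s %s", kw, profile);
	if (len < 0)
		return -1;

	rc = setprocattr(aa_gettid(), attr, buf, len);
	saved = errno;	/* free() may modify errno; keep setprocattr's value */
	free(buf);
	errno = saved;
	return rc;
}

/**
 * aa_stack_profile - stack @profile onto the task's current confinement
 * @profile: name of the profile to stack
 *
 * Returns: 0 on success, -1 on error with errno set
 */
int aa_stack_profile(const char *profile)
{
	return stack_attr("current", "stackprofile", profile);
}

/* … unchanged: aa_stack_onexec becomes stack_attr("exec", "stackexec", profile) … */
```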
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 98d97ea..5cbd4e8 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -87,6 +87,14 @@ APPARMOR_2.10 {
         *;
 } APPARMOR_2.9;
 
+APPARMOR_2.11 {
+  global:
+        aa_stack_profile;
+        aa_stack_onexec;
+  local:
+        *;
+} APPARMOR_2.10;
+
 PRIVATE {
 	global:
 		_aa_is_blacklisted;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 69b4cc2..005dd7f 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -48,6 +48,8 @@ extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int aa_change_hat_vargs(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
 extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 			      char **mode);
 extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
-- 
2.7.0



