[apparmor] [PATCH 2/2] libapparmor: Implement aa_stack_profile and aa_stack_onexec
John Johansen
john.johansen at canonical.com
Thu Feb 25 12:02:16 UTC 2016
On 02/12/2016 04:06 PM, Tyler Hicks wrote:
> Based on the existing implementations of aa_change_profile(2) and
> aa_change_onexec(2).
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
so this is fine as is and gets
Acked-by: John Johansen <john.johansen at canonical.com>
but what do you think about changing the command to just stack
(see below)?
The file being written already distinguishes them from each
other, and if I had it to do over changeprofile would be just
'change' or 'set'.
> ---
> libraries/libapparmor/include/sys/apparmor.h | 2 ++
> libraries/libapparmor/src/kernel.c | 42 +++++++++++++++++++++++++++
> libraries/libapparmor/src/libapparmor.map | 8 +++++
> libraries/libapparmor/swig/SWIG/libapparmor.i | 2 ++
> 4 files changed, 54 insertions(+)
>
> diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
> index 13a6a8c..752a5bd 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -78,6 +78,8 @@ extern int aa_change_onexec(const char *profile);
>
> extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
> extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
> +extern int aa_stack_profile(const char *profile);
> +extern int aa_stack_onexec(const char *profile);
>
> extern char *aa_splitcon(char *con, char **mode);
> /* Protypes for introspecting task confinement
> diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
> index d2daf8d..108b654 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -594,6 +594,48 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
> return aa_change_hatv(argv, token);
> }
>
> +int aa_stack_profile(const char *profile)
> +{
> + char *buf = NULL;
> + int len;
> + int rc;
> +
> + if (!profile) {
> + errno = EINVAL;
> + return -1;
> + }
> +
> + len = asprintf(&buf, "stackprofile %s", profile);
len = asprintf(&buf, "stack %s", profile);
> + if (len < 0)
> + return -1;
> +
> + rc = setprocattr(aa_gettid(), "current", buf, len);
> +
> + free(buf);
> + return rc;
> +}
> +
> +int aa_stack_onexec(const char *profile)
> +{
> + char *buf = NULL;
> + int len;
> + int rc;
> +
> + if (!profile) {
> + errno = EINVAL;
> + return -1;
> + }
> +
> + len = asprintf(&buf, "stackexec %s", profile);
len = asprintf(&buf, "stack %s", profile);
> + if (len < 0)
> + return -1;
> +
> + rc = setprocattr(aa_gettid(), "exec", buf, len);
> +
> + free(buf);
> + return rc;
> +}
> +
> /**
> * aa_gettaskcon - get the confinement context for task @target in an allocated buffer
> * @target: task to query
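Review bot: aa_stack_profile and aa_stack_onexec are added to kernel.c without a kernel-doc header, although the neighbouring aa_gettaskcon at the end of this hunk carries a `/** ... */` block documenting its parameter, and both new functions are exported symbols that deserve the same treatment. For aa_stack_profile, a block above the definition would state that it writes `stackprofile <profile>` to the calling thread's `current` attribute through setprocattr(), that @profile is the profile to stack, and that it returns -1 with errno set to EINVAL when @profile is NULL, -1 when the command buffer cannot be built, and otherwise the result of setprocattr(); the aa_stack_onexec block would differ only in naming `stackexec <profile>` and the `exec` attribute. One detail worth making explicit in that documentation, or tightening in the code, is that errno from a failed setprocattr() reaches the caller only after `free(buf)` has run, so on a libc whose free() may modify errno the reported error could be clobbered; saving errno before the free and restoring it afterwards would remove the doubt. The same applies to the second function at L67-L87.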
> diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
> index 98d97ea..5cbd4e8 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -87,6 +87,14 @@ APPARMOR_2.10 {
> *;
> } APPARMOR_2.9;
>
> +APPARMOR_2.11 {
> + global:
> + aa_stack_profile;
> + aa_stack_onexec;
> + local:
> + *;
> +} APPARMOR_2.10;
> +
> PRIVATE {
> global:
> _aa_is_blacklisted;
> diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
> index 69b4cc2..005dd7f 100644
> --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> @@ -48,6 +48,8 @@ extern int aa_change_profile(const char *profile);
> extern int aa_change_onexec(const char *profile);
> extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
> extern int aa_change_hat_vargs(unsigned long token, int count, ...);
> +extern int aa_stack_profile(const char *profile);
> +extern int aa_stack_onexec(const char *profile);
> extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
> char **mode);
> extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
>