[apparmor] [PATCH 2/2] libapparmor: Implement aa_stack_profile and aa_stack_onexec

Tyler Hicks tyhicks at canonical.com
Thu Feb 25 15:28:06 UTC 2016


On 2016-02-25 04:02:16, John Johansen wrote:
> On 02/12/2016 04:06 PM, Tyler Hicks wrote:
> > Based on the existing implementations of aa_change_profile(2) and
> > aa_change_onexec(2).
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> so this is fine as is and gets
> 
> Acked-by: John Johansen <john.johansen at canonical.com>
> 
> but what do you think about changing the command to just stack
> (see below)?

That's easy. I'll make that change locally. Thanks!

Tyler

> 
> The file being written already distinguishes them from each
> other, and if I had it to do over changeprofile would be just
> 'change' or 'set'.
> 
> 
> > ---
> >  libraries/libapparmor/include/sys/apparmor.h  |  2 ++
> >  libraries/libapparmor/src/kernel.c            | 42 +++++++++++++++++++++++++++
> >  libraries/libapparmor/src/libapparmor.map     |  8 +++++
> >  libraries/libapparmor/swig/SWIG/libapparmor.i |  2 ++
> >  4 files changed, 54 insertions(+)
> > 
> > diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
> > index 13a6a8c..752a5bd 100644
> > --- a/libraries/libapparmor/include/sys/apparmor.h
> > +++ b/libraries/libapparmor/include/sys/apparmor.h
> > @@ -78,6 +78,8 @@ extern int aa_change_onexec(const char *profile);
> >  
> >  extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
> >  extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
> > +extern int aa_stack_profile(const char *profile);
> > +extern int aa_stack_onexec(const char *profile);
> >  
> >  extern char *aa_splitcon(char *con, char **mode);
> >  /* Protypes for introspecting task confinement
> > diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
> > index d2daf8d..108b654 100644
> > --- a/libraries/libapparmor/src/kernel.c
> > +++ b/libraries/libapparmor/src/kernel.c
> > @@ -594,6 +594,48 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
> >  	return aa_change_hatv(argv, token);
> >  }
> >  
> > +int aa_stack_profile(const char *profile)
> > +{
> > +	char *buf = NULL;
> > +	int len;
> > +	int rc;
> > +
> > +	if (!profile) {
> > +		errno = EINVAL;
> > +		return -1;
> > +	}
> > +
> > +	len = asprintf(&buf, "stackprofile %s", profile);
> len = asprintf(&buf, "stack %s", profile);
> > +	if (len < 0)
> > +		return -1;
> > +
> > +	rc = setprocattr(aa_gettid(), "current", buf, len);
> > +
> > +	free(buf);
> > +	return rc;
> > +}
> > +
> > +int aa_stack_onexec(const char *profile)
> > +{
> > +	char *buf = NULL;
> > +	int len;
> > +	int rc;
> > +
> > +	if (!profile) {
> > +		errno = EINVAL;
> > +		return -1;
> > +	}
> > +
> > +	len = asprintf(&buf, "stackexec %s", profile);
> len = asprintf(&buf, "stack %s", profile);
> > +	if (len < 0)
> > +		return -1;
> > +
> > +	rc = setprocattr(aa_gettid(), "exec", buf, len);
> > +
> > +	free(buf);
> > +	return rc;
> > +}
> > +
> >  /**
> >   * aa_gettaskcon - get the confinement context for task @target in an allocated buffer
> >   * @target: task to query
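Review bot: aa_stack_profile and aa_stack_onexec are new public symbols but neither carries the kernel-doc header that the following aa_gettaskcon does, so the EINVAL-on-NULL and -1/errno contract is stated nowhere. A block such as `/** aa_stack_profile - stack @profile onto the current confinement; @profile: name of the profile to stack; Returns: 0 on success, -1 on error with errno set */` should precede each function (in the file's multi-line `/** */` form). Separately, free(buf) sits between the failing setprocattr() call and the return, and on the C libraries of the time free() could clobber errno, so a caller may read a stale value; saving it around the free, `int saved = errno; free(buf); errno = saved;`, keeps the reported error intact. Both remarks apply to the second function in the hunk as well; the existing aa_change_profile()/aa_change_onexec() this is modelled on presumably share the same pattern and would want the same treatment if they are touched.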
> > diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
> > index 98d97ea..5cbd4e8 100644
> > --- a/libraries/libapparmor/src/libapparmor.map
> > +++ b/libraries/libapparmor/src/libapparmor.map
> > @@ -87,6 +87,14 @@ APPARMOR_2.10 {
> >          *;
> >  } APPARMOR_2.9;
> >  
> > +APPARMOR_2.11 {
> > +  global:
> > +        aa_stack_profile;
> > +        aa_stack_onexec;
> > +  local:
> > +        *;
> > +} APPARMOR_2.10;
> > +
> >  PRIVATE {
> >  	global:
> >  		_aa_is_blacklisted;
> > diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
> > index 69b4cc2..005dd7f 100644
> > --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> > +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> > @@ -48,6 +48,8 @@ extern int aa_change_profile(const char *profile);
> >  extern int aa_change_onexec(const char *profile);
> >  extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
> >  extern int aa_change_hat_vargs(unsigned long token, int count, ...);
> > +extern int aa_stack_profile(const char *profile);
> > +extern int aa_stack_onexec(const char *profile);
> >  extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
> >  			      char **mode);
> >  extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
> > 
> 

