[apparmor] [PATCH 1/7] Split aa_query_label into a base aa_query_cmd and it, aa_query_label
Seth Arnold
seth.arnold at canonical.com
Wed Feb 15 02:41:46 UTC 2017
On Fri, Feb 10, 2017 at 12:46:07PM -0800, John Johansen wrote:
> Split the basic transaction file query out of aa_query_label so that
> it can be reused by other query types.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> libraries/libapparmor/doc/aa_query_label.pod | 16 ++++-
> libraries/libapparmor/include/sys/apparmor.h | 2 +
> libraries/libapparmor/src/kernel.c | 93 +++++++++++++++++++++------
> libraries/libapparmor/src/libapparmor.map | 7 ++
> libraries/libapparmor/swig/SWIG/libapparmor.i | 2 +
> 5 files changed, 96 insertions(+), 24 deletions(-)
>
> diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
> index 06129b6..73f430b 100644
> --- a/libraries/libapparmor/doc/aa_query_label.pod
> +++ b/libraries/libapparmor/doc/aa_query_label.pod
> @@ -32,11 +32,18 @@ aa_query_link_path, aa_query_link_path_len - query access permissions of a link
>
> B<#include E<lt>sys/apparmor.hE<gt>>
>
> -B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, int *audited);>
> +B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> + size_t size, char *buffer, size_t bsize);>
>
> -B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, const char *path, int *allowed, int *audited);>
> +B<int aa_query_label(uint32_t mask, char *query, size_t size,
> + int *allowed, int *audited);>
>
> -B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len, const char *path, size_t path_len, int *allowed, int *audited);>
> +B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len,
> + const char *path, int *allowed, int *audited);>
> +
> +B<int aa_query_file_path_len(uint32_t mask, const char *label,
> + size_t label_len, const char *path, size_t path_len,
> + int *allowed, int *audited);>
>
> B<int aa_query_link_path(const char *label, const char *target, const char *link, int *allowed, int *audited);>
>
> @@ -47,6 +54,9 @@ Link with B<-lapparmor> when compiling.
>
> =head1 DESCRIPTION
>
> +The B<aa_query_cmd> function sets up and does a raw query of the kernel. It is
> +the basis of the other query functions.
> +
> The B<aa_query_label> function fetches the current permissions granted by the
> specified I<label> in the I<query> string.
>
> diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
> index 752a5bd..5e43ba2 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -101,6 +101,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
> #define AA_QUERY_CMD_LABEL "label"
> #define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL)
>
> +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> + size_t size, char *buffer, size_t bsize);
> extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
> int *audit);
> extern int aa_query_file_path_len(uint32_t mask, const char *label,
> diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
> index 49c74e1..1fe1b61 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -802,30 +802,22 @@ static void aafs_access_init_once(void)
> free(aafs);
> }
>
> -/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
> -#define QUERY_LABEL_REPLY_LEN 67
> -
> /**
> - * aa_query_label - query the access(es) of a label
> - * @mask: permission bits to query
> - * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
> - * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
> - * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
> - * @audited: upon successful return, will be 1 if query should be audited and 0
> - * if not
> + * aa_query_cmd_open - begin a query for labels @cmd info
> + * @cmd: query cmd to use
> + * @cmd_size: size of the cmd being used
> + * @query: binary query string, must be offset by @cmd_size
> + * @size: size of the query string must include @cmd_size
> *
> - * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> - * ENOENT, the subject label in the query string is unknown to the
> - * kernel.
> + * Returns: fd with the query issued and results waiting to be read else -1 and sets errno.
> + * If -1 is returned and errno is ENOENT, the subject label in
> + * the query string is unknown to the kernel.
> */
> -int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> - int *audited)
> +static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, size_t size)
> {
> - char buf[QUERY_LABEL_REPLY_LEN];
> - uint32_t allow, deny, audit, quiet;
> - int fd, ret, saved;
> + int fd, ret;
>
> - if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) {
> + if (size <= cmd_size) {
> errno = EINVAL;
> return -1;
> }
> @@ -846,7 +838,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> return -1;
> }
>
> - memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
> + memcpy(query, cmd, cmd_size);
> errno = 0;
> ret = write(fd, query, size);
> if (ret != size) {
> @@ -860,10 +852,69 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> return -1;
> }
>
> - ret = read(fd, buf, QUERY_LABEL_REPLY_LEN);
> + return fd;
> +}
> +
> +/**
> + * aa_query_cmd - make a query for labels @cmd info
> + * @cmd: query cmd to use
> + * @cmd_size: size of the cmd being used
> + * @query: binary query string, must be offset by @cmd_size
> + * @size: size of the query string must include @cmd_size
> + * @buffer: buffer to return query data in
> + * @bsize: size of @buffer
> + *
> + * Returns: size of data read on success else -1 and sets errno.
> + * If -1 is returned and errno is ENOENT, the subject label in
> + * the query string is unknown to the kernel.
> + */
> +int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size,
> + char *buffer, size_t bsize)
> +{
> + int fd, ret, saved;
> +
> + fd = aa_query_cmd_open(cmd, cmd_size, query, size);
> + if (fd == -1)
> + return -1;
> +
> + ret = read(fd, buffer, bsize);
> saved = errno;
> (void)close(fd);
> errno = saved;
> +
> + return ret;
> +}
> +
> +/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
> +#define QUERY_LABEL_REPLY_LEN 67
> +
> +/**
> + * aa_query_label - query the access(es) of a label
> + * @mask: permission bits to query
> + * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
> + * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
> + * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
> + * @audited: upon successful return, will be 1 if query should be audited and 0
> + * if not
> + *
> + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> + * ENOENT, the subject label in the query string is unknown to the
> + * kernel.
> + */
> +int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> + int *audited)
> +{
> + char buf[QUERY_LABEL_REPLY_LEN];
> + uint32_t allow, deny, audit, quiet;
> + int ret;
> +
> + if (!mask) {
> + errno = EINVAL;
> + return -1;
> + }
> +
> + ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query,
> + size, buf, QUERY_LABEL_REPLY_LEN);
> if (ret != QUERY_LABEL_REPLY_LEN) {
> errno = EPROTO;
> return -1;
> diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
> index 5cbd4e8..69207d3 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -95,6 +95,13 @@ APPARMOR_2.11 {
> *;
> } APPARMOR_2.10;
>
> +APPARMOR_2.12 {
> + global:
> + aa_query_cmd;
> + local:
> + *;
> +} APPARMOR_2.11;
> +
> PRIVATE {
> global:
> _aa_is_blacklisted;
> diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
> index 005dd7f..9165882 100644
> --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> @@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode);
> extern int aa_getcon(char **label, char **mode);
> extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
> extern int aa_getpeercon(int fd, char **label, char **mode);
> +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> + size_t size, char *buffer, size_t bsize);
> extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
> int *audit);
> extern int aa_query_file_path_len(uint32_t mask, const char *label,
> --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170214/8c46612d/attachment.pgp>
More information about the AppArmor
mailing list