[apparmor] [PATCH 1/7] Split aa_query_label into a base aa_query_cmd and it, aa_query_label

Seth Arnold seth.arnold at canonical.com
Wed Feb 15 02:41:46 UTC 2017


On Fri, Feb 10, 2017 at 12:46:07PM -0800, John Johansen wrote:
> Split the basic transaction file query out of aa_query_label so that
> it can be reused by other query types.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  libraries/libapparmor/doc/aa_query_label.pod  | 16 ++++-
>  libraries/libapparmor/include/sys/apparmor.h  |  2 +
>  libraries/libapparmor/src/kernel.c            | 93 +++++++++++++++++++++------
>  libraries/libapparmor/src/libapparmor.map     |  7 ++
>  libraries/libapparmor/swig/SWIG/libapparmor.i |  2 +
>  5 files changed, 96 insertions(+), 24 deletions(-)
> 
> diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
> index 06129b6..73f430b 100644
> --- a/libraries/libapparmor/doc/aa_query_label.pod
> +++ b/libraries/libapparmor/doc/aa_query_label.pod
> @@ -32,11 +32,18 @@ aa_query_link_path, aa_query_link_path_len - query access permissions of a link
>  
>  B<#include E<lt>sys/apparmor.hE<gt>>
>  
> -B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, int *audited);>
> +B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> +		size_t size, char *buffer, size_t bsize);>
>  
> -B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, const char *path, int *allowed, int *audited);>
> +B<int aa_query_label(uint32_t mask, char *query, size_t size,
> +		int *allowed, int *audited);>
>  
> -B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len, const char *path, size_t path_len, int *allowed, int *audited);>
> +B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len,
> +		const char *path, int *allowed, int *audited);>
> +
> +B<int aa_query_file_path_len(uint32_t mask, const char *label,
> +		size_t label_len, const char *path, size_t path_len,
> +		int *allowed, int *audited);>
>  
>  B<int aa_query_link_path(const char *label, const char *target, const char *link, int *allowed, int *audited);>
>  
> @@ -47,6 +54,9 @@ Link with B<-lapparmor> when compiling.
>  
>  =head1 DESCRIPTION
>  
> +The B<aa_query_cmd> function sets up and does a raw query of the kernel. It is
> +the basis of the other query functions.
> +
>  The B<aa_query_label> function fetches the current permissions granted by the
>  specified I<label> in the I<query> string.
>  
> diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
> index 752a5bd..5e43ba2 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -101,6 +101,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
>  #define AA_QUERY_CMD_LABEL		"label"
>  #define AA_QUERY_CMD_LABEL_SIZE		sizeof(AA_QUERY_CMD_LABEL)
>  
> +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> +			size_t size, char *buffer, size_t bsize);
>  extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
>  			  int *audit);
>  extern int aa_query_file_path_len(uint32_t mask, const char *label,
> diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
> index 49c74e1..1fe1b61 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -802,30 +802,22 @@ static void aafs_access_init_once(void)
>  	free(aafs);
>  }
>  
> -/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
> -#define QUERY_LABEL_REPLY_LEN	67
> -
>  /**
> - * aa_query_label - query the access(es) of a label
> - * @mask: permission bits to query
> - * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
> - * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
> - * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
> - * @audited: upon successful return, will be 1 if query should be audited and 0
> - *           if not
> + * aa_query_cmd_open - begin a query for labels @cmd info
> + * @cmd: query cmd to use
> + * @cmd_size: size of the cmd being used
> + * @query: binary query string, must be offset by @cmd_size
> + * @size: size of the query string must include @cmd_size
>   *
> - * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> - *          ENOENT, the subject label in the query string is unknown to the
> - *          kernel.
> + * Returns: fd with the query issued and results waiting to be read else -1 and sets errno.
> + *          If -1 is returned and errno is ENOENT, the subject label in
> + *          the query string is unknown to the kernel.
>   */
> -int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> -		int *audited)
> +static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, size_t size)
>  {
> -	char buf[QUERY_LABEL_REPLY_LEN];
> -	uint32_t allow, deny, audit, quiet;
> -	int fd, ret, saved;
> +	int fd, ret;
>  
> -	if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) {
> +	if (size <= cmd_size) {
>  		errno = EINVAL;
>  		return -1;
>  	}
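Review bot: The new `@cmd_size` kernel-doc on aa_query_cmd_open ("size of the cmd being used") does not say whether the count includes the command's terminating NUL, yet `memcpy(query, cmd, cmd_size)` in the next hunk copies exactly that many bytes into the caller's buffer, and the only caller passes AA_QUERY_CMD_LABEL_SIZE, which is `sizeof(AA_QUERY_CMD_LABEL)` and so does include it. Suggest `@cmd_size: number of bytes of @cmd written at the start of @query (includes the trailing NUL, e.g. AA_QUERY_CMD_LABEL_SIZE)`. The matching line in aa_query_cmd's kernel-doc (the hunk at @@ -860) should say the same, since that function becomes public API in this patch. aa_query_cmd_open's body continues past the end of this hunk.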
> @@ -846,7 +838,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
>  		return -1;
>  	}
>  
> -	memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
> +	memcpy(query, cmd, cmd_size);
>  	errno = 0;
>  	ret = write(fd, query, size);
>  	if (ret != size) {
> @@ -860,10 +852,69 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
>  		return -1;
>  	}
>  
> -	ret = read(fd, buf, QUERY_LABEL_REPLY_LEN);
> +	return fd;
> +}
> +
> +/**
> + * aa_query_cmd - make a query for labels @cmd info
> + * @cmd: query cmd to use
> + * @cmd_size: size of the cmd being used
> + * @query: binary query string, must be offset by @cmd_size
> + * @size: size of the query string must include @cmd_size
> + * @buffer: buffer to return query data in
> + * @bsize: size of @buffer
> + *
> + * Returns: size of data read on success else -1 and sets errno.
> + *          If -1 is returned and errno is ENOENT, the subject label in
> + *          the query string is unknown to the kernel.
> + */
> +int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size,
> +		 char *buffer, size_t bsize)
> +{
> +	int fd, ret, saved;
> +
> +	fd = aa_query_cmd_open(cmd, cmd_size, query, size);
> +	if (fd == -1)
> +		return -1;
> +
> +	ret = read(fd, buffer, bsize);
>  	saved = errno;
>  	(void)close(fd);
>  	errno = saved;
> +
> +	return ret;
> +}
> +
> +/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
> +#define QUERY_LABEL_REPLY_LEN	67
> +
> +/**
> + * aa_query_label - query the access(es) of a label
> + * @mask: permission bits to query
> + * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
> + * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
> + * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
> + * @audited: upon successful return, will be 1 if query should be audited and 0
> + *           if not
> + *
> + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
> + *          ENOENT, the subject label in the query string is unknown to the
> + *          kernel.
> + */
> +int query_label(uint32_t mask, char *query, size_t size, int *allowed,
> +		int *audited)
> +{
> +	char buf[QUERY_LABEL_REPLY_LEN];
> +	uint32_t allow, deny, audit, quiet;
> +	int ret;
> +
> +	if (!mask) {
> +		errno = EINVAL;
> +		return -1;
> +	}
> +
> +	ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query,
> +			   size, buf, QUERY_LABEL_REPLY_LEN);
>  	if (ret != QUERY_LABEL_REPLY_LEN) {
>  		errno = EPROTO;
>  		return -1;
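Review bot: In aa_query_cmd, `ret` is an `int` receiving the `ssize_t` result of `read(fd, buffer, bsize)`, and with @bsize now a caller-supplied size_t on an exported function, a read longer than INT_MAX would be silently truncated before `return ret;`, so the documented "size of data read on success" does not hold in general (unlikely against apparmorfs in practice, but the contract is what external callers will rely on). Declaring `ssize_t ret;` would make the narrowing explicit at the single return, or the limit could be stated in the kernel-doc. query_label's body continues past the end of the hunk.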
> diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
> index 5cbd4e8..69207d3 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -95,6 +95,13 @@ APPARMOR_2.11 {
>          *;
>  } APPARMOR_2.10;
>  
> +APPARMOR_2.12 {
> +  global:
> +        aa_query_cmd;
> +  local:
> +        *;
> +} APPARMOR_2.11;
> +
>  PRIVATE {
>  	global:
>  		_aa_is_blacklisted;
> diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
> index 005dd7f..9165882 100644
> --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> @@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode);
>  extern int aa_getcon(char **label, char **mode);
>  extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
>  extern int aa_getpeercon(int fd, char **label, char **mode);
> +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
> +			size_t size, char *buffer, size_t bsize);
>  extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
>  			  int *audit);
>  extern int aa_query_file_path_len(uint32_t mask, const char *label,
> -- 

