......@@ -32,21 +32,34 @@ aa_query_link_path, aa_query_link_path_len - query access permissions of a link
B<#include E<lt>sys/apparmor.hE<gt>>
B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, int *audited);>
B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
size_t size, char *buffer, size_t bsize);>
B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, const char *path, int *allowed, int *audited);>
B<int aa_query_label(uint32_t mask, char *query, size_t size,
int *allowed, int *audited);>
B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len, const char *path, size_t path_len, int *allowed, int *audited);>
B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len,
const char *path, int *allowed, int *audited);>
B<int aa_query_file_path_len(uint32_t mask, const char *label,
size_t label_len, const char *path, size_t path_len,
int *allowed, int *audited);>
B<int aa_query_link_path(const char *label, const char *target, const char *link, int *allowed, int *audited);>
B<int aa_query_link_path_len(const char *label, size_t label_len, const char *target, size_t target_len, const char *link, size_t link_len, int *allowed, int *audited);>
B<int aa_query_label_data(const char *label, const char *key,
aa_label_data_info *out);>
B<void aa_clear_label_data(aa_label_data_info *info);>
Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
The B<aa_query_cmd> function sets up and does a raw query of the kernel. It is
the basis of the other query functions.
The B<aa_query_label> function fetches the current permissions granted by the
specified I<label> in the I<query> string.
......@@ -78,6 +91,13 @@ B<aa_query_label> function. The I<link_len> and I<target_len> parameters
specify the number of bytes in the I<link> and I<target> to use as part of
the query.
The B<aa_query_label_data> function does a raw query of any extra data stored
as I<key> in the label. The data is returned as a single blob in
<Iout->data>. The data is further broken into subentries by the
<Iout->ents> vec whose entries points back into the <Iout->data> blob. The
data returned by B<aa_query_label_data> should be freed by
B<aa_clear_label_data>.
=head1 RETURN VALUE
On success 0 is returned, and the I<allowed> and I<audited> parameters
......@@ -18,8 +18,10 @@
#ifndef _SYS_APPARMOR_H
#define _SYS_APPARMOR_H 1
#include <sys/select.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/time.h>
#include <sys/types.h>
#ifdef __cplusplus
......@@ -102,7 +104,11 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
*/
#define AA_QUERY_CMD_LABEL "label"
#define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL)
#define AA_QUERY_CMD_DATA "data"
#define AA_QUERY_CMD_DATA_SIZE sizeof(AA_QUERY_CMD_DATA)
extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
......@@ -117,6 +123,23 @@ extern int aa_query_link_path_len(const char *label, size_t label_len,
extern int aa_query_link_path(const char *label, const char *target,
const char *link, int *allowed, int *audited);
typedef struct {
uint32_t size; /* length of s */
const char *entry; /* not necessarily NULL-terminated */
} aa_label_data_ent;
typedef struct {
char *data; /* free data */
uint32_t n; /* number of ents */
aa_label_data_ent *ents; /* free vec of entries */
} aa_label_data_info;
extern int aa_query_label_data(const char *label, const char *key,
aa_label_data_info *out);
extern void aa_clear_label_data(aa_label_data_info *info);
#define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
#define __macroarg_count1(Y...) __macroarg_count2 (Y, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
#define __macroarg_count2(_,x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15,n,Y...) n
......@@ -193,6 +216,12 @@ extern int aa_policy_cache_remove(int dirfd, const char *path);
extern int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
aa_kernel_interface *kernel_interface);
int aa_policy_notification_open(const char *ns);
void aa_policy_notification_close(int fd);
long aa_policy_revision(int fd);
long aa_policy_wait(int fd, const struct timespec *timeout,
const sigset_t *sigmask);
#ifdef __cplusplus
}
#endif
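Review bot: In the `@@ -117,6 +123,23 @@` hunk the comment on `aa_label_data_ent` reads `uint32_t size; /* length of s */`, but the struct has no member `s` — the field it describes is `entry`; `/* length of entry in bytes; entry is not necessarily NUL-terminated */` would match the declaration. The `/* free data */` and `/* free vec of entries */` comments on aa_label_data_info read as instructions to the caller and do not say who releases what; since aa_clear_label_data is the declared release function, `/* owned by the result; released by aa_clear_label_data() */` on both fields would settle that. The four aa_policy_* prototypes in the `@@ -193,6 +216,12 @@` hunk are the only declarations in this header written without `extern`; adding it keeps them consistent with the surrounding API.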
......@@ -48,7 +48,7 @@ af_protos.h: /usr/include/netinet/in.h
lib_LTLIBRARIES = libapparmor.la
noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h
libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c
libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c notify.c
libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \
-Wl,--version-script=$(top_srcdir)/src/libapparmor.map
......@@ -95,6 +95,15 @@ APPARMOR_2.11 {
*;
} APPARMOR_2.10;
APPARMOR_2.12 {
global:
aa_query_cmd;
aa_clear_label_data;
aa_query_label_data;
local:
*;
} APPARMOR_2.11;
PRIVATE {
global:
_aa_is_blacklisted;
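Review bot: The functions notify.c adds and sys/apparmor.h now declares in this merge request — aa_policy_notification_open, aa_policy_notification_close, aa_policy_revision and aa_policy_wait — are not listed in the new APPARMOR_2.12 block, and with `-Wl,--version-script` in Makefile.am the `local: *;` default hides them from programs linking against the library. Unless they are meant to stay unexported for now, they belong in the `global:` list of APPARMOR_2.12 next to aa_query_cmd, aa_clear_label_data and aa_query_label_data.
```ld
APPARMOR_2.12 {
  global:
    /* … unchanged: aa_query_cmd, aa_clear_label_data, aa_query_label_data … */
    aa_policy_notification_open;
    aa_policy_notification_close;
    aa_policy_revision;
    aa_policy_wait;
  /* … unchanged: local: *; … */
} APPARMOR_2.11;
```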
/*
* Copyright (c) 2017
* Canonical, Ltd. (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Canonical Ltd.
*/
#include <limits.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/apparmor.h>
#include "private.h"
/* The policy notification api provides some abstraction from the actual
* kernel communication method
*/
/**
* aa_policy_notification_open - open an fd for policy update notifications
* @ns: name of namespace to open notifications for. If null current ns
* Returns: an fd or -1 on error
*
* This provides a generic mechanism to receive policy update notifications.
* The under lying mechanism of the notifications is not guarenteed nor
* is the wire format of the data on the fd. To access the data use the
* access fns. The only guarentee is that the fd can be used in
* select/poll.
*/
int aa_policy_notification_open(const char *ns)
{
autofree char *aafs;
autofree char *aafs_rev;
int ret;
ret = aa_find_mountpoint(&aafs);
if (ret < 0)
return -1;
ret = asprintf(&aafs_rev, "%s/.revision", aafs);
if (ret < 0)
return -1;
return open(aafs_rev, O_RDONLY);
}
/**
* aa_policy_notification_close - close fd associated with policy notifications
* @fd: the fd to close.
*/
void aa_policy_notification_close(int fd)
{
close(fd);
}
/**
* aa_policy_revision - return the current policy revision.
* @fd: a policy revision fd opened by aa_policy_notification_open
* Returns: policy revision or -1 on error with errno set
*/
long aa_policy_revision(int fd)
{
char buf[32];
char *end;
ssize_t ret;
long rev;
ret = read(fd, buf, sizeof(buf));
if (ret < 0)
return -1;
buf[ret] = 0;
rev = strtol(buf, &end, 0);
if (rev == LONG_MIN || rev == LONG_MAX || rev < 0)
return -1;
return rev;
}
/**
* aa_policy_wait - wait for the next policy revision and return its value
* @fd: the policy fd to wait on
* @timeout: maximum time to block, Maybe NULL for no timeout
* @sigmask: sigmask that can cause
* Returns: the revision # of updated revision or -1 on error with errno set
*
* Note: may not block if policy has already been updated
* EINTR - a signal caused the wakeup
*/
long aa_policy_wait(int fd, const struct timespec *timeout,
const sigset_t *sigmask)
{
fd_set fds;
int ret;
FD_ZERO(&fds);
FD_SET(fd, &fds);
ret = pselect(fd+1, &fds, NULL, NULL, timeout, sigmask);
if (ret == -1)
return -1;
return aa_policy_revision(fd);
}
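Review bot: `buf[ret] = 0;` in aa_policy_revision writes one byte past `buf` when read() returns a full 32 bytes, because the read is sized `sizeof(buf)`; reading `sizeof(buf) - 1` leaves room for the terminator. The strtol() check on the following lines also misses the empty-read and non-numeric cases (ret == 0 leaves an empty string, which strtol parses as 0 with no error), and the documented "-1 on error with errno set" contract is not met on the `rev < 0` return; checking `errno` (which needs `<errno.h>`) and `end == buf` covers both. In aa_policy_notification_open, `aafs` and `aafs_rev` are declared `autofree` without an initializer, so the early `return -1` after aa_find_mountpoint() (and after a failed asprintf(), whose output pointer is undefined on error) hands an indeterminate pointer to the scope-exit cleanup — presumably free() via private.h — so `autofree char *aafs = NULL;` and `autofree char *aafs_rev = NULL;` are needed. Whether a second read on the same fd, as aa_policy_wait does after pselect(), returns fresh data or EOF depends on the kernel file's semantics that this file does not show; if it does not rewind, an `lseek(fd, 0, SEEK_SET)` before the read is required. `<sys/types.h>` is included twice, and the `@sigmask:` line of the aa_policy_wait comment is an unfinished sentence.
```c
long aa_policy_revision(int fd)
{
	/* … unchanged: declarations of buf, end, ret, rev … */

	/* keep one byte for the terminator so a full read cannot index buf[sizeof(buf)] */
	ret = read(fd, buf, sizeof(buf) - 1);
	if (ret < 0)
		return -1;
	buf[ret] = 0;

	errno = 0;
	rev = strtol(buf, &end, 0);
	/* empty or non-numeric input, overflow, or a negative value are all errors;
	 * set errno so the documented "-1 with errno set" contract holds */
	if (errno != 0 || end == buf || rev < 0) {
		if (!errno)
			errno = EINVAL;
		return -1;
	}
	return rev;
}
```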
......@@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode);
extern int aa_getcon(char **label, char **mode);
extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
extern int aa_getpeercon(int fd, char **label, char **mode);
extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
......@@ -70,5 +72,8 @@ extern int aa_query_link_path_len(const char *label, size_t label_len,
int *allowed, int *audited);
extern int aa_query_link_path(const char *label, const char *target,
const char *link, int *allowed, int *audited);
extern int aa_query_label_data(const char *label, const char *key,
aa_label_data_info *out);
extern void aa_clear_label_data(aa_label_data_info *info);
%exception;
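Review bot: The added prototypes for aa_query_label_data and aa_clear_label_data use `aa_label_data_info`, but no typedef for it (or for aa_label_data_ent) appears in either hunk of this interface file; unless the file already pulls the header in elsewhere, SWIG will wrap the type as an opaque pointer and the generated bindings cannot allocate an `out` struct or read `data`/`ents` from it. Adding the two typedefs from sys/apparmor.h next to these declarations, or a `%include <sys/apparmor.h>`, would make the result usable from the bindings. The enclosing file extends beyond both hunks, so this may already be handled in a part not shown.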
......@@ -250,7 +250,7 @@ static inline void sd_write_name(std::ostringstream &buf, const char *name)
}
}
static inline void sd_write_blob(std::ostringstream &buf, void *b, int buf_size, char *name)
static inline void sd_write_blob(std::ostringstream &buf, const void *b, int buf_size, const char *name)
{
sd_write_name(buf, name);
sd_write8(buf, SD_BLOB);
......@@ -273,7 +273,7 @@ static inline void sd_write_aligned_blob(std::ostringstream &buf, void *b, int b
buf.write((const char *) b, b_size);
}
static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char *name)
static void sd_write_strn(std::ostringstream &buf, const char *b, int size, const char *name)
{
sd_write_name(buf, name);
sd_write8(buf, SD_STRING);
......@@ -281,7 +281,7 @@ static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char
buf.write(b, size);
}
static inline void sd_write_string(std::ostringstream &buf, char *b, const char *name)
static inline void sd_write_string(std::ostringstream &buf, const char *b, const char *name)
{
sd_write_strn(buf, b, strlen(b) + 1, name);
}
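Review bot: sd_write_aligned_blob, visible in the hunk header at `@@ -273,7 +273,7 @@`, still takes `void *b` while sd_write_blob in the same commit was changed to `const void *b`; for consistency its signature should become `static inline void sd_write_aligned_blob(std::ostringstream &buf, const void *b, int b_size, const char *name)`, though the parameter list past `int b` is cut off in the header, so confirm the remaining parameters. sd_write_string still passes `strlen(b) + 1`, a size_t, into the `int size` parameter of sd_write_strn; that narrowing predates this change but is worth a `static_cast<int>` or a size_t parameter while these signatures are being touched.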