On Thu, Jan 12, 2012 at 11:20:34AM +0100, Steve Beattie wrote: > On Fri, Jan 06, 2012 at 09:53:16AM -0800, John Johansen wrote: > > The aa-exec command can be used to launch an application under a specified > > confinement, which may be different for what regular profile attachment > > would apply.
Another question: if you specify a profile to add with -f, should it get removed after the command you exec completes? > > Signed-off-by: John Johansen <[email protected]> > > --- > > utils/Makefile | 2 +- > > utils/aa-exec | 124 > > +++++++++++++++++++++++++++++++++++++++++++++++++++++ > > utils/aa-exec.pod | 83 +++++++++++++++++++++++++++++++++++ > > 3 files changed, 208 insertions(+), 1 deletions(-) > > create mode 100755 utils/aa-exec > > create mode 100644 utils/aa-exec.pod > > > > diff --git a/utils/Makefile b/utils/Makefile > > index f733828..f4f8707 100644 > > --- a/utils/Makefile > > +++ b/utils/Makefile > > @@ -28,7 +28,7 @@ endif > > > > MODDIR = Immunix > > PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain > > aa-enforce \ > > - aa-unconfined aa-notify aa-disable > > + aa-unconfined aa-notify aa-disable aa-exec > > TOOLS = ${PERLTOOLS} aa-decode aa-status > > MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \ > > ${MODDIR}/Config.pm ${MODDIR}/Severity.pm > > diff --git a/utils/aa-exec b/utils/aa-exec > > new file mode 100755 > > index 0000000..805da9e > > --- /dev/null > > +++ b/utils/aa-exec 
> > @@ -0,0 +1,124 @@ > > +#!/usr/bin/perl > > +# ------------------------------------------------------------------ > > +# > > +# Copyright (C) 2011 Canonical Ltd. > > +# > > +# This program is free software; you can redistribute it and/or > > +# modify it under the terms of version 2 of the GNU General Public > > +# License published by the Free Software Foundation. > > +# > > +# ------------------------------------------------------------------ > > + > > +use strict; > > +use warnings; > > +use Errno; > > + > > +require LibAppArmor; > > +require POSIX; > > +require Time::Local; > > +require File::Basename; > > + > > +my $opt_d = ''; > > +my $opt_h = ''; > > +my $opt_p = ''; > > +my $opt_n = ''; > > +my $opt_i = ''; > > +my $opt_v = ''; > > +my $opt_f = ''; > > + > > +sub _warn { > > + my $msg = $_[0]; > > + print STDERR "aa-exec: WARN: $msg\n"; > > +} > > +sub _error { > > + my $msg = $_[0]; > > + print STDERR "aa-exec: ERROR: $msg\n"; > > + exit 1 > > +} > > + > > +sub _debug { > > + $opt_d or return; > > + my $msg = $_[0]; > > + print STDERR "aa-exec: DEBUG: $msg\n"; > > +} > > + > > +sub _verbose { > > + $opt_v or return; > > + my $msg = $_[0]; > > + print STDERR "$msg\n"; > > +} > > + > > +sub usage() { > > + my $s = <<'EOF'; > > +USAGE: aa-exec [OPTIONS] <prog> <args> > > + > > +Confine <prog> with the specified PROFILE. 
> > + > > +OPTIONS: > > + -p PROFILE, --profile=PROFILE PROFILE to confine <prog> with > > + -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in > > + -f FILE, --file FILE profile file to load > > + -i, --immediate change profile immediately instead of at exec > > + -v, --verbose show messages with stats > > + -h, --help display this help > > + > > +EOF > > + print $s; > > +} > > + > > +use Getopt::Long; > > + > > +GetOptions( > > + 'debug|d' => \$opt_d, > > + 'help|h' => \$opt_h, > > + 'profile|p=s' => \$opt_p, > > + 'namespace|n=s' => \$opt_n, > > + 'file|f=s' => \$opt_f, > > + 'immediate|i' => \$opt_i, > > + 'verbose|v' => \$opt_v, > > +); > > + > > +if ($opt_h) { > > + usage(); > > + exit(0); > > +} > > + > > +if ($opt_n || $opt_p) { > > + my $test; > > + my $prof; > > + > > + if ($opt_n) { > > + $prof = ":$opt_n:"; > > + } > > + > > + $prof .= $opt_p; > > + > > + if ($opt_f) { > > + system("apparmor_parser -r $opt_f") == 0 > > Please convert this to a list, e.g.: > > system("apparmor_parser", "-r", "$opt_f") == 0 > > because otherwise if there are any shell metacharacters in $opt_f, perl > will hand off the entire string to '/bin/sh -c' to run and the shell > metacharacters will get evaluated, leading to perhaps unexpected > results. > > > + or _error("\'aborting could not load $opt_f\'"); > > + } > > + > > + if ($opt_i) { > > + _verbose("aa_change_profile(\"$prof\")"); > > + $test = LibAppArmor::aa_change_profile($prof); > > + _debug("$test = aa_change_profile(\"$prof\"); $!"); > > + } else { > > + _verbose("aa_change_onexec(\"$prof\")"); > > + $test = LibAppArmor::aa_change_onexec($prof); > > + _debug("$test = aa_change_onexec(\"$prof\"); $!"); > > + } > > + > > + if ($test != 0) { > > + if ($!{ENOENT} || $!{EACCESS}) { > > + my $pre = ($opt_p) ? 
"profile" : "namespace"; > > + _error("$pre \'$prof\' does not exist\n"); > > + } elsif ($!{EINVAL}) { > > + _error("AppArmor interface not available\n"); > > + } else { > > + _error("$!\n"); > > + } > > + } > > +} > > + > > +_verbose("exec @ARGV"); > > +exec @ARGV; > > diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod > > new file mode 100644 > > index 0000000..a973193 > > --- /dev/null > > +++ b/utils/aa-exec.pod 
> > @@ -0,0 +1,83 @@ > > +# This publication is intellectual property of Canonical Ltd. Its contents > > +# can be duplicated, either in part or in whole, provided that a copyright > > +# label is visibly located on each copy. > > +# > > +# All information found in this book has been compiled with utmost > > +# attention to detail. However, this does not guarantee complete accuracy. > > +# Neither Canonical Ltd, the authors, nor the translators shall be held > > +# liable for possible errors or the consequences thereof. > > +# > > +# Many of the software and hardware descriptions cited in this book > > +# are registered trademarks. All trade names are subject to copyright > > +# restrictions and may be registered trade marks. Canonical Ltd > > +# essentially adheres to the manufacturer's spelling. > > +# > > +# Names of products and trademarks appearing in this book (with or without > > +# specific notation) are likewise subject to trademark and trade protection > > +# laws and may thus fall under copyright restrictions. > > +# > > + > > + > > +=pod > > + > > +=head1 NAME > > + > > +aa-exec - confine a program with the specified AppArmor profile > > + > > +=head1 SYNOPSIS > > + > > +B<aa-exec> [options] [I<E<lt>executableE<gt>> ...] > > + > > +=head1 DESCRIPTION > > + > > +B<aa-exec> is used to launch a program confined by the specified profile > > +and or namespace. If both a profile and namespace are specified executable > > +will be confined by profile in the new policy namespace. If only a > > namespace > > +is specified, the profile name of the current confinement will be used. If > > +neither a profile or namespace is specified executable will be run using > > +standard profile attachment (ie. as if run without the aa-exec command). > > With using Getopt::Long to parse options to aa-exec, we should probably > mention here that you should use -- to pass command-line arguments (e.g. > '-a' on to the command you wish to exec(). 
> > > +=head1 OPTIONS > > +B<aa-exec> accepts the following arguments: > > + > > +=over 4 > > + > > +=item -p PROFILE, --profile=PROFILE > > + > > +confine I<E<lt>executableE<gt>> with PROFILE. If the PROFILE is not > > specified > > +use the current profile name (likely unconfined). > > + > > +=item -n NAMESPACE, --namespace=NAMESPACE > > + > > +use profiles in NAMESPACE. This will result in confinement transitioning > > +to using the new profile namespace. > > + > > +=item -f FILE, --file=FILE > > + > > +a file or directory containing profiles to load before confining the > > program. > > + > > +=item -i, --immediate > > + > > +transition to PROFILE before doing executing I<E<lt>executableE<gt>>. This > > +subjects the running of I<E<lt>executableE<gt>> to the exec transition > > rules > > +of the current profile. > > + > > +=item -v, --verbose > > + > > +show commands being performed > > + > > +=item -d, --debug > > + > > +show commands and error codes > > + > > +=head1 BUGS > > + > > +If you find any bugs, please report them at > > +L<http://https://bugs.launchpad.net/apparmor/+filebug>. > > + > > +=head1 SEE ALSO > > + > > +aa-statck(8), aa-namespace(8), apparmor(7), apparmor.d(5), > > aa_change_profile(3), > > aa-statck? > > > +aa_change_onexec(3) and L<http://wiki.apparmor.net>. > > + > > +=cut > > Otherwise I think this looks good. > > -- > Steve Beattie > <[email protected]> > http://NxNW.org/~steve/ > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
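Review bot: in the utils/aa-exec hunk, the errno check `if ($!{ENOENT} || $!{EACCESS})` misspells EACCES as EACCESS; Errno's %! hash returns an empty string for a key that is not a known errno name, so a permission-denied result from aa_change_profile/aa_change_onexec never reaches the "does not exist" branch and falls through to the generic `_error("$!\n")`. Spell it `$!{EACCES}`. Two further points in the same hunk: the `if ($opt_f)` block that runs apparmor_parser sits inside `if ($opt_n || $opt_p)`, so `aa-exec -f FILE prog` with neither -p nor -n silently loads nothing; either hoist the load out of that condition or reject -f without a profile. And `exec @ARGV;` is the last statement with its return value unchecked, so if no program is given or the exec fails the script falls off the end with exit status 0; `exec @ARGV or _error("could not exec @ARGV: $!");` (plus a usage() call when @ARGV is empty) would make the failure visible. Minor: `-d`/`--debug` is accepted by GetOptions but is missing from usage(), and the `require POSIX`, `require Time::Local` and `require File::Basename` lines are unused.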
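Review bot: in the utils/aa-exec.pod hunk, `=head1 OPTIONS` is immediately followed by `B<aa-exec> accepts the following arguments:` with no blank line between them, so POD treats the second line as part of the heading text; add a `+` blank line after `=head1 OPTIONS`. The `=over 4` list is also never closed: there is no `=back` before `=head1 BUGS`, which podchecker will report. The bug-report link `L<http://https://bugs.launchpad.net/apparmor/+filebug>` has a doubled scheme and should read `L<https://bugs.launchpad.net/apparmor/+filebug>`. The OPTIONS list omits `-h, --help`, which the script accepts. Wording: "and or namespace" should be "and/or namespace", "neither a profile or namespace" should be "neither a profile nor a namespace", "(ie. as if" should be "(i.e. as if", and "before doing executing" should be "before executing".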
