On 2015-05-29 01:39:15, John Johansen wrote: > Signed-off-by: John Johansen <[email protected]> > --- > libraries/libapparmor/doc/aa_query_label.pod | 9 +++++++++ > libraries/libapparmor/include/sys/apparmor.h | 4 +++- > libraries/libapparmor/src/kernel.c | 24 ++++++++++++++++++++++++ > libraries/libapparmor/src/libapparmor.map | 1 + > libraries/libapparmor/swig/SWIG/libapparmor.i | 2 ++ > 5 files changed, 39 insertions(+), 1 deletion(-) > > diff --git a/libraries/libapparmor/doc/aa_query_label.pod > b/libraries/libapparmor/doc/aa_query_label.pod > index 9aa563a..db15fcc 100644 > --- a/libraries/libapparmor/doc/aa_query_label.pod > +++ b/libraries/libapparmor/doc/aa_query_label.pod > @@ -30,6 +30,8 @@ B<#include E<lt>sys/apparmor.hE<gt>> > > B<int aa_query_label((uint32_t mask, char *query, size_t size, int *allowed, > int *audited);> > +B<int aa_query_file((uint32_t mask, const char *label, const char *path, > + int *allowed, int *audited);>
Bah, I wish we would have already made the switch to C99 mode before I
implemented aa_query_label(). I wish allowed and audited were bools. Too
late now...
>
> Link with B<-lapparmor> when compiling.
>
> @@ -52,6 +54,13 @@ of directly using I<aa_query_label>. If directly using the
> interface the
> I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
> that will be used by I<aa_query_label>.
>
> +
> +The B<aa_query_file> function is a helper function that assembles a properly
> +formated path query for the B<aa_query_label> function. The I<label> is a
> valid
formatted
> +apparmor label as returned by I<aa_split_con> and the I<path> is any valid
I<aa_splitcon>
> +filesystem path to query permissions for.
> +
> +
> =head1 RETURN VALUE
>
> On success 0 is returned, and the I<allowed> and I<audited> parameters
> diff --git a/libraries/libapparmor/include/sys/apparmor.h
> b/libraries/libapparmor/include/sys/apparmor.h
> index 99ce36b..a408741 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -27,7 +27,7 @@ __BEGIN_DECLS
> /*
> * Class of public mediation types in the AppArmor policy db
> */
> -
> +#define AA_CLASS_FILE 2
> #define AA_CLASS_DBUS 32
>
>
> @@ -79,6 +79,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
>
> extern int aa_query_label(uint32_t mask, char *query, size_t size, int
> *allow,
> int *audit);
> +extern int aa_query_file(uint32_t mask, const char *label, const char *path,
> + int *allowed, int *audited);
>
> #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
> #define __macroarg_count1(Y...) __macroarg_count2 (Y,
> 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
> diff --git a/libraries/libapparmor/src/kernel.c
> b/libraries/libapparmor/src/kernel.c
> index 9d5f45d..d140f6b 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -786,3 +786,27 @@ int query_label(uint32_t mask, char *query, size_t size,
> int *allowed,
> extern typeof((query_label)) __aa_query_label __attribute__((alias
> ("query_label")));
> symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
> default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
> +
> +
> +int aa_query_file(uint32_t mask, const char *label, const char *path,
> + int *allowed, int *audited)
I prefer that we require 'size_t label_len' and 'size_t path_len'
parameters. The caller may already have the string lengths stored in
variables, eliminating unnecessary calls to strlen(). Also, it allows
for non-nul-terminated strings to be used.
> +{
> + int rc;
> + char *query;
Seems like a perfect opportunity to break out 'autofree'. Be sure to
initialize query to NULL if you decide to use it.
> +
> + int lsize = strlen(label);
> + int psize = strlen(path);
> + /* + 1 for null separator */
> + int size = AA_QUERY_CMD_LABEL_SIZE + lsize + 1 + psize;
change to size_t?
> + query = malloc(size + 1);
> + if (!query)
> + return -1;
> + /* we want the null terminator here */
> + strcpy(query + AA_QUERY_CMD_LABEL_SIZE, label);
> + query[AA_QUERY_CMD_LABEL_SIZE + lsize + 1] = AA_CLASS_FILE;
> + memcpy(query + AA_QUERY_CMD_LABEL_SIZE + lsize + 2, path, psize);
> + rc = aa_query_label(mask, query, size , allowed, audited);
> + free(query);
This free() goes away if you switch to autofree.
Tyler
> +
> + return rc;
> +}
> diff --git a/libraries/libapparmor/src/libapparmor.map
> b/libraries/libapparmor/src/libapparmor.map
> index 3f43494..3514682 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -54,6 +54,7 @@ APPARMOR_2.9 {
>
> APPARMOR_2.10 {
> global:
> + aa_query_file;
> aa_features_new;
> aa_features_new_from_string;
> aa_features_new_from_kernel;
> diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i
> b/libraries/libapparmor/swig/SWIG/libapparmor.i
> index 6bae3f6..0bf3b2a 100644
> --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> @@ -39,5 +39,7 @@ extern int aa_getpeercon_raw(int fd, char *buf, int *len,
> char **mode);
> extern int aa_getpeercon(int fd, char **label, char **mode);
> extern int aa_query_label(uint32_t mask, char *query, size_t size, int
> *allow,
> int *audit);
> +extern int aa_query_file(uint32_t mask, const char *label, const char *path,
> + int *allowed, int *audited);
>
> %exception;
> --
> 2.1.4
>
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
