Signed-off-by: John Johansen <[email protected]>
---
libraries/libapparmor/doc/aa_query_label.pod | 16 ++++++++
libraries/libapparmor/include/sys/apparmor.h | 28 +++++++++++++-
libraries/libapparmor/src/kernel.c | 56 +++++++++++++++++++++++++++
libraries/libapparmor/src/libapparmor.map | 2 +
libraries/libapparmor/swig/SWIG/libapparmor.i | 5 +++
5 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/libraries/libapparmor/doc/aa_query_label.pod
b/libraries/libapparmor/doc/aa_query_label.pod
index 3bba71b..002a106 100644
--- a/libraries/libapparmor/doc/aa_query_label.pod
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -31,6 +31,14 @@ B<#include E<lt>sys/apparmor.hE<gt>>
B<int aa_query_label((uint32_t mask, char *query, size_t size,
int *allowed, int *audited);>
+B<int aa_query_file_path((uint32_t mask, const char *label, size_t label_len,
+ const char *path, int *allowed, int *audited);>
+
+B<int aa_query_file_path_len((uint32_t mask, const char *label,
+ size_t label_len, const char *path, size_t n,
+ int *allowed, int *audited);>
+
+
Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
@@ -52,6 +60,14 @@ of directly using I<aa_query_label>. If directly using the
interface the
I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
that will be used by I<aa_query_label>.
+The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper
+function that assemble a properly formatted file path query for the
+B<aa_query_label> function. The I<label> is a valid apparmor label as
+returned by I<aa_splitcon> with I<label_len> being the lenght of the I<label>.
+The I<path> is any valid filesystem path to query permissions for. For the
+B<aa_query_file_path_len> variant the I<n> parameter specifies the number of
+bytes in the I<path> to use as part of the query.
+
=head1 RETURN VALUE
On success 0 is returned, and the I<allowed> and I<audited> parameters
diff --git a/libraries/libapparmor/include/sys/apparmor.h
b/libraries/libapparmor/include/sys/apparmor.h
index a7f9098..43f9549 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -27,10 +27,31 @@ __BEGIN_DECLS
/*
* Class of public mediation types in the AppArmor policy db
*/
-
+#define AA_CLASS_FILE 2
#define AA_CLASS_DBUS 32
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC (1 << 0)
+#define AA_MAY_WRITE (1 << 1)
+#define AA_MAY_READ (1 << 2)
+#define AA_MAY_APPEND (1 << 3)
+#define AA_MAY_CREATE (1 << 4)
+#define AA_MAY_DELETE (1 << 5)
+#define AA_MAY_OPEN (1 << 6)
+#define AA_MAY_RENAME (1 << 7)
+#define AA_MAY_SETATTR (1 << 8)
+#define AA_MAY_GETATTR (1 << 9)
+#define AA_MAY_SETCRED (1 << 10)
+#define AA_MAY_GETCRED (1 << 11)
+#define AA_MAY_CHMOD (1 << 12)
+#define AA_MAY_CHOWN (1 << 13)
+#define AA_MAY_LOCK 0x8000
+#define AA_EXEC_MMAP 0x10000
+#define AA_MAY_LINK 0x40000
+#define AA_MAY_ONEXEC 0x20000000
+#define AA_MAY_CHANGE_PROFILE 0x40000000
+
/* Permission flags for the AA_CLASS_DBUS mediation class */
#define AA_DBUS_SEND (1 << 1)
#define AA_DBUS_RECEIVE (1 << 2)
@@ -80,6 +101,11 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
+extern int aa_query_file_path_len(uint32_t mask, const char *label,
+ size_t label_len, const char *path,
+ size_t path_len, int *allowed, int *audited);
+extern int aa_query_file_path(uint32_t mask, const char *label,
+ const char *path, int *allowed, int *audited);
#define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
#define __macroarg_count1(Y...) __macroarg_count2 (Y,
16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
diff --git a/libraries/libapparmor/src/kernel.c
b/libraries/libapparmor/src/kernel.c
index 07bc9b4..50bc062 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -32,6 +32,7 @@
#include <pthread.h>
#include <sys/apparmor.h>
+#include "private.h"
/* some non-Linux systems do not define a static value */
#ifndef PATH_MAX
@@ -849,3 +850,58 @@ int query_label(uint32_t mask, char *query, size_t size,
int *allowed,
extern typeof((query_label)) __aa_query_label __attribute__((alias
("query_label")));
symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
+
+
+/**
+ * aa_query_file_path_len - query access permissions for a file @path
+ * @mask: permission bits to query
+ * @label: apparmor label
+ * @label_len: length of @label (does not include any terminating nul byte)
+ * @path: file path to query permissions for
+ * @path_len: length of @path (does not include any terminating nul byte)
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ * if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ * ENOENT, the subject label in the query string is unknown to the
+ * kernel.
+ */
+int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len,
+ const char *path, size_t path_len, int *allowed,
+ int *audited)
+{
+ autofree char *query = NULL;
+
+ /* + 1 for null separator */
+ size_t size = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + path_len;
+ query = malloc(size + 1);
+ if (!query)
+ return -1;
+ memcpy(query + AA_QUERY_CMD_LABEL_SIZE, label, label_len);
+ /* null separator */
+ query[AA_QUERY_CMD_LABEL_SIZE + label_len] = 0;
+ query[AA_QUERY_CMD_LABEL_SIZE + label_len + 1] = AA_CLASS_FILE;
+ memcpy(query + AA_QUERY_CMD_LABEL_SIZE + label_len + 2, path, path_len);
+ return aa_query_label(mask, query, size , allowed, audited);
+}
+
+/**
+ * aa_query_file_path - query access permissions for a file @path
+ * @mask: permission bits to query
+ * @label: apparmor label
+ * @path: file path to query permissions for
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ * if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ * ENOENT, the subject label in the query string is unknown to the
+ * kernel.
+ */
+int aa_query_file_path(uint32_t mask, const char *label, const char *path,
+ int *allowed, int *audited)
+{
+ return aa_query_file_path_len(mask, label, strlen(label), path,
+ strlen(path), allowed, audited);
+}
diff --git a/libraries/libapparmor/src/libapparmor.map
b/libraries/libapparmor/src/libapparmor.map
index 28f245f..8a3c60b 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -54,6 +54,8 @@ APPARMOR_2.9 {
APPARMOR_2.10 {
global:
+ aa_query_file_path;
+ aa_query_file_path_len;
aa_features_new;
aa_features_new_from_string;
aa_features_new_from_kernel;
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i
b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 6bae3f6..c98cca8 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -39,5 +39,10 @@ extern int aa_getpeercon_raw(int fd, char *buf, int *len,
char **mode);
extern int aa_getpeercon(int fd, char **label, char **mode);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
+extern int aa_query_file_path_len(uint32_t mask, const char *label,
+ size_t label_len, const char *path,
+ size_t path_len, int *allowed, int *audited);
+extern int aa_query_file_path(uint32_t mask, const char *label,
+ const char *path, int *allowed, int *audited);
%exception;
--
2.1.4
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
