Re: [apparmor] [PATCH 02/14] add helper fn to query file path permissions

Tyler Hicks Thu, 04 Jun 2015 07:00:44 -0700

On 2015-06-04 03:56:31, John Johansen wrote:
> Signed-off-by: John Johansen <[email protected]>
> ---
>  libraries/libapparmor/doc/aa_query_label.pod  | 16 ++++++++
>  libraries/libapparmor/include/sys/apparmor.h  | 28 +++++++++++++-
>  libraries/libapparmor/src/kernel.c            | 56 
> +++++++++++++++++++++++++++
>  libraries/libapparmor/src/libapparmor.map     |  2 +
>  libraries/libapparmor/swig/SWIG/libapparmor.i |  5 +++
>  5 files changed, 106 insertions(+), 1 deletion(-)
> 
> diff --git a/libraries/libapparmor/doc/aa_query_label.pod 
> b/libraries/libapparmor/doc/aa_query_label.pod
> index 3bba71b..002a106 100644
> --- a/libraries/libapparmor/doc/aa_query_label.pod
> +++ b/libraries/libapparmor/doc/aa_query_label.pod
> @@ -31,6 +31,14 @@ B<#include E<lt>sys/apparmor.hE<gt>>
>  B<int aa_query_label((uint32_t mask, char *query, size_t size,
>               int *allowed, int *audited);>
>  
> +B<int aa_query_file_path((uint32_t mask, const char *label, size_t label_len,
> +             const char *path, int *allowed, int *audited);>
> +
> +B<int aa_query_file_path_len((uint32_t mask, const char *label,
> +             size_t label_len, const char *path, size_t n,


The actual function prototype uses path_len instead of n. I think
path_len is more clear so it is probably what should be used in the man
page, too.

> +             int *allowed, int *audited);>
> +
> +
>  Link with B<-lapparmor> when compiling.
>  
>  =head1 DESCRIPTION
> @@ -52,6 +60,14 @@ of directly using I<aa_query_label>. If directly using the 
> interface the
>  I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
>  that will be used by I<aa_query_label>.
>  
> +The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper
> +function that assemble a properly formatted file path query for the
> +B<aa_query_label> function. The I<label> is a valid apparmor label as
> +returned by I<aa_splitcon> with I<label_len> being the lenght of the 
> I<label>.

Should be "length" above

> +The I<path> is any valid filesystem path to query permissions for. For the
> +B<aa_query_file_path_len> variant the I<n> parameter specifies the number of
> +bytes in the I<path> to use as part of the query.

Change n to path_len in the above paragraph, too.

With those changes,

Acked-by: Tyler Hicks <[email protected]>

Tyler

> +
>  =head1 RETURN VALUE
>  
>  On success 0 is returned, and the I<allowed> and I<audited> parameters
> diff --git a/libraries/libapparmor/include/sys/apparmor.h 
> b/libraries/libapparmor/include/sys/apparmor.h
> index a7f9098..43f9549 100644
> --- a/libraries/libapparmor/include/sys/apparmor.h
> +++ b/libraries/libapparmor/include/sys/apparmor.h
> @@ -27,10 +27,31 @@ __BEGIN_DECLS
>  /*
>   * Class of public mediation types in the AppArmor policy db
>   */
> -
> +#define AA_CLASS_FILE                2
>  #define AA_CLASS_DBUS                32
>  
>  
> +/* Permission flags for the AA_CLASS_FILE mediation class */
> +#define AA_MAY_EXEC                  (1 << 0)
> +#define AA_MAY_WRITE                 (1 << 1)
> +#define AA_MAY_READ                  (1 << 2)
> +#define AA_MAY_APPEND                        (1 << 3)
> +#define AA_MAY_CREATE                        (1 << 4)
> +#define AA_MAY_DELETE                        (1 << 5)
> +#define AA_MAY_OPEN                  (1 << 6)
> +#define AA_MAY_RENAME                        (1 << 7)
> +#define AA_MAY_SETATTR                       (1 << 8)
> +#define AA_MAY_GETATTR                       (1 << 9)
> +#define AA_MAY_SETCRED                       (1 << 10)
> +#define AA_MAY_GETCRED                       (1 << 11)
> +#define AA_MAY_CHMOD                 (1 << 12)
> +#define AA_MAY_CHOWN                 (1 << 13)
> +#define AA_MAY_LOCK                  0x8000
> +#define AA_EXEC_MMAP                 0x10000
> +#define AA_MAY_LINK                  0x40000
> +#define AA_MAY_ONEXEC                        0x20000000
> +#define AA_MAY_CHANGE_PROFILE                0x40000000
> +
>  /* Permission flags for the AA_CLASS_DBUS mediation class */
>  #define AA_DBUS_SEND                 (1 << 1)
>  #define AA_DBUS_RECEIVE                      (1 << 2)
> @@ -80,6 +101,11 @@ extern int aa_getpeercon(int fd, char **label, char 
> **mode);
>  
>  extern int aa_query_label(uint32_t mask, char *query, size_t size, int 
> *allow,
>                         int *audit);
> +extern int aa_query_file_path_len(uint32_t mask, const char *label,
> +                               size_t label_len, const char *path,
> +                               size_t path_len, int *allowed, int *audited);
> +extern int aa_query_file_path(uint32_t mask, const char *label,
> +                           const char *path, int *allowed, int *audited);
>  
>  #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
>  #define __macroarg_count1(Y...) __macroarg_count2 (Y, 
> 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
> diff --git a/libraries/libapparmor/src/kernel.c 
> b/libraries/libapparmor/src/kernel.c
> index 07bc9b4..50bc062 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -32,6 +32,7 @@
>  #include <pthread.h>
>  
>  #include <sys/apparmor.h>
> +#include "private.h"
>  
>  /* some non-Linux systems do not define a static value */
>  #ifndef PATH_MAX
> @@ -849,3 +850,58 @@ int query_label(uint32_t mask, char *query, size_t size, 
> int *allowed,
>  extern typeof((query_label)) __aa_query_label __attribute__((alias 
> ("query_label")));
>  symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
>  default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
> +
> +
> +/**
> + * aa_query_file_path_len - query access permissions for a file @path
> + * @mask: permission bits to query
> + * @label: apparmor label
> + * @label_len: length of @label (does not include any terminating nul byte)
> + * @path: file path to query permissions for
> + * @path_len: length of @path (does not include any terminating nul byte)
> + * @allowed: upon successful return, will be 1 if query is allowed and 0 if 
> not
> + * @audited: upon successful return, will be 1 if query should be audited 
> and 0
> + *           if not
> + *
> + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno 
> is
> + *          ENOENT, the subject label in the query string is unknown to the
> + *          kernel.
> + */
> +int aa_query_file_path_len(uint32_t mask, const char *label, size_t 
> label_len,
> +                        const char *path, size_t path_len, int *allowed,
> +                        int *audited)
> +{
> +     autofree char *query = NULL;
> +
> +     /* + 1 for null separator */
> +     size_t size = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + path_len;
> +     query = malloc(size + 1);
> +     if (!query)
> +             return -1;
> +     memcpy(query + AA_QUERY_CMD_LABEL_SIZE, label, label_len);
> +     /* null separator */
> +     query[AA_QUERY_CMD_LABEL_SIZE + label_len] = 0;
> +     query[AA_QUERY_CMD_LABEL_SIZE + label_len + 1] = AA_CLASS_FILE;
> +     memcpy(query + AA_QUERY_CMD_LABEL_SIZE + label_len + 2, path, path_len);
> +     return aa_query_label(mask, query, size , allowed, audited);
> +}
> +
> +/**
> + * aa_query_file_path - query access permissions for a file @path
> + * @mask: permission bits to query
> + * @label: apparmor label
> + * @path: file path to query permissions for
> + * @allowed: upon successful return, will be 1 if query is allowed and 0 if 
> not
> + * @audited: upon successful return, will be 1 if query should be audited 
> and 0
> + *           if not
> + *
> + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno 
> is
> + *          ENOENT, the subject label in the query string is unknown to the
> + *          kernel.
> + */
> +int aa_query_file_path(uint32_t mask, const char *label, const char *path,
> +                    int *allowed, int *audited)
> +{
> +     return aa_query_file_path_len(mask, label, strlen(label), path,
> +                                   strlen(path), allowed, audited);
> +}
> diff --git a/libraries/libapparmor/src/libapparmor.map 
> b/libraries/libapparmor/src/libapparmor.map
> index 28f245f..8a3c60b 100644
> --- a/libraries/libapparmor/src/libapparmor.map
> +++ b/libraries/libapparmor/src/libapparmor.map
> @@ -54,6 +54,8 @@ APPARMOR_2.9 {
>  
>  APPARMOR_2.10 {
>    global:
> +        aa_query_file_path;
> +        aa_query_file_path_len;
>          aa_features_new;
>          aa_features_new_from_string;
>          aa_features_new_from_kernel;
> diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i 
> b/libraries/libapparmor/swig/SWIG/libapparmor.i
> index 6bae3f6..c98cca8 100644
> --- a/libraries/libapparmor/swig/SWIG/libapparmor.i
> +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
> @@ -39,5 +39,10 @@ extern int aa_getpeercon_raw(int fd, char *buf, int *len, 
> char **mode);
>  extern int aa_getpeercon(int fd, char **label, char **mode);
>  extern int aa_query_label(uint32_t mask, char *query, size_t size, int 
> *allow,
>                         int *audit);
> +extern int aa_query_file_path_len(uint32_t mask, const char *label,
> +                               size_t label_len, const char *path,
> +                               size_t path_len, int *allowed, int *audited);
> +extern int aa_query_file_path(uint32_t mask, const char *label,
> +                           const char *path, int *allowed, int *audited);
>  
>  %exception;
> -- 
> 2.1.4
> 
> 
> -- 
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/apparmor

signature.asc
Description: Digital signature

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [PATCH 02/14] add helper fn to query file path permissions

Reply via email to