On 12/14/2015 02:49 PM, Seth Arnold wrote:
> On Mon, Dec 14, 2015 at 03:44:56PM +0000, Colin Ian King wrote:
>> I'm looking at writing some stress tests for AppArmor, so I'd like to
>> construct some simple rules and insert/remove them.  I looked for some
>> API documentation, but all I can find is:
>>
>> http://wiki.apparmor.net/index.php/AppArmorAPIs
> 
> Excellent, thanks!
> 
>> Are there any API docs, guides or worked examples for libaaparse and
>> libapparmor?
> 
> libaaparse doesn't yet exist. There is work underway to make the
> apparmor_parser suitable for use as a library but it is currently only
> usable as an executable.
>

Actually it does. It's pretty rudimentary though, but gen/logprof has been
using it since 2.3. It consists of 2 fns:
  parse_record and free_record

> The simplest way to create rules, load, and unload would be something like
> this:
> 
> echo "profile profile_name /attachment/specification { /rules/ r, }" | \
> apparmor_parser --replace
> 
> (I always use --replace because it's idempotent. --add is not.)
> 
> echo "profile profile_name /attachment/specification { }" | \
> apparmor_parser --remove
> 
Sure, this is a parser-level view. I think Colin is really looking to
stress the underlying interfaces, which are in desperate need of documentation.


> If this is too onerous for integrating into stress-ng, then the next best
> starting point is probably process_profile() in parser_main.c. That
> orchestrates loading either a binary blob from the cache or the compiled
> profile into the kernel. Since there's extensive use of global variables
> in the parser it probably still makes sense to fork off new processes for
> each use as needed. (Even this seems like it might be a lot of work
> compared to stealing the 'interface' code from parser_interface.c and
> using that on stress-ng-supplied binary blobs.)
> 
The parser has decent documentation between
man apparmor_parser
man apparmor.d
and apparmor_parser -h

But yes, the underlying code is a mess, and I don't see much point in
documenting it until we have finished the transition (from C to more C++).
Currently the front and mid are in the parser/ dir, the main work is done in
parser/libapparmor_re/, with the loading being driven by the front in
parser/ and libapparmor.

The bulk of the parser tests are either inlined unit tests, built by
defining some macros, or tests under the tst/ dir, with the simple_tests/
dir having profile syntax examples and other tests focused on other parts.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
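
The parser-level load/unload cycle quoted in the thread, wrapped in a repeatable loop that counts failed cycles. This is an added example, not part of the original message or of the AppArmor or stress-ng code. The `aa_stress_` profile names, the `/nonexistent/` attachment path, and the `PARSER` and `AA_STRESS_COUNT` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: churn profile load/unload through apparmor_parser.
# Assumed names (not from the thread): aa_stress_ prefix, /nonexistent/
# attachment path, PARSER and AA_STRESS_COUNT variables.
PARSER="${PARSER:-apparmor_parser}"

# Emit a minimal profile; the number of rules (1 to 4) varies with the
# iteration index so successive loads are not byte-identical.
make_profile() {
    p_name="$1"; p_idx="$2"; p_n=0
    printf 'profile %s /nonexistent/%s {\n' "$p_name" "$p_name"
    while [ "$p_n" -le $((p_idx % 4)) ]; do
        printf '  /tmp/aa_stress_%d/** r,\n' "$p_n"
        p_n=$((p_n + 1))
    done
    printf '}\n'
}

# Load (idempotent --replace), then unload, one profile.
# Returns 1 if the load failed, 2 if the unload failed.
cycle_profile() {
    make_profile "$1" "$2" | "$PARSER" --replace || return 1
    make_profile "$1" "$2" | "$PARSER" --remove  || return 2
}

# Run COUNT load/unload cycles and print how many of them failed.
stress_cycles() {
    s_count="$1"; s_failed=0; s_i=0
    while [ "$s_i" -lt "$s_count" ]; do
        cycle_profile "aa_stress_$s_i" "$s_i" >/dev/null 2>&1 ||
            s_failed=$((s_failed + 1))
        s_i=$((s_i + 1))
    done
    echo "$s_failed"
}

# Runs only when a count is supplied, e.g. as root:
#   AA_STRESS_COUNT=1000 sh aa_stress.sh
if [ -n "${AA_STRESS_COUNT:-}" ]; then
    echo "failed cycles: $(stress_cycles "$AA_STRESS_COUNT")"
fi
```

Each cycle forks the parser, so the loop stresses parsing and compilation as well as the kernel load path.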