On 12/14/2015 02:49 PM, Seth Arnold wrote:
> On Mon, Dec 14, 2015 at 03:44:56PM +0000, Colin Ian King wrote:
>> I'm looking at writing some stress tests for AppArmor, so I'd like to
>> construct some simple rules and insert/remove them. I looked for some
>> API documentation, but all I can find is:
>>
>> http://wiki.apparmor.net/index.php/AppArmorAPIs
>
> Excellent, thanks!
>
>> Are there any API docs, guides or worked examples for libaaparse and
>> libapparmor?
>
> libaaparse doesn't yet exist. There is work underway to make the
> apparmor_parser suitable for use as a library but it is currently only
> usable as an executable.
>
Actually it does, it's pretty rudimentary though, but gen/logprof has
been using it since 2.3. It consists of 2 fns, parse_record and free_record.

> The simplest way to create rules, load, and unload would be something like
> this:
>
> echo "profile profile_name /attachment/specification { /rules/ r, }" | \
>     apparmor_parser --replace
>
> (I always use --replace because it's idempotent. --add is not.)
>
> echo "profile profile_name /attachment/specification { }" | \
>     apparmor_parser --remove
>

sure, this is a parser level view. I think Colin is really looking to
stress the underlying interfaces, which are in desperate need of
documentation

> If this is too onerous for integrating into stress-ng, then the next best
> starting point is probably process_profile() in parser_main.c. That
> orchestrates loading either a binary blob from the cache or the compiled
> profile into the kernel. Since there's extensive use of global variables
> in the parser it probably still makes sense to fork off new processes for
> each use as needed. (Even this seems like it might be a lot of work
> compared to stealing the 'interface' code from parser_interface.c and
> using that on stress-ng-supplied binary blobs.)
>

the parser has decent documentation between
  man apparmor_parser
  man apparmor.d
and
  apparmor_parser -h

but yes the underlying code is a mess, and I don't see much point in
documenting it until we are finished the transition (from C to more C++).

Currently the front and mid are in the parser/ dir, the main work is done in
parser/libapparmor_re/ and with the loading being driven by the front in
parser/ and libapparmor

the bulk of the parser tests are either unit tests that are inlined unit
tests and built by defining some macros.
And tests under the tst/ dir, with the simple_tests/ dir having profile
syntax examples and other tests focused on other parts
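
The parser-level load/unload cycle quoted in the message above, wrapped in a loop, as an added example (not code from the thread or from the AppArmor or stress-ng projects). The names gen_profile, stress_cycle, PARSER and the stress_test_N profiles with their /nonexistent attachment paths are assumptions made for illustration; a real run needs root on a host with AppArmor enabled.

```shell
#!/bin/sh
# Added example: repeated profile load/remove through apparmor_parser.
# PARSER is an assumed override hook so the parser binary can be swapped out.
PARSER="${PARSER:-apparmor_parser}"

# Print a minimal profile: $1 = name, $2 = attachment path, $3 = one rule (may be empty).
gen_profile() {
    printf 'profile %s %s {\n' "$1" "$2"
    if [ -n "$3" ]; then
        printf '  %s\n' "$3"
    fi
    printf '}\n'
}

# Load and remove $1 throwaway profiles; prints the number of failed parser calls.
stress_cycle() {
    count=$1
    failures=0
    i=0
    while [ "$i" -lt "$count" ]; do
        name="stress_test_$i"                 # constructed profile name
        attach="/nonexistent/stress_test_$i"  # constructed path, matches no real binary
        # --replace is idempotent, so a second load of the same profile must also succeed.
        gen_profile "$name" "$attach" "/rules/ r," | $PARSER --replace >/dev/null \
            || failures=$((failures + 1))
        gen_profile "$name" "$attach" "/rules/ r," | $PARSER --replace >/dev/null \
            || failures=$((failures + 1))
        # Removal only needs the profile name, so an empty body is enough.
        gen_profile "$name" "$attach" "" | $PARSER --remove >/dev/null \
            || failures=$((failures + 1))
        i=$((i + 1))
    done
    echo "$failures"
}

# Only touch the kernel when explicitly asked: sh script.sh run [count]
if [ "${1:-}" = "run" ]; then
    stress_cycle "${2:-10}"
fi
```

Each parser call forks a new process, which matches the advice in the quoted text about the parser's global variables.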