On Fri, Feb 10, 2017 at 12:46:07PM -0800, John Johansen wrote: > Split the basic transaction file query out of aa_query_label so that > it can be reused by other query types. > > Signed-off-by: John Johansen <[email protected]>
Acked-by: Seth Arnold <[email protected]> Thanks > --- > libraries/libapparmor/doc/aa_query_label.pod | 16 ++++- > libraries/libapparmor/include/sys/apparmor.h | 2 + > libraries/libapparmor/src/kernel.c | 93 > +++++++++++++++++++++------ > libraries/libapparmor/src/libapparmor.map | 7 ++ > libraries/libapparmor/swig/SWIG/libapparmor.i | 2 + > 5 files changed, 96 insertions(+), 24 deletions(-) > > diff --git a/libraries/libapparmor/doc/aa_query_label.pod > b/libraries/libapparmor/doc/aa_query_label.pod > index 06129b6..73f430b 100644 > --- a/libraries/libapparmor/doc/aa_query_label.pod > +++ b/libraries/libapparmor/doc/aa_query_label.pod > @@ -32,11 +32,18 @@ aa_query_link_path, aa_query_link_path_len - query access > permissions of a link > > B<#include E<lt>sys/apparmor.hE<gt>> > > -B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, > int *audited);> > +B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, > + size_t size, char *buffer, size_t bsize);> > > -B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, > const char *path, int *allowed, int *audited);> > +B<int aa_query_label(uint32_t mask, char *query, size_t size, > + int *allowed, int *audited);> > > -B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t > label_len, const char *path, size_t path_len, int *allowed, int *audited);> > +B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, > + const char *path, int *allowed, int *audited);> > + > +B<int aa_query_file_path_len(uint32_t mask, const char *label, > + size_t label_len, const char *path, size_t path_len, > + int *allowed, int *audited);> > > B<int aa_query_link_path(const char *label, const char *target, const char > *link, int *allowed, int *audited);> 
> > @@ -47,6 +54,9 @@ Link with B<-lapparmor> when compiling. > > =head1 DESCRIPTION > > +The B<aa_query_cmd> function sets up and does a raw query of the kernel. It > is > +the basis of the other query functions. > + > The B<aa_query_label> function fetches the current permissions granted by the > specified I<label> in the I<query> string. > > diff --git a/libraries/libapparmor/include/sys/apparmor.h > b/libraries/libapparmor/include/sys/apparmor.h > index 752a5bd..5e43ba2 100644 > --- a/libraries/libapparmor/include/sys/apparmor.h > +++ b/libraries/libapparmor/include/sys/apparmor.h > @@ -101,6 +101,8 @@ extern int aa_getpeercon(int fd, char **label, char > **mode); > #define AA_QUERY_CMD_LABEL "label" > #define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL) > > +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, > + size_t size, char *buffer, size_t bsize); > extern int aa_query_label(uint32_t mask, char *query, size_t size, int > *allow, > int *audit); > extern int aa_query_file_path_len(uint32_t mask, const char *label, > diff --git a/libraries/libapparmor/src/kernel.c > b/libraries/libapparmor/src/kernel.c > index 49c74e1..1fe1b61 100644 > --- a/libraries/libapparmor/src/kernel.c > +++ b/libraries/libapparmor/src/kernel.c 
> @@ -802,30 +802,22 @@ static void aafs_access_init_once(void) > free(aafs); > } > > -/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" > */ > -#define QUERY_LABEL_REPLY_LEN 67 > - > /** > - * aa_query_label - query the access(es) of a label > - * @mask: permission bits to query > - * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE > - * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE > - * @allowed: upon successful return, will be 1 if query is allowed and 0 if > not > - * @audited: upon successful return, will be 1 if query should be audited > and 0 > - * if not > + * aa_query_cmd_open - begin a query for labels @cmd info > + * @cmd: query cmd to use > + * @cmd_size: size of the cmd being used > + * @query: binary query string, must be offset by @cmd_size > + * @size: size of the query string must include @cmd_size > * > - * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno > is > - * ENOENT, the subject label in the query string is unknown to the > - * kernel. > + * Returns: fd with the query issued and results waiting to be read else -1 > and sets errno. > + * If -1 is returned and errno is ENOENT, the subject label in > + * the query string is unknown to the kernel. > */ > -int query_label(uint32_t mask, char *query, size_t size, int *allowed, > - int *audited) > +static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, > size_t size) > { > - char buf[QUERY_LABEL_REPLY_LEN]; > - uint32_t allow, deny, audit, quiet; > - int fd, ret, saved; > + int fd, ret; > > - if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) { > + if (size <= cmd_size) { > errno = EINVAL; > return -1; > } > @@ -846,7 +838,7 @@ int query_label(uint32_t mask, char *query, size_t size, > int *allowed, > return -1; > } > > - memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE); > + memcpy(query, cmd, cmd_size); > errno = 0; > ret = write(fd, query, size); > if (ret != size) { 
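Review bot: The kernel-doc for aa_query_cmd_open says @query "must be offset by @cmd_size" but not that the function overwrites those leading bytes, which matters now that the same contract is exposed through the exported aa_query_cmd: whatever a caller left in the first cmd_size bytes of query is silently replaced by the `memcpy(query, cmd, cmd_size)` in the following hunk. Suggest ` * @query: binary query string; its first @cmd_size bytes are overwritten with @cmd` and ` * @size: size of the query string, must be greater than @cmd_size`, the latter matching the `size <= cmd_size` check rather than the looser "must include" wording. The `aa_` prefix on a `static` helper reads like an exported symbol; a plain `query_cmd_open` would mark it as file-local, and "begin a query for labels @cmd info" would read better as "open the query file and issue @cmd". The body of aa_query_cmd_open (the open and write path) continues past this hunk.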
> @@ -860,10 +852,69 @@ int query_label(uint32_t mask, char *query, size_t > size, int *allowed, > return -1; > } > > - ret = read(fd, buf, QUERY_LABEL_REPLY_LEN); > + return fd; > +} > + > +/** > + * aa_query_cmd - make a query for labels @cmd info > + * @cmd: query cmd to use > + * @cmd_size: size of the cmd being used > + * @query: binary query string, must be offset by @cmd_size > + * @size: size of the query string must include @cmd_size > + * @buffer: buffer to return query data in > + * @bsize: size of @buffer > + * > + * Returns: size of data read on success else -1 and sets errno. > + * If -1 is returned and errno is ENOENT, the subject label in > + * the query string is unknown to the kernel. > + */ > +int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size, > + char *buffer, size_t bsize) > +{ > + int fd, ret, saved; > + > + fd = aa_query_cmd_open(cmd, cmd_size, query, size); > + if (fd == -1) > + return -1; > + > + ret = read(fd, buffer, bsize); > saved = errno; > (void)close(fd); > errno = saved; > + > + return ret; > +} > + > +/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" > */ > +#define QUERY_LABEL_REPLY_LEN 67 > + > +/** > + * aa_query_label - query the access(es) of a label > + * @mask: permission bits to query > + * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE > + * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE > + * @allowed: upon successful return, will be 1 if query is allowed and 0 if > not > + * @audited: upon successful return, will be 1 if query should be audited > and 0 > + * if not > + * > + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno > is > + * ENOENT, the subject label in the query string is unknown to the > + * kernel. 
> + */ > +int query_label(uint32_t mask, char *query, size_t size, int *allowed, > + int *audited) > +{ > + char buf[QUERY_LABEL_REPLY_LEN]; > + uint32_t allow, deny, audit, quiet; > + int ret; > + > + if (!mask) { > + errno = EINVAL; > + return -1; > + } > + > + ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query, > + size, buf, QUERY_LABEL_REPLY_LEN); > if (ret != QUERY_LABEL_REPLY_LEN) { > errno = EPROTO; > return -1; > diff --git a/libraries/libapparmor/src/libapparmor.map > b/libraries/libapparmor/src/libapparmor.map > index 5cbd4e8..69207d3 100644 > --- a/libraries/libapparmor/src/libapparmor.map > +++ b/libraries/libapparmor/src/libapparmor.map > @@ -95,6 +95,13 @@ APPARMOR_2.11 { > *; > } APPARMOR_2.10; > > +APPARMOR_2.12 { > + global: > + aa_query_cmd; > + local: > + *; > +} APPARMOR_2.11; > + > PRIVATE { > global: > _aa_is_blacklisted; > diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i > b/libraries/libapparmor/swig/SWIG/libapparmor.i > index 005dd7f..9165882 100644 > --- a/libraries/libapparmor/swig/SWIG/libapparmor.i > +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i > @@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char > **mode); > extern int aa_getcon(char **label, char **mode); > extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode); > extern int aa_getpeercon(int fd, char **label, char **mode); > +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, > + size_t size, char *buffer, size_t bsize); > extern int aa_query_label(uint32_t mask, char *query, size_t size, int > *allow, > int *audit); > extern int aa_query_file_path_len(uint32_t mask, const char *label, > --
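Review bot: aa_query_cmd stores the `ssize_t` from `read(fd, buffer, bsize)` in an `int` and returns it as `int` while `bsize` is a caller-chosen `size_t`, so once this is exported a reply larger than INT_MAX would be reported with a truncated, possibly negative, count; bounding the request keeps the return value honest, e.g. `ret = read(fd, buffer, bsize > INT_MAX ? INT_MAX : bsize);` (INT_MAX from <limits.h>). The kernel-doc should also say that @buffer receives the raw reply and is not NUL-terminated, so callers must rely on the returned length, e.g. ` * @buffer: buffer to return query data in (raw bytes, not NUL-terminated)`. query_label's `ret != QUERY_LABEL_REPLY_LEN` check still rejects short or failed reads with EPROTO, so the split preserves the old behaviour for the label query; the rest of query_label's body (the reply parsing) lies outside the hunk.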
