Re: [apparmor] AppArmor APIs

2015-12-15 Thread Colin Ian King
Thanks John, So far I've been successful from the info you have provided. I've compiled a policy into a binary blob and got it loaded into a buffer and successfully loaded this into the kernel. Colin On 15/12/15 00:32, John Johansen wrote: > On 12/14/2015 07:44 AM, Colin Ian King wrote: >> Hi

Re: [apparmor] AppArmor APIs

2015-12-15 Thread Colin Ian King
On 15/12/15 18:45, Steve Beattie wrote: > Hey Colin, > > On Tue, Dec 15, 2015 at 05:29:43PM +, Colin Ian King wrote: >> So far I've been successful from the info you have provided. I've >> compiled a policy into a binary blob and got it loaded

Re: [apparmor] AppArmor APIs

2015-12-15 Thread Steve Beattie
Hey Colin, On Tue, Dec 15, 2015 at 05:29:43PM +, Colin Ian King wrote: > So far I've been successful from the info you have provided. I've > compiled a policy into a binary blob and got it loaded into a buffer and > successfully loaded this into the kernel. That's great! I'm curious which

[apparmor] [PATCH 2/6] utils: Initial implementation of aa-exec in C

2015-12-15 Thread Tyler Hicks
Create a simple aa-exec implementation, written in C, matching the --help, --debug, --verbose, and --profile options present in the current Perl implementation. The build system is updated to honor the USE_SYSTEM make variable which allows aa-exec to be linked against the system libapparmor

[apparmor] [PATCH 0/6] Rewrite aa-exec in C

2015-12-15 Thread Tyler Hicks
This patch set creates regression tests for aa-exec and rewrites aa-exec in C rather than Perl. The main reason behind the rewrite is that aa-exec is becoming a widely used utility that has its place on even the most minimal of Linux images and Perl is falling out of favor in some of those

[apparmor] [PATCH 1/6] tests: Add regression tests for aa-exec

2015-12-15 Thread Tyler Hicks
Add regression tests for the --profile, --namespace, and --immediate options of aa-exec. A new variable is added to uservars.inc to point to the in-tree or system aa-exec depending on the presence of the USE_SYSTEM=1 make variable at build time. Signed-off-by: Tyler Hicks

[apparmor] [PATCH 6/6] utils: Remove --file option from aa-exec(8) man page

2015-12-15 Thread Tyler Hicks
The new C based aa-exec does not implement the --file option. Signed-off-by: Tyler Hicks --- utils/aa-exec.pod | 4 1 file changed, 4 deletions(-) diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod index 58dedb2..14f0429 100644 --- a/utils/aa-exec.pod +++

[apparmor] [PATCH 3/6] utils: Add --immediate option to C based aa-exec

2015-12-15 Thread Tyler Hicks
Call aa_change_profile(), instead of aa_change_onexec(), when --immediate is passed in. Signed-off-by: Tyler Hicks --- utils/aa_exec.c | 18 -- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/utils/aa_exec.c b/utils/aa_exec.c index

[apparmor] [PATCH 5/6] utils: Replace Perl aa-exec with C aa-exec

2015-12-15 Thread Tyler Hicks
Remove the Perl aa-exec implementation and build aa_exec.c as aa-exec. Note that the new C aa-exec does not implement the --file option which was present in the Perl aa-exec. It encouraged running programs as root, since root privileges were required to load the specified profile. All other

Re: [apparmor] [PATCH 0/6] Rewrite aa-exec in C

2015-12-15 Thread John Johansen
On 12/15/2015 12:55 PM, Tyler Hicks wrote: > This patch set creates regression tests for aa-exec and rewrites aa-exec in C > rather than Perl. The main reason behind the rewrite is that aa-exec is > becoming a widely used utility that has its place on even the most minimal of > Linux images and

Re: [apparmor] [PATCH] utils: Print aa-easyprof error to stderr upon manifest parsing error

2015-12-15 Thread Tyler Hicks
On 2015-12-15 17:37:35, Tyler Hicks wrote: > On 2015-12-02 22:00:32, Christian Boltz wrote: > > Hello, > > > > On Tuesday, 1 December 2015, Christian Boltz wrote: > > > On Monday, 30 November 2015, Tyler Hicks wrote: > > > > A common usage of aa-easyprof is to pipe its stdout to a file > > >

Re: [apparmor] aa-enabled

2015-12-15 Thread Seth Arnold
On Tue, Dec 15, 2015 at 06:41:48PM -0600, Tyler Hicks wrote: > > + if (!quiet) { > > + switch(err) { > > + case ENOSYS: > > + printf(_("No - not available on this system.\n")); > > + break; > > + case ECANCELED: > > +

Re: [apparmor] [PATCH 5/6] utils: Replace Perl aa-exec with C aa-exec

2015-12-15 Thread John Johansen
On 12/15/2015 12:56 PM, Tyler Hicks wrote: > Remove the Perl aa-exec implementation and build aa_exec.c as aa-exec. > > Note that the new C aa-exec does not implement the --file option which > was present in the Perl aa-exec. It encouraged running programs as root, > since root privileges were

Re: [apparmor] [PATCH 6/6] utils: Remove --file option from aa-exec(8) man page

2015-12-15 Thread John Johansen
On 12/15/2015 12:56 PM, Tyler Hicks wrote: > The new C based aa-exec does not implement the --file option. > > Signed-off-by: Tyler Hicks Acked-by: John Johansen > --- > utils/aa-exec.pod | 4 > 1 file changed, 4 deletions(-) > > diff

[apparmor] [PATCH] utils: Use apparmor.fail for AppArmorException handling in aa-easyprof

2015-12-15 Thread Tyler Hicks
Don't catch AppArmorExceptions in aa-easyprof any longer and rely on apparmor.fail to print the exception to stderr. Signed-off-by: Tyler Hicks --- utils/aa-easyprof | 12 ++-- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/utils/aa-easyprof

Re: [apparmor] aa-enabled

2015-12-15 Thread Tyler Hicks
John asked that I take a look at this patch in order to see if my proposed aa-exec rewrite in C should use the binutils/ dir proposed by this patch. On 2015-11-28 10:38:34, John Johansen wrote: > v3 > > change conflicting/unknown option warning message slightly > output error string on failure >