[apparmor] [PATCH 1/3] Add the aa-exec command line utility

Steve Beattie steve at nxnw.org
Thu Jan 12 10:36:09 UTC 2012


On Thu, Jan 12, 2012 at 11:20:34AM +0100, Steve Beattie wrote:
> On Fri, Jan 06, 2012 at 09:53:16AM -0800, John Johansen wrote:
> > The aa-exec command can be used to launch an application under a specified
> > confinement, which may be different from what regular profile attachment
> > would apply.

Another question: if you specify a profile to add with -f, should it get
removed after the command you exec completes?

> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > ---
> >  utils/Makefile    |    2 +-
> >  utils/aa-exec     |  124 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  utils/aa-exec.pod |   83 +++++++++++++++++++++++++++++++++++
> >  3 files changed, 208 insertions(+), 1 deletions(-)
> >  create mode 100755 utils/aa-exec
> >  create mode 100644 utils/aa-exec.pod
> > 
> > diff --git a/utils/Makefile b/utils/Makefile
> > index f733828..f4f8707 100644
> > --- a/utils/Makefile
> > +++ b/utils/Makefile
> > @@ -28,7 +28,7 @@ endif
> >  
> >  MODDIR = Immunix
> >  PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
> > -	aa-unconfined aa-notify aa-disable
> > +	aa-unconfined aa-notify aa-disable aa-exec
> >  TOOLS = ${PERLTOOLS} aa-decode aa-status
> >  MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
> >  	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
> > diff --git a/utils/aa-exec b/utils/aa-exec
> > new file mode 100755
> > index 0000000..805da9e
> > --- /dev/null
> > +++ b/utils/aa-exec
> > @@ -0,0 +1,124 @@
> > +#!/usr/bin/perl
> > +# ------------------------------------------------------------------
> > +#
> > +#    Copyright (C) 2011 Canonical Ltd.
> > +#
> > +#    This program is free software; you can redistribute it and/or
> > +#    modify it under the terms of version 2 of the GNU General Public
> > +#    License published by the Free Software Foundation.
> > +#
> > +# ------------------------------------------------------------------
> > +
> > +use strict;
> > +use warnings;
> > +use Errno;
> > +
> > +require LibAppArmor;
> > +require POSIX;
> > +require Time::Local;
> > +require File::Basename;
> > +
> > +my $opt_d = '';
> > +my $opt_h = '';
> > +my $opt_p = '';
> > +my $opt_n = '';
> > +my $opt_i = '';
> > +my $opt_v = '';
> > +my $opt_f = '';
> > +
> > +sub _warn {
> > +    my $msg = $_[0];
> > +    print STDERR "aa-exec: WARN: $msg\n";
> > +}
> > +sub _error {
> > +    my $msg = $_[0];
> > +    print STDERR "aa-exec: ERROR: $msg\n";
> > +    exit 1
> > +}
> > +
> > +sub _debug {
> > +    $opt_d or return;
> > +    my $msg = $_[0];
> > +    print STDERR "aa-exec: DEBUG: $msg\n";
> > +}
> > +
> > +sub _verbose {
> > +    $opt_v or return;
> > +    my $msg = $_[0];
> > +    print STDERR "$msg\n";
> > +}
> > +
> > +sub usage() {
> > +    my $s = <<'EOF';
> > +USAGE: aa-exec [OPTIONS] <prog> <args>
> > +
> > +Confine <prog> with the specified PROFILE.
> > +
> > +OPTIONS:
> > +  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
> > +  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
> > +  -f FILE, --file FILE		profile file to load
> > +  -i, --immediate		change profile immediately instead of at exec
> > +  -v, --verbose			show messages with stats
> > +  -h, --help			display this help
> > +
> > +EOF
> > +    print $s;
> > +}
> > +
> > +use Getopt::Long;
> > +
> > +GetOptions(
> > +    'debug|d'        => \$opt_d,
> > +    'help|h'         => \$opt_h,
> > +    'profile|p=s'    => \$opt_p,
> > +    'namespace|n=s'  => \$opt_n,
> > +    'file|f=s'       => \$opt_f,
> > +    'immediate|i'    => \$opt_i,
> > +    'verbose|v'      => \$opt_v,
> > +);
> > +
> > +if ($opt_h) {
> > +    usage();
> > +    exit(0);
> > +}
> > +
> > +if ($opt_n || $opt_p) {
> > +   my $test;
> > +   my $prof;
> > +
> > +   if ($opt_n) {
> > +      $prof = ":$opt_n:";
> > +   }
> > +
> > +   $prof .= $opt_p;
> > +
> > +   if ($opt_f) {
> > +       system("apparmor_parser -r $opt_f") == 0
> 
> Please convert this to a list, e.g.:
> 
>           system("apparmor_parser", "-r", "$opt_f") == 0
> 
> because otherwise if there are any shell metacharacters in $opt_f, perl
> will hand off the entire string to '/bin/sh -c' to run and the shell
> metacharacters will get evaluated, leading to perhaps unexpected
> results.
> 
> > +	   or _error("\'aborting could not load $opt_f\'");
> > +   }
> > +
> > +   if ($opt_i) {
> > +       _verbose("aa_change_profile(\"$prof\")");
> > +       $test = LibAppArmor::aa_change_profile($prof);
> > +       _debug("$test = aa_change_profile(\"$prof\"); $!");
> > +   } else {
> > +       _verbose("aa_change_onexec(\"$prof\")");
> > +       $test = LibAppArmor::aa_change_onexec($prof);
> > +       _debug("$test = aa_change_onexec(\"$prof\"); $!");
> > +   }
> > +
> > +   if ($test != 0) {
> > +       if ($!{ENOENT} || $!{EACCESS}) {
> > +	   my $pre = ($opt_p) ? "profile" : "namespace";
> > +	   _error("$pre \'$prof\' does not exist\n");
> > +       } elsif ($!{EINVAL}) {
> > +	   _error("AppArmor interface not available\n");
> > +       } else {
> > +	   _error("$!\n");
> > +       }
> > +   }
> > +}
> > +
> > +_verbose("exec @ARGV");
> > +exec @ARGV;
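
Review bot: In the error check after aa_change_profile/aa_change_onexec, `$!{EACCESS}` is misspelled. The Errno name is EACCES, and an unknown key in %! just evaluates false, so a permission failure always falls through to the generic `_error("$!\n")` branch. Separately, the final `exec @ARGV` has no failure path: if the exec fails the script falls off the end and exits 0, so follow it with an `_error(...)` that reports `$!`. Note also that the -f load sits inside `if ($opt_n || $opt_p)`, so -f given on its own is silently ignored.
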
> > diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod
> > new file mode 100644
> > index 0000000..a973193
> > --- /dev/null
> > +++ b/utils/aa-exec.pod
> > @@ -0,0 +1,83 @@
> > +# This publication is intellectual property of Canonical Ltd. Its contents
> > +# can be duplicated, either in part or in whole, provided that a copyright
> > +# label is visibly located on each copy.
> > +#
> > +# All information found in this book has been compiled with utmost
> > +# attention to detail. However, this does not guarantee complete accuracy.
> > +# Neither Canonical Ltd, the authors, nor the translators shall be held
> > +# liable for possible errors or the consequences thereof.
> > +#
> > +# Many of the software and hardware descriptions cited in this book
> > +# are registered trademarks. All trade names are subject to copyright
> > +# restrictions and may be registered trade marks. Canonical Ltd
> > +# essentially adheres to the manufacturer's spelling.
> > +#
> > +# Names of products and trademarks appearing in this book (with or without
> > +# specific notation) are likewise subject to trademark and trade protection
> > +# laws and may thus fall under copyright restrictions.
> > +#
> > +
> > +
> > +=pod
> > +
> > +=head1 NAME
> > +
> > +aa-exec - confine a program with the specified AppArmor profile
> > +
> > +=head1 SYNOPSIS
> > +
> > +B<aa-exec> [options] [I<E<lt>executableE<gt>> ...]
> > +
> > +=head1 DESCRIPTION
> > +
> > +B<aa-exec> is used to launch a program confined by the specified profile
> > +and or namespace.  If both a profile and namespace are specified executable
> > +will be confined by profile in the new policy namespace.  If only a namespace
> > +is specified, the profile name of the current confinement will be used.  If
> > +neither a profile or namespace is specified executable will be run using
> > +standard profile attachment (ie. as if run without the aa-exec command).
> 
> With using Getopt::Long to parse options to aa-exec, we should probably
> mention here that you should use -- to pass command-line arguments (e.g.
> '-a') on to the command you wish to exec().
> 
> > +=head1 OPTIONS
> > +B<aa-exec> accepts the following arguments:
> > +
> > +=over 4
> > +
> > +=item -p PROFILE, --profile=PROFILE
> > +
> > +confine I<E<lt>executableE<gt>> with PROFILE. If the PROFILE is not specified
> > +use the current profile name (likely unconfined).
> > +
> > +=item -n NAMESPACE, --namespace=NAMESPACE
> > +
> > +use profiles in NAMESPACE.  This will result in confinement transitioning
> > +to using the new profile namespace.
> > +
> > +=item -f FILE, --file=FILE
> > +
> > +a file or directory containing profiles to load before confining the program.
> > +
> > +=item -i, --immediate
> > +
> > +transition to PROFILE before doing executing I<E<lt>executableE<gt>>.  This
> > +subjects the running of I<E<lt>executableE<gt>> to the exec transition rules
> > +of the current profile.
> > +
> > +=item -v, --verbose
> > +
> > +show commands being performed
> > +
> > +=item -d, --debug
> > +
> > +show commands and error codes
> > +
> > +=head1 BUGS
> > +
> > +If you find any bugs, please report them at
> > +L<http://https://bugs.launchpad.net/apparmor/+filebug>.
> > +
> > +=head1 SEE ALSO
> > +
> > +aa-statck(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
> 
> aa-statck?
> 
> > +aa_change_onexec(3) and L<http://wiki.apparmor.net>.
> > +
> > +=cut
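
Review bot: The `=over 4` under OPTIONS is never closed; add `=back` after the `-d, --debug` item, before `=head1 BUGS`. `=head1 OPTIONS` also needs a blank line after it, otherwise the "B<aa-exec> accepts the following arguments:" line is parsed as part of the heading. The BUGS link has a doubled scheme (`http://https://`), and the option lists disagree: -h/--help appears in usage() but not here, while -d/--debug is documented here but missing from usage().
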
> 
> Otherwise I think this looks good.
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/





-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
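
The difference between the single-string and list forms of system() raised in the review comment above, as an added example that is not part of the original thread or of the AppArmor code. It assumes /bin/echo as a stand-in for apparmor_parser so it runs without AppArmor installed, and the -f value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/marker";

# Constructed -f value: a "file name" carrying a shell metacharacter and a
# harmless second command that only creates a marker file in a temp dir.
my $opt_f = "profile.txt; touch $marker";

# Assumption: /bin/echo stands in for apparmor_parser (prints its arguments,
# exits 0), so the only variable is how perl hands the command to the OS.
my $parser = '/bin/echo';

# Report whether the marker file appeared, then reset for the next run.
sub marker_created {
    my $seen = -e $marker ? 1 : 0;
    unlink $marker if $seen;
    return $seen;
}

# String form, as in the patch: the ';' makes perl run '/bin/sh -c "<string>"',
# so the shell splits the string and runs the second command too.
system("$parser -r $opt_f") == 0 or die "string form failed: $?";
my $string_form = marker_created();

# List form, as requested in the review: perl execs the program directly and
# $opt_f arrives as a single argv element; no shell ever parses it.
system($parser, '-r', $opt_f) == 0 or die "list form failed: $?";
my $list_form = marker_created();

print "string form ran the extra command: ", ($string_form ? "yes" : "no"), "\n";
print "list form ran the extra command:   ", ($list_form   ? "yes" : "no"), "\n";
```

In the list-form run, echo prints the whole constructed value back as one argument, which is what apparmor_parser would receive as its file name.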