[apparmor] [PATCH 0/12] Move aa_{match, features, kernel_interface, policy_cache} APIs
Tyler Hicks
tyhicks at canonical.com
Wed Dec 10 22:12:21 UTC 2014
This set of patches moves the previously proposed[1] APIs to
libapparmor. It feels a little like jumping the gun since the proposed
APIs haven't been approved yet but I think this set of patches
complement the APIs and may help reviewers see the bigger picture.
With this patch set, libapparmor contains sufficient features to allow
the parser to operate as it previously did. Additionally, libapparmor
provides an extremely simple API to reload all AppArmor policies in a
policy cache. This may be useful, for example, in the case of an init
daemon wanting to do an early-in-the-boot-cycle policy cache load that
doesn't need to compile profiles or compare timestamps between profiles
and cache files. Here's some example code that performs a "blind load"
of all cache policies:
===
#include <stdbool.h>
#include <stdio.h>
#include <sys/apparmor.h>

int main(void)
{
	aa_features *features = NULL;
	aa_policy_cache *policy_cache = NULL;
	int retval = 1;

	/* Query the running kernel for the AppArmor features it supports */
	if (aa_features_new_from_kernel(&features) == -1) {
		perror("Failed to detect AppArmor kernel features");
		goto out;
	}

	/* Open the existing cache directory; false means do not create it */
	if (aa_policy_cache_new(&policy_cache, features,
				"/etc/apparmor.d/cache", false) == -1) {
		perror("Failed to find a valid AppArmor policy cache");
		goto out;
	}

	/* Load every cached policy into the kernel (NULL: default interface) */
	if (aa_policy_cache_replace_all(policy_cache, NULL) == -1) {
		perror("Failed to reload cached AppArmor policies");
		goto out;
	}

	retval = 0;
out:
	/* Both unref calls accept NULL, so this is safe on every error path */
	aa_policy_cache_unref(policy_cache);
	aa_features_unref(features);
	return retval;
}
===
Tyler
[1] https://lists.ubuntu.com/archives/apparmor/2014-December/006929.html