[apparmor] [PATCH 5/6] libapparmor: Add aa_splitcon() public function

Tyler Hicks tyhicks at canonical.com
Mon Apr 13 21:56:31 UTC 2015


Create a new libapparmor public function that allows external code to
split an AppArmor confinement context.

This is immediately useful for code that retrieves a D-Bus peer's
AppArmor confinement context using the
org.freedesktop.DBus.GetConnectionCredentials bus method.

https://launchpad.net/bugs/1430532

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 libraries/libapparmor/doc/Makefile.am        |  2 +-
 libraries/libapparmor/doc/aa_getcon.pod      |  4 +-
 libraries/libapparmor/doc/aa_splitcon.pod    | 65 ++++++++++++++++++++++++++++
 libraries/libapparmor/include/sys/apparmor.h |  1 +
 libraries/libapparmor/src/kernel.c           | 17 ++++++++
 libraries/libapparmor/src/libapparmor.map    |  1 +
 6 files changed, 87 insertions(+), 3 deletions(-)
 create mode 100644 libraries/libapparmor/doc/aa_splitcon.pod

diff --git a/libraries/libapparmor/doc/Makefile.am b/libraries/libapparmor/doc/Makefile.am
index 67de347..73dc1d5 100644
--- a/libraries/libapparmor/doc/Makefile.am
+++ b/libraries/libapparmor/doc/Makefile.am
@@ -5,7 +5,7 @@ PODCHECKER = podchecker
 
 if ENABLE_MAN_PAGES
 
-man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2 aa_features.3 aa_kernel_interface.3 aa_policy_cache.3
+man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2 aa_features.3 aa_kernel_interface.3 aa_policy_cache.3 aa_splitcon.3
 
 PODS = $(subst .2,.pod,$(man_MANS)) $(subst .3,.pod,$(man_MANS))
 
diff --git a/libraries/libapparmor/doc/aa_getcon.pod b/libraries/libapparmor/doc/aa_getcon.pod
index d944fec..32ef61f 100644
--- a/libraries/libapparmor/doc/aa_getcon.pod
+++ b/libraries/libapparmor/doc/aa_getcon.pod
@@ -131,7 +131,7 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
-L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
+aa_splitcon(3) and L<http://wiki.apparmor.net>.
 
 =cut
diff --git a/libraries/libapparmor/doc/aa_splitcon.pod b/libraries/libapparmor/doc/aa_splitcon.pod
new file mode 100644
index 0000000..f95109b
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_splitcon.pod
@@ -0,0 +1,65 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_splitcon - split the confinement context into a label and mode
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<char *aa_splitcon(char *con, char **mode);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_splitcon() function Splits a confinement context into separate label
+and mode strings. The @con string is modified so that the label portion is NUL
+terminated. The enforcement mode is also NUL terminated and the parenthesis
+surrounding the mode are removed. If @mode is non-NULL, it will point to the
+first character in the enforcement mode string on success.
+
+=head1 RETURN VALUE
+
+Returns a pointer to the first character in the label string. NULL is returned
+on error.
+
+=head1 EXAMPLE
+
+ Context                        Label               Mode 
+ -----------------------------  ------------------  -------
+ unconfined                     unconfined          NULL
+ /bin/ping (enforce)            /bin/ping           enforce
+ /usr/sbin/rsyslogd (complain)  /usr/sbin/rsyslogd  complain
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa_getcon(2) and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index ca75e5a..6b2148a 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -58,6 +58,7 @@ extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
 
+extern char *aa_splitcon(char *con, char **mode);
 /* Protypes for introspecting task confinement
  * Please see the aa_getcon(2) manpage for information
  */
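Review bot: The new prototype is inserted with no blank line and no comment of its own directly above the block that documents the "introspecting task confinement" family, so a reader scanning the header will file aa_splitcon() under the aa_getcon(2) group it does not belong to. A blank line after the new declaration plus a one-line pointer in the style of the neighbouring block, `/* See the aa_splitcon(3) manpage for information */`, keeps the header's grouping intact. It would also help callers to note here that `con` is written in place, since that is why the parameter is not `const char *` unlike the surrounding prototypes.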
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index b792ac2..5f2d835 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -209,6 +209,23 @@ out:
 }
 
 /**
+ * aa_splitcon - split the confinement context into a label and mode
+ * @con: the confinement context
+ * @mode: if non-NULL and a mode is present, will point to mode string in @con
+ *  on success
+ *
+ * Modifies the @con string to split it into separate label and mode strings.
+ * The @mode argument is optional. If @mode is NULL, @con will still be split
+ * between the label and mode (if present) but @mode will not be set.
+ *
+ * Returns: a pointer to the label string or NULL on error
+ */
+char *aa_splitcon(char *con, char **mode)
+{
+	return splitcon(con, strlen(con), mode);
+}
+
+/**
  * aa_getprocattr_raw - get the contents of @attr for @tid into @buf
  * @tid: tid of task to query
  * @attr: which /proc/<tid>/attr/<attr> to query
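Review bot: aa_splitcon() is a public entry point, yet it hands `con` straight to strlen(), so a NULL context dereferences inside libc instead of producing the documented "NULL on error" result. A guard ahead of the call, `if (!con) { errno = EINVAL; return NULL; }`, makes the failure path match the kernel-doc comment; this assumes <errno.h> is already included in kernel.c, which the hunk does not show. The comment should also state what `*mode` holds when @mode is non-NULL but the context carries no mode, since the aa_splitcon.pod example table shows NULL for "unconfined": something like `@mode: ... set to NULL when @con carries no mode`, provided splitcon() actually behaves that way, its body being outside this hunk. Whether errno is set on splitcon()'s own failure path is likewise not visible here and is worth spelling out in the Returns line and in the man page's RETURN VALUE section.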
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 2f440f0..494d2c4 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -80,6 +80,7 @@ APPARMOR_2.10 {
         aa_policy_cache_make_valid;
         aa_policy_cache_remove;
         aa_policy_cache_replace_all;
+        aa_splitcon;
   local:
         *;
 } APPARMOR_2.9;
-- 
2.1.4



