[apparmor] [PATCH 5/6] utils: Replace Perl aa-exec with C aa-exec

Tyler Hicks tyhicks at canonical.com
Tue Dec 15 20:56:00 UTC 2015


Remove the Perl aa-exec implementation and build aa_exec.c as aa-exec.

Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. That option encouraged running programs
as root, since root privileges were required to load the specified profile.

All other features of the Perl aa-exec are present in the C aa-exec.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 utils/Makefile |  11 +++---
 utils/aa-exec  | 122 ---------------------------------------------------------
 2 files changed, 6 insertions(+), 127 deletions(-)
 delete mode 100755 utils/aa-exec

diff --git a/utils/Makefile b/utils/Makefile
index 711626b..3511d23 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -20,7 +20,8 @@ COMMONDIR=../common/
 
 include $(COMMONDIR)/Make.rules
 
-PERLTOOLS = aa-exec aa-notify
+SRCS = aa-exec.c
+PERLTOOLS = aa-notify
 PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
 	  aa-status aa-unconfined
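Review bot: Removing `aa-exec` from `PERLTOOLS` may also remove it from `${TOOLS}`, whose definition is outside this hunk. If `TOOLS` is assembled from `PERLTOOLS` and `PYTOOLS`, then `MANPAGES = ${TOOLS:=.8}` in the next hunk no longer yields `aa-exec.8`, and any install step that iterates over `${TOOLS}` would skip the new binary. Worth listing the page explicitly, for example `MANPAGES = ${TOOLS:=.8} aa-exec.8 logprof.conf.5`, and confirming that the install target (not shown) copies `aa-exec`. A comment next to `SRCS` such as `# C tools are built from SRCS and are not part of TOOLS` would make the split clear to the next maintainer.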
@@ -30,7 +31,7 @@ PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
 
 MANPAGES = ${TOOLS:=.8} logprof.conf.5
 
-all: ${MANPAGES} ${HTMLMANPAGES}
+all: ${MANPAGES} ${HTMLMANPAGES} aa-exec
 	$(MAKE) -C po all
 	$(MAKE) -C vim all
 
@@ -43,7 +44,7 @@ PYPREFIX=/usr
 PYFLAKES=pyflakes
 
 po/${NAME}.pot: ${TOOLS} ${PYMODULES}
-	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${PYMODULES} aa-exec.c"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${PYMODULES} ${SRCS}"
 
 ifdef USE_SYSTEM
   LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \
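Review bot: `${SRCS}` in the `SOURCES=` argument expands to `aa-exec.c` (set in the first hunk), while the build rule further down and the commit message both name the file `aa_exec.c`. Unless a file with the hyphenated name also exists, the translation template is generated without the C tool's strings, or the `po` make fails on a missing input. The removed line had the same spelling, so this is carried over rather than introduced, but the new variable is the natural place to fix it: `SRCS = aa_exec.c`. The rule could then use `aa-exec: ${SRCS}` so the name lives in one place.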
@@ -81,7 +82,7 @@ endif # USE_SYSTEM
 
 CFLAGS += -g -O0 -Wall -Wstrict-prototypes
 
-aa-exec-c: aa_exec.c
+aa-exec: aa_exec.c
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
 .PHONY: install
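Review bot: The `aa-exec` rule now produces the tool that replaces the Perl script, yet it still picks up `CFLAGS += -g -O0 -Wall -Wstrict-prototypes` from the context line above, so the binary is built unoptimised. With glibc, `_FORTIFY_SOURCE` does nothing without optimisation, and because the flags are appended, `-O0` lands after any `-O2` taken from the environment and wins. For a helper that sits on the confinement path, consider `CFLAGS += -g -O2 -Wall -Wstrict-prototypes`, or drop the `-O` level so the packager's choice stands. This does not apply when CFLAGS is given on the make command line, since the append is then ignored.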
@@ -110,7 +111,7 @@ clean: pod_clean
 	rm -rf staging/ build/
 	rm -f apparmor/*.pyc apparmor/rule/*.pyc
 	rm -rf apparmor/__pycache__/ apparmor/rule/__pycache__/
-	rm -f aa-exec-c
+	rm -f aa-exec
 
 # ${CAPABILITIES} is defined in common/Make.rules
 .PHONY: check_severity_db
diff --git a/utils/aa-exec b/utils/aa-exec
deleted file mode 100755
index 23bd3ac..0000000
--- a/utils/aa-exec
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/usr/bin/perl
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2011-2013 Canonical Ltd.
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-use strict;
-use warnings;
-use Errno;
-
-require LibAppArmor;
-require POSIX;
-
-my $opt_d = '';
-my $opt_h = '';
-my $opt_p = '';
-my $opt_n = '';
-my $opt_i = '';
-my $opt_v = '';
-my $opt_f = '';
-
-sub _warn {
-    my $msg = $_[0];
-    print STDERR "aa-exec: WARN: $msg\n";
-}
-sub _error {
-    my $msg = $_[0];
-    print STDERR "aa-exec: ERROR: $msg\n";
-    exit 1
-}
-
-sub _debug {
-    $opt_d or return;
-    my $msg = $_[0];
-    print STDERR "aa-exec: DEBUG: $msg\n";
-}
-
-sub _verbose {
-    $opt_v or return;
-    my $msg = $_[0];
-    print STDERR "$msg\n";
-}
-
-sub usage() {
-    my $s = <<'EOF';
-USAGE: aa-exec [OPTIONS] <prog> <args>
-
-Confine <prog> with the specified PROFILE.
-
-OPTIONS:
-  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
-  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
-  -f FILE, --file FILE		profile file to load
-  -i, --immediate		change profile immediately instead of at exec
-  -v, --verbose			show messages with stats
-  -h, --help			display this help
-
-EOF
-    print $s;
-}
-
-use Getopt::Long;
-
-GetOptions(
-    'debug|d'        => \$opt_d,
-    'help|h'         => \$opt_h,
-    'profile|p=s'    => \$opt_p,
-    'namespace|n=s'  => \$opt_n,
-    'file|f=s'       => \$opt_f,
-    'immediate|i'    => \$opt_i,
-    'verbose|v'      => \$opt_v,
-);
-
-if ($opt_h) {
-    usage();
-    exit(0);
-}
-
-if ($opt_n || $opt_p) {
-   my $test;
-   my $prof;
-
-   if ($opt_n) {
-      $prof = ":$opt_n:";
-   }
-
-   $prof .= $opt_p;
-
-   if ($opt_f) {
-       system("apparmor_parser", "-r", "$opt_f") == 0
-	   or _error("\'aborting could not load $opt_f\'");
-   }
-
-   if ($opt_i) {
-       _verbose("aa_change_profile(\"$prof\")");
-       $test = LibAppArmor::aa_change_profile($prof);
-       _debug("$test = aa_change_profile(\"$prof\"); $!");
-   } else {
-       _verbose("aa_change_onexec(\"$prof\")");
-       $test = LibAppArmor::aa_change_onexec($prof);
-       _debug("$test = aa_change_onexec(\"$prof\"); $!");
-   }
-
-   if ($test != 0) {
-       if ($!{ENOENT} || $!{EACCESS}) {
-	   my $pre = ($opt_p) ? "profile" : "namespace";
-	   _error("$pre \'$prof\' does not exist\n");
-       } elsif ($!{EINVAL}) {
-	   _error("AppArmor interface not available\n");
-       } else {
-	   _error("$!\n");
-       }
-   }
-}
-
-_verbose("exec @ARGV");
-exec @ARGV;
-- 
2.5.0



