[apparmor] [PATCH v2 5/6] utils: Replace Perl aa-exec with C aa-exec
Tyler Hicks
tyhicks at canonical.com
Thu Dec 17 03:25:06 UTC 2015
Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
binutils/, and point the regression test to the C based aa-exec in
binutils/.
Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. It encouraged running programs as root,
since root privileges were required to load the specified profile.
All other features of the Perl aa-exec are present in the C aa-exec.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
binutils/Makefile | 2 +-
binutils/aa-exec.pod | 97 ++++++++++++++++++++
tests/regression/apparmor/Makefile | 6 +-
tests/regression/apparmor/uservars.inc.source | 2 +-
utils/Makefile | 2 +-
utils/aa-exec | 122 --------------------------
utils/aa-exec.pod | 97 --------------------
7 files changed, 103 insertions(+), 225 deletions(-)
create mode 100644 binutils/aa-exec.pod
delete mode 100755 utils/aa-exec
delete mode 100644 utils/aa-exec.pod
diff --git a/binutils/Makefile b/binutils/Makefile
index aec2d62..91ae4cd 100644
--- a/binutils/Makefile
+++ b/binutils/Makefile
@@ -20,7 +20,7 @@ include $(COMMONDIR)/Make.rules
DESTDIR=/
BINDIR=${DESTDIR}bin
LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.8
+MANPAGES=aa-enabled.8 aa-exec.8
WARNINGS = -Wall
EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
diff --git a/binutils/aa-exec.pod b/binutils/aa-exec.pod
new file mode 100644
index 0000000..58dedb2
--- /dev/null
+++ b/binutils/aa-exec.pod
@@ -0,0 +1,97 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-exec - confine a program with the specified AppArmor profile
+
+=head1 SYNOPSIS
+
+B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
+
+=head1 DESCRIPTION
+
+B<aa-exec> is used to launch a program confined by the specified profile
+and or namespace. If both a profile and namespace are specified command
+will be confined by profile in the new policy namespace. If only a namespace
+is specified, the profile name of the current confinement will be used. If
+neither a profile or namespace is specified command will be run using
+standard profile attachment (ie. as if run without the aa-exec command).
+
+If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
+by aa-exec then -- should be used to separate aa-exec arguments from the
+command.
+ aa-exec -p profile1 -- ls -l
+
+=head1 OPTIONS
+B<aa-exec> accepts the following arguments:
+
+=over 4
+
+=item -p PROFILE, --profile=PROFILE
+
+confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
+use the current profile name (likely unconfined).
+
+=item -n NAMESPACE, --namespace=NAMESPACE
+
+use profiles in NAMESPACE. This will result in confinement transitioning
+to using the new profile namespace.
+
+=item -f FILE, --file=FILE
+
+a file or directory containing profiles to load before confining the program.
+
+=item -i, --immediate
+
+transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
+subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
+of the current profile.
+
+=item -v, --verbose
+
+show commands being performed
+
+=item -d, --debug
+
+show commands and error codes
+
+=item --
+
+Signal the end of options and disables further option processing. Any
+arguments after the -- are treated as arguments of the command. This is
+useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
+aa-exec.
+
+=back
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
+aa_change_onexec(3) and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index d0e4b35..892f1c5 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -52,12 +52,12 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
************************************************************************${nl})
endif
- UTILS_SRC := ../../../utils
- AA_EXEC = $(UTILS_SRC)/aa-exec
+ BINUTILS_SRC := ../../../binutils
+ AA_EXEC = $(BINUTILS_SRC)/aa-exec
ifeq ($(realpath $(AA_EXEC)),)
AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
************************************************************************${nl}\
-$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
+$(AA_EXEC) is missing; either build the $(BINUTILS_SRC) directory${nl}\
and then try again (see the top-level README for help) or use the${nl}\
system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
************************************************************************${nl})
diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
index aff53d2..198df43 100644
--- a/tests/regression/apparmor/uservars.inc.source
+++ b/tests/regression/apparmor/uservars.inc.source
@@ -14,4 +14,4 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
sys_profiles=/sys/kernel/security/apparmor/profiles
# 5. Location of aa-exec
-aa_exec=${PWD}/../../../utils/aa-exec
+aa_exec=${PWD}/../../../binutils/aa-exec
diff --git a/utils/Makefile b/utils/Makefile
index 4762262..acfddba 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -20,7 +20,7 @@ COMMONDIR=../common/
include $(COMMONDIR)/Make.rules
-PERLTOOLS = aa-exec aa-notify
+PERLTOOLS = aa-notify
PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
aa-autodep aa-audit aa-complain aa-enforce aa-disable \
aa-status aa-unconfined
diff --git a/utils/aa-exec b/utils/aa-exec
deleted file mode 100755
index 23bd3ac..0000000
--- a/utils/aa-exec
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/usr/bin/perl
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2011-2013 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-use strict;
-use warnings;
-use Errno;
-
-require LibAppArmor;
-require POSIX;
-
-my $opt_d = '';
-my $opt_h = '';
-my $opt_p = '';
-my $opt_n = '';
-my $opt_i = '';
-my $opt_v = '';
-my $opt_f = '';
-
-sub _warn {
- my $msg = $_[0];
- print STDERR "aa-exec: WARN: $msg\n";
-}
-sub _error {
- my $msg = $_[0];
- print STDERR "aa-exec: ERROR: $msg\n";
- exit 1
-}
-
-sub _debug {
- $opt_d or return;
- my $msg = $_[0];
- print STDERR "aa-exec: DEBUG: $msg\n";
-}
-
-sub _verbose {
- $opt_v or return;
- my $msg = $_[0];
- print STDERR "$msg\n";
-}
-
-sub usage() {
- my $s = <<'EOF';
-USAGE: aa-exec [OPTIONS] <prog> <args>
-
-Confine <prog> with the specified PROFILE.
-
-OPTIONS:
- -p PROFILE, --profile=PROFILE PROFILE to confine <prog> with
- -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in
- -f FILE, --file FILE profile file to load
- -i, --immediate change profile immediately instead of at exec
- -v, --verbose show messages with stats
- -h, --help display this help
-
-EOF
- print $s;
-}
-
-use Getopt::Long;
-
-GetOptions(
- 'debug|d' => \$opt_d,
- 'help|h' => \$opt_h,
- 'profile|p=s' => \$opt_p,
- 'namespace|n=s' => \$opt_n,
- 'file|f=s' => \$opt_f,
- 'immediate|i' => \$opt_i,
- 'verbose|v' => \$opt_v,
-);
-
-if ($opt_h) {
- usage();
- exit(0);
-}
-
-if ($opt_n || $opt_p) {
- my $test;
- my $prof;
-
- if ($opt_n) {
- $prof = ":$opt_n:";
- }
-
- $prof .= $opt_p;
-
- if ($opt_f) {
- system("apparmor_parser", "-r", "$opt_f") == 0
- or _error("\'aborting could not load $opt_f\'");
- }
-
- if ($opt_i) {
- _verbose("aa_change_profile(\"$prof\")");
- $test = LibAppArmor::aa_change_profile($prof);
- _debug("$test = aa_change_profile(\"$prof\"); $!");
- } else {
- _verbose("aa_change_onexec(\"$prof\")");
- $test = LibAppArmor::aa_change_onexec($prof);
- _debug("$test = aa_change_onexec(\"$prof\"); $!");
- }
-
- if ($test != 0) {
- if ($!{ENOENT} || $!{EACCESS}) {
- my $pre = ($opt_p) ? "profile" : "namespace";
- _error("$pre \'$prof\' does not exist\n");
- } elsif ($!{EINVAL}) {
- _error("AppArmor interface not available\n");
- } else {
- _error("$!\n");
- }
- }
-}
-
-_verbose("exec @ARGV");
-exec @ARGV;
diff --git a/utils/aa-exec.pod b/utils/aa-exec.pod
deleted file mode 100644
index 58dedb2..0000000
--- a/utils/aa-exec.pod
+++ /dev/null
@@ -1,97 +0,0 @@
-# This publication is intellectual property of Canonical Ltd. Its contents
-# can be duplicated, either in part or in whole, provided that a copyright
-# label is visibly located on each copy.
-#
-# All information found in this book has been compiled with utmost
-# attention to detail. However, this does not guarantee complete accuracy.
-# Neither Canonical Ltd, the authors, nor the translators shall be held
-# liable for possible errors or the consequences thereof.
-#
-# Many of the software and hardware descriptions cited in this book
-# are registered trademarks. All trade names are subject to copyright
-# restrictions and may be registered trade marks. Canonical Ltd
-# essentially adheres to the manufacturer's spelling.
-#
-# Names of products and trademarks appearing in this book (with or without
-# specific notation) are likewise subject to trademark and trade protection
-# laws and may thus fall under copyright restrictions.
-#
-
-
-=pod
-
-=head1 NAME
-
-aa-exec - confine a program with the specified AppArmor profile
-
-=head1 SYNOPSIS
-
-B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
-
-=head1 DESCRIPTION
-
-B<aa-exec> is used to launch a program confined by the specified profile
-and or namespace. If both a profile and namespace are specified command
-will be confined by profile in the new policy namespace. If only a namespace
-is specified, the profile name of the current confinement will be used. If
-neither a profile or namespace is specified command will be run using
-standard profile attachment (ie. as if run without the aa-exec command).
-
-If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
-by aa-exec then -- should be used to separate aa-exec arguments from the
-command.
- aa-exec -p profile1 -- ls -l
-
-=head1 OPTIONS
-B<aa-exec> accepts the following arguments:
-
-=over 4
-
-=item -p PROFILE, --profile=PROFILE
-
-confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
-use the current profile name (likely unconfined).
-
-=item -n NAMESPACE, --namespace=NAMESPACE
-
-use profiles in NAMESPACE. This will result in confinement transitioning
-to using the new profile namespace.
-
-=item -f FILE, --file=FILE
-
-a file or directory containing profiles to load before confining the program.
-
-=item -i, --immediate
-
-transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
-subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
-of the current profile.
-
-=item -v, --verbose
-
-show commands being performed
-
-=item -d, --debug
-
-show commands and error codes
-
-=item --
-
-Signal the end of options and disables further option processing. Any
-arguments after the -- are treated as arguments of the command. This is
-useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
-aa-exec.
-
-=back
-
-=head1 BUGS
-
-If you find any bugs, please report them at
-L<https://bugs.launchpad.net/apparmor/+filebug>.
-
-=head1 SEE ALSO
-
-aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
-aa_change_onexec(3) and L<http://wiki.apparmor.net>.
-
-=cut
--
2.5.0
More information about the AppArmor
mailing list