[apparmor] [PATCH 1/4] Split aa_query_label into a base aa_query_cmd and it aa_query_label
John Johansen
john.johansen at canonical.com
Tue Oct 6 17:12:50 UTC 2015
>From ad3b28cbb1e78d1894d9f1e1780902d140316d42 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Wed, 15 Jul 2015 05:36:32 -0700
Subject: [PATCH 1/4] Split aa_query_label into a base aa_query_cmd and it
aa_query_label
Split the basic transaction file query out of aa_query_label so that
it can be reused by other query types.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
libraries/libapparmor/doc/aa_query_label.pod | 12 +++-
libraries/libapparmor/include/sys/apparmor.h | 2 +
libraries/libapparmor/src/kernel.c | 92 +++++++++++++++++++++------
libraries/libapparmor/swig/SWIG/libapparmor.i | 2 +
4 files changed, 84 insertions(+), 24 deletions(-)
diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
index 3e943a7..900e2d0 100644
--- a/libraries/libapparmor/doc/aa_query_label.pod
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -28,13 +28,16 @@ aa_query_label - query access permission associated with a label
B<#include E<lt>sys/apparmor.hE<gt>>
-B<int aa_query_label((uint32_t mask, char *query, size_t size,
+B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);>
+
+B<int aa_query_label(uint32_t mask, char *query, size_t size,
int *allowed, int *audited);>
-B<int aa_query_file_path((uint32_t mask, const char *label, size_t label_len,
+B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len,
const char *path, int *allowed, int *audited);>
-B<int aa_query_file_path_len((uint32_t mask, const char *label,
+B<int aa_query_file_path_len(uint32_t mask, const char *label,
size_t label_len, const char *path, size_t path_len,
int *allowed, int *audited);>
@@ -51,6 +54,9 @@ Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
+The aa_query_cmd function setup and does the raw query of the kernel. It is
+the basis of the other query_X functions.
+
The aa_query_label function fetches the current permissions granted by the
specified I<label> in the I<query> string.
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 13a6a8c..61629bc 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -99,6 +99,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
#define AA_QUERY_CMD_LABEL "label"
#define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL)
+extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index a3f8efa..1de4e54 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -760,30 +760,22 @@ static void aafs_access_init_once(void)
free(aafs);
}
-/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
-#define QUERY_LABEL_REPLY_LEN 67
-
/**
- * aa_query_label - query the access(es) of a label
- * @mask: permission bits to query
- * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
- * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
- * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
- * @audited: upon successful return, will be 1 if query should be audited and 0
- * if not
+ * aa_query_cmd_open - begin a query for labels @cmd info
+ * @cmd: query cmd to use
+ * @cmd_size: size of the cmd being used
+ * @query: binary query string, must be offset by @cmd_size
+ * @size: size of the query string must include @cmd_size
*
- * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
- * ENOENT, the subject label in the query string is unknown to the
- * kernel.
+ * Returns: fd with the query issued and results waiting to be read else -1 and sets errno.
+ * If -1 is returned and errno is ENOENT, the subject label in
+ * the query string is unknown to the kernel.
*/
-int query_label(uint32_t mask, char *query, size_t size, int *allowed,
- int *audited)
+static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, size_t size)
{
- char buf[QUERY_LABEL_REPLY_LEN];
- uint32_t allow, deny, audit, quiet;
int fd, ret, saved;
- if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) {
+ if (size <= cmd_size) {
errno = EINVAL;
return -1;
}
@@ -804,7 +796,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
return -1;
}
- memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
+ memcpy(query, cmd, cmd_size);
errno = 0;
ret = write(fd, query, size);
if (ret != size) {
@@ -818,10 +810,69 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
return -1;
}
- ret = read(fd, buf, QUERY_LABEL_REPLY_LEN);
+ return fd;
+}
+
+/**
+ * aa_query_cmd - make a query for labels @cmd info
+ * @cmd: query cmd to use
+ * @cmd_size: size of the cmd being used
+ * @query: binary query string, must be offset by @cmd_size
+ * @size: size of the query string must include @cmd_size
+ * @buffer: buffer to return query data in
+ * @bsize: size of @buffer
+ *
+ * Returns: size of data read on success else -1 and sets errno.
+ * If -1 is returned and errno is ENOENT, the subject label in
+ * the query string is unknown to the kernel.
+ */
+int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size,
+ char *buffer, size_t bsize)
+{
+ int fd, ret, saved;
+
+ fd = aa_query_cmd_open(cmd, cmd_size, query, size);
+ if (fd == -1)
+ return -1;
+
+ ret = read(fd, buffer, bsize);
saved = errno;
(void)close(fd);
errno = saved;
+
+ return ret;
+}
+
+/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
+#define QUERY_LABEL_REPLY_LEN 67
+
+/**
+ * aa_query_label - query the access(es) of a label
+ * @mask: permission bits to query
+ * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
+ * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ * if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ * ENOENT, the subject label in the query string is unknown to the
+ * kernel.
+ */
+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
+ int *audited)
+{
+ char buf[QUERY_LABEL_REPLY_LEN];
+ uint32_t allow, deny, audit, quiet;
+ int ret;
+
+ if (!mask) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query,
+ size, buf, QUERY_LABEL_REPLY_LEN);
if (ret != QUERY_LABEL_REPLY_LEN) {
errno = EPROTO;
return -1;
@@ -928,7 +979,6 @@ int aa_query_link_path_len(const char *label, size_t label_len,
int *allowed, int *audited)
{
autofree char *query = NULL;
- int rc;
/* + 1 for null separators */
size_t size = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + target_len +
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 69b4cc2..3e1950a 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -55,6 +55,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode);
extern int aa_getcon(char **label, char **mode);
extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
extern int aa_getpeercon(int fd, char **label, char **mode);
+extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query,
+ size_t size, char *buffer, size_t bsize);
extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
int *audit);
extern int aa_query_file_path_len(uint32_t mask, const char *label,
--
2.1.4
More information about the AppArmor
mailing list