The aa-namespace command can be used to help set up alternate policy namespaces. The current version only supports the most basic of operations that can be supported under the old interface.
Signed-off-by: John Johansen <[email protected]>
---
utils/Makefile | 2 +-
utils/aa-namespace | 124 ++++++++++++++++++++++++++++++++++++++++++++++++
utils/aa-namespace.pod | 98 ++++++++++++++++++++++++++++++++++++++
3 files changed, 223 insertions(+), 1 deletions(-)
create mode 100755 utils/aa-namespace
create mode 100644 utils/aa-namespace.pod
diff --git a/utils/Makefile b/utils/Makefile
index 5baa26d..4d17487 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -28,7 +28,7 @@ endif
 MODDIR = Immunix
 PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
- aa-unconfined aa-notify aa-disable aa-exec aa-stack
+ aa-unconfined aa-notify aa-disable aa-exec aa-stack aa-namespace
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 ${MODDIR}/Config.pm ${MODDIR}/Severity.pm
diff --git a/utils/aa-namespace b/utils/aa-namespace
new file mode 100755
index 0000000..b726963
--- /dev/null
+++ b/utils/aa-namespace
@@ -0,0 +1,124 @@
+#!/usr/bin/perl
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+use strict;
+use warnings;
+use Errno;
+
+require LibAppArmor;
+require POSIX;
+require Time::Local;
+require File::Basename;
+
+my $opt_m = '';
+my $opt_l = '';
+my $opt_c = '';
+my $opt_u = '';
+my $opt_n = '';
+my $opt_i = '';
+my $opt_h = '';
+my $opt_v = '';
+my $opt_d = '';
+
+sub _warn {
+ my $msg = $_[0];
+ print STDERR "aa-namespace: WARN: $msg\n";
+}
+sub _error {
+ my $msg = $_[0];
+ print STDERR "aa-namespace: ERROR: $msg\n";
+ exit 1
+}
+
+sub _debug {
+ $opt_d or return;
+ my $msg = $_[0];
+ print STDERR "aa-namespace: DEBUG: $msg\n";
+}
+
+sub _verbose {
+ $opt_v or return;
+ my $msg = $_[0];
+ print STDERR "$msg\n";
+}
+
+sub setup_old_iface() {
+ # load a dummy init profile to create the namespace
+ my $output = `echo "profile init { }" | apparmor_parser -q -n $opt_n`;
+ if ($output) {
+ _error("could not create namespace $opt_n, $output");
+ }
+
+ # remove the dummy init profile, namespaces are not auto removed
+ $output = `echo "profile init { }" | apparmor_parser -R -q -n $opt_n`;
+ if ($output) {
+ _error("could not remove init profile");
+ }
+}
+
+sub usage() {
+ my $s = <<'EOF';
+USAGE: aa-namespace [OPTIONS] -n <name> [<profiles> ...]
+
+Create and setup a new AppArmor profile namespace <name>.
+
+OPTIONS:
+ -n NAME, --name=NAME NAME to use for the namespace being created
+ -m MEM, --mem=MEM Maximum memory for policy in the namespace
+ -l COUNT, --limit=COUNT Maximum number of profiles that can be loaded
+ -c, --cleanup Cleanup and remove namespace when no longer used
+ -i, --visible Make parent namespace visible to introspection
+ -u USER, --user=USER If supported USER to bind namespace to
+ -I INC, --include=INC Includes base for profiles
+ -v, --verbose Show messages with stats
+ -h, --help Display this help
+
+EOF
+ print $s;
+}
+
+use Getopt::Long;
+
+GetOptions(
+ 'name|n=s' => \$opt_n,
+ 'mem|m=n' => \$opt_m,
+ 'limit|l=n' => \$opt_l,
+ 'cleanup|c' => \$opt_c,
+ 'visible|i' => \$opt_i,
+ 'user|u=s' => \$opt_u,
+ 'include|I=s' => \$opt_i,
+ 'verbose|v' => \$opt_v,
+ 'debug|d' => \$opt_d,
+ 'help|h' => \$opt_h,
+);
+
+my $ARGC = @ARGV;
+
+if ($opt_h || !$opt_n) {
+ usage();
+ exit(0);
+}
+
+if (!LibAppArmor::aa_is_enabled()) {
+ _error("AppArmor is not enabled");
+}
+
+my $cmnt;
+if (!LibAppArmor::aa_find_mountpoint($cmnt)) {
+ _error("could not find AppArmor interface.");
+}
+
+setup_old_iface();
+
+if ($ARGC > 0) {
+ print "loading -n $opt_n @ARGV\n";
+ exec("apparmor_parser -n $opt_n @ARGV");
+}
diff --git a/utils/aa-namespace.pod b/utils/aa-namespace.pod
new file mode 100644
index 0000000..1ae8cdf
--- /dev/null
+++ b/utils/aa-namespace.pod
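Review bot: setup_old_iface() cannot detect apparmor_parser failing: backticks capture only stdout, the parser reports errors on stderr and `-q` silences it further, and `$?` is never examined, so a failed namespace creation falls through to the `-R` removal and then to the final exec as if it had succeeded. Both backtick calls also interpolate `$opt_n` (and the exec interpolates `@ARGV`) into a shell command line; `exec('apparmor_parser', '-n', $opt_n, @ARGV)` and a list-form pipe open keep the namespace name and profile paths out of /bin/sh and let `close()` report the parser's exit status, as in the rewrite below. Separately, `'include|I=s' => \$opt_i` reuses the variable bound to `'visible|i'`, so `-I` is both mistaken for the visible flag and never forwarded to the parser; it needs its own `$opt_I` and an `-I $opt_I` argument on the exec. The `-m`, `-l`, `-c` and `-u` options are parsed but ignored, and the POD marks them NOT SUPPORTED while the script's usage text does not; a `_warn()` when they are given would keep the two honest. The `aa_find_mountpoint()` check may also be inverted, since the C function returns 0 on success, but that depends on the SWIG wrapper's return convention and should be confirmed.
```perl
sub setup_old_iface() {
    # load a dummy init profile to create the namespace; the list-form pipe
    # keeps $opt_n out of /bin/sh and close() reports the parser's exit status
    open(my $parser, '|-', 'apparmor_parser', '-q', '-n', $opt_n)
        or _error("could not run apparmor_parser: $!");
    print {$parser} "profile init { }\n";
    close($parser)
        or _error("could not create namespace $opt_n, apparmor_parser exited " . ($? >> 8));

    # remove the dummy init profile, namespaces are not auto removed
    open($parser, '|-', 'apparmor_parser', '-R', '-q', '-n', $opt_n)
        or _error("could not run apparmor_parser: $!");
    print {$parser} "profile init { }\n";
    close($parser)
        or _error("could not remove init profile, apparmor_parser exited " . ($? >> 8));
}
# … unchanged: usage(), option parsing, enabled/mountpoint checks …
if ($ARGC > 0) {
    print "loading -n $opt_n @ARGV\n";
    exec('apparmor_parser', '-n', $opt_n, @ARGV)
        or _error("could not exec apparmor_parser: $!");
}
```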
@@ -0,0 +1,98 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-namespace - tool to help set up a profile namespace
+
+=head1 SYNOPSIS
+
+B<aa-namespace> [options] -n I<E<lt>nameE<gt>> [I<E<lt>profilesE<gt>> ...]
+
+=head1 DESCRIPTION
+
+B<aa-namespace> is used to create and set up an AppArmor policy namespace.
+After creating the namespace it will set any specified options and precede
+the namespace with any specified profiles.
+
+Require privileges to administer the MAC namespace, aka MAC_ADMIN capability
+(root on most systems).
+
+=head1 OPTIONS
+B<aa-namespace> accepts the following arguments:
+
+=over 4
+
+=item -m MEM, --mem=MEM (NOT SUPPORTED)
+
+Maximum amount of memory policy loaded into the namespace can use.
+
+=item -l COUNT, --limit=COUNT (NOT SUPPORTED)
+
+Maximum number of profiles that can be loaded into the profile.
+
+=item -c, --cleanup (NOT SUPPORTED)
+
+Cleanup and remove the namespace when it is no longer used. The namespace
+will be removed from policy management visibility after all its profiles
+are removed. The namespace may continue to exist as long as programs are
+confined by profiles in the namespace.
+
+If the namespace is created without profiles, it will not be removed until
+after the first profile has been added, and then all its profiles have been
+removed.
+
+=item -i, --visible (NOT SUPPORTED)
+
+Make the parent namespace visible to introspection queries from task confined
+inside the namespace.
+
+=item u, --user (NOT SUPPORTED)
+
+Create a user policy namespace, that can by managed by the specified user.
+The user can manage and load policy in this namespace.
+
+This feature is not currently supported.
+
+=item -I, --include
+
+Set the include PATH for any profiles to be loaded
+
+=item -v, --verbose
+
+show commands being performed
+
+=item -d, --debug
+
+show commands and error codes
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor_namespaces(8), apparmor.d(5), aa-confine(1), aa-stack(1),
+and L<http://wiki.apparmor.net>.
+
+=cut
-- 1.7.7.3 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
