Split the basic transaction file query out of aa_query_label so that it can be reused by other query types.
Signed-off-by: John Johansen <[email protected]> --- libraries/libapparmor/doc/aa_query_label.pod | 16 ++++- libraries/libapparmor/include/sys/apparmor.h | 2 + libraries/libapparmor/src/kernel.c | 93 +++++++++++++++++++++------ libraries/libapparmor/src/libapparmor.map | 7 ++ libraries/libapparmor/swig/SWIG/libapparmor.i | 2 + 5 files changed, 96 insertions(+), 24 deletions(-) diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod index 06129b6..73f430b 100644 --- a/libraries/libapparmor/doc/aa_query_label.pod +++ b/libraries/libapparmor/doc/aa_query_label.pod @@ -32,11 +32,18 @@ aa_query_link_path, aa_query_link_path_len - query access permissions of a link B<#include E<lt>sys/apparmor.hE<gt>> -B<int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed, int *audited);> +B<int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, + size_t size, char *buffer, size_t bsize);> -B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, const char *path, int *allowed, int *audited);> +B<int aa_query_label(uint32_t mask, char *query, size_t size, + int *allowed, int *audited);> -B<int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len, const char *path, size_t path_len, int *allowed, int *audited);> +B<int aa_query_file_path(uint32_t mask, const char *label, size_t label_len, + const char *path, int *allowed, int *audited);> + +B<int aa_query_file_path_len(uint32_t mask, const char *label, + size_t label_len, const char *path, size_t path_len, + int *allowed, int *audited);> B<int aa_query_link_path(const char *label, const char *target, const char *link, int *allowed, int *audited);> 
@@ -47,6 +54,9 @@ Link with B<-lapparmor> when compiling. =head1 DESCRIPTION +The B<aa_query_cmd> function sets up and does a raw query of the kernel. It is +the basis of the other query functions. + The B<aa_query_label> function fetches the current permissions granted by the specified I<label> in the I<query> string. diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h index 752a5bd..5e43ba2 100644 --- a/libraries/libapparmor/include/sys/apparmor.h +++ b/libraries/libapparmor/include/sys/apparmor.h @@ -101,6 +101,8 @@ extern int aa_getpeercon(int fd, char **label, char **mode); #define AA_QUERY_CMD_LABEL "label" #define AA_QUERY_CMD_LABEL_SIZE sizeof(AA_QUERY_CMD_LABEL) +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, + size_t size, char *buffer, size_t bsize); extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow, int *audit); extern int aa_query_file_path_len(uint32_t mask, const char *label, diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c index 49c74e1..1fe1b61 100644 --- a/libraries/libapparmor/src/kernel.c +++ b/libraries/libapparmor/src/kernel.c 
@@ -802,30 +802,22 @@ static void aafs_access_init_once(void) free(aafs); } -/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */ -#define QUERY_LABEL_REPLY_LEN 67 - /** - * aa_query_label - query the access(es) of a label - * @mask: permission bits to query - * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE - * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE - * @allowed: upon successful return, will be 1 if query is allowed and 0 if not - * @audited: upon successful return, will be 1 if query should be audited and 0 - * if not + * aa_query_cmd_open - begin a query for labels @cmd info + * @cmd: query cmd to use + * @cmd_size: size of the cmd being used + * @query: binary query string, must be offset by @cmd_size + * @size: size of the query string must include @cmd_size * - * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is - * ENOENT, the subject label in the query string is unknown to the - * kernel. + * Returns: fd with the query issued and results waiting to be read else -1 and sets errno. + * If -1 is returned and errno is ENOENT, the subject label in + * the query string is unknown to the kernel. */ -int query_label(uint32_t mask, char *query, size_t size, int *allowed, - int *audited) +static int aa_query_cmd_open(const char *cmd, size_t cmd_size, char *query, size_t size) { - char buf[QUERY_LABEL_REPLY_LEN]; - uint32_t allow, deny, audit, quiet; - int fd, ret, saved; + int fd, ret; - if (!mask || size <= AA_QUERY_CMD_LABEL_SIZE) { + if (size <= cmd_size) { errno = EINVAL; return -1; } @@ -846,7 +838,7 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed, return -1; } - memcpy(query, AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE); + memcpy(query, cmd, cmd_size); errno = 0; ret = write(fd, query, size); if (ret != size) { 
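Review bot: The new aa_query_cmd_open checks only `if (size <= cmd_size)` before `memcpy(query, cmd, cmd_size)` and the later `write(fd, query, size)`, and its inputs now arrive unfiltered from the exported aa_query_cmd, so a NULL `cmd` or `query` handed in by a library user is no longer caught by any argument validation on this path. Extending the guard to `if (!cmd || !query || size <= cmd_size) {` keeps the existing EINVAL contract for such inputs at no cost to valid callers. The `ret != size` comparison a few lines later mixes the int result of write() with a size_t; it predates this change, but a `(size_t)` cast or an `ssize_t ret` would make the error path's intent explicit now that the function is being reshaped. aa_query_cmd_open's body continues into the next hunk.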
@@ -860,10 +852,69 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed, return -1; } - ret = read(fd, buf, QUERY_LABEL_REPLY_LEN); + return fd; +} + +/** + * aa_query_cmd - make a query for labels @cmd info + * @cmd: query cmd to use + * @cmd_size: size of the cmd being used + * @query: binary query string, must be offset by @cmd_size + * @size: size of the query string must include @cmd_size + * @buffer: buffer to return query data in + * @bsize: size of @buffer + * + * Returns: size of data read on success else -1 and sets errno. + * If -1 is returned and errno is ENOENT, the subject label in + * the query string is unknown to the kernel. + */ +int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size, + char *buffer, size_t bsize) +{ + int fd, ret, saved; + + fd = aa_query_cmd_open(cmd, cmd_size, query, size); + if (fd == -1) + return -1; + + ret = read(fd, buffer, bsize); saved = errno; (void)close(fd); errno = saved; + + return ret; +} + +/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */ +#define QUERY_LABEL_REPLY_LEN 67 + +/** + * aa_query_label - query the access(es) of a label + * @mask: permission bits to query + * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE + * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE + * @allowed: upon successful return, will be 1 if query is allowed and 0 if not + * @audited: upon successful return, will be 1 if query should be audited and 0 + * if not + * + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is + * ENOENT, the subject label in the query string is unknown to the + * kernel. 
+ */ +int query_label(uint32_t mask, char *query, size_t size, int *allowed, + int *audited) +{ + char buf[QUERY_LABEL_REPLY_LEN]; + uint32_t allow, deny, audit, quiet; + int ret; + + if (!mask) { + errno = EINVAL; + return -1; + } + + ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query, + size, buf, QUERY_LABEL_REPLY_LEN); if (ret != QUERY_LABEL_REPLY_LEN) { errno = EPROTO; return -1; diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map index 5cbd4e8..69207d3 100644 --- a/libraries/libapparmor/src/libapparmor.map +++ b/libraries/libapparmor/src/libapparmor.map @@ -95,6 +95,13 @@ APPARMOR_2.11 { *; } APPARMOR_2.10; +APPARMOR_2.12 { + global: + aa_query_cmd; + local: + *; +} APPARMOR_2.11; + PRIVATE { global: _aa_is_blacklisted; diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i index 005dd7f..9165882 100644 --- a/libraries/libapparmor/swig/SWIG/libapparmor.i +++ b/libraries/libapparmor/swig/SWIG/libapparmor.i @@ -57,6 +57,8 @@ extern int aa_gettaskcon(pid_t target, char **label, char **mode); extern int aa_getcon(char **label, char **mode); extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode); extern int aa_getpeercon(int fd, char **label, char **mode); +extern int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, + size_t size, char *buffer, size_t bsize); extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow, int *audit); extern int aa_query_file_path_len(uint32_t mask, const char *label, -- 2.9.3 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
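Review bot: In aa_query_cmd, `ret = read(fd, buffer, bsize);` stores an ssize_t in an int and returns it as the public "size of data read", while `bsize` is a size_t, so the documented return value is narrower than the buffer size a caller may pass; keeping `ret` as `ssize_t` and documenting the int narrowing, or capping the accepted `bsize`, would make the contract honest. The kernel-doc for the now-exported function should also say what the caller receives: ` * The data in @buffer is raw kernel output and is not NUL terminated; a return value equal to @bsize may indicate a truncated reply.` The DESCRIPTION paragraph added to aa_query_label.pod describes neither the parameters nor the return value of aa_query_cmd, unlike the other functions on that page, even though the symbol is exported in APPARMOR_2.12. query_label's body continues past the end of this hunk.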
