On 12/15/2015 12:56 PM, Tyler Hicks wrote:
> Remove the Perl aa-exec implementation and build aa_exec.c as aa-exec.
> 
> Note that the new C aa-exec does not implement the --file option which
> was present in the Perl aa-exec. It encouraged running programs as root,
> since root privileges were required to load the specified profile.
> 
> All other features of the Perl aa-exec are present in the C aa-exec.
> 
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>

so this hits the question (again) of where we want these binary tools
packaged. So for aa-enabled I dropped it in ... binutils, and we are
also going to have an aa-sha1 tool landing in there as well.

I am not opposed to dropping the C-based tools in utils, but it seemed
that people were leaning towards a separate dir and a separate package.

> ---
>  utils/Makefile |  11 +++---
>  utils/aa-exec  | 122 
> ---------------------------------------------------------
>  2 files changed, 6 insertions(+), 127 deletions(-)
>  delete mode 100755 utils/aa-exec
> 
> diff --git a/utils/Makefile b/utils/Makefile
> index 711626b..3511d23 100644
> --- a/utils/Makefile
> +++ b/utils/Makefile
> @@ -20,7 +20,8 @@ COMMONDIR=../common/
>  
>  include $(COMMONDIR)/Make.rules
>  
> -PERLTOOLS = aa-exec aa-notify
> +SRCS = aa-exec.c
> +PERLTOOLS = aa-notify
>  PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
>            aa-autodep aa-audit aa-complain aa-enforce aa-disable \
>         aa-status aa-unconfined
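Review bot: `SRCS = aa-exec.c` names the source with a hyphen, while the build rule later in this patch (`aa-exec: aa_exec.c`) and the commit message both use `aa_exec.c`. Unless both files exist in utils/, the `SOURCES="... ${SRCS}"` argument in the third hunk hands the po Makefile a path that is not there, and the C tool's translatable strings would be left out of the template. I would define the name once, `SRCS = aa_exec.c`, and write the build rule as `aa-exec: ${SRCS}`.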
> @@ -30,7 +31,7 @@ PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py)
>  
>  MANPAGES = ${TOOLS:=.8} logprof.conf.5
>  
> -all: ${MANPAGES} ${HTMLMANPAGES}
> +all: ${MANPAGES} ${HTMLMANPAGES} aa-exec
>       $(MAKE) -C po all
>       $(MAKE) -C vim all
>  
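Review bot: Removing `aa-exec` from `PERLTOOLS` probably also removes it from `TOOLS`, so `MANPAGES = ${TOOLS:=.8}` in this hunk would stop generating `aa-exec.8`; the definition of `TOOLS` is outside the visible hunks, so this is inferred. The install rule is not shown either, and if it iterates over `TOOLS` the compiled binary would be built by `all` but never installed. Please confirm both, or list the page explicitly, for example `MANPAGES = ${TOOLS:=.8} aa-exec.8 logprof.conf.5`, and add an install line for the binary.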
> @@ -43,7 +44,7 @@ PYPREFIX=/usr
>  PYFLAKES=pyflakes
>  
>  po/${NAME}.pot: ${TOOLS} ${PYMODULES}
> -     $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${PYMODULES} 
> aa-exec.c"
> +     $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${PYMODULES} 
> ${SRCS}"
>  
>  ifdef USE_SYSTEM
>    LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \
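Review bot: The rule `po/${NAME}.pot: ${TOOLS} ${PYMODULES}` passes `${SRCS}` in `SOURCES` but does not list it as a prerequisite, so changing a translatable string in the C source will not cause the template to be regenerated. Listing it, `po/${NAME}.pot: ${TOOLS} ${PYMODULES} ${SRCS}`, keeps the dependency list and the extraction list in step, and make will then fail loudly if `SRCS` names a file that does not exist.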
> @@ -81,7 +82,7 @@ endif # USE_SYSTEM
>  
>  CFLAGS += -g -O0 -Wall -Wstrict-prototypes
>  
> -aa-exec-c: aa_exec.c
> +aa-exec: aa_exec.c
>       ${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
>  
>  .PHONY: install
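Review bot: `CFLAGS += -g -O0 -Wall -Wstrict-prototypes` appends to whatever CFLAGS the environment supplies, so the trailing `-O0` overrides a packager's `-O2`. That was harmless for the side-build `aa-exec-c`, but this rule now produces the shipped `aa-exec`, the binary that applies the confinement, and glibc's `_FORTIFY_SOURCE` checks are inactive without optimisation. I would keep only the warning flags here, `CFLAGS += -Wall -Wstrict-prototypes`, and leave `-g` and the `-O` level to the caller. The `ifdef USE_SYSTEM` block that sets the link flags is outside this hunk.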
> @@ -110,7 +111,7 @@ clean: pod_clean
>       rm -rf staging/ build/
>       rm -f apparmor/*.pyc apparmor/rule/*.pyc
>       rm -rf apparmor/__pycache__/ apparmor/rule/__pycache__/
> -     rm -f aa-exec-c
> +     rm -f aa-exec
>  
>  # ${CAPABILITIES} is defined in common/Make.rules
>  .PHONY: check_severity_db
> diff --git a/utils/aa-exec b/utils/aa-exec
> deleted file mode 100755
> index 23bd3ac..0000000
> --- a/utils/aa-exec
> +++ /dev/null
> @@ -1,122 +0,0 @@
> -#!/usr/bin/perl
> -# ------------------------------------------------------------------
> -#
> -#    Copyright (C) 2011-2013 Canonical Ltd.
> -#
> -#    This program is free software; you can redistribute it and/or
> -#    modify it under the terms of version 2 of the GNU General Public
> -#    License published by the Free Software Foundation.
> -#
> -# ------------------------------------------------------------------
> -
> -use strict;
> -use warnings;
> -use Errno;
> -
> -require LibAppArmor;
> -require POSIX;
> -
> -my $opt_d = '';
> -my $opt_h = '';
> -my $opt_p = '';
> -my $opt_n = '';
> -my $opt_i = '';
> -my $opt_v = '';
> -my $opt_f = '';
> -
> -sub _warn {
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: WARN: $msg\n";
> -}
> -sub _error {
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: ERROR: $msg\n";
> -    exit 1
> -}
> -
> -sub _debug {
> -    $opt_d or return;
> -    my $msg = $_[0];
> -    print STDERR "aa-exec: DEBUG: $msg\n";
> -}
> -
> -sub _verbose {
> -    $opt_v or return;
> -    my $msg = $_[0];
> -    print STDERR "$msg\n";
> -}
> -
> -sub usage() {
> -    my $s = <<'EOF';
> -USAGE: aa-exec [OPTIONS] <prog> <args>
> -
> -Confine <prog> with the specified PROFILE.
> -
> -OPTIONS:
> -  -p PROFILE, --profile=PROFILE              PROFILE to confine <prog> with
> -  -n NAMESPACE, --namespace=NAMESPACE        NAMESPACE to confine <prog> in
> -  -f FILE, --file FILE               profile file to load
> -  -i, --immediate            change profile immediately instead of at exec
> -  -v, --verbose                      show messages with stats
> -  -h, --help                 display this help
> -
> -EOF
> -    print $s;
> -}
> -
> -use Getopt::Long;
> -
> -GetOptions(
> -    'debug|d'        => \$opt_d,
> -    'help|h'         => \$opt_h,
> -    'profile|p=s'    => \$opt_p,
> -    'namespace|n=s'  => \$opt_n,
> -    'file|f=s'       => \$opt_f,
> -    'immediate|i'    => \$opt_i,
> -    'verbose|v'      => \$opt_v,
> -);
> -
> -if ($opt_h) {
> -    usage();
> -    exit(0);
> -}
> -
> -if ($opt_n || $opt_p) {
> -   my $test;
> -   my $prof;
> -
> -   if ($opt_n) {
> -      $prof = ":$opt_n:";
> -   }
> -
> -   $prof .= $opt_p;
> -
> -   if ($opt_f) {
> -       system("apparmor_parser", "-r", "$opt_f") == 0
> -        or _error("\'aborting could not load $opt_f\'");
> -   }
> -
> -   if ($opt_i) {
> -       _verbose("aa_change_profile(\"$prof\")");
> -       $test = LibAppArmor::aa_change_profile($prof);
> -       _debug("$test = aa_change_profile(\"$prof\"); $!");
> -   } else {
> -       _verbose("aa_change_onexec(\"$prof\")");
> -       $test = LibAppArmor::aa_change_onexec($prof);
> -       _debug("$test = aa_change_onexec(\"$prof\"); $!");
> -   }
> -
> -   if ($test != 0) {
> -       if ($!{ENOENT} || $!{EACCESS}) {
> -        my $pre = ($opt_p) ? "profile" : "namespace";
> -        _error("$pre \'$prof\' does not exist\n");
> -       } elsif ($!{EINVAL}) {
> -        _error("AppArmor interface not available\n");
> -       } else {
> -        _error("$!\n");
> -       }
> -   }
> -}
> -
> -_verbose("exec @ARGV");
> -exec @ARGV;
> 

