Re: [systemd-devel] [PATCH 1/2] Add switch_apparmor_profile helper, to switch the profile of the next command to run. This can be used to load a custom apparmor profile for a unit.
On Monday, 06 January 2014 at 03:20 +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Jan 03, 2014 at 05:22:42PM +0100, m...@zarb.org wrote:
> > From: Michael Scherer
> >
> > ---
> >  src/shared/apparmor-util.c | 15 +++
> >  src/shared/apparmor-util.h | 1 +
> >  2 files changed, 16 insertions(+)
> >
> > diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
> > index 2b85da1..a75bec4 100644
> > --- a/src/shared/apparmor-util.c
> > +++ b/src/shared/apparmor-util.c
> > @@ -39,3 +39,18 @@ bool use_apparmor(void) {
> >
> > return use_apparmor_cached;
> > }
> > +
> > +int switch_apparmor_profile(const char * profile) {
> > +_cleanup_free_ char *filename = NULL;
> > +_cleanup_fclose_ FILE *proc = NULL;
> > +
> > +if (asprintf (&filename, "/proc/%d/attr/exec", getpid()) <0)
> > +return -ENOMEM;
> > +
> > +proc = fopen (filename, "w");
> > +if (! proc)
> > +return -errno;
> > +
> > +fprintf (proc, "exec %s\n", profile);
> > +return 0;
> > +}
> This should be something like
>
> int apparmor_switch_profile(const char *profile) {
>         char *p, *t;
>
>         p = procfs_file_alloca(0, "attr/exec");
>         t = strappenda("exec ", profile);
>
>         return write_string_file(p, t);
> }
>
> Totally untested, but there's no unnecessary malloc, and there's
> a meaningful error returned if the thing most likely to fail, i.e. the
> write, actually fails.
>
I rewrote this part using libapparmor, so the new patch is simpler (I didn't send it yet; I am adding support for ignoring with '-' and doing a few more tests), so please do not merge this one :). I will also look at adding a test, but this requires kernel support to work (but I can test that this is a no-op).
-- 
Michael Scherer

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 1/2] Add switch_apparmor_profile helper, to switch the profile of the next command to run. This can be used to load a custom apparmor profile for a unit.
On Fri, Jan 03, 2014 at 05:22:42PM +0100, m...@zarb.org wrote:
> From: Michael Scherer
>
> ---
>  src/shared/apparmor-util.c | 15 +++
>  src/shared/apparmor-util.h | 1 +
>  2 files changed, 16 insertions(+)
>
> diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
> index 2b85da1..a75bec4 100644
> --- a/src/shared/apparmor-util.c
> +++ b/src/shared/apparmor-util.c
> @@ -39,3 +39,18 @@ bool use_apparmor(void) {
>
> return use_apparmor_cached;
> }
> +
> +int switch_apparmor_profile(const char * profile) {
> +_cleanup_free_ char *filename = NULL;
> +_cleanup_fclose_ FILE *proc = NULL;
> +
> +if (asprintf (&filename, "/proc/%d/attr/exec", getpid()) <0)
> +return -ENOMEM;
> +
> +proc = fopen (filename, "w");
> +if (! proc)
> +return -errno;
> +
> +fprintf (proc, "exec %s\n", profile);
> +return 0;
> +}
This should be something like

int apparmor_switch_profile(const char *profile) {
        char *p, *t;

        p = procfs_file_alloca(0, "attr/exec");
        t = strappenda("exec ", profile);

        return write_string_file(p, t);
}

Totally untested, but there's no unnecessary malloc, and there's
a meaningful error returned if the thing most likely to fail, i.e. the
write, actually fails.

> diff --git a/src/shared/apparmor-util.h b/src/shared/apparmor-util.h
> index 4b056a1..f27608d 100644
> --- a/src/shared/apparmor-util.h
> +++ b/src/shared/apparmor-util.h
> @@ -24,3 +24,4 @@
> #include
>
> bool use_apparmor(void);
> +int switch_apparmor_profile(const char * profile);
const char *profile

Zbyszek
[systemd-devel] [PATCH 1/2] Add switch_apparmor_profile helper, to switch the profile of the next command to run. This can be used to load a custom apparmor profile for a unit.
From: Michael Scherer

---
 src/shared/apparmor-util.c | 15 +++
 src/shared/apparmor-util.h | 1 +
 2 files changed, 16 insertions(+)

diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index 2b85da1..a75bec4 100644
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -39,3 +39,18 @@ bool use_apparmor(void) {

return use_apparmor_cached;
}
+
+int switch_apparmor_profile(const char * profile) {
+_cleanup_free_ char *filename = NULL;
+_cleanup_fclose_ FILE *proc = NULL;
+
+if (asprintf (&filename, "/proc/%d/attr/exec", getpid()) <0)
+return -ENOMEM;
+
+proc = fopen (filename, "w");
+if (! proc)
+return -errno;
+
+fprintf (proc, "exec %s\n", profile);
+return 0;
+}
diff --git a/src/shared/apparmor-util.h b/src/shared/apparmor-util.h
index 4b056a1..f27608d 100644
--- a/src/shared/apparmor-util.h
+++ b/src/shared/apparmor-util.h
@@ -24,3 +24,4 @@
#include

bool use_apparmor(void);
+int switch_apparmor_profile(const char * profile);
-- 
1.8.4.2
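Review bot: in the apparmor-util.c hunk the kernel's answer to the profile switch is never checked, so switch_apparmor_profile() returns 0 even when the profile is unknown or the switch is refused, and the unit then execs without the confinement it asked for while the caller believes it is confined. fprintf() only fills the stdio buffer; the actual write(2) happens when _cleanup_fclose_ closes `proc` on return, and neither fprintf's nor that fclose's result is looked at. Do the write with write(2) (or the tree's write_string_file(), as suggested in the review) and return -errno when it fails. Two smaller points in the same hunk: the kernel only accepts a write to a task's own attr/exec, so the helper has to run in the process that will exec, which deserves a comment, and /proc/self/attr/exec would remove the asprintf()/getpid() step and the -ENOMEM path; and the helper does not consult use_apparmor(), defined just above it, so either gate on it here or document that callers must.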
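Review bot: in the apparmor-util.h hunk, `const char * profile` should be `const char *profile`, as already noted in the review, to match the pointer style used elsewhere in the tree, and the new declaration documents nothing: a one-line comment stating that it returns 0 or a negative errno and must be called by the task that will exec would save callers reading the .c file.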