[apparmor] [PATCH v2 5/6] utils: Replace Perl aa-exec with C aa-exec

2015-12-16 Thread Tyler Hicks
Remove the Perl aa-exec implementation, move the aa-exec(8) man page to binutils/, and point the regression test to the C based aa-exec in binutils/. Note that the new C aa-exec does not implement the --file option which was present in the Perl aa-exec. It encouraged running programs as root, sinc

[apparmor] [PATCH v2 4/6] utils: Add the --namespace option to C based aa-exec

2015-12-16 Thread Tyler Hicks
Switch to the policy in the namespace specified by the --namespace option. Signed-off-by: Tyler Hicks --- binutils/aa_exec.c | 55 +- 1 file changed, 46 insertions(+), 9 deletions(-) diff --git a/binutils/aa_exec.c b/binutils/aa_exec.c index 9

[apparmor] [PATCH v2 6/6] utils: Remove --file option from aa-exec(8) man page

2015-12-16 Thread Tyler Hicks
The new C based aa-exec does not implement the --file option. Signed-off-by: Tyler Hicks Acked-by: John Johansen --- binutils/aa-exec.pod | 4 1 file changed, 4 deletions(-) diff --git a/binutils/aa-exec.pod b/binutils/aa-exec.pod index 58dedb2..14f0429 100644 --- a/binutils/aa-exec.pod +

[apparmor] [PATCH v2 1/6] tests: Add regression tests for aa-exec

2015-12-16 Thread Tyler Hicks
Add regression tests for the --profile, --namespace, and --immediate options of aa-exec. A new variable is added to uservars.inc to point to the in-tree or system aa-exec depending on the presence of the USE_SYSTEM=1 make variable at build time. Signed-off-by: Tyler Hicks --- tests/regression/a

[apparmor] [PATCH v2 0/6] Rewrite aa-exec in C

2015-12-16 Thread Tyler Hicks
This patch set creates regression tests for aa-exec and rewrites aa-exec in C rather than Perl. The main reason behind the rewrite is that aa-exec is becoming a widely used utility that has its place on even the most minimal of Linux images and Perl is falling out of favor in some of those environm

[apparmor] [PATCH v2 2/6] utils: Initial implementation of aa-exec in C

2015-12-16 Thread Tyler Hicks
Create a simple aa-exec implementation, written in C, matching the --help, --debug, --verbose, and --profile options present in the current Perl implementation. The new aa-exec sources reside in the binutils/ directory. Signed-off-by: Tyler Hicks --- binutils/Makefile | 9 ++- binutils/aa_ex

[apparmor] [PATCH v2 3/6] utils: Add --immediate option to C based aa-exec

2015-12-16 Thread Tyler Hicks
Call aa_change_profile(), instead of aa_change_onexec(), when --immediate is passed in. Signed-off-by: Tyler Hicks --- binutils/aa_exec.c | 18 -- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/binutils/aa_exec.c b/binutils/aa_exec.c index a6a6008..9bcd62f 100644

Re: [apparmor] [PATCH] binutils: Install to /bin instead of /sbin

2015-12-16 Thread Tyler Hicks
On 2015-12-16 20:30:23, Tyler Hicks wrote: > aa-enabled should live in /bin, rather than /sbin, since it requires no > root privileges. I'm on the fence about whether aa-enabled, and eventually aa-exec, should live in /bin or /usr/bin. libapparmor is in /lib (at least that's true in Ubuntu) so I

[apparmor] [PATCH] binutils: Install to /bin instead of /sbin

2015-12-16 Thread Tyler Hicks
aa-enabled should live in /bin, rather than /sbin, since it requires no root privileges. Signed-off-by: Tyler Hicks --- binutils/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/binutils/Makefile b/binutils/Makefile index fc6a8f3..3b99c3e 100644 --- a/binutils/Ma

[apparmor] [PATCH] binutils: Remove distro install targets from Makefile

2015-12-16 Thread Tyler Hicks
Clean up the Makefile by removing distro-related install targets. These should not be needed. Signed-off-by: Tyler Hicks --- binutils/Makefile | 46 +- 1 file changed, 1 insertion(+), 45 deletions(-) diff --git a/binutils/Makefile b/binutils/Makefile

Re: [apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread Tyler Hicks
On 2015-12-16 15:21:46, John Johansen wrote: > On 12/16/2015 03:17 PM, Tyler Hicks wrote: > > On 2015-12-16 23:46:23, Christian Boltz wrote: > >> Hello, > >> > >> On Wednesday, 16 December 2015, Tyler Hicks wrote: > >>> diff --git a/README b/README > >>> index 4ebd25d..4797b78 100644 > >>> --- a/R

[apparmor] Pending patches

2015-12-16 Thread Christian Boltz
Hello, after the patch reviews done in the last days (thanks!), the following patches are still pending. Most of them are Acked-by , but I'd prefer a real review ;-) Just as a hint - some of the patches are very easy to review, so pick one or two quickly before someone else does ;-) ==> 21-c

Re: [apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread John Johansen
On 12/16/2015 03:17 PM, Tyler Hicks wrote: > On 2015-12-16 23:46:23, Christian Boltz wrote: >> Hello, >> >> On Wednesday, 16 December 2015, Tyler Hicks wrote: >>> diff --git a/README b/README >>> index 4ebd25d..4797b78 100644 >>> --- a/README >>> +++ b/README >> >>> @@ -104,7 +112,7 @@ $ make chec

Re: [apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread Tyler Hicks
On 2015-12-16 23:46:23, Christian Boltz wrote: > Hello, > > On Wednesday, 16 December 2015, Tyler Hicks wrote: > > diff --git a/README b/README > > index 4ebd25d..4797b78 100644 > > --- a/README > > +++ b/README > > > @@ -104,7 +112,7 @@ $ make check# depends on the parser having been > > bu

Re: [apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread Christian Boltz
Hello, On Wednesday, 16 December 2015, Tyler Hicks wrote: > diff --git a/README b/README > index 4ebd25d..4797b78 100644 > --- a/README > +++ b/README > @@ -104,7 +112,7 @@ $ make check # depends on the parser having been > built first $ make install > > > -[Note that for the parser and t

[apparmor] [PATCH] utils: Don't read apparmorfs/profiles when checking enabled status

2015-12-16 Thread Tyler Hicks
`sudo aa-status --enabled` was exiting with error code '2' when AppArmor was enabled but no profiles were loaded. However, the intent of the command is to check if AppArmor is enabled and whether or not a profile is loaded should not affect the exit code. This patch adjusts the logic so that the la

[apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread Tyler Hicks
From: John Johansen The new aa-enabled program can be used as a barebones replacement for `aa-status --enabled`. It is written in C, rather than Python, which keeps its dependencies to a minimum. By default, aa-enabled prints a human-readable status of AppArmor's availability to stdout. It suppo

Re: [apparmor] aa-enabled

2015-12-16 Thread Tyler Hicks
On 2015-12-16 08:34:20, John Johansen wrote: > On 12/16/2015 08:13 AM, Tyler Hicks wrote: > > On 2015-12-16 14:07:53, Christian Boltz wrote: > >> Hello, > >> > >> On Tuesday, 15 December 2015, Seth Arnold wrote: > >>> On Tue, Dec 15, 2015 at 06:41:48PM -0600, Tyler Hicks wrote: > > + i

Re: [apparmor] aa-enabled

2015-12-16 Thread John Johansen
On 12/16/2015 08:13 AM, Tyler Hicks wrote: > On 2015-12-16 14:07:53, Christian Boltz wrote: >> Hello, >> >> On Tuesday, 15 December 2015, Seth Arnold wrote: >>> On Tue, Dec 15, 2015 at 06:41:48PM -0600, Tyler Hicks wrote: > + if (!quiet) { > + switch(err) { > + case E

Re: [apparmor] aa-enabled

2015-12-16 Thread Tyler Hicks
On 2015-12-16 14:07:53, Christian Boltz wrote: > Hello, > > On Tuesday, 15 December 2015, Seth Arnold wrote: > > On Tue, Dec 15, 2015 at 06:41:48PM -0600, Tyler Hicks wrote: > > > > + if (!quiet) { > > > > + switch(err) { > > > > + case ENOSYS: > > > > +

Re: [apparmor] aa-enabled

2015-12-16 Thread Christian Boltz
Hello, On Tuesday, 15 December 2015, Seth Arnold wrote: > On Tue, Dec 15, 2015 at 06:41:48PM -0600, Tyler Hicks wrote: > > > + if (!quiet) { > > > + switch(err) { > > > + case ENOSYS: > > > + printf(_("No - not available on this system.\n")); > > > +

Re: [apparmor] [PATCH] utils: Use apparmor.fail for AppArmorException handling in aa-easyprof

2015-12-16 Thread Christian Boltz
Hello, On Tuesday, 15 December 2015, Tyler Hicks wrote: > Don't catch AppArmorExceptions in aa-easyprof any longer and rely on > apparmor.fail to print the exception to stderr. > > Signed-off-by: Tyler Hicks This change will also make importing AppArmorException superfluous (which means make