libapparmor: Add aa_splitcon() public function

Create a new libapparmor public function that allows external code to
split an AppArmor confinement context.

This is immediately useful for code that retrieves a D-Bus peer's
AppArmor confinement context using the
org.freedesktop.DBus.GetConnectionCredentials bus method.

https://launchpad.net/bugs/1430532

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

libraries/libapparmor/doc/Makefile.am

@@ -5,9 +5,9 @@ PODCHECKER = podchecker
 
 if ENABLE_MAN_PAGES
 
-man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2
+man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2 aa_splitcon.3
 
-PODS = $(subst .2,.pod,$(man_MANS))
+PODS = $(subst .2,.pod,$(man_MANS)) $(subst .3,.pod,$(man_MANS))
 
 EXTRA_DIST = $(man_MANS) $(PODS)
 
@@ -23,4 +23,13 @@ CLEANFILES = $(man_MANS)
 		--stderr \
 		$< > $@
 
+%.3: %.pod
+	$(PODCHECKER) -warnings -warnings $<
+	$(POD2MAN) \
+		--section=3 \
+		--release="AppArmor $(VERSION)" \
+		--center="AppArmor" \
+		--stderr \
+		$< > $@
+
 endif

libraries/libapparmor/doc/aa_getcon.pod

@@ -131,7 +131,7 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
-L<http://wiki.apparmor.net>.
+aa_splitcon(3) and L<http://wiki.apparmor.net>.
 
 =cut

libraries/libapparmor/doc/aa_splitcon.pod

@@ -0,0 +1,65 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_splitcon - split the confinement context into a label and mode
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<char *aa_splitcon(char *con, char **mode);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_splitcon() function splits a confinement context into separate label
+and mode strings. The @con string is modified so that the label portion is NUL
+terminated. The enforcement mode is also NUL terminated and the parenthesis
+surrounding the mode are removed. If @mode is non-NULL, it will point to the
+first character in the enforcement mode string on success.
+
+=head1 RETURN VALUE
+
+Returns a pointer to the first character in the label string. NULL is returned
+on error.
+
+=head1 EXAMPLE
+
+ Context                        Label               Mode 
+ -----------------------------  ------------------  -------
+ unconfined                     unconfined          NULL
+ /bin/ping (enforce)            /bin/ping           enforce
+ /usr/sbin/rsyslogd (complain)  /usr/sbin/rsyslogd  complain
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa_getcon(2) and L<http://wiki.apparmor.net>.
+
+=cut

libraries/libapparmor/include/sys/apparmor.h

@@ -58,6 +58,7 @@ extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
 
+extern char *aa_splitcon(char *con, char **mode);
 /* Protypes for introspecting task confinement
  * Please see the aa_getcon(2) manpage for information
  */

libraries/libapparmor/src/kernel.c

@@ -208,6 +208,23 @@ out:
 	return label;
 }
 
+/**
+ * aa_splitcon - split the confinement context into a label and mode
+ * @con: the confinement context
+ * @mode: if non-NULL and a mode is present, will point to mode string in @con
+ *  on success
+ *
+ * Modifies the @con string to split it into separate label and mode strings.
+ * The @mode argument is optional. If @mode is NULL, @con will still be split
+ * between the label and mode (if present) but @mode will not be set.
+ *
+ * Returns: a pointer to the label string or NULL on error
+ */
+char *aa_splitcon(char *con, char **mode)
+{
+	return splitcon(con, strlen(con), mode);
+}
+
 /**
  * aa_getprocattr_raw - get the contents of @attr for @tid into @buf
  * @tid: tid of task to query

libraries/libapparmor/src/libapparmor.map

@@ -80,6 +80,7 @@ APPARMOR_2.10 {
         aa_policy_cache_create;
         aa_policy_cache_remove;
         aa_policy_cache_replace_all;
+        aa_splitcon;
   local:
         *;
 } APPARMOR_2.9;