binutils: Replace Perl aa-exec with C aa-exec

Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
binutils/, and point the regression test to the C based aa-exec in
binutils/.

Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. It encouraged running programs as root,
since root privileges were required to load the specified profile.

All other features of the Perl aa-exec are present in the C aa-exec.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

binutils/Makefile

@@ -20,7 +20,7 @@ include $(COMMONDIR)/Make.rules
 DESTDIR=/
 BINDIR=${DESTDIR}/usr/bin
 LOCALEDIR=/usr/share/locale
-MANPAGES=aa-enabled.8
+MANPAGES=aa-enabled.8 aa-exec.8
 
 WARNINGS = -Wall
 EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter

tests/regression/apparmor/Makefile

@@ -52,12 +52,12 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
 ************************************************************************${nl})
   endif
 
-  UTILS_SRC := ../../../utils
+  BINUTILS_SRC := ../../../binutils
-  AA_EXEC = $(UTILS_SRC)/aa-exec
+  AA_EXEC = $(BINUTILS_SRC)/aa-exec
   ifeq ($(realpath $(AA_EXEC)),)
         AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
 ************************************************************************${nl}\
-$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
+$(AA_EXEC) is missing; either build the $(BINUTILS_SRC) directory${nl}\
 and then try again (see the top-level README for help) or use the${nl}\
 system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
 ************************************************************************${nl})

tests/regression/apparmor/uservars.inc.source

@@ -14,4 +14,4 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
 sys_profiles=/sys/kernel/security/apparmor/profiles
 
 # 5. Location of aa-exec
-aa_exec=${PWD}/../../../utils/aa-exec
+aa_exec=${PWD}/../../../binutils/aa-exec

utils/Makefile

@@ -20,7 +20,7 @@ COMMONDIR=../common/
 
 include $(COMMONDIR)/Make.rules
 
-PERLTOOLS = aa-exec aa-notify
+PERLTOOLS = aa-notify
 PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \
           aa-autodep aa-audit aa-complain aa-enforce aa-disable \
 	  aa-status aa-unconfined

utils/aa-exec

@@ -1,122 +0,0 @@
-#!/usr/bin/perl
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2011-2013 Canonical Ltd.
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-use strict;
-use warnings;
-use Errno;
-
-require LibAppArmor;
-require POSIX;
-
-my $opt_d = '';
-my $opt_h = '';
-my $opt_p = '';
-my $opt_n = '';
-my $opt_i = '';
-my $opt_v = '';
-my $opt_f = '';
-
-sub _warn {
-    my $msg = $_[0];
-    print STDERR "aa-exec: WARN: $msg\n";
-}
-sub _error {
-    my $msg = $_[0];
-    print STDERR "aa-exec: ERROR: $msg\n";
-    exit 1
-}
-
-sub _debug {
-    $opt_d or return;
-    my $msg = $_[0];
-    print STDERR "aa-exec: DEBUG: $msg\n";
-}
-
-sub _verbose {
-    $opt_v or return;
-    my $msg = $_[0];
-    print STDERR "$msg\n";
-}
-
-sub usage() {
-    my $s = <<'EOF';
-USAGE: aa-exec [OPTIONS] <prog> <args>
-
-Confine <prog> with the specified PROFILE.
-
-OPTIONS:
-  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
-  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
-  -f FILE, --file FILE		profile file to load
-  -i, --immediate		change profile immediately instead of at exec
-  -v, --verbose			show messages with stats
-  -h, --help			display this help
-
-EOF
-    print $s;
-}
-
-use Getopt::Long;
-
-GetOptions(
-    'debug|d'        => \$opt_d,
-    'help|h'         => \$opt_h,
-    'profile|p=s'    => \$opt_p,
-    'namespace|n=s'  => \$opt_n,
-    'file|f=s'       => \$opt_f,
-    'immediate|i'    => \$opt_i,
-    'verbose|v'      => \$opt_v,
-);
-
-if ($opt_h) {
-    usage();
-    exit(0);
-}
-
-if ($opt_n || $opt_p) {
-   my $test;
-   my $prof;
-
-   if ($opt_n) {
-      $prof = ":$opt_n:";
-   }
-
-   $prof .= $opt_p;
-
-   if ($opt_f) {
-       system("apparmor_parser", "-r", "$opt_f") == 0
-	   or _error("\'aborting could not load $opt_f\'");
-   }
-
-   if ($opt_i) {
-       _verbose("aa_change_profile(\"$prof\")");
-       $test = LibAppArmor::aa_change_profile($prof);
-       _debug("$test = aa_change_profile(\"$prof\"); $!");
-   } else {
-       _verbose("aa_change_onexec(\"$prof\")");
-       $test = LibAppArmor::aa_change_onexec($prof);
-       _debug("$test = aa_change_onexec(\"$prof\"); $!");
-   }
-
-   if ($test != 0) {
-       if ($!{ENOENT} || $!{EACCESS}) {
-	   my $pre = ($opt_p) ? "profile" : "namespace";
-	   _error("$pre \'$prof\' does not exist\n");
-       } elsif ($!{EINVAL}) {
-	   _error("AppArmor interface not available\n");
-       } else {
-	   _error("$!\n");
-       }
-   }
-}
-
-_verbose("exec @ARGV");
-exec @ARGV;