Merge Fix whitespace in aa_change_hat.pod and aa_stack_profile.pod
This was reported by podchecker as `*** WARNING: line containing nothing but whitespace in paragraph`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/559
Acked-by: John Johansen <john.johansen@canonical.com>
@@ -137,11 +137,11 @@ First, a simple high-level overview of aa_change_hat() use:
|
|||||||
|
|
||||||
void foo (void) {
|
void foo (void) {
|
||||||
unsigned long magic_token;
|
unsigned long magic_token;
|
||||||
|
|
||||||
/* get a random magic token value
|
/* get a random magic token value
|
||||||
from our huge entropy pool */
|
from our huge entropy pool */
|
||||||
magic_token = random_function();
|
magic_token = random_function();
|
||||||
|
|
||||||
/* change into the subprofile while
|
/* change into the subprofile while
|
||||||
* we do stuff we don't trust */
|
* we do stuff we don't trust */
|
||||||
aa_change_hat("stuff_we_dont_trust", magic_token);
|
aa_change_hat("stuff_we_dont_trust", magic_token);
|
||||||
@@ -166,20 +166,20 @@ aren't accessible after an aa_change_hat() call:
|
|||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
|
||||||
int main(int argc, char *argv[]) {
|
int main(int argc, char *argv[]) {
|
||||||
int fd;
|
int fd;
|
||||||
unsigned long tok;
|
unsigned long tok;
|
||||||
char buf[10];
|
char buf[10];
|
||||||
|
|
||||||
/* random() is a poor choice */
|
/* random() is a poor choice */
|
||||||
tok = random();
|
tok = random();
|
||||||
|
|
||||||
/* open /etc/passwd outside of any hat */
|
/* open /etc/passwd outside of any hat */
|
||||||
if ((fd=open("/etc/passwd", O_RDONLY)) < 0)
|
if ((fd=open("/etc/passwd", O_RDONLY)) < 0)
|
||||||
perror("Failure opening /etc/passwd");
|
perror("Failure opening /etc/passwd");
|
||||||
|
|
||||||
/* confirm for ourselves that we can really read /etc/passwd */
|
/* confirm for ourselves that we can really read /etc/passwd */
|
||||||
memset(&buf, 0, 10);
|
memset(&buf, 0, 10);
|
||||||
if (read(fd, &buf, 10) == -1) {
|
if (read(fd, &buf, 10) == -1) {
|
||||||
@@ -188,7 +188,7 @@ aren't accessible after an aa_change_hat() call:
|
|||||||
}
|
}
|
||||||
buf[9] = '\0';
|
buf[9] = '\0';
|
||||||
printf("/etc/passwd: %s\n", buf);
|
printf("/etc/passwd: %s\n", buf);
|
||||||
|
|
||||||
/* change hat to the "hat" subprofile, which should not have
|
/* change hat to the "hat" subprofile, which should not have
|
||||||
* read access to /etc/passwd -- even though we have a valid
|
* read access to /etc/passwd -- even though we have a valid
|
||||||
* file descriptor at the time of the aa_change_hat() call. */
|
* file descriptor at the time of the aa_change_hat() call. */
|
||||||
@@ -196,7 +196,7 @@ aren't accessible after an aa_change_hat() call:
|
|||||||
perror("Failure changing hat -- aborting");
|
perror("Failure changing hat -- aborting");
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* confirm that we cannot read /etc/passwd */
|
/* confirm that we cannot read /etc/passwd */
|
||||||
lseek(fd,0,SEEK_SET);
|
lseek(fd,0,SEEK_SET);
|
||||||
memset(&buf, 0, 10);
|
memset(&buf, 0, 10);
|
||||||
@@ -204,7 +204,7 @@ aren't accessible after an aa_change_hat() call:
|
|||||||
perror("Failure reading /etc/passwd post-hat");
|
perror("Failure reading /etc/passwd post-hat");
|
||||||
buf[9] = '\0';
|
buf[9] = '\0';
|
||||||
printf("/etc/passwd: %s\n", buf);
|
printf("/etc/passwd: %s\n", buf);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -137,12 +137,12 @@ aa_stack_profile().
|
|||||||
{
|
{
|
||||||
int fd;
|
int fd;
|
||||||
char buf[10];
|
char buf[10];
|
||||||
|
|
||||||
if ((fd=open("/etc/passwd", O_RDONLY)) < 0) {
|
if ((fd=open("/etc/passwd", O_RDONLY)) < 0) {
|
||||||
perror("Failure opening /etc/passwd");
|
perror("Failure opening /etc/passwd");
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Verify that we can read /etc/passwd */
|
/* Verify that we can read /etc/passwd */
|
||||||
memset(&buf, 0, 10);
|
memset(&buf, 0, 10);
|
||||||
if (read(fd, &buf, 10) == -1) {
|
if (read(fd, &buf, 10) == -1) {
|
||||||
@@ -153,19 +153,19 @@ aa_stack_profile().
|
|||||||
printf("/etc/passwd: %s\n", buf);
|
printf("/etc/passwd: %s\n", buf);
|
||||||
close(fd);
|
close(fd);
|
||||||
}
|
}
|
||||||
|
|
||||||
int main(int argc, char * argv[])
|
int main(int argc, char * argv[])
|
||||||
{
|
{
|
||||||
printf("Before aa_stack_profile():\n");
|
printf("Before aa_stack_profile():\n");
|
||||||
read_passwd();
|
read_passwd();
|
||||||
|
|
||||||
/* stack the "i_cant_be_trusted_anymore" profile, which
|
/* stack the "i_cant_be_trusted_anymore" profile, which
|
||||||
* should not have read access to /etc/passwd. */
|
* should not have read access to /etc/passwd. */
|
||||||
if (aa_stack_profile("i_cant_be_trusted_anymore") < 0) {
|
if (aa_stack_profile("i_cant_be_trusted_anymore") < 0) {
|
||||||
perror("Failure changing profile -- aborting");
|
perror("Failure changing profile -- aborting");
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
printf("After aa_stack_profile():\n");
|
printf("After aa_stack_profile():\n");
|
||||||
read_passwd();
|
read_passwd();
|
||||||
_exit(0);
|
_exit(0);
|
||||||
|