This is the only language-dependent nontrivial portion of the SWIG
bindings, and this should be good enough for anyone who is still using the
Perl bindings now
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The message being optional is apparently a C23 thing that was available as an extension on the systems I tested on previously
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The previous code using intmax_t failed to build on armhf because
intmax_t was long long int instead of long int on that platform.
As to shrinking down to a long: not only does SWIG lack a
SWIG_AsVal_intmax_t, but aalogparse also assumes PIDs fit in a long
by storing them as unsigned longs in aa_log_record. Thus, we can
assume that sizeof(pid_t) <= sizeof(long) right now and deal with
the big headache that a change to pid_t would cause if it becomes
larger than a long in the future.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Unfortunately we are affected by the backwards-incompatible change introduced by https://github.com/swig/swig/pull/2907
These wrappers will be needed to fix tests on systems using SWIG 4.3 or later, e.g. Ubuntu Plucky.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The prefix can be done in higher-level languages via slicing and having an explicit length exposes an out-of-bounds memory read footgun to those higher level languages
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Surprisingly, SWIG did not pick up the "typedef int pid_t" from the C headers.
As such, we need to provide our own wrapper. We don't just replicate the typdef
because we still support systems that have 16-bit PIDs.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
In Python, return status is signalled by exceptions (or lack thereof)
instead of int. Keep the typemap portable for any other languages we may
add in the future.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This includes a custom typemap to handle (char **label, char **mode)
pairs and a cstring_output_allocate declaration for char **mnt.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This is one of those functions that never worked anyways, because it
modified the passed-in label in place. Moreover, it is a low-level
interface that requires its callers to manually construct a binary query.
As such, it would be better not to expose it and to add wrappers like
aa_query_file_path for the other query classes if that functionality is
needed later.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
It doesn't make sense to expose the *_raw functions or the varg version
of aa_change_hatv to higher-level languages. While technically a breaking
change, the generated bindings for these functions never actually worked
anyways:
- aa_change_hat_vargs uses C varargs, which SWIG passes in NULL for by
default. It does not attempt to process the passed-in arguments at all
(and in fact caused an unused-argument compiler warning when compiling
the generated bindings).
- aa_getprocattr_raw and aa_getpeercon_raw both place output into a char
**mode pointer. SWIG by default generates these as opaque pointer
object arguments, rendering them unusable for getting output. Future
patches would be needed to fix char** arguments for the other functions
that use them. Moreover, these functions expect their caller to handle
memory allocation, which is also not possible from a higher-level
language point of view.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Swig generates a "thisown" attribute, which is an escape hatch in case
higher-level code does something weird and needs to tell SWIG whether to
free the C object when Python garbage collects it. Adding this attribute
is not a breaking change w.r.t access to the other attributes of the parsed
record.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Unfortunately SWIG_exception does not support throwing OSError, so this
still requires Python-specific code.
Unlike just returning NULL, this will clean up intermediate allocations.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This change matches the names in the .c source and the man page for aa_query_label,
and also simplifies the typemap annotations needed to make the SWIG versions usable.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Based on the existing implementations of aa_change_profile(2) and
aa_change_onexec(2).
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Only use the special %exception directive for functions that return a
negative int and set errno upon error.
This prevents, for example, _aa_is_blacklisted() from raising an
exception when it returns -1. This is important because it doesn't set
errno so an exception based on the value of errno would be
unpredictable.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
When is_blacklisted() was internal to the parser, it would print an
error message when encountering some file names. If the path parameter
was non-null, the error message would include the file path instead of
the file name.
Now that the function has been moved to libapparmor, callers are
expected to print the appropriate error message if _aa_is_blacklisted()
returns -1. Since the error message printing no longer occurs inside of
_aa_is_blacklisted(), the path parameter can be removed.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Adjust the libapparmor function prototypes, variable names, and comments
that incorrectly used the name "con" when referring to the label.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Current libapparmor python bindings are very "unpythonic". Also lack
ability to access "why" information in case of failure.
In python when something fail the normal behaviour is exception
to occur. In case of apparmor functions die silently and require
user to verify returned value.
And here comes second problem. In C api when return value is -1
(and the same value is returned in python API) we can access errno
to get information why this occured. Unfortunately in python there
is no way to access the same information. Pythonic way of accessing
errno is via exception (which is never raised in python bindings
currently).
So the patch adds exceptions on failures. First %exception creates
a wrapper that swig adds to each function listed below. Empty %exception
causes that the rest of code (beside listed functions) won't be wrapped.
How this works? Example on apparmor disabled system:
Before:
>>> LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
-1
After:
>>> LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
so pythonic way of accessing "why":
>>> try:
... LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
... except OSError, e:
... print e.errno
...
22
Signed-off-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch moves the apparmor.h and aalogparse.h headers
from the libapparmor/src/ directory to a new directory
libapparmor/include/. The apparmor.h header is stored in a sys/
directory within libapparmor/include/ to match its usual install
location in /usr/include/sys/, simplifying the #include statements of
source that wishes to include either the in-tree or system installed
version of the header (i.e. #include <sys/apparmor.h> can be used
everywhere).
The patch size is inflated by the movements of the header files, which
are unchanged except for their locations. Otherwise, the rest of the
changes are to modify the include search path or to stop looking in
$CWD for one of the headers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Add an interface for trusted applications to use when they need to query
AppArmor kernel policy to determine if an action should be allowed.
This is a simplified interface that tries to make it as easy as possible
for applications to use. They provide a permissions mask and query
string and they get a pair of booleans back that let them know if the
action should be allowed and/or audited.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parameter names are slightly different in the two functions. Rename
buffer to buf and rename size to len to make the two function prototypes
look similar.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
functions
The functions that return the confinement information of a peer socket
connection should parse and return the mode like the task-based
functions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
