mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00

Compare commits


31 Commits

Author SHA1 Message Date
John Johansen
2d31f4dbc4 merge -r 1158 - fix fatal errors so that they have an exit with an exit code
of 127
2008-03-28 07:19:57 +00:00
John Johansen
ee8e0b66bc merge over -r 1156 update of the ptrace regression tests 2008-03-27 17:30:09 +00:00
John Johansen
bbe9d667f7 Merge over r1117 making the longpath test a default test done 2008-03-27 01:22:28 +00:00
John Johansen
10edcd1a70 merge over r1151 - fix to exex.sh test to allow it to run on 64 bit
platforms where there is a /lib64
2008-03-27 01:15:20 +00:00
John Johansen
8ce5b856e4 Backport setattr fix that fixes a bug where fuse unconditionally uses
the ia_file if present, which is a problem for special files.
2008-03-19 15:47:34 +00:00
John Johansen
ad02836ede merge over revision 1115 - add missing sysctl files 2008-03-08 03:07:56 +00:00
John Johansen
d6c3414323 Fix bug where log parsing could not handle append (a) and lock (k) perms.
Also rework mode parsing to include x modifier placement restrictions
2008-02-26 04:43:55 +00:00
John Johansen
ee16add79d update base opera profile 2008-02-19 10:30:52 +00:00
John Johansen
3fbbd135a6 merge over fix from r1075 - fix init script so that it doesn't result in a regex with a null alternation ie. |apparmor 2008-02-19 10:15:30 +00:00
John Johansen
cd18ed811b merge over fix from r1074 - update init functions to work with the apparmor module being a built in to the kernel 2008-02-19 10:13:24 +00:00
John Johansen
0a41b283f2 add missing link_subset test 2008-02-18 11:20:41 +00:00
John Johansen
a01af6df93 bump release version to 2.1.2 2008-02-15 06:17:57 +00:00
John Johansen
fb27600681 add patches to support unionfs in apparmor 2.1 kernel 2008-02-15 06:14:01 +00:00
John Johansen
74dfd04db2 Update profiles for bugs that have been reported by various people 2008-02-15 05:44:35 +00:00
John Johansen
004a646010 Fix setting the apparmor enabled flag at boot. 2008-02-15 05:37:07 +00:00
John Johansen
5d90f3763e Add patch from S.Çağlar Onur, to enable apparmor_status to work when module is
built into kernel
2008-02-15 04:50:48 +00:00
John Johansen
6263944095 Add description of append, lock and network rules to man page 2008-02-15 04:49:14 +00:00
John Johansen
ad6613c960 Add patch series for 2.6.24 kernel, remove old for-mainline series
Patch series refreshed against 2.6.24 +
- fix-rcu-deref.diff: change way rcu cast is done
- fix-name-errorpath.diff: fix bug in failed pathname reporting
- fix-net.diff: fix bug in network mediation
- apparmor-fix-sysctl-refcount.diff - fix ref count bug in sysctl mediation
- apparmor-bootdisable.diff - allow apparmor to be disabled at boot
- apparmor-builtin-only.diff - apparmor as a builtin only
- split_init.diff - split apparmor initialization into early & apparmorfs
2008-02-08 06:11:09 +00:00
John Johansen
7fd451d28b Make rpc-xml optional (only needed if repository is used) 2008-01-30 00:03:31 +00:00
John Johansen
81dd6df013 update .spec %changes 2008-01-25 09:35:09 +00:00
John Johansen
31c01e7af3 update parser .spec change log 2008-01-25 00:50:25 +00:00
John Johansen
108fd60aad bump revision to 2.1.1 2008-01-24 23:40:19 +00:00
John Johansen
76d1e01919 Fix parser to be able to load policy for multiple versions of AppArmor.
2_0 AppArmor before match string (pcre)
2_0 AppArmor with match string (pcre & dfa)
2_1 AppArmor with match string (dfa)
   - includes SLES10-SP2 variant with 2_0 semantics
2008-01-24 23:38:55 +00:00
John Johansen
c35a417dee copy updated 2_1 tests over from main branch 2007-12-23 01:19:21 +00:00
John Johansen
50d62e88a5 remove the tests from 2_1 branch as they were not properly updated for 2_1 2007-12-23 01:18:25 +00:00
John Johansen
b6eaf32985 Move deprecated code into the deprecated branch 2007-11-13 08:33:09 +00:00
Dominic Reynolds
804e4b424c (Merged from trunk -r1015)
Added handling to correctly check the result of the profile development
run and reset the profile mode to enforce when the profile development
run exits without an error.
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328045
2007-11-06 18:24:32 +00:00
Dominic Reynolds
5ea383712c (Merged from trunk -r1014)
Ignore complain flags when up|down loading profiles to|from the
repository. This makes the repository agnostic to profile mode
(complain/enforce) - users must manage this locally via
aa-complain/aa-enforce.
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328033
2007-11-06 18:23:30 +00:00
Dominic Reynolds
47bb365c0a (Merged from trunk -r 1013)
Modified code to check the repository for new profile when:
   - processing an unknown hat/execute rejection if it's not already in
     the profile
   - at the start of processing all the remaining events for the profile
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328707
2007-11-06 18:22:03 +00:00
Dominic Reynolds
bf10352fad (Merged from trunk)
Updated regex used to detect syslog messages (from bug reported against
Ubuntu gutsy)
2007-11-06 18:10:21 +00:00
Dominic Reynolds
03e0d482d3 Maintenance branch for AppArmor 2.1 2007-10-18 02:41:45 +00:00
3559 changed files with 194768 additions and 208166 deletions


@@ -1,187 +0,0 @@
apparmor-*
parser/po/*.mo
parser/af_names.h
parser/cap_names.h
parser/tst_lib
parser/tst_misc
parser/tst_regex
parser/tst_symtab
parser/tst_variable
parser/tst/simple_tests/generated_*/*
parser/parser_lex.c
parser/parser_version.h
parser/parser_yacc.c
parser/parser_yacc.h
parser/pod2htm*.tmp
parser/*.7
parser/*.5
parser/*.8
parser/*.7.html
parser/*.5.html
parser/*.8.html
parser/apparmor_parser
parser/libapparmor_re/parse.cc
parser/libapparmor_re/regexp.cc
parser/techdoc.aux
parser/techdoc.log
parser/techdoc.pdf
parser/techdoc.toc
profiles/apparmor.d/local/*.*
libraries/libapparmor/Makefile
libraries/libapparmor/Makefile.in
libraries/libapparmor/aclocal.m4
libraries/libapparmor/audit.log
libraries/libapparmor/autom4te.cache
libraries/libapparmor/compile
libraries/libapparmor/config.guess
libraries/libapparmor/config.log
libraries/libapparmor/config.status
libraries/libapparmor/config.sub
libraries/libapparmor/configure
libraries/libapparmor/depcomp
libraries/libapparmor/install-sh
libraries/libapparmor/libtool
libraries/libapparmor/ltmain.sh
libraries/libapparmor/missing
libraries/libapparmor/test-driver
libraries/libapparmor/ylwrap
libraries/libapparmor/doc/Makefile
libraries/libapparmor/doc/Makefile.in
libraries/libapparmor/doc/*.2
libraries/libapparmor/doc/aa_*.3
libraries/libapparmor/include/Makefile
libraries/libapparmor/include/Makefile.in
libraries/libapparmor/include/sys/Makefile
libraries/libapparmor/include/sys/Makefile.in
libraries/libapparmor/src/.deps
libraries/libapparmor/src/.libs
libraries/libapparmor/src/Makefile
libraries/libapparmor/src/Makefile.in
libraries/libapparmor/src/af_protos.h
libraries/libapparmor/src/change_hat.lo
libraries/libapparmor/src/features.lo
libraries/libapparmor/src/grammar.lo
libraries/libapparmor/src/kernel.lo
libraries/libapparmor/src/kernel_interface.lo
libraries/libapparmor/src/libaalogparse.lo
libraries/libapparmor/src/libimmunix_warning.lo
libraries/libapparmor/src/policy_cache.lo
libraries/libapparmor/src/private.lo
libraries/libapparmor/src/scanner.lo
libraries/libapparmor/src/libapparmor.pc
libraries/libapparmor/src/libapparmor.la
libraries/libapparmor/src/libimmunix.la
libraries/libapparmor/src/grammar.c
libraries/libapparmor/src/grammar.h
libraries/libapparmor/src/scanner.c
libraries/libapparmor/src/scanner.h
libraries/libapparmor/src/tst_aalogmisc
libraries/libapparmor/swig/Makefile
libraries/libapparmor/swig/Makefile.in
libraries/libapparmor/swig/perl/LibAppArmor.bs
libraries/libapparmor/swig/perl/LibAppArmor.pm
libraries/libapparmor/swig/perl/Makefile
libraries/libapparmor/swig/perl/Makefile.PL
libraries/libapparmor/swig/perl/Makefile.in
libraries/libapparmor/swig/perl/Makefile.perl
libraries/libapparmor/swig/perl/Makefile.perle
libraries/libapparmor/swig/perl/MYMETA.json
libraries/libapparmor/swig/perl/MYMETA.yml
libraries/libapparmor/swig/perl/blib
libraries/libapparmor/swig/perl/libapparmor_wrap.c
libraries/libapparmor/swig/perl/pm_to_blib
libraries/libapparmor/swig/python/LibAppArmor.py
libraries/libapparmor/swig/python/build/
libraries/libapparmor/swig/python/libapparmor_wrap.c
libraries/libapparmor/swig/python/Makefile
libraries/libapparmor/swig/python/Makefile.in
libraries/libapparmor/swig/python/setup.py
libraries/libapparmor/swig/python/test/Makefile
libraries/libapparmor/swig/python/test/Makefile.in
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
libraries/libapparmor/testsuite/.deps
libraries/libapparmor/testsuite/.libs
libraries/libapparmor/testsuite/Makefile
libraries/libapparmor/testsuite/Makefile.in
libraries/libapparmor/testsuite/libaalogparse.log
libraries/libapparmor/testsuite/libaalogparse.sum
libraries/libapparmor/testsuite/site.exp
libraries/libapparmor/testsuite/test_multi.multi
libraries/libapparmor/testsuite/config/Makefile
libraries/libapparmor/testsuite/config/Makefile.in
libraries/libapparmor/testsuite/lib/Makefile
libraries/libapparmor/testsuite/lib/Makefile.in
libraries/libapparmor/testsuite/libaalogparse.test/Makefile
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
libraries/libapparmor/testsuite/test_multi/out
changehat/mod_apparmor/.libs
utils/*.8
utils/*.8.html
utils/*.5
utils/*.5.html
utils/*.tmp
utils/po/*.mo
tests/regression/apparmor/access
tests/regression/apparmor/changehat
tests/regression/apparmor/changehat_fail
tests/regression/apparmor/changehat_fork
tests/regression/apparmor/changehat_misc
tests/regression/apparmor/changehat_misc2
tests/regression/apparmor/changehat_pthread
tests/regression/apparmor/changehat_twice
tests/regression/apparmor/changehat_wrapper
tests/regression/apparmor/changeprofile
tests/regression/apparmor/chdir
tests/regression/apparmor/chgrp
tests/regression/apparmor/chmod
tests/regression/apparmor/chown
tests/regression/apparmor/clone
tests/regression/apparmor/deleted
tests/regression/apparmor/env_check
tests/regression/apparmor/environ
tests/regression/apparmor/exec
tests/regression/apparmor/exec_qual
tests/regression/apparmor/exec_qual2
tests/regression/apparmor/fchdir
tests/regression/apparmor/fchgrp
tests/regression/apparmor/fchmod
tests/regression/apparmor/fchown
tests/regression/apparmor/fork
tests/regression/apparmor/link
tests/regression/apparmor/link_subset
tests/regression/apparmor/mkdir
tests/regression/apparmor/mmap
tests/regression/apparmor/mount
tests/regression/apparmor/named_pipe
tests/regression/apparmor/net_raw
tests/regression/apparmor/open
tests/regression/apparmor/openat
tests/regression/apparmor/pipe
tests/regression/apparmor/ptrace
tests/regression/apparmor/ptrace_helper
tests/regression/apparmor/pwrite
tests/regression/apparmor/readdir
tests/regression/apparmor/rename
tests/regression/apparmor/rw
tests/regression/apparmor/swap
tests/regression/apparmor/symlink
tests/regression/apparmor/syscall_chroot
tests/regression/apparmor/syscall_mknod
tests/regression/apparmor/syscall_mlockall
tests/regression/apparmor/syscall_ptrace
tests/regression/apparmor/syscall_reboot
tests/regression/apparmor/syscall_setdomainname
tests/regression/apparmor/syscall_sethostname
tests/regression/apparmor/syscall_setpriority
tests/regression/apparmor/syscall_setscheduler
tests/regression/apparmor/syscall_sysctl
tests/regression/apparmor/sysctl_proc
tests/regression/apparmor/tcp
tests/regression/apparmor/unix_fd_client
tests/regression/apparmor/unix_fd_server
tests/regression/apparmor/unlink
tests/regression/apparmor/xattrs
tests/regression/apparmor/coredump
**/__pycache__/
*.orig
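Review bot: the whole ignore list is dropped with nothing replacing it, so every generated file the build writes into the tree (parser/parser_lex.c, parser/parser_yacc.c, parser/af_names.h, the libapparmor autotools output such as libraries/libapparmor/configure and src/*.lo, the SWIG wrappers libapparmor_wrap.c) will appear as untracked after a build and is easy to commit by accident. Even where most of these paths do not exist on this branch, keep a trimmed ignore file with the entries that still apply, for instance the parser/ generated sources, apparmor_parser and *.orig.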


@@ -1,88 +1,38 @@
#
# $Id$
#
.PHONY: all
all:
@echo "*** See README for information how to build AppArmor ***"
exit 1
OVERRIDE_TARBALL=yes
COMMONDIR=common
include ${COMMONDIR}/Make.rules
include common/Make.rules
DIRS=libraries/libapparmor \
binutils \
parser \
DIRS=parser \
profiles \
utils \
changehat/libapparmor \
changehat/mod_apparmor \
changehat/pam_apparmor \
profiles \
management/apparmor-dbus \
management/applets/apparmorapplet-gnome \
management/yastui \
common \
tests
#REPO_URL?=lp:apparmor
# --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
# alternate possibilities to export from
#REPO_URL=.
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
COVERITY_DIR=cov-int
RELEASE_DIR=apparmor-${VERSION}
__SETUP_DIR?=.
# We create a separate version for tags because git can't handle tags
# with embedded ~s in them. No spaces around '-' or they'll get
# embedded in ${VERSION}
TAG_VERSION=$(subst ~,-,${VERSION})
# Add exclusion entries arguments for tar here, of the form:
# --exclude dir_to_exclude --exclude other_dir
TAR_EXCLUSIONS=
RELEASE_DIR=apparmor-${VERSION}-${REPO_VERSION}
.PHONY: tarball
tarball: clean
REPO_VERSION=`$(value REPO_VERSION_CMD)` && \
make export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
make setup __SETUP_DIR=${RELEASE_DIR} && \
tar ${TAR_EXCLUSIONS} -cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
tarball: _dist
tar cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
.PHONY: snapshot
snapshot: clean
$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(REPO_VERSION))
make export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
make setup __SETUP_DIR=${SNAPSHOT_NAME} && \
tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME}
${RELEASE_DIR}:
mkdir ${RELEASE_DIR}
.PHONY: coverity
coverity: snapshot
cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
cov-build --dir $(COVERITY_DIR) -- make -C $(SNAPSHOT_NAME)/$(dir);)
tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
.PHONY: _dist
.PHONY: ${DIRS}
.PHONY: export_dir
export_dir:
mkdir $(__EXPORT_DIR)
/usr/bin/bzr export --per-file-timestamps -r $(__REPO_VERSION) $(__EXPORT_DIR) $(REPO_URL)
echo "$(REPO_URL) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
_dist: clean ${DIRS}
${DIRS}: ${RELEASE_DIR}
svn export -r $(REPO_VERSION) $(REPO_URL)/$@ $(RELEASE_DIR)/$@ ; \
.PHONY: clean
clean:
-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
for dir in $(DIRS); do \
make -C $$dir clean; \
done
.PHONY: setup
setup:
cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
# parser has an extra doc to build
make -C $(__SETUP_DIR)/parser extra_docs
# libraries/libapparmor needs configure to have run before
# building docs
$(foreach dir, $(filter-out libraries/libapparmor tests, $(DIRS)), \
make -C $(__SETUP_DIR)/$(dir) docs;)
.PHONY: tag
tag:
bzr tag apparmor_${TAG_VERSION}
-rm -rf ${RELEASE_DIR}
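Review bot: the `${DIRS}: ${RELEASE_DIR}` recipe ends in `svn export -r $(REPO_VERSION) $(REPO_URL)/$@ $(RELEASE_DIR)/$@ ; \` with a trailing line continuation and no following command visible in the hunk; since extraction has stripped the +/- prefixes it cannot be told whether a continuation line was lost or the recipe really ends there, so this should be checked against the raw diff. The same recipe references REPO_VERSION and REPO_URL, but the only REPO_URL definitions in view (`REPO_URL?=https://code.launchpad.net/...` and the commented alternatives) are the ones being removed, so confirm that common/Make.rules supplies both, otherwise the export runs against an empty URL. Also note that `tarball: _dist` followed by `tar cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}` loses the `${TAR_EXCLUSIONS}` hook, and the `clean` target now removes only `${RELEASE_DIR}`, leaving `${COVERITY_DIR}` and `apparmor-${VERSION}~*` snapshot directories behind.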

README

@@ -1,241 +0,0 @@
------------
Introduction
------------
AppArmor protects systems from insecure or untrusted processes by
running them in restricted confinement, while still allowing processes
to share files, exercise privilege and communicate with other processes.
AppArmor is a Mandatory Access Control (MAC) mechanism which uses the
Linux Security Module (LSM) framework. The confinement's restrictions
are mandatory and are not bound to identity, group membership, or object
ownership. The protections provided are in addition to the kernel's
regular access control mechanisms (including DAC) and can be used to
restrict the superuser.
The AppArmor kernel module and accompanying user-space tools are
available under the GPL license (the exception is the libapparmor
library, available under the LGPL license, which allows change_hat(2)
and change_profile(2) to be used by non-GPL binaries).
For more information, you can read the techdoc.pdf (available after
building the parser) and by visiting the http://apparmor.net/ web
site.
-------------
Source Layout
-------------
AppArmor consists of several different parts:
binutils/ source for basic utilities written in compiled languages
changehat/ source for using changehat with Apache, PAM and Tomcat
common/ common makefile rules
desktop/ empty
kernel-patches/ compatibility patches for various kernel versions
libraries/ libapparmor source and language bindings
parser/ source for parser/loader and corresponding documentation
profiles/ configuration files, reference profiles and abstractions
tests/ regression and stress testsuites
utils/ high-level utilities for working with AppArmor
--------------------------------------
Important note on AppArmor kernel code
--------------------------------------
While most of the kernel AppArmor code has been accepted in the
upstream Linux kernel, a few important pieces were not included. These
missing pieces unfortunately are important bits for AppArmor userspace
and kernel interaction; therefore we have included compatibility
patches in the kernel-patches/ subdirectory, versioned by upstream
kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
Without these patches applied to the kernel, the AppArmor userspace
will not function correctly.
------------------------------------------
Building and Installing AppArmor Userspace
------------------------------------------
To build and install AppArmor userspace on your system, build and install in
the following order.
libapparmor:
$ cd ./libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python # see below
$ make
$ make check
$ make install
[an additional optional argument to libapparmor's configure is --with-ruby, to
generate Ruby bindings to libapparmor.]
Binary Utilities:
$ cd binutils
$ make
$ make check
$ make install
Utilities:
$ cd utils
$ make
$ make check
$ make install
parser:
$ cd parser
$ make # depends on libapparmor having been built first
$ make check
$ make install
Apache mod_apparmor:
$ cd changehat/mod_apparmor
$ make # depends on libapparmor having been built first
$ make install
PAM AppArmor:
$ cd changehat/pam_apparmor
$ make # depends on libapparmor having been built first
$ make install
Profiles:
$ cd profiles
$ make
$ make check # depends on the parser having been built first
$ make install
[Note that for the parser, binutils, and utils, if you only wish to build/use
some of the locale languages, you can override the default by passing
the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
-------------------
AppArmor Testsuites
-------------------
A number of testsuites are in the AppArmor sources. Most have documentation on
usage and how to update and add tests. Below is a quick overview of their
location and how to run them.
Regression tests
----------------
For details on structure and adding tests, see
tests/regression/apparmor/README.
To run:
$ cd tests/regression/apparmor (requires root)
$ make
$ sudo make tests
$ sudo bash open.sh -r # runs and saves the last testcase from open.sh
Parser tests
------------
For details on structure and adding tests, see parser/tst/README.
To run:
$ cd parser/tst
$ make
$ make tests
Libapparmor
-----------
For details on structure and adding tests, see libraries/libapparmor/README.
$ cd libraries/libapparmor
$ make check
Utils
-----
Tests for the Python utilities exist in the test/ subdirectory.
$ cd utils
$ make check
The aa-decode utility to be tested can be overridden by
setting up environment variable APPARMOR_DECODE; e.g.:
$ APPARMOR_DECODE=/usr/bin/aa-decode make check
Profile checks
--------------
A basic consistency check to ensure that the parser and aa-logprof parse
successfully the current set of shipped profiles. The system or other
parser and logprof can be passed in by overriding the PARSER and LOGPROF
variables.
$ cd profiles
$ make && make check
Stress Tests
------------
To run AppArmor stress tests:
$ make all
Use these:
$ ./change_hat
$ ./child
$ ./kill.sh
$ ./open
$ ./s.sh
Or run all at once:
$ ./stress.sh
Please note that the above will stress the system so much it may end up
invoking the OOM killer.
To run parser stress tests (requires /usr/bin/ruby):
$ ./stress.sh
(see stress.sh -h for options)
Coverity Support
----------------
Coverity scans are available to AppArmor developers at
https://scan.coverity.com/projects/apparmor.
In order to submit a Coverity build for analysis, the cov-build binary
must be discoverable from your PATH. See the "To Setup" section of
https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
cov-build.
To generate a compressed tarball of an intermediate Coverity directory:
$ make coverity
The compressed tarball is written to
apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>
is something like 2.10.90~3328, and must be uploaded to
https://scan.coverity.com/projects/apparmor/builds/new for analysis. You must
include the snapshot version in Coverity's project build submission form, in
the "Project Version" field, so that it is quickly obvious to all AppArmor
developers what snapshot of the AppArmor repository was used for the analysis.
-----------------------------------------------
Building and Installing AppArmor Kernel Patches
-----------------------------------------------
TODO
-----------------
Required versions
-----------------
The AppArmor userspace utilities are written with some assumptions about
installed and available versions of other tools. This is a (possibly
incomplete) list of known version dependencies:
The Python utilities require a minimum of Python 2.7 (deprecated) or Python 3.3.
Python 3.x is recommended. Python 2.x support is deprecated since AppArmor 2.11.
Some utilities (aa-exec, aa-notify and aa-decode) require Perl 5.10.1 or newer.
Most shell scripts are written for POSIX-compatible sh. aa-decode expects
bash, probably version 3.2 and higher.
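Review bot: this README is the only place in the tree that records the build-order dependencies (parser, changehat/mod_apparmor and changehat/pam_apparmor require libapparmor to be built first; `make check` in profiles/ requires the parser), how each testsuite is run, and the minimum tool versions; removing it wholesale leaves the branch without any build instructions. If the 2.1 branch needs its own README, it should replace this one in the same change rather than delete it, so that the top-level `all` target's "See README for information how to build AppArmor" message still points at something.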


@@ -1,157 +0,0 @@
# ----------------------------------------------------------------------
# Copyright (c) 2015
# Canonical Ltd. (All rights reserved)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# ----------------------------------------------------------------------
NAME=aa-binutils
all:
COMMONDIR=../common/
include $(COMMONDIR)/Make.rules
DESTDIR=/
BINDIR=${DESTDIR}/usr/bin
LOCALEDIR=/usr/share/locale
MANPAGES=aa-enabled.1 aa-exec.1
WARNINGS = -Wall
EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
CPP_WARNINGS =
ifndef CFLAGS
CFLAGS = -g -O2 -pipe
ifdef DEBUG
CFLAGS += -pg -D DEBUG
endif
ifdef COVERAGE
CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
endif
endif #CFLAGS
EXTRA_CFLAGS = ${CFLAGS} ${CPPFLAGS} ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
#INCLUDEDIR = /usr/src/linux/include
INCLUDEDIR =
ifdef INCLUDEDIR
CFLAGS += -I$(INCLUDEDIR)
endif
# Internationalization support. Define a package and a LOCALEDIR
EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
SRCS = aa_enabled.c
HDRS =
TOOLS = aa-enabled aa-exec
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
ifdef USE_SYSTEM
# Using the system libapparmor so Makefile dependencies can't be used
LIBAPPARMOR_A =
INCLUDE_APPARMOR =
APPARMOR_H =
LIBAPPARMOR_LDFLAGS =
else
LIBAPPARMOR_SRC = ../libraries/libapparmor/
LOCAL_LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
LOCAL_LIBAPPARMOR_LDPATH = $(LIBAPPARMOR_SRC)/src/.libs
LIBAPPARMOR_A = $(LOCAL_LIBAPPARMOR_LDPATH)/libapparmor.a
INCLUDE_APPARMOR = -I$(LOCAL_LIBAPPARMOR_INCLUDE)
APPARMOR_H = $(LOCAL_LIBAPPARMOR_INCLUDE)/sys/apparmor.h
LIBAPPARMOR_LDFLAGS = -L$(LOCAL_LIBAPPARMOR_LDPATH)
endif
EXTRA_CFLAGS += $(INCLUDE_APPARMOR)
LDFLAGS += $(LIBAPPARMOR_LDFLAGS)
ifdef V
VERBOSE = 1
endif
ifndef VERBOSE
VERBOSE = 0
endif
ifeq ($(VERBOSE),1)
BUILD_OUTPUT =
Q =
else
BUILD_OUTPUT = > /dev/null 2>&1
Q = @
endif
export Q VERBOSE BUILD_OUTPUT
po/%.pot: %.c
$(MAKE) -C po $(@F) NAME=$* SOURCES=$*.c
# targets arranged this way so that people who don't want full docs can
# pick specific targets they want.
arch: $(TOOLS)
manpages: $(MANPAGES)
docs: manpages
indep: docs
$(Q)$(MAKE) -C po all
all: arch indep
.PHONY: coverage
coverage:
$(MAKE) clean $(TOOLS) COVERAGE=1
ifndef USE_SYSTEM
$(LIBAPPARMOR_A):
@if [ ! -f $@ ]; then \
echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
return 1; \
fi
endif
aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
aa-exec: aa_exec.c $(LIBAPPARMOR_A)
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
.SILENT: check
.PHONY: check
check: check_pod_files tests
.SILENT: tests
tests: $(TOOLS) $(TESTS)
echo "no tests atm"
.PHONY: install
install: install-indep install-arch
.PHONY: install-arch
install-arch: arch
install -m 755 -d ${BINDIR}
install -m 755 ${TOOLS} ${BINDIR}
.PHONY: install-indep
install-indep: indep
$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
$(MAKE) install_manpages DESTDIR=${DESTDIR}
ifndef VERBOSE
.SILENT: clean
endif
.PHONY: clean
clean: pod_clean
rm -f core core.* *.o *.s *.a *~ *.gcda *.gcno
rm -f gmon.out
rm -f $(TOOLS) $(TESTS)
$(MAKE) -s -C po clean
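Review bot: removing the binutils/ Makefile is consistent with `binutils` being dropped from DIRS in the top-level Makefile in this same compare, but this Makefile also owns `MANPAGES=aa-enabled.1 aa-exec.1`, the `po/` locale subdirectory it builds with `NAME=aa-binutils`, and the `install_manpages` target from common/Make.rules; make sure the corresponding .pod sources, po/ directory and any packaging that lists /usr/bin/aa-enabled and /usr/bin/aa-exec go away together, so nothing is left referencing targets that no longer exist.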


@@ -1,94 +0,0 @@
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-enabled - test whether AppArmor is enabled
=head1 SYNOPSIS
B<aa-enabled> [options]
=head1 DESCRIPTION
B<aa-enabled> is used to determine if AppArmor is enabled.
=head1 OPTIONS
B<aa-enabled> accepts the following arguments:
=over 4
=item -h, --help
Display a brief usage guide.
=item -q, --quiet
Do not output anything to stdout. This option is intended to be used by
scripts that simply want to use the exit code to determine if AppArmor is
enabled.
=back
=head1 EXIT STATUS
Upon exiting, B<aa-enabled> will set its exit status to the following values:
=over 4
=item B<0>
if AppArmor is enabled.
=item B<1>
if AppArmor is not enabled/loaded.
=item B<2>
intentionally not used as an B<aa-enabled> exit status.
=item B<3>
if the AppArmor control files aren't available under /sys/kernel/security/.
=item B<4>
if B<aa-enabled> doesn't have enough privileges to read the apparmor control files.
=item B<64>
if any unexpected error or condition is encountered.
=back
=head1 BUGS
If you find any bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<http://wiki.apparmor.net>.
=cut


@@ -1,93 +0,0 @@
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-exec - confine a program with the specified AppArmor profile
=head1 SYNOPSIS
B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
=head1 DESCRIPTION
B<aa-exec> is used to launch a program confined by the specified profile
and or namespace. If both a profile and namespace are specified command
will be confined by profile in the new policy namespace. If only a namespace
is specified, the profile name of the current confinement will be used. If
neither a profile or namespace is specified command will be run using
standard profile attachment (ie. as if run without the aa-exec command).
If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
by aa-exec then -- should be used to separate aa-exec arguments from the
command.
aa-exec -p profile1 -- ls -l
=head1 OPTIONS
B<aa-exec> accepts the following arguments:
=over 4
=item -p PROFILE, --profile=PROFILE
confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
use the current profile name (likely unconfined).
=item -n NAMESPACE, --namespace=NAMESPACE
use profiles in NAMESPACE. This will result in confinement transitioning
to using the new profile namespace.
=item -i, --immediate
transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
of the current profile.
=item -v, --verbose
show commands being performed
=item -d, --debug
show commands and error codes
=item --
Signal the end of options and disables further option processing. Any
arguments after the -- are treated as arguments of the command. This is
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
aa-exec.
=back
=head1 BUGS
If you find any bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
aa_change_onexec(3) and L<http://wiki.apparmor.net>.
=cut


@@ -1,92 +0,0 @@
/*
* Copyright (C) 2015 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*/
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libintl.h>
#define _(s) gettext(s)
#include <sys/apparmor.h>
void print_help(const char *command)
{
printf(_("%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"),
command);
exit(1);
}
/* Exit statuses and meanings are documented in the aa-enabled.pod file */
static void exit_with_error(int saved_errno, int quiet)
{
int err;
switch(saved_errno) {
case ENOSYS:
if (!quiet)
printf(_("No - not available on this system.\n"));
exit(1);
case ECANCELED:
if (!quiet)
printf(_("No - disabled at boot.\n"));
exit(1);
case ENOENT:
if (!quiet)
printf(_("Maybe - policy interface not available.\n"));
exit(3);
case EPERM:
case EACCES:
if (!quiet)
printf(_("Maybe - insufficient permissions to determine availability.\n"));
exit(4);
}
if (!quiet)
printf(_("Error - %s\n"), strerror(saved_errno));
exit(64);
}
int main(int argc, char **argv)
{
int enabled;
int quiet = 0;
setlocale(LC_MESSAGES, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
if (argc > 2) {
printf(_("unknown or incompatible options\n"));
print_help(argv[0]);
} else if (argc == 2) {
if (strcmp(argv[1], "--quiet") == 0 ||
strcmp(argv[1], "-q") == 0) {
quiet = 1;
} else if (strcmp(argv[1], "--help") == 0 ||
strcmp(argv[1], "-h") == 0) {
print_help(argv[0]);
} else {
printf(_("unknown option '%s'\n"), argv[1]);
print_help(argv[0]);
}
}
enabled = aa_is_enabled();
if (!enabled)
exit_with_error(errno, quiet);
if (!quiet)
printf(_("Yes\n"));
exit(0);
}
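Review bot: print_help() always calls exit(1), so the `-h`/`--help` branch in main() makes `aa-enabled --help` exit non-zero even though the user asked for help; the comment above exit_with_error() says the exit statuses are documented in aa-enabled.pod, and a help request should exit 0 while only the unknown-option paths keep exit(1) (give print_help() a status parameter). The diagnostics ("unknown option", the "No - ..." and "Maybe - ..." answers, "Error - %s") all go to stdout via printf, which mixes error text with the Yes/No answer a script would capture; at least the option errors belong on stderr.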

@@ -1,218 +0,0 @@
/*
* Copyright (c) 2015
* Canonical, Ltd. (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc. or Canonical
* Ltd.
*/
#include <errno.h>
#include <getopt.h>
#include <libintl.h>
#include <limits.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <sys/apparmor.h>
#include <unistd.h>
#define _(s) gettext(s)
static const char *opt_profile = NULL;
static const char *opt_namespace = NULL;
static bool opt_debug = false;
static bool opt_immediate = false;
static bool opt_verbose = false;
static void usage(const char *name, bool error)
{
FILE *stream = stdout;
int status = EXIT_SUCCESS;
if (error) {
stream = stderr;
status = EXIT_FAILURE;
}
fprintf(stream,
_("USAGE: %s [OPTIONS] <prog> <args>\n"
"\n"
"Confine <prog> with the specified PROFILE.\n"
"\n"
"OPTIONS:\n"
" -p PROFILE, --profile=PROFILE PROFILE to confine <prog> with\n"
" -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in\n"
" -d, --debug show messages with debugging information\n"
" -i, --immediate change profile immediately instead of at exec\n"
" -v, --verbose show messages with stats\n"
" -h, --help display this help\n"
"\n"), name);
exit(status);
}
#define error(fmt, args...) _error(_("aa-exec: ERROR: " fmt "\n"), ## args)
static void _error(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
exit(EXIT_FAILURE);
}
#define debug(fmt, args...) _debug(_("aa-exec: DEBUG: " fmt "\n"), ## args)
static void _debug(const char *fmt, ...)
{
va_list args;
if (!opt_debug)
return;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
}
#define verbose(fmt, args...) _verbose(_(fmt "\n"), ## args)
static void _verbose(const char *fmt, ...)
{
va_list args;
if (!opt_verbose)
return;
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
}
static void verbose_print_argv(char **argv)
{
if (!opt_verbose)
return;
fprintf(stderr, _("exec"));
for (; *argv; argv++)
fprintf(stderr, " %s", *argv);
fprintf(stderr, "\n");
}
static char **parse_args(int argc, char **argv)
{
int opt;
struct option long_opts[] = {
{"debug", no_argument, 0, 'd'},
{"help", no_argument, 0, 'h'},
{"profile", required_argument, 0, 'p'},
{"namespace", required_argument, 0, 'n'},
{"immediate", no_argument, 0, 'i'},
{"verbose", no_argument, 0, 'v'},
};
while ((opt = getopt_long(argc, argv, "+dhp:n:iv", long_opts, NULL)) != -1) {
switch (opt) {
case 'd':
opt_debug = true;
break;
case 'h':
usage(argv[0], false);
break;
case 'p':
opt_profile = optarg;
break;
case 'n':
opt_namespace = optarg;
break;
case 'i':
opt_immediate = true;
break;
case 'v':
opt_verbose = true;
break;
default:
usage(argv[0], true);
break;
}
}
if (optind >= argc)
usage(argv[0], true);
return argv + optind;
}
static void build_name(char *name, size_t name_len,
const char *namespace, const char *profile)
{
size_t required_len = 1; /* reserve 1 byte for NUL-terminator */
if (namespace)
required_len += 1 + strlen(namespace) + 3; /* :<NAMESPACE>:// */
if (profile)
required_len += strlen(profile);
if (required_len > name_len)
error("name too long (%zu > %zu)", required_len, name_len);
name[0] = '\0';
if (namespace) {
strcat(name, ":");
strcat(name, namespace);
strcat(name, "://");
}
if (profile)
strcat(name, profile);
}
int main(int argc, char **argv)
{
char name[PATH_MAX];
int rc = 0;
argv = parse_args(argc, argv);
if (opt_namespace || opt_profile)
build_name(name, sizeof(name), opt_namespace, opt_profile);
else
goto exec;
if (opt_immediate) {
verbose("aa_change_profile(\"%s\")", name);
rc = aa_change_profile(name);
debug("%d = aa_change_profile(\"%s\")", rc, name);
} else {
verbose("aa_change_onexec(\"%s\")", name);
rc = aa_change_onexec(name);
debug("%d = aa_change_onexec(\"%s\")", rc, name);
}
if (rc) {
if (errno == ENOENT || errno == EACCES) {
error("%s '%s' does not exist\n",
opt_profile ? "profile" : "namespace", name);
} else if (errno == EINVAL) {
error("AppArmor interface not available");
} else {
error("%m");
}
}
exec:
verbose_print_argv(argv);
execvp(argv[0], argv);
error("Failed to execute \"%s\": %m", argv[0]);
}
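Review bot: long_opts[] in parse_args() has no terminating all-zero element; getopt_long(3) scans the array until it finds an entry whose name is NULL, so with only the six entries shown it reads past the end of the array whenever it has to compare an unrecognised long option. Add `{NULL, 0, NULL, 0}` as the last element. Two smaller points in main(): `error("%s '%s' does not exist\n", ...)` ends in an explicit "\n" although the error() macro already appends one, so the message is followed by a blank line; and EACCES is folded into the "does not exist" message, while the ERRORS section of aa_change_hat(2) elsewhere in this compare lists EACCES for more than a missing profile, so a neutral wording such as "cannot change to %s '%s'" avoids misreporting the cause.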

@@ -1,19 +0,0 @@
# ----------------------------------------------------------------------
# Copyright (C) 2015 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ----------------------------------------------------------------------
all:
# As translations get added, they will automatically be included, unless
# the lang is explicitly added to DISABLED_LANGS; e.g. DISABLED_LANGS=en es
DISABLED_LANGS=
COMMONDIR=../../common
include $(COMMONDIR)/Make-po.rules
XGETTEXT_ARGS+=--language=C --keyword=_ $(shell if [ -f ${NAME}.pot ] ; then echo -n -j ; fi)

@@ -1,66 +0,0 @@
# Copyright (C) 2015 Canonical Ltd
# This file is distributed under the same license as the AppArmor package.
# John Johansen <john.johansen@canonical.com>, 2015.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr ""
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr ""
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr ""
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr ""
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr ""
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr ""
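Review bot: the last entry (aa_enabled.c:84) has msgid "Error - '%s'\n", but the aa_enabled.c in this compare prints _("Error - %s\n") without the quotes, so this msgid matches no string in the program and the error line can never be translated; the de, en_GB, id, pt and ru catalogues below carry the same stale msgid. Regenerate the .pot from the current source, and fill in the "PACKAGE VERSION" and "CHARSET" placeholders (and drop the "#, fuzzy" marker) before this ships.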

@@ -1,68 +0,0 @@
# German translation for apparmor
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2017-03-31 10:44+0000\n"
"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
"Language-Team: German <de@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2017-04-05 05:23+0000\n"
"X-Generator: Launchpad (build 18335)\n"
"Language: de\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "unbekannte oder nicht kompatible Optionen\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "unbekannte Option »%s«\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Ja\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Nein auf diesem System nicht verfügbar.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Nein beim Start deaktiviert.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr ""
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr ""
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Fehler - »%s«\n"
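Review bot: the translations for aa_enabled.c:71 and :74 drop the " - " separator ("Nein auf diesem System nicht verfügbar." / "Nein beim Start deaktiviert."), so the answer word and the reason run together and no longer line up with the other answers; "Nein - auf diesem System nicht verfügbar.\n" and "Nein - beim Start deaktiviert.\n" keep the format. The help text (aa_enabled.c:26) and both "Maybe" strings have an empty msgstr, so a German user sees mixed languages; worth completing before the catalogue is considered done.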

@@ -1,72 +0,0 @@
# English (United Kingdom) translation for apparmor
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2016-02-18 06:22+0000\n"
"Last-Translator: Andi Chandler <Unknown>\n"
"Language-Team: English (United Kingdom) <en_GB@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
"X-Generator: Launchpad (build 18053)\n"
"Language: en_GB\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "unknown or incompatible options\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "unknown option '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Yes\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "No - not available on this system.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "No - disabled at boot.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Maybe - policy interface not available.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Maybe - insufficient permissions to determine availability.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Error - '%s'\n"

@@ -1,72 +0,0 @@
# Indonesian translation for apparmor
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2016-01-20 08:59+0000\n"
"Last-Translator: Ari Setyo Wibowo <mr.a.contact@gmail.com>\n"
"Language-Team: Indonesian <id@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
"X-Generator: Launchpad (build 18053)\n"
"Language: id\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [options]\n"
" pilihan:\n"
" -q | --quiet Jangan tampilkan pesan apapun\n"
" -h | --help Tampilkan bantuan\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "pilihan yang tidak dikenali atau tidak kompatibel\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "pilihan tidak dikenali '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Ya\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Tidak - tidak tersedia di sistem ini.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Tidak - nonaktifkan saat boot.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Mungkin - kebijakan antarmuka tidak tersedia.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Mungkin - izin tidak memadai untuk menentukan ketersediaan.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Kesalahan - '%s'\n"

@@ -1,72 +0,0 @@
# Portuguese translation for apparmor
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2016-03-03 08:34+0000\n"
"Last-Translator: Ivo Xavier <ivoxavier.8@gmail.com>\n"
"Language-Team: Portuguese <pt@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
"X-Generator: Launchpad (build 18053)\n"
"Language: pt\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [opções]\n"
" opções:\n"
" -q | --silencioso Não mostrar mensagens\n"
" -h | --ajuda Mostar ajuda\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "opções desconhecidas ou incompatíveis\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "opção desconhecida '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Sim\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Não - não disponível neste sistema.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Não - desligado ao iniciar.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Talvez - política de interface não disponível.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Talvez - permissões insuficientes para determinar disponibilidade.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Erro - '%s'\n"
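Review bot: the help-text translation (aa_enabled.c:26) renames the switches themselves to "--silencioso" and "--ajuda", but the program only accepts --quiet/-q and --help/-h (the strcmp calls in aa_enabled.c main()), so the Portuguese help documents options that do not exist. Only the descriptions should be translated; the option names must stay as in the msgid. Also "Mostar ajuda" should read "Mostrar ajuda".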

@@ -1,72 +0,0 @@
# Russian translation for apparmor
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
# This file is distributed under the same license as the apparmor package.
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
#
msgid ""
msgstr ""
"Project-Id-Version: apparmor\n"
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
"PO-Revision-Date: 2016-03-29 14:46+0000\n"
"Last-Translator: Eugene Marshal <Unknown>\n"
"Language-Team: Russian <ru@li.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Launchpad-Export-Date: 2016-06-01 05:15+0000\n"
"X-Generator: Launchpad (build 18053)\n"
"Language: ru\n"
#: ../aa_enabled.c:26
#, c-format
msgid ""
"%s: [options]\n"
" options:\n"
" -q | --quiet Don't print out any messages\n"
" -h | --help Print help\n"
msgstr ""
"%s: [параметры]\n"
" параметры:\n"
" -q | --quiet не выводить никакие сообщения\n"
" -h | --help вывести справку\n"
#: ../aa_enabled.c:45
#, c-format
msgid "unknown or incompatible options\n"
msgstr "неизвестные или несовместимые параметры\n"
#: ../aa_enabled.c:55
#, c-format
msgid "unknown option '%s'\n"
msgstr "неизвестный параметр '%s'\n"
#: ../aa_enabled.c:64
#, c-format
msgid "Yes\n"
msgstr "Да\n"
#: ../aa_enabled.c:71
#, c-format
msgid "No - not available on this system.\n"
msgstr "Нет - недоступно на этой системе.\n"
#: ../aa_enabled.c:74
#, c-format
msgid "No - disabled at boot.\n"
msgstr "Нет - выключено при загрузке.\n"
#: ../aa_enabled.c:77
#, c-format
msgid "Maybe - policy interface not available.\n"
msgstr "Возможно - интерфейс политики недоступен.\n"
#: ../aa_enabled.c:81
#, c-format
msgid "Maybe - insufficient permissions to determine availability.\n"
msgstr "Возможно - недостаточно разрешений для определения доступности.\n"
#: ../aa_enabled.c:84
#, c-format
msgid "Error - '%s'\n"
msgstr "Ошибка - '%s'\n"

@@ -0,0 +1,2 @@
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>

@@ -0,0 +1,25 @@
AUTOMAKE_OPTIONS = foreign 1.4
NAME = libapparmor
SRCDIR = src
SUBDIRS = doc src swig testsuite
REPO_VERSION=$(shell if [ -x /usr/bin/svn ] ; then \
/usr/bin/svn info . 2> /dev/null | grep "^Last Changed Rev:" | sed "s/^Last Changed Rev: //" ; \
fi)
REPO_URL=$(shell if [ -x /usr/bin/svn ] ; then \
/usr/bin/svn info . 2> /dev/null | grep "^URL:" | sed "s/^URL: //" ; \
fi)
RELEASE_DIR = $(NAME)-$(VERSION)-${REPO_VERSION}
SVNTARBALL = $(NAME)-$(VERSION)-${REPO_VERSION}.tar.gz
SVNTAR = /bin/tar czvp -h --exclude .svn --exclude CVS --exclude .cvsignore --exclude ${SVNTARBALL} --exclude ${RELEASE_DIR}/${RELEASE_DIR} $(shell test -f ${NAME}.exclude && echo "-X ${NAME}.exclude")
distball: clean
rm -rf $(RELEASE_DIR)
svn export -r $(REPO_VERSION) $(REPO_URL) $(RELEASE_DIR)
$(SVNTAR) -f $(SVNTARBALL) $(RELEASE_DIR)
rm -rf $(RELEASE_DIR)
EXTRA_DIST = AUTHORS ChangeLog COPYING.LGPL INSTALL NEWS README
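Review bot: REPO_VERSION and REPO_URL are empty whenever /usr/bin/svn is missing or the tree is not a checkout, yet distball runs `svn export -r $(REPO_VERSION) $(REPO_URL) $(RELEASE_DIR)` unconditionally; it then fails with an empty revision, after having produced a RELEASE_DIR/SVNTARBALL name that ends in "-". Guard the target, e.g. `test -n "$(REPO_VERSION)" || { echo "not an svn checkout" >&2; exit 1; }` as its first line. The recipe also mixes $(VAR) and ${VAR} for the same variables; pick one spelling.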

@@ -0,0 +1 @@
What little documentation exists is in src/aalogparse.h. Please file bugs using http://bugzilla.novell.com under the AppArmor product.

@@ -0,0 +1,42 @@
#!/bin/sh
DIE=0
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "You must have autoconf installed to compile $package."
echo "Download the appropriate package for your distribution,"
echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
(automake --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "You must have automake installed to compile $package."
echo "Download the appropriate package for your system,"
echo "or get the source from one of the GNU ftp sites"
echo "listed in http://www.gnu.org/order/ftp.html"
DIE=1
}
(libtool --version) < /dev/null > /dev/null 2>&1 || {
echo
echo "You must have libtool installed to compile $package."
echo "Download the appropriate package for your system,"
echo "or get the source from one of the GNU ftp sites"
echo "listed in http://www.gnu.org/order/ftp.html"
DIE=1
}
if test "$DIE" -eq 1; then
exit 1
fi
echo "Running aclocal"
aclocal
echo "Running autoconf"
autoconf --force
echo "Running libtoolize"
libtoolize --automake
echo "Running automake -ac"
automake -ac
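Review bot: $package is never assigned, so each of the three failure messages prints "to compile ." with nothing before the period; set `package=libapparmor` at the top or drop the variable. The tool order is also unconventional: libtoolize --automake should run before aclocal and autoconf (the order autoreconf uses), because it installs ltmain.sh and the libtool macros that the later steps consume; as written it only works when a system-wide libtool.m4 happens to be available.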

@@ -0,0 +1,77 @@
AC_INIT(configure.in)
AM_INIT_AUTOMAKE(libapparmor1, 2.2)
AM_PROG_LEX
AC_PROG_YACC
AC_PATH_PROG([SWIG], [swig])
PROG_POD2MAN
AC_MSG_CHECKING(Checking for Python)
AC_ARG_WITH(python,
[ --with-python enable the python wrapper [[default=no]]],
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
if test "$with_python" = "yes"; then
AC_PATH_PROG(PYTHON, python, no)
if test x$PYTHON = xno; then
enable_python = no
else
sinclude(m4/ac_python_devel.m4)
AC_PYTHON_DEVEL
AM_PATH_PYTHON
fi
fi
AC_MSG_CHECKING(Checking for perl)
AC_ARG_WITH(perl,
[ --with-perl enable the perl wrapper [[default=no]]],
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
if test "$with_perl" = "yes"; then
AC_PATH_PROG(PERL, perl, no)
if test x$PERL = xno; then
enable_perl=no
else
perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
fi
fi
AC_MSG_CHECKING(Checking for ruby)
AC_ARG_WITH(ruby,
[ --with-ruby enable the ruby wrapper [[default=no]]],
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
if test "$with_ruby" = "yes"; then
AC_PATH_PROG([RUBY], [ruby])
fi
AM_CONDITIONAL(HAVE_PYTHON, test x$with_python = xyes)
AM_CONDITIONAL(HAVE_PERL, test x$with_perl = xyes)
AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
AM_CONDITIONAL(BUILD_ROOTLIB, test x$enable_rootlib = xyes)
AC_HEADER_STDC
AC_CHECK_HEADERS(unistd.h stdint.h)
AC_CHECK_FUNCS(asprintf)
AM_PROG_CC_C_O
AC_C_CONST
AM_PROG_LIBTOOL
AC_OUTPUT(
Makefile
doc/Makefile
src/Makefile
swig/Makefile
swig/perl/Makefile
swig/python/Makefile
swig/ruby/Makefile
testsuite/Makefile
testsuite/config/Makefile
testsuite/libaalogparse.test/Makefile
testsuite/lib/Makefile
)
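Review bot: `enable_python = no` inside the python block has spaces around `=`, so the shell runs a command named enable_python with two arguments instead of assigning; configure will print "enable_python: command not found" on hosts without python. Write `enable_python=no`. The values computed in these blocks are then never consulted: HAVE_PYTHON and HAVE_PERL are keyed on $with_python/$with_perl rather than enable_python/enable_perl, so `--with-perl` on a host without perl.h still builds the perl wrapper, and BUILD_ROOTLIB tests $enable_rootlib, which no AC_ARG_ENABLE in this file defines. The AC_MSG_CHECKING arguments also begin with "Checking", which autoconf already prefixes, giving "checking Checking for Python".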

@@ -0,0 +1,21 @@
## Process this file with automake to produce Makefile.in
POD2MAN = pod2man
man_MANS = aa_change_hat.2
PODS = $(subst .2,.pod,$(man_MANS))
EXTRA_DIST = $(man_MANS) $(PODS)
## delete man pages at maintainer-clean
BUILT_SOURCES = $(man_MANS)
%.2: %.pod
$(POD2MAN) \
--section=2 \
--release="NOVELL/SUSE" \
--center="AppArmor" \
--date="2007-07-27" \
$< > $@
$
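Review bot: the lone `$` on the last line after the pod2man recipe looks like an editing leftover and should be removed; a bare `$` outside a recipe is not valid Makefile syntax. Also the `--date="2007-07-27"` passed to pod2man is hard-coded, so the man page date will not track later edits to the .pod; either derive it from the source's mtime or drop the option and let pod2man default.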

@@ -0,0 +1,233 @@
# $Id: change_hat.pod 534 2007-04-03 20:08:50Z steve-beattie $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. SUSE LINUX GmbH
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
=pod
=head1 NAME
aa_change_hat - change to or from a "hat" within a AppArmor profile
=head1 SYNOPSIS
B<#include E<lt>sys/apparmor.hE<gt>>
B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
An AppArmor profile applies to an executable program; if a portion of
the program needs different access permissions than other portions,
the program can "change hats" to a different role, also known as a
subprofile. To change into a new hat, it calls the aa_change_hat()
function to do so. It passes in a pointer to the I<subprofile> which it
wants to change into, and a 64bit I<magic_token>. The I<magic_token>
is used to return out of the subprofile at a later time.
If a program wants to return out of the current subprofile to the
original profile, it calls aa_change_hat() with a pointer to NULL as
the I<subprofile>, and the original I<magic_token> value. If the
I<magic_token> does not match the original I<magic_token> passed into the
kernel when the program entered the subprofile, the change back to the
original profile will not happen, and the current task will be killed.
If the I<magic_token> matches the original token, then the process will
change back to the original profile.
If the program wants to change to a subprofile that it can never
change back out of, the application should call aa_change_hat() with a
I<magic_token> of I<0>.
As both read(2) and write(2) are mediated, a file must be listed in a
subprofile definition if the file is to be accessed while the process
is in a "hat".
=head1 RETURN VALUE
On success zero is returned. On error, -1 is returned, and
errno(3) is set appropriately.
=head1 ERRORS
=over 4
=item B<EINVAL>
The apparmor kernel module is not loaded or the communication via the
F</proc/*/attr/current> file did not conform to protocol.
=item B<ENOMEM>
Insufficient kernel memory was available.
=item B<EPERM>
The calling application is not confined by apparmor.
=item B<ECHILD>
The application's profile has no hats defined for it.
=item B<EACCES>
The specified I<subprofile> does not exist in this profile or the
process tried to change another process's domain.
=back
=head1 EXAMPLE
The following code examples shows simple, if contrived, uses of
aa_change_hat(); a typical use of aa_change_hat() will separate
privileged portions of a process from unprivileged portions of a process,
such as keeping unauthenticated network traffic handling separate
from authenticated network traffic handling in OpenSSH or executing
user-supplied CGI scripts in apache.
The use of random(3) is simply illustrative. Use of F</dev/urandom> is
recommended.
First, a simple high-level overview of aa_change_hat() use:
void foo (void) {
unsigned long magic_token;
/* get a random magic token value
from our huge entropy pool */
magic_token = random_function();
/* change into the subprofile while
* we do stuff we don't trust */
aa_change_hat("stuff_we_dont_trust", magic_token);
/* Go do stuff we don't trust -- this is all
* done in *this* process space, no separate
* fork()/exec()'s are done. */
interpret_perl_stuff(stuff_from_user);
/* now change back to our original profile */
aa_change_hat(NULL, magic_token);
}
Second, an example to show that files not listed in a subprofile ("hat")
aren't accessible after an aa_change_hat() call:
#include <stdlib.h>
#include <string.h>
#include <sys/apparmor.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
int fd;
unsigned long tok;
char buf[10];
/* random() is a poor choice */
tok = random();
/* open /etc/passwd outside of any hat */
if ((fd=open("/etc/passwd", O_RDONLY)) < 0)
perror("Failure opening /etc/passwd");
/* confirm for ourselves that we can really read /etc/passwd */
memset(&buf, 0, 10);
if (read(fd, &buf, 10) == -1) {
perror("Failure reading /etc/passwd pre-hat");
_exit(1);
}
buf[9] = '\0';
printf("/etc/passwd: %s\n", buf);
/* change hat to the "hat" subprofile, which should not have
* read access to /etc/passwd -- even though we have a valid
* file descriptor at the time of the aa_change_hat() call. */
if (aa_change_hat("hat", tok)) {
perror("Failure changing hat -- aborting");
_exit(1);
}
/* confirm that we cannot read /etc/passwd */
lseek(fd,0,SEEK_SET);
memset(&buf, 0, 10);
if (read(fd, &buf, 10) == -1)
perror("Failure reading /etc/passwd post-hat");
buf[9] = '\0';
printf("/etc/passwd: %s\n", buf);
return 0;
}
This code example requires the following profile to be loaded with
apparmor_parser(8):
/tmp/ch {
/etc/ld.so.cache mr,
/etc/locale/** r,
/etc/localtime r,
/usr/share/locale/** r,
/usr/share/zoneinfo/** r,
/usr/lib/locale/** mr,
/usr/lib/gconv/*.so mr,
/usr/lib/gconv/gconv-modules* mr,
/lib/ld-*.so* mrix,
/lib/libc*.so* mr,
/lib/libapparmor*.so* mr,
/dev/pts/* rw,
/tmp/ch mr,
/etc/passwd r,
^hat {
/dev/pts/* rw,
}
}
The output when run:
$ /tmp/ch
/etc/passwd: root:x:0:
Failure reading /etc/passwd post-hat: Permission denied
/etc/passwd:
$
=head1 BUGS
None known. If you find any, please report them to bugzilla at
L<http://bugzilla.novell.com>. Note that aa_change_hat(2) provides no
memory barriers between different areas of a program; if address space
separation is required, then separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), and
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
=cut
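Review bot: the first example (foo()) ignores the return value of both aa_change_hat() calls; if the change into "stuff_we_dont_trust" fails with one of the errors listed under ERRORS (EACCES, EPERM, ECHILD, EINVAL), interpret_perl_stuff() runs under the caller's full profile with no indication that the hat was never entered. The second example checks and aborts; the first should too, since the reduced access is the entire point of the hat. Related: the return transition is only as safe as the magic_token is unguessable, and the second example's unseeded random() produces the same token on every run. The text already recommends F</dev/urandom>, so the example should read the token from there rather than only noting that random() "is a poor choice". Also, the DESCRIPTION calls magic_token a 64bit value while the SYNOPSIS declares it `unsigned long`, which is 32 bits on 32-bit ABIs; say which is meant. Minor: `memset(&buf, 0, 10)` and `read(fd, &buf, 10)` pass a pointer-to-array where plain `buf` is meant.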

@@ -0,0 +1,178 @@
#
# spec file for package libapparmor
#
# norootforbuild
%define _unpackaged_files_terminate_build 0
Name: libapparmor1
Version: 2.2
Release: 3.20070916
License: LGPL
Group: Development/Libraries/C and C++
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Source0: %{name}-%{version}.tar.bz2
BuildRequires: swig gcc perl
Provides: libapparmor
Provides: libimmunix
Obsoletes: libapparmor
Obsoletes: libimmunix
Summary: A utility library for AppArmor
%define aalibversion 1.0.2
%description
-
%package -n libapparmor-devel
Requires: %{name} = %{version}-%{release}
Group: Development/Libraries/C and C++
Provides: libapparmor:/usr/include/sys/apparmor.h
Summary: -
%description -n libapparmor-devel
-
%post -n libapparmor-devel
/sbin/ldconfig
%postun -n libapparmor-devel
/sbin/ldconfig
%package -n perl-libapparmor
Requires: %{name} = %{version}
Requires: perl = %{perl_version}
Group: Development/Libraries/Perl
Summary: -
%description -n perl-libapparmor
-
%prep
%setup -q
%build
./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-perl
make CFLAGS="${RPM_OPT_FLAGS}"
%install
make install DESTDIR="$RPM_BUILD_ROOT"
mkdir ${RPM_BUILD_ROOT}/%{_lib}
# this is really hacky
rm ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
rm ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so
cp ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
cp ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
ln -s /%{_lib}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
# create symlink for old change_hat(2) manpage
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
%clean
rm -rf "$RPM_BUILD_ROOT"
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%files
%defattr(-,root,root)
/%{_lib}/libapparmor.so.*
/%{_lib}/libimmunix.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.so
%{_libdir}/libapparmor.la
%{_libdir}/libapparmor.a
%{_libdir}/libimmunix.la
%{_libdir}/libimmunix.a
%doc %{_mandir}/man*/*
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*
%files -n perl-libapparmor
%defattr(-,root,root)
%dir %{perl_vendorarch}/auto/LibAppArmor
%{perl_vendorarch}/auto/LibAppArmor/*
%{perl_vendorarch}/LibAppArmor.pm
%changelog
* Sun Sep 16 2007 - sbeattie@suse.de
- aalogparse: add support for type=15xx audit field
- aalogparse: add support for audit messages thru syslog
- aalogparse: reduce noise to stdout on syntax errors
- aalogparse: add support for more missing message types
- aalogparse: parse messages w/safe (hex) string encodings
* Fri Aug 17 2007 - sbeattie@suse.de
- Fix broken symlink for old change_hat(2) manpage
* Wed Aug 15 2007 - sbeattie@suse.de
- fix braindead symbol versioning issue with old version name
- re-enable CFLAGS=RPM_OPT_FLAGS for build
- convert change_hat(2) to aa_change_hat(2)
- use 64bit magic token
- add aa_change_profile(2) interface
* Sat Jul 28 2007 - mbarringer@suse.de
- Merged in libaalogparse to the library/package
* Tue Apr 7 2007 - sbeattie@suse.de
- Add change_hat manpage to package
* Thu Jan 18 2007 - sbeattie@suse.de
- Add a clean stage to remove buildroot to specfile
* Fri Feb 17 2006 Seth Arnold <seth.arnold@suse.de> 2.0-4.1
- use gettid() instead of /proc/self
* Fri Feb 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.2
- Use RPM_OPT_FLAGS
- Fix installed library version to match specfile version
* Wed Feb 1 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.1
- Fix prototype to match change_hat(2) manpage
* Mon Jan 23 2006 Steve Beattie <sbeattie@suse.de> 2.0-3
- Rename to libapparmor.so and apparmor.h
* Thu Jan 5 2006 Steve Beattie <sbeattie@suse.de> 2.0-2
- Add svn repo number to tarball
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 2.0-1
- Reset version for inclusion is SUSE autobuild
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 1.99-8
- Disable 32bit builds on 64bit platforms for now
* Mon Dec 5 2005 Steve Beattie <sbeattie@suse.de> 1.99-7
- Rename package to libapparmor
* Wed Aug 10 2005 Steve Beattie <sbeattie@suse.de> 1.99-6_imnx
- Cleanup some of the deprecated exported symbols
* Thu Aug 4 2005 John Johansen <jjohansen@novell.com> 1.99-5_imnx
- and -m31 flag for s390
* Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-4_imnx
- get rid of libimmunix_post_upgrade
- Re-license to LGPL
- update description
* Fri May 27 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
- Clear token buffer before freeing.
- Error handling cleanup.
* Fri Feb 18 2005 Steve Beattie <steve@immunix.com> 1.99-2_imnx
- Use the right command for the 32bit env on 64bit platforms
- Support for 64bit builds on systems with combined 32/64 support
* Fri Feb 4 2005 Seth Arnold <sarnold@immunix.com> 1.99-1_imnx
- Reversion to 1.99
* Mon Nov 8 2004 Steve Beattie <steve@immunix.com> 1.2-3_imnx
- Finish conversion to slack-capable infrastructure.
* Thu Oct 28 2004 Steve Beattie <steve@immunix.com> 1.2-2_imnx
- Added a 'make install' target for prelim slack support
* Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
- Bump version after shass-1.1 branched off
* Thu Sep 23 2004 Steve Beattie <steve@immunix.com> 1.0-13_imnx
- Vastly simplify the string handling in change_hat().
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-12_imnx
- Conditionalize group the package shows up in.
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-11_imnx
- Fix so change_hat functions correctly even when the token is zero.
* Thu Sep 2 2004 Steve Beattie <steve@immunix.com> 1.0-10_imnx
- Added that it provides %{_prefix}/sbin/libimmunix_post_upgrade, this
was somehow breaking yast.
* Mon Aug 30 2004 Steve Beattie <steve@immunix.com> 1.0-9_imnx
- Copyright cleanups.
* Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-8_imnx
- add basis for conditional distro support
* Thu May 28 2004 Tony Jones <tony@immunix.com> 1.0-7_imnx
- Add "changehat" command word to start of string written to /proc/pid/attr

View File

@@ -0,0 +1,16 @@
AC_DEFUN(PROG_POD2MAN,[
AC_CHECK_PROG(POD2MAN,pod2man,pod2man,no)
if test "$POD2MAN" = "no"; then
AC_MSG_ERROR([
The pod2man program was not found in the default path. pod2man is part of
Perl, which can be retrieved from:
http://www.perl.com/
The latest version at this time is 5.6.1; it is available packaged as the
following archive:
http://www.perl.com/CPAN/src/stable.tar.gz
])
fi
])
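Review bot: `AC_DEFUN(PROG_POD2MAN,[` leaves the macro name unquoted; the Autoconf convention is `AC_DEFUN([PROG_POD2MAN], [...])` so m4 can never expand the name before the definition is registered. The error text also hard-codes "The latest version at this time is 5.6.1" and a `stable.tar.gz` URL, both of which go stale the day after they are written; keep the message to "pod2man (part of Perl) was not found in PATH" and drop the version and download link.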

View File

@@ -17,9 +17,9 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
# Check for a version of Python >= 2.1.0
#
AC_MSG_CHECKING([for a version of Python >= '2.1.0'])
ac_supports_python_ver=`$PYTHON -c "import sys; \
ver = sys.version.split()[[0]]; \
sys.stdout.write(str(ver >= '2.1.0'))"`
ac_supports_python_ver=`$PYTHON -c "import sys, string; \
ver = string.split(sys.version)[[0]]; \
print ver >= '2.1.0'"`
if test "$ac_supports_python_ver" != "True"; then
if test -z "$PYTHON_NOVERSIONCHECK"; then
AC_MSG_RESULT([no])
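Review bot: the test on the `ver >= '2.1.0'` line (in both the `sys.version.split()` and the `string.split(sys.version)` variants) is a lexicographic string comparison, so a version such as 2.10.0 sorts below 2.9 and would be reported as too old. Compare integer tuples instead, e.g. `tuple(int(x) for x in ver.split('.')[[:3]]) >= (2, 1, 0)`, keeping the doubled `[[ ]]` that m4 quoting requires as the existing line already does.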
@@ -44,9 +44,9 @@ to something else than an empty string.
#
if test -n "$1"; then
AC_MSG_CHECKING([for a version of Python $1])
ac_supports_python_ver=`$PYTHON -c "import sys; \
ver = sys.version.split()[[0]]; \
sys.stdout.write("%s\n" % (ver == $1))"`
ac_supports_python_ver=`$PYTHON -c "import sys, string; \
ver = string.split(sys.version)[[0]]; \
print ver $1"`
if test "$ac_supports_python_ver" = "True"; then
AC_MSG_RESULT([yes])
else
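Review bot: the two variants of this probe are not interchangeable: `print ver $1` splices the macro argument raw into Python source, so callers must pass an operator together with a version (for example `>= '2.4'`), whereas `sys.stdout.write("%s\n" % (ver == $1))` hard-codes equality; the macro header should document which form `$1` takes. The `sys.stdout.write("%s\n" ...)` line also nests unescaped double quotes inside the double-quoted `$PYTHON -c "..."` argument, so the shell ends the argument at the first inner quote; use single quotes for the Python string (`'%s\n'`) as the other probes in this file do.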
@@ -79,12 +79,9 @@ $ac_distutils_result])
# Check for Python include path
#
AC_MSG_CHECKING([for Python include path])
if type $PYTHON-config; then
PYTHON_CPPFLAGS=`$PYTHON-config --includes`
fi
if test -z "$PYTHON_CPPFLAGS"; then
python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
python_path=`$PYTHON -c "import distutils.sysconfig; \
print distutils.sysconfig.get_python_inc();"`
if test -n "${python_path}"; then
python_path="-I$python_path"
fi
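Review bot: `if type $PYTHON-config; then` lets `type` print the resolved path onto configure's stdout (and a "not found" line onto stderr when it is absent); redirect it, `if type $PYTHON-config >/dev/null 2>&1; then`, and apply the same fix to the identical test in the library-path probe below. Note that once the `$PYTHON-config --includes` block is gone, `distutils.sysconfig.get_python_inc()` reports only the primary include directory, so the fallback is not a full replacement.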
@@ -97,26 +94,25 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
# Check for Python library path
#
AC_MSG_CHECKING([for Python library path])
if type $PYTHON-config; then
PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
fi
if test -z "$PYTHON_LDFLAGS"; then
# (makes two attempts to ensure we've got a version number
# from the interpreter)
py_version=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
sys.stdout.write('%s\n' % ''.join(get_config_vars('VERSION')))"`
py_version=`$PYTHON -c "from distutils.sysconfig import *; \
from string import join; \
print join(get_config_vars('VERSION'))"`
if test "$py_version" == "[None]"; then
if test -n "$PYTHON_VERSION"; then
py_version=$PYTHON_VERSION
else
py_version=`$PYTHON -c "import sys; \
sys.stdout.write("%s\n" % sys.version[[:3]])"`
print sys.version[[:3]]"`
fi
fi
PYTHON_LDFLAGS=`$PYTHON -c "import sys; from distutils.sysconfig import *; \
sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHON -c \
"import sys; sys.stdout.write('%s' % getattr(sys,'abiflags',''))"`
PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
from string import join; \
print '-L' + get_python_lib(0,1), \
'-lpython';"`$py_version
fi
AC_MSG_RESULT([$PYTHON_LDFLAGS])
AC_SUBST([PYTHON_LDFLAGS])
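Review bot: `if test "$py_version" == "[None]"; then` uses `==`, which POSIX `test` does not accept (dash and other plain `sh` implementations reject it); use a single `=`. The fallback `sys.stdout.write("%s\n" % sys.version[[:3]])` line has the same nested-double-quote problem as the version probe above, and slicing `sys.version[[:3]]` truncates two-digit minor versions (3.10 becomes 3.1); derive the string from `sys.version_info[[:2]]` instead. The `-lpython` flag is also assembled by gluing three command substitutions and `$py_version` together on one line; build it in a plain shell variable so the quoting can be read.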
@@ -126,8 +122,8 @@ sys.stdout.write('-L' + get_python_lib(0,1) + ' -lpython\n')"`$py_version`$PYTHO
#
AC_MSG_CHECKING([for Python site-packages path])
if test -z "$PYTHON_SITE_PKG"; then
PYTHON_SITE_PKG=`$PYTHON -c "import sys; import distutils.sysconfig; \
sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
print distutils.sysconfig.get_python_lib(0,0);"`
fi
AC_MSG_RESULT([$PYTHON_SITE_PKG])
AC_SUBST([PYTHON_SITE_PKG])
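Review bot: `print distutils.sysconfig.get_python_lib(0,0);` is Python 2 statement syntax; with a Python 3 interpreter in `$PYTHON` it is a SyntaxError, the command substitution comes back empty and `PYTHON_SITE_PKG` is silently substituted as a blank path, whereas the `sys.stdout.write('%s\n' % ...)` form runs on both. The same trade-off applies to the LOCALMODLIBS/LIBS and LINKFORSHARED probes in the following hunks. Whichever form is kept, the macro should report failure at the `AC_MSG_CHECKING` step when the probe returns an empty string rather than letting configure continue with an empty variable.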
@@ -137,9 +133,9 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
#
AC_MSG_CHECKING(python extra libraries)
if test -z "$PYTHON_EXTRA_LIBS"; then
PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
conf = distutils.sysconfig.get_config_var; \
sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
conf = distutils.sysconfig.get_config_var; \
print conf('LOCALMODLIBS'), conf('LIBS')"`
fi
AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
AC_SUBST(PYTHON_EXTRA_LIBS)
@@ -149,9 +145,9 @@ sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
#
AC_MSG_CHECKING(python extra linking flags)
if test -z "$PYTHON_EXTRA_LDFLAGS"; then
PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
conf = distutils.sysconfig.get_config_var; \
sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
conf = distutils.sysconfig.get_config_var; \
print conf('LINKFORSHARED')"`
fi
AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
AC_SUBST(PYTHON_EXTRA_LDFLAGS)
@@ -162,8 +158,6 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
AC_MSG_CHECKING([consistency of all components of python development environment])
AC_LANG_PUSH([C])
# save current global flags
ac_save_LIBS="$LIBS"
ac_save_CPPFLAGS="$CPPFLAGS"
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
AC_TRY_LINK([

View File

@@ -0,0 +1,33 @@
INCLUDES = $(all_includes)
BUILT_SOURCES = grammar.h scanner.h
AM_LFLAGS = -v
AM_YFLAGS = -d -p aalogparse_
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
scanner.h: scanner.l
$(LEX) -v $<
scanner.c: scanner.l
changehatdir = $(includedir)/sys
changehat_HEADERS = apparmor.h
aalogparsedir = $(includedir)/aalogparse
aalogparse_HEADERS = aalogparse.h
lib_LTLIBRARIES = libapparmor.la libimmunix.la
noinst_HEADERS = grammar.h parser.h scanner.h
libapparmor_la_SOURCES = grammar.y libaalogparse.c change_hat.c scanner.c
libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
-Wl,--version-script=libapparmor.map -Wl,-soname=libapparmor.so.1
libimmunix_la_SOURCES = change_hat.c libimmunix_warning.c
libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=libapparmor.map -Wl,-soname=libimmunix.so.1
tst_aalogmisc_SOURCES = tst_aalogmisc.c
tst_aalogmisc_LDADD = .libs/libapparmor.a
check_PROGRAMS = tst_aalogmisc
TESTS = $(check_PROGRAMS)
EXTRA_DIST = grammar.y scanner.l libapparmor.map
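Review bot: `tst_aalogmisc_LDADD = .libs/libapparmor.a` reaches into libtool's private `.libs` directory, and that static archive only exists when static libraries are enabled; link against `libapparmor.la` and let libtool choose the object. The `scanner.c: scanner.l` rule has no recipe, so scanner.c is produced only as a side effect of `scanner.h: scanner.l` running `$(LEX) -v $<` (scanner.l's `%option outfile="scanner.c"` writes both files); either give scanner.c the recipe and make scanner.h depend on it, or drop the empty rule so make does not treat scanner.c as up to date when scanner.l changes.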

View File

@@ -0,0 +1,159 @@
/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
#ifndef __LIBAALOGPARSE_H_
#define __LIBAALOGPARSE_H_
#define AA_RECORD_EXEC_MMAP 1
#define AA_RECORD_READ 2
#define AA_RECORD_WRITE 4
#define AA_RECORD_EXEC 8
#define AA_RECORD_LINK 16
/**
* This is just for convenience now that we have two
* wildly different grammars.
*/
typedef enum
{
AA_RECORD_SYNTAX_V1,
AA_RECORD_SYNTAX_V2,
AA_RECORD_SYNTAX_UNKNOWN
} aa_record_syntax_version;
typedef enum
{
AA_RECORD_INVALID, /* Default event type */
AA_RECORD_ERROR, /* Internal AA error */
AA_RECORD_AUDIT, /* Audited event */
AA_RECORD_ALLOWED, /* Complain mode event */
AA_RECORD_DENIED, /* Denied access event */
AA_RECORD_HINT, /* Process tracking info */
AA_RECORD_STATUS /* Configuration change */
} aa_record_event_type;
/**
* With the sole exception of active_hat, this is a 1:1
* mapping from the keys that the new syntax uses.
*
* Some examples of the old syntax and how they're mapped with the aa_log_record struct:
*
* "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
* - operation: access
* - requested_mask: r
* - pid: 12345
* - profile: /profile
* - name: /path
* - info: program_name
* - active_hat: hat
*
* "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
* - operation: mkdir
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: xattr
* - attribute: set
* - name: /path/to/something
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: setattr
* - attribute: something
* - name: /else
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
* - operation: capability
* - name: cap
* - info: bash
* - pid: 23415
* - profile: /bin/freak-aa-out
* - active_hat: /bin/freak-aa-out
*
* "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
* - operation: change_hat
* - name: TESTHAT
* - info: unknown_hat
* - pid: 27764
* - profile: /change_hat_test/test_hat
* - active_hat: /change_hat_test/test_hat
*
* "LOGPROF-HINT fork pid=27764 child=38229"
* - operation: clone
* - task: 38229
* - pid: 27764
**/
typedef struct
{
aa_record_syntax_version version;
aa_record_event_type event; /* Event type */
unsigned long pid; /* PID of the program logging the message */
unsigned long task;
unsigned long magic_token;
long epoch; /* example: 12345679 */
unsigned int audit_sub_id; /* example: 12 */
int bitmask; /* Bitmask containing "r" "w" "x" etc */
char *audit_id; /* example: 12345679.1234:12 */
char *operation; /* "Exec" "Ptrace", etc. */
char *denied_mask; /* "r", "w", etc. */
char *requested_mask;
char *profile; /* The name of the profile */
char *name;
char *name2;
char *attribute;
unsigned long parent;
char *info;
char *active_hat;
char *net_family;
char *net_protocol;
char *net_sock_type;
} aa_log_record;
/**
* Parses a single log record string and returns a pointer to the parsed
* data. It is the calling program's responsibility to free that struct
* with free_record();
* @param[in] Record to parse.
* @return Parsed data.
*/
aa_log_record *
parse_record(char *str);
/**
* Frees all struct data.
* @param[in] Data to free.
*/
void
free_record(aa_log_record *record);
#endif
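Review bot: `parse_record(char *str)` should take `const char *`: nothing in the implementation writes to the string (it is handed to the flex `aalogparse__scan_string` buffer), and the non-const signature forces callers to cast string literals and read-only log buffers. The two `@param[in]` lines also omit the parameter name (`@param[in] str Record to parse.`), and the `AA_RECORD_EXEC_MMAP` .. `AA_RECORD_LINK` bits together with the `bitmask` field are declared but never populated (libaalogparse.c still lists "Convert the text permission mask into a bitmask" as a TODO); mark them as not yet implemented so consumers do not rely on them.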

View File

@@ -0,0 +1,27 @@
/* $Id: apparmor.h 132 2006-09-28 07:45:55Z steve-beattie $
Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#ifndef _SYS_APPARMOR_H_
#define _SYS_APPARMOR_H 1
__BEGIN_DECLS
/* Prototype for change_hat as defined by the AppArmor project
<http://forge.novell.com/modules/xfmod/project/?apparmor>
Please see the change_hat(2) manpage for information. */
extern int (change_hat)(const char *subprofile, unsigned int magic_token);
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
extern int aa_change_profile(const char *profile);
#define change_hat(X, Y) aa_change_hat((X), (Y))
__END_DECLS
#endif /* sys/apparmor.h */
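Review bot: the include guard is mismatched: `#ifndef _SYS_APPARMOR_H_` is followed by `#define _SYS_APPARMOR_H 1` (no trailing underscore), so the guard macro is never defined and the header is re-processed on every inclusion; spell it the same way on both lines. `__BEGIN_DECLS` / `__END_DECLS` also come from `<sys/cdefs.h>`, which this header does not include, so it fails to compile when included before any other system header; add the include or write the `extern "C"` block out explicitly.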

View File

@@ -0,0 +1,134 @@
/* $Id: change_hat.c 13 2006-04-12 21:43:34Z steve-beattie $
Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
The libapparmor library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <errno.h>
#include <limits.h>
#define symbol_version(real, name, version) \
__asm__ (".symver " #real "," #name "@" #version)
#define default_symbol_version(real, name, version) \
__asm__ (".symver " #real "," #name "@@" #version)
static int setprocattr(const char *buf, int len)
{
int rc = -1;
int fd, ret, ctlerr = 0;
char *ctl = NULL;
pid_t tid = syscall(SYS_gettid);
if (!buf) {
errno = EINVAL;
goto out;
}
ctlerr = asprintf(&ctl, "/proc/%d/attr/current", tid);
if (ctlerr < 0) {
goto out;
}
fd = open(ctl, O_WRONLY);
if (fd == -1) {
goto out;
}
ret = write(fd, buf, len);
if (ret != len) {
int saved;
if (ret != -1) {
errno = EPROTO;
}
saved = errno;
(void)close(fd);
errno = saved;
goto out;
}
rc = 0;
(void)close(fd);
out:
if (ctl) {
free(ctl);
}
return rc;
}
int aa_change_hat(const char *subprofile, unsigned long token)
{
int rc = -1;
int len = 0;
char *buf = NULL;
const char *fmt = "changehat %016x^%s";
/* both may not be null */
if (!(token || subprofile)) {
errno = EINVAL;
goto out;
}
if (subprofile && strnlen(subprofile, PATH_MAX + 1) > PATH_MAX) {
errno = EPROTO;
goto out;
}
len = asprintf(&buf, fmt, token, subprofile ? subprofile : "");
if (len < 0) {
goto out;
}
rc = setprocattr(buf, len);
out:
if (buf) {
/* clear local copy of magic token before freeing */
memset(buf, '\0', len);
free(buf);
}
return rc;
}
/* original change_hat interface */
int __change_hat(char *subprofile, unsigned int token)
{
return aa_change_hat(subprofile, (unsigned long) token);
}
int aa_change_profile(const char *profile)
{
char *buf = NULL;
int len;
int rc;
if (!profile) {
errno = EINVAL;
return -1;
}
len = asprintf(&buf, "changeprofile %s", profile);
if (len < 0)
return -1;
rc = setprocattr(buf, len);
free(buf);
return rc;
}
/* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);
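Review bot: `const char *fmt = "changehat %016x^%s";` formats `unsigned long token` with `%x`, which expects an `unsigned int`; on LP64 that is undefined behaviour and in practice only the low 32 bits of the 64-bit magic token (the point of the `aa_change_hat` change) reach the kernel. Use `%016lx`. Also, `memset(buf, '\0', len)` immediately before `free(buf)` is exactly the dead store a compiler is allowed to elide, so the token can survive in freed heap; clear it through a `volatile` pointer (or `explicit_bzero` where available). Finally, `__change_hat(char *subprofile, unsigned int token)` should take `const char *` to match the `(change_hat)(const char *subprofile, ...)` prototype in sys/apparmor.h.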

View File

@@ -0,0 +1,438 @@
/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
%{
#define YYDEBUG 0
#include <string.h>
#include "aalogparse.h"
#include "parser.h"
#include "grammar.h"
#include "scanner.h"
aa_log_record *ret_record;
/* Since we're a library, on any errors we don't want to print out any
* error messages. We should probably add a debug interface that does
* emit messages when asked for. */
void aalogparse_error(void *scanner, char const *s)
{
/* printf("Error: %s\n", s); */
ret_record->event = AA_RECORD_INVALID;
}
struct aa_type_table {
unsigned int audit_type;
aa_record_event_type event;
};
static struct aa_type_table aa_type_table[] = {
{AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
{AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
{AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
{AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
{AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
{0, AA_RECORD_INVALID},
};
aa_record_event_type lookup_aa_event(unsigned int type)
{
int i;
for (i = 0; aa_type_table[i].audit_type != 0; i++)
if (type == aa_type_table[i].audit_type)
break;
return aa_type_table[i].event;
}
%}
%defines
%pure_parser
%lex-param{void *scanner}
%parse-param{void *scanner}
%union
{
char *t_str;
long t_long;
}
%type <t_str> old_profile safe_string protocol
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
%token TOK_EQUALS
%token TOK_COLON
%token TOK_OPEN_PAREN
%token TOK_CLOSE_PAREN
%token TOK_PERIOD
%token TOK_TYPE_REJECT
%token TOK_TYPE_AUDIT
%token TOK_TYPE_COMPLAIN
%token TOK_TYPE_HINT
%token TOK_TYPE_STATUS
%token TOK_TYPE_ERROR
%token TOK_OLD_TYPE_APPARMOR
%token TOK_OLD_APPARMOR_REJECT
%token TOK_OLD_APPARMOR_PERMIT
%token TOK_OLD_APPARMOR_AUDIT
%token TOK_OLD_APPARMOR_LOGPROF_HINT
%token TOK_OLD_UNKNOWN_HAT
%token TOK_OLD_ACTIVE
%token TOK_OLD_UNKNOWN_PROFILE
%token TOK_OLD_MISSING_PROFILE
%token TOK_OLD_CHANGING_PROFILE
%token TOK_OLD_ACCESS
%token TOK_OLD_TO
%token TOK_OLD_FROM
%token TOK_OLD_PIPE
%token TOK_OLD_EXTENDED
%token TOK_OLD_ATTRIBUTE
%token TOK_OLD_ON
%token TOK_OLD_MKDIR
%token TOK_OLD_RMDIR
%token TOK_OLD_XATTR
%token TOK_OLD_CHANGE
%token TOK_OLD_CAPABILITY
%token TOK_OLD_SYSCALL
%token TOK_OLD_LINK
%token TOK_OLD_FORK
%token TOK_OLD_CHILD
%token TOK_KEY_TYPE
%token TOK_KEY_MSG
%token TOK_KEY_OPERATION
%token TOK_KEY_NAME
%token TOK_KEY_NAME2
%token TOK_KEY_DENIED_MASK
%token TOK_KEY_REQUESTED_MASK
%token TOK_KEY_ATTRIBUTE
%token TOK_KEY_TASK
%token TOK_KEY_PARENT
%token TOK_KEY_MAGIC_TOKEN
%token TOK_KEY_INFO
%token TOK_KEY_PID
%token TOK_KEY_PROFILE
%token TOK_AUDIT
%token TOK_KEY_IMAGE
%token TOK_KEY_FAMILY
%token TOK_KEY_SOCK_TYPE
%token TOK_KEY_PROTOCOL
%token TOK_SYSLOG_KERNEL
%%
log_message: audit_type
| syslog_type
;
audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
type_syntax: old_syntax { ret_record->version = AA_RECORD_SYNTAX_V1; }
| new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
| other_audit
;
old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
| TOK_TYPE_UNKNOWN audit_msg old_msg
;
new_syntax:
TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
;
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
{
ret_record->operation = $1;
ret_record->event = AA_RECORD_INVALID;
ret_record->info = $3;
}
;
syslog_type:
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg
{ ret_record->version = AA_RECORD_SYNTAX_V1; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
;
old_msg:
old_permit_reject_type old_permit_reject_syntax
| TOK_OLD_APPARMOR_LOGPROF_HINT old_logprof_syntax { ret_record->event = AA_RECORD_HINT; }
;
old_permit_reject_type:
TOK_OLD_APPARMOR_REJECT { ret_record->event = AA_RECORD_DENIED; }
| TOK_OLD_APPARMOR_PERMIT { ret_record->event = AA_RECORD_ALLOWED; }
| TOK_OLD_APPARMOR_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
;
old_permit_reject_syntax:
TOK_MODE TOK_OLD_ACCESS old_permit_reject_path_pipe_extended
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->requested_mask = $1;
ret_record->operation = strdup("access");
}
| dir_action TOK_OLD_ON TOK_PATH
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->name = $3;
}
| TOK_OLD_XATTR TOK_ID TOK_OLD_ON TOK_PATH
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->operation = strdup("xattr");
ret_record->attribute = $2;
ret_record->name = $4;
}
| TOK_KEY_ATTRIBUTE TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN
TOK_OLD_CHANGE TOK_OLD_TO TOK_PATH
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->operation = strdup("setattr");
ret_record->attribute = $3;
ret_record->name = $7;
}
| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_CAPABILITY TOK_SINGLE_QUOTED_STRING
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->operation = strdup("capability");
ret_record->name = $4;
}
| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_SYSCALL TOK_SINGLE_QUOTED_STRING
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->operation = strdup("syscall");
ret_record->name = $4;
}
| TOK_OLD_LINK TOK_OLD_ACCESS TOK_OLD_FROM TOK_PATH TOK_OLD_TO TOK_PATH
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
{
ret_record->requested_mask = strdup("l");
ret_record->name = $4;
ret_record->name2 = $6;
}
;
dir_action:
TOK_OLD_MKDIR { ret_record->operation = strdup("mkdir"); }
| TOK_OLD_RMDIR { ret_record->operation = strdup("rmdir"); }
;
old_process_state:
TOK_ID TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN old_profile_names
{
ret_record->info = $1;
ret_record->pid = atol($3);
free($3);
}
;
old_profile_names:
TOK_KEY_PROFILE old_profile TOK_OLD_ACTIVE old_profile
{ ret_record->profile = $2;
ret_record->active_hat = $4;
}
;
old_permit_reject_path_pipe_extended:
TOK_OLD_TO TOK_PATH
{
ret_record->name = $2;
}
| TOK_OLD_TO TOK_OLD_PIPE /* Frankly, I don't think this is used */
{
ret_record->info = strdup("pipe");
}
| TOK_OLD_EXTENDED TOK_KEY_ATTRIBUTE /* Nor this */
{
ret_record->info = strdup("extended attribute");
}
;
old_logprof_syntax:
old_logprof_syntax2 key_pid
TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
{
ret_record->profile = strdup($5);
free($5);
ret_record->active_hat = strdup($8);
free($8);
}
| old_logprof_fork_syntax
| TOK_OLD_CHANGING_PROFILE key_pid
{ ret_record->profile = strdup("null-complain-profile"); }
;
old_logprof_syntax2:
TOK_OLD_UNKNOWN_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
{
ret_record->operation = strdup("profile_set");
ret_record->info = strdup("unknown profile");
ret_record->name = strdup($4);
free($4);
}
| TOK_OLD_MISSING_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
{
ret_record->operation = strdup("exec");
ret_record->info = strdup("mandatory profile missing");
ret_record->name = strdup($4);
free($4);
}
| TOK_OLD_UNKNOWN_HAT TOK_ID
{
ret_record->operation = strdup("change_hat");
ret_record->name = strdup($2);
free($2);
ret_record->info = strdup("unknown_hat");
}
;
/* TODO: Clean this up */
old_logprof_fork_syntax:
TOK_OLD_FORK key_pid
TOK_OLD_CHILD TOK_EQUALS TOK_DIGITS old_logprof_fork_addition
{
ret_record->operation = strdup("clone");
ret_record->task = $5;
}
;
old_logprof_fork_addition:
/* Nothin */
| TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
{
ret_record->profile = $3;
ret_record->active_hat = $6;
}
;
old_profile:
TOK_PATH { $$ = $1; }
| TOK_ID { $$ = $1; }
| TOK_NULL_COMPLAIN { $$ = strdup("null-complain-profile"); }
;
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
;
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
{
asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7);
ret_record->epoch = atol($3);
ret_record->audit_sub_id = atoi($7);
free($3);
free($5);
free($7);
} ;
syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
;
key_list: key
| key_list key
;
key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->operation = $3;}
| TOK_KEY_NAME TOK_EQUALS safe_string
{ ret_record->name = $3;}
| TOK_KEY_NAME2 TOK_EQUALS safe_string
{ ret_record->name2 = $3;}
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->denied_mask = $3;}
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->requested_mask = $3;}
| TOK_KEY_ATTRIBUTE TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->attribute = $3;}
| TOK_KEY_TASK TOK_EQUALS TOK_DIGITS
{ ret_record->task = $3;}
| TOK_KEY_PARENT TOK_EQUALS TOK_DIGITS
{ ret_record->parent = $3;}
| TOK_KEY_MAGIC_TOKEN TOK_EQUALS TOK_DIGITS
{ ret_record->magic_token = $3;}
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->info = $3;}
| key_pid
| TOK_KEY_PROFILE TOK_EQUALS safe_string
{ ret_record->profile = $3;}
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_family = $3;}
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
{ ret_record->net_sock_type = $3;}
| TOK_KEY_PROTOCOL TOK_EQUALS protocol
{ ret_record->net_protocol = $3;}
| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
{ ret_record->event = lookup_aa_event($3);}
;
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
;
safe_string: TOK_QUOTED_STRING
| TOK_HEXSTRING
;
protocol: TOK_QUOTED_STRING
| TOK_DIGITS
{ /* FIXME: this should probably convert back to a string proto name */
char *ret = NULL;
if (asprintf(&ret, "%ld", $1) < 0)
yyerror(NULL, "Unable to allocate protocol string");
$$ = ret;
}
;
%%
aa_log_record *
_parse_yacc(char *str)
{
/* yydebug = 1; */
YY_BUFFER_STATE lex_buf;
yyscan_t scanner;
int parser_return;
ret_record = NULL;
ret_record = (aa_log_record *) malloc(sizeof(aa_log_record));
_init_log_record(ret_record);
if (ret_record == NULL)
return NULL;
aalogparse_lex_init(&scanner);
lex_buf = aalogparse__scan_string(str, scanner);
parser_return = aalogparse_parse(scanner);
aalogparse__delete_buffer(lex_buf, scanner);
aalogparse_lex_destroy(scanner);
return ret_record;
}
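Review bot: the parser fills in the file-scope global `aa_log_record *ret_record;` (and `aalogparse_error` writes to it as well), so although the grammar is declared `%pure_parser` with `%parse-param{void *scanner}`, two threads calling `parse_record()` at the same time will corrupt each other's records; pass the record as a second `%parse-param` instead of keeping it global. In `_parse_yacc`, `parser_return` is assigned and never read, and the `asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7);` call in the `audit_id` rule ignores a failure return, leaving `audit_id` indeterminate; check it the way the `protocol` rule checks its `asprintf`.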

View File

@@ -0,0 +1,139 @@
/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*
*/
/*
* @author Matt Barringer <mbarringer@suse.de>
*/
/*
* TODO:
*
* - Convert the text permission mask into a bitmask
* - Clean up parser grammar
*/
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "aalogparse.h"
#include "parser.h"
/* This is mostly just a wrapper around the code in grammar.y */
aa_log_record *parse_record(char *str)
{
if (str == NULL)
return NULL;
return _parse_yacc(str);
}
void free_record(aa_log_record *record)
{
if (record != NULL)
{
if (record->operation != NULL)
free(record->operation);
if (record->requested_mask != NULL)
free(record->requested_mask);
if (record->denied_mask != NULL)
free(record->denied_mask);
if (record->profile != NULL)
free(record->profile);
if (record->name != NULL)
free(record->name);
if (record->name2 != NULL)
free(record->name2);
if (record->attribute != NULL)
free(record->attribute);
if (record->info != NULL)
free(record->info);
if (record->active_hat != NULL)
free(record->active_hat);
if (record->audit_id != NULL)
free(record->audit_id);
if (record->net_family != NULL)
free(record->net_family);
if (record->net_protocol != NULL)
free(record->net_protocol);
if (record->net_sock_type != NULL)
free(record->net_sock_type);
free(record);
}
return;
}
/* Set all of the fields to appropriate values */
void _init_log_record(aa_log_record *record)
{
if (record == NULL)
return;
record->version = AA_RECORD_SYNTAX_UNKNOWN;
record->event = AA_RECORD_INVALID;
record->pid = 0;
record->bitmask = 0;
record->task = 0;
record->magic_token = 0;
record->epoch = 0;
record->audit_sub_id = 0;
record->audit_id = NULL;
record->operation = NULL;
record->denied_mask = NULL;
record->requested_mask = NULL;
record->profile = NULL;
record->name = NULL;
record->name2 = NULL;
record->attribute = NULL;
record->parent = 0;
record->info = NULL;
record->active_hat = NULL;
record->net_family = NULL;
record->net_protocol = NULL;
record->net_sock_type = NULL;
return;
}
/* convert a hex-encoded string to its char* version */
char *hex_to_string(char *hexstring)
{
char *ret = NULL;
char buf[3], *endptr;
size_t len;
int i;
if (!hexstring)
goto out;
len = strlen(hexstring) / 2;
ret = malloc(len + 1);
if (!ret)
goto out;
for (i = 0; i < len; i++) {
sprintf(buf, "%.2s", hexstring);
hexstring += 2;
ret[i] = (unsigned char) strtoul(buf, &endptr, 16);
}
ret[len] = '\0';
out:
return ret;
}
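Review bot: `hex_to_string()` decodes without validating its input: `strtoul(buf, &endptr, 16)` is called but `endptr` is never examined, so a non-hex character silently becomes a partial or zero byte, an odd-length string drops its last nibble, and a `00` pair produces an embedded NUL that truncates the result for every `strlen`-based consumer. Since the hex-encoded names come straight from the log, and therefore from whatever file names the logged process chose, the function should return NULL on odd length or whenever `endptr != buf + 2`, and callers should treat that as a parse error. The loop index `int i` is also compared against `size_t len`; make it a `size_t`.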

View File

@@ -0,0 +1,25 @@
IMMUNIX_1.0 {
global:
change_hat;
local:
*;
};
APPARMOR_1.0 {
global:
change_hat;
parse_record;
free_record;
local:
*;
} IMMUNIX_1.0;
APPARMOR_1.1 {
global:
aa_change_hat;
aa_change_profile;
parse_record;
free_record;
local:
*;
} APPARMOR_1.0;
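Review bot: `parse_record` and `free_record` are listed under both `APPARMOR_1.0` and `APPARMOR_1.1`. A defined symbol carries exactly one version, and unlike `change_hat` (which gets its two versions from the `.symver` directives in change_hat.c) there are no aliases for these two, so one of the entries is dead; keep them in the node matching the release that first exported them and drop the duplicate so the script states the intended version.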

View File

@@ -0,0 +1,23 @@
/* $Id: libimmunix_warning.c 13 2006-04-12 21:43:34Z steve-beattie $
Copyright (c) 2006 Novell, Inc. (All rights reserved)
The libimmunix library is licensed under the terms of the GNU
Lesser General Public License, version 2.1. Please see the file
COPYING.LGPL.
*/
#include <syslog.h>
void __libimmunix_warning(void) __attribute__ ((constructor));
void __libimmunix_warning(void)
{
extern const char *__progname; /* global from linux crt0 */
openlog (__progname, LOG_PID|LOG_PERROR, LOG_USER);
syslog(LOG_NOTICE,
"%s links against libimmunix.so, which is deprecated. "
"Please link against libapparmor instead\n",
__progname);
closelog();
}
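Review bot: the constructor's `openlog (__progname, LOG_PID|LOG_PERROR, LOG_USER);` makes every binary that still links libimmunix print the deprecation notice to its own stderr before `main()` runs, which breaks programs whose stderr is consumed by a caller and is easy to mistake for an error from the program itself; prefer plain `syslog` without `LOG_PERROR`, or gate the stderr copy on an environment variable. `extern const char *__progname` is an undocumented glibc internal; `program_invocation_short_name` (from `<errno.h>` with `_GNU_SOURCE`) is the supported spelling. The trailing `\n` in the syslog format string is unnecessary.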

View File

@@ -0,0 +1,36 @@
/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
#ifndef __AA_LOG_PARSER_H__
#define __AA_LOG_PARSER_H__
extern void _init_log_record(aa_log_record *record);
extern aa_log_record *_parse_yacc(char *str);
extern char *hex_to_string(char *str);
/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
* guarantee these will exist there. */
#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
#define AUDIT_APPARMOR_DENIED 1503
#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
#endif
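Review bot: the header uses aa_log_record in the `_init_log_record` and `_parse_yacc` prototypes but does not include aalogparse.h, so it only compiles when included after that header; add `#include "aalogparse.h"` under the guard so include order does not matter. For the AUDIT_APPARMOR_* values the FIXME mentions, wrapping them in `#ifndef AUDIT_APPARMOR_AUDIT` would avoid a redefinition error once <linux/audit.h> does provide them.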


@@ -0,0 +1,320 @@
/*
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc.
*/
%option noyywrap
%option reentrant
%option prefix="aalogparse_"
%option bison-bridge
%option header-file="scanner.h"
%option outfile="scanner.c"
%option stack
%{
#include "grammar.h"
#include "aalogparse.h"
#include "parser.h"
%}
ws [ \t\r\n]
equals "="
digits [0-9]+
hex [A-F0-9]
colon ":"
open_paren "("
close_paren ")"
ID [^ \t\n\(\)="'!]
path "/"{ID}*
hexstring ({hex}{hex})+
period "\."
mode_chars ([RrWwLalMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])
modes {mode_chars}+
/* New message types */
reject_type "APPARMOR_DENIED"
audit_type "APPARMOR_AUDIT"
complain_type "APPARMOR_ALLOWED"
hint_type "APPARMOR_HINT"
status_type "APPARMOR_STATUS"
error_type "APPARMOR_ERROR"
unknown_type UNKNOWN\[{digits}+\]
other_audit_type [[:alnum:]\[\]_-]+
/* Old message tokens */
old_apparmor_type "APPARMOR"
old_apparmor_reject "REJECTING"
old_apparmor_permit "PERMITTING"
old_apparmor_audit "AUDITING"
old_apparmor_logprof "LOGPROF-HINT"
old_unknown_hat "unknown_hat"
old_unknown_profile "unknown_profile"
old_missing_profile "missing_mandatory_profile"
old_changing_profile "changing_profile"
old_active "active"
old_access "access"
old_from "from"
old_to "to"
old_pipe "pipe"
old_extended "extended"
old_rmdir "rmdir"
old_mkdir "mkdir"
old_on "on"
old_xattr "xattr"
old_change "change"
old_capability "capability"
old_syscall "syscall"
old_link "link"
old_fork "fork"
old_child "child"
null_complain "null-complain-profile"
/* Key tokens */
key_type "type"
key_msg "msg"
key_operation "operation"
key_name "name"
key_name2 "name2"
key_denied_mask "denied_mask"
key_requested_mask "requested_mask"
key_attribute "attribute"
key_task "task"
key_parent "parent"
key_magic_token "magic_token"
key_info "info"
key_pid "pid"
key_profile "profile"
key_image "image"
key_family "family"
key_sock_type "sock_type"
key_protocol "protocol"
audit "audit"
/* syslog tokens */
syslog_kernel kernel{colon}
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
syslog_time {digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
syslog_hostname [[:alnum:]_-]+
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x quoted_string
%x sub_id
%x audit_id
%x single_quoted_string
%x hostname
%x dmesg_timestamp
%x safe_string
%x audit_types
%x other_audit
%x unknown_message
%%
%{
char string_buf[512];
char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
/* yy_flex_debug = 1; */
%}
{ws}+ { /* Skip whitespace */ }
<audit_id>{
{digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
{colon} { return(TOK_COLON); }
{period} { return(TOK_PERIOD); }
{open_paren} { return(TOK_OPEN_PAREN); }
{close_paren} { yy_pop_state(yyscanner); return(TOK_CLOSE_PAREN); }
}
<sub_id>{
{open_paren} { return(TOK_OPEN_PAREN); }
{close_paren} { BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
{ws} { }
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
{ID}+ {
yylval->t_str = strdup(yytext);
BEGIN(INITIAL);
return(TOK_ID);
}
{equals} { return(TOK_EQUALS); }
}
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
<single_quoted_string>"'" { /* End of the quoted string */
BEGIN(INITIAL);
*string_buf_ptr = '\0';
yylval->t_str = strdup(string_buf);
return(TOK_SINGLE_QUOTED_STRING);
}
<single_quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
<single_quoted_string>[^\\\n\'\"]+ {
char *yptr = yytext;
while (*yptr)
{
*string_buf_ptr++ = *yptr++;
}
}
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
<quoted_string>\" { /* End of the quoted string */
BEGIN(INITIAL);
*string_buf_ptr = '\0';
yylval->t_str = strdup(string_buf);
return(TOK_QUOTED_STRING);
}
<quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
<quoted_string>[^\\\n\"]+ {
char *yptr = yytext;
while (*yptr)
{
*string_buf_ptr++ = *yptr++;
}
}
<safe_string>{
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
{hexstring} { yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
{equals} { return(TOK_EQUALS); }
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
}
<audit_types>{
{equals} { return(TOK_EQUALS); }
{digits} { yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
{reject_type} { BEGIN(INITIAL); return(TOK_TYPE_REJECT); }
{audit_type} { BEGIN(INITIAL); return(TOK_TYPE_AUDIT); }
{complain_type} { BEGIN(INITIAL); return(TOK_TYPE_COMPLAIN); }
{hint_type} { BEGIN(INITIAL); return(TOK_TYPE_HINT); }
{status_type} { BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
{error_type} { BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
{unknown_type} { char *yptr = yytext;
while (*yptr && *yptr != '[')
yptr++;
if (*yptr)
yylval->t_long = atol(yptr + 1); /* skip '[' */
BEGIN(INITIAL);
return(TOK_TYPE_UNKNOWN);
}
{old_apparmor_type} { BEGIN(INITIAL); return(TOK_OLD_TYPE_APPARMOR); }
{other_audit_type} { yylval->t_str = strdup(yytext);
BEGIN(other_audit);
return(TOK_TYPE_OTHER);
}
}
{equals} { return(TOK_EQUALS); }
{digits} { yylval->t_long = atol(yytext); return(TOK_DIGITS); }
{colon} { return(TOK_COLON); }
{open_paren} {
BEGIN(sub_id);
return(TOK_OPEN_PAREN);
}
{close_paren} { return(TOK_CLOSE_PAREN); }
{path} { yylval->t_str = strdup(yytext); return(TOK_PATH); }
{period} { return(TOK_PERIOD); }
{old_apparmor_reject} { return(TOK_OLD_APPARMOR_REJECT); }
{old_apparmor_permit} { return(TOK_OLD_APPARMOR_PERMIT); }
{old_apparmor_audit} { return(TOK_OLD_APPARMOR_AUDIT); }
{old_apparmor_logprof} { return(TOK_OLD_APPARMOR_LOGPROF_HINT); }
{old_unknown_hat} { BEGIN(sub_id); return(TOK_OLD_UNKNOWN_HAT); }
{old_unknown_profile} { return(TOK_OLD_UNKNOWN_PROFILE); }
{old_missing_profile} { return(TOK_OLD_MISSING_PROFILE); }
{old_changing_profile} { return(TOK_OLD_CHANGING_PROFILE); }
{old_active} { BEGIN(sub_id); return(TOK_OLD_ACTIVE); }
{old_access} { return(TOK_OLD_ACCESS); }
{old_to} { return(TOK_OLD_TO); }
{old_from} { return(TOK_OLD_FROM); }
{old_pipe} { return(TOK_OLD_PIPE); }
{old_extended} { return(TOK_OLD_EXTENDED); }
{old_mkdir} { return(TOK_OLD_MKDIR); }
{old_rmdir} { return(TOK_OLD_RMDIR); }
{old_on} { return(TOK_OLD_ON); }
{old_xattr} { BEGIN(sub_id); return(TOK_OLD_XATTR); }
{old_change} { return(TOK_OLD_CHANGE); }
{old_capability} { BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
{old_syscall} { return(TOK_OLD_SYSCALL); }
{old_link} { return(TOK_OLD_LINK); }
{old_fork} { return(TOK_OLD_FORK); }
{old_child} { return(TOK_OLD_CHILD); }
{modes} { yylval->t_str = strdup(yytext); return(TOK_MODE); }
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
{key_msg} { return(TOK_KEY_MSG); }
{key_operation} { return(TOK_KEY_OPERATION); }
{key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
{key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
{key_task} { return(TOK_KEY_TASK); }
{key_parent} { return(TOK_KEY_PARENT); }
{key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
{key_info} { return(TOK_KEY_INFO); }
{key_pid} { return(TOK_KEY_PID); }
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
{key_family} { return(TOK_KEY_FAMILY); }
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
{key_protocol} { return(TOK_KEY_PROTOCOL); }
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
{null_complain} { return(TOK_NULL_COMPLAIN); }
{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
<hostname>{
{ws}+ { /* eat whitespace */ }
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
}
<dmesg_timestamp>{
{ws}+ { /* eat whitespace */ }
{dmesg_timestamp} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_DMESG_STAMP); }
. { /* no timestamp in this message */ BEGIN(INITIAL); yyless(0); }
}
<other_audit>{
{ws}+ { /* eat whitespace */ }
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
{key_msg} { return(TOK_KEY_MSG); }
{equals} { return(TOK_EQUALS); }
{colon} { return(TOK_COLON); }
. { BEGIN(unknown_message); yyless(0); /* dump the rest */ }
}
<unknown_message>{
.* { yylval->t_str = strdup(yytext); return(TOK_MSG_REST); }
\n { /* not sure why needed here and not elsewhere */ }
}
%%
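Review bot: the quoted-string rules copy into the fixed 512-byte string_buf with no bounds check: `<quoted_string>[^\\\n\"]+ {` runs `*string_buf_ptr++ = *yptr++;` over the whole match, and `<single_quoted_string>\\(.|\n)` appends unconditionally, so a log line whose quoted name is longer than 511 bytes overflows a buffer that lives on yylex()'s stack. Audit records carry path names chosen by the confined (possibly hostile) process, so check the remaining space before each append (or grow a heap buffer) and return an error token on overflow. Separately, consider `%option nodefault`: a `"` inside a single-quoted string matches no rule in that exclusive state, and the default rule would echo it to stdout instead of failing.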


@@ -0,0 +1,35 @@
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "aalogparse.h"
#include "parser.h"
#define MY_TEST(statement, error) \
if (!(statement)) { \
fprintf(stderr, "FAIL: %s\n", error); \
rc = 1; \
}
int main(void)
{
int rc = 0;
char *retstr = NULL;
retstr = hex_to_string(NULL);
MY_TEST(!retstr, "basic NULL test");
retstr = hex_to_string("2F746D702F646F6573206E6F74206578697374");
MY_TEST(retstr, "basic allocation");
MY_TEST(strcmp(retstr, "/tmp/does not exist") == 0, "basic dehex 1");
retstr = hex_to_string("61");
MY_TEST(strcmp(retstr, "a") == 0, "basic dehex 2");
retstr = hex_to_string("");
MY_TEST(strcmp(retstr, "") == 0, "empty string");
return rc;
}
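Review bot: after `MY_TEST(retstr, "basic allocation");` the harness goes on to `strcmp(retstr, "/tmp/does not exist")` even when retstr is NULL, so an allocation failure crashes the test instead of printing FAIL; return early or skip the comparison when the pointer check fails. The strings returned by hex_to_string() are never free()d, and the MY_TEST macro should be wrapped in `do { ... } while (0)` so it is safe inside an unbraced if/else. A case with odd-length or non-hex input would also exercise the decoder's error path.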


@@ -0,0 +1,14 @@
%module LibAppArmor
%{
#include "aalogparse.h"
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
extern int aa_change_profile(const char *profile, unsigned long magic_token);
%}
%include "typemaps.i"
%include "aalogparse.h"
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
extern int aa_change_profile(const char *profile, unsigned long magic_token);


@@ -0,0 +1,9 @@
use ExtUtils::MakeMaker;
use vars qw($CCFLAGS $OBJECT $VERSION $OPTIMIZE);
WriteMakefile(
'NAME' => 'LibAppArmor',
'MAKEFILE' => 'Makefile.perl',
'FIRST_MAKEFILE' => 'Makefile.perl',
);


@@ -0,0 +1,34 @@
if HAVE_PERL
PERL_MAKEFILE = Makefile.perl
WRAPPER_SOURCES = libapparmor_wrap.c LibAppArmor.pm
all-local: .build-stamp
.build-stamp: $(WRAPPER_SOURCES) $(PERL_MAKEFILE)
make -f $(PERL_MAKEFILE)
touch .build-stamp
check-local: .build-stamp
make -f $(PERL_MAKEFILE) test
install-exec-local: .build-stamp
make -f $(PERL_MAKEFILE) install_vendor
clean-local: $(PERL_MAKEFILE)
make -f $(PERL_MAKEFILE) clean
rm -f $(PERL_MAKEFILE).old
rm -rf build
$(PERL_MAKEFILE): Makefile.PL
$(PERL) Makefile.PL VERSION="0.1" OBJECT="../../src/.libs/libapparmor.so libapparmor_wrap.o" CCFLAGS="-I../../src -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement" OPTIMIZE="$(CFLAGS) -shared -I$(includedir) -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement"
$(WRAPPER_SOURCES): ../SWIG/*.i
$(SWIG) -perl -I../../src -I../SWIG -o libapparmor_wrap.c libapparmor.i
endif
EXTRA_DIST = Makefile.PL $(WRAPPER_SOURCES) examples/*.pl
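Review bot: the recursive invocations use a bare `make -f $(PERL_MAKEFILE)` rather than `$(MAKE)`, which loses the parent's jobserver, -k/-n flags and any non-GNU make the user selected; automake warns about exactly this. On the `$(PERL) Makefile.PL ...` line the CCFLAGS and OPTIMIZE values repeat the same set of defines, and linking against `../../src/.libs/libapparmor.so` by path reaches into libtool's private directory; `../../src/libapparmor.la` is the portable spelling.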


@@ -0,0 +1,15 @@
require LibAppArmor;
$msg = "type=APPARMOR msg=audit(1168662182.495:58): PERMITTING r access to /home/matt/projects/change_hat_test/test (test_hat(27871) profile /home/matt/projects/change_hat_test/test_hat active null-complain-profile)";
my($test) = AppArmorLogRecordParser::parse_record($msg);
if (AppArmorLogRecordParser::aa_log_record::swig_event_get($test) == $AppArmorLogRecordParser::AA_RECORD_ALLOWED )
{
print "AA_RECORD_ALLOWED\n";
}
print "Audit ID: " . AppArmorLogRecordParser::aa_log_record::swig_audit_id_get($test) . "\n";
print "PID: " . AppArmorLogRecordParser::aa_log_record::swig_pid_get($test) . "\n";
AppArmorLogRecordParser::free_record($test);
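Review bot: the example does `require LibAppArmor;` but then calls `AppArmorLogRecordParser::parse_record($msg)` and reads `$AppArmorLogRecordParser::AA_RECORD_ALLOWED`; the SWIG interface declares `%module LibAppArmor`, so that package does not exist and the script dies with an undefined subroutine. Use the LibAppArmor:: package throughout, and add `use strict; use warnings;` so mistakes like this surface before the parse call runs.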


@@ -0,0 +1,17 @@
if HAVE_PYTHON
BUILT_SOURCES = libapparmor_wrap.c
SWIG_SOURCES = ../SWIG/libapparmor.i
pkgpython_PYTHON = LibAppArmor.py
pkgpyexec_LTLIBRARIES = _libapparmor.la
_libapparmor_la_SOURCES = libapparmor_wrap.c $(SWIG_SOURCES)
_libapparmor_la_CPPFLAGS = $(SWIG_PYTHON_CFLAGS) -I$(top_srcdir)/src -I/usr/include/python
_libapparmor_la_LDFLAGS = -module
_libapparmor_la_LIBADD = ../../src/.libs/libapparmor.so
libapparmor_wrap.c: $(SWIG_SOURCES)
$(SWIG) -python -I$(top_srcdir)/src -o $@ $<
endif
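Review bot: `-I/usr/include/python` in _libapparmor_la_CPPFLAGS hardcodes a directory that is unversioned on most systems and usually does not exist; $(SWIG_PYTHON_CFLAGS), already on the same line, is meant to supply the correct include path. Likewise `_libapparmor_la_LIBADD = ../../src/.libs/libapparmor.so` should reference the libtool archive `../../src/libapparmor.la` so static builds and rpath handling work.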


@@ -0,0 +1,24 @@
if HAVE_RUBY
RUBY_MAKEFILE = Makefile.ruby
WRAPPER_FILES = LibAppArmor_wrap.* LibAppArmor.so extension.mak .build-stamp
BUILT_SOURCES = LibAppArmor_wrap.c
all-local: .build-stamp
.build-stamp: LibAppArmor_wrap.c
CFLAGS="$(CFLAGS) -I../../src" $(RUBY) extconf.rb build
touch .build-stamp
install-exec-local: .build-stamp
make -f $(RUBY_MAKEFILE) install
LibAppArmor_wrap.c: ../SWIG/*.i
$(SWIG) -ruby -I../SWIG -I../../src -o ./LibAppArmor_wrap.c libapparmor.i
endif
EXTRA_DIST = extconf.rb $(BUILT_SOURCES) examples/*.rb
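Review bot: WRAPPER_FILES lists the generated artefacts but nothing consumes it, and there is no clean-local rule, so LibAppArmor_wrap.c, LibAppArmor.so and .build-stamp survive `make clean`. Add a `clean-local:` target that removes $(WRAPPER_FILES) and $(RUBY_MAKEFILE), and use `$(MAKE)` instead of the bare `make -f $(RUBY_MAKEFILE) install`, as noted for the Perl wrapper.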


@@ -0,0 +1,76 @@
require 'mkmf'
require 'ftools'
$CFLAGS += " " + (ENV['CFLAGS'] || "") + (ENV['CXXFLAGS'] || "")
$LDFLAGS = "../../src/.libs/libapparmor.so"
def usage
puts <<EOF
Usage: ruby extconf.rb command
build Build the extension
clean Clean the source directory
install Install the extention
test Test the extension
wrap Generate SWIG wrappers
EOF
exit
end
cmd = ARGV.shift or usage()
cmd = cmd.downcase
usage() unless ['build', 'clean', 'install', 'test', 'wrap'].member? cmd
usage() if ARGV.shift
class Commands
def initialize(&block)
@block = block
end
def execute
@block.call
end
end
Build = Commands.new {
# I don't think we can tell mkmf to generate a makefile with a different name
if File.exists?("Makefile")
File.rename("Makefile", "Makefile.old")
end
create_makefile('LibAppArmor')
File.rename("Makefile", "Makefile.ruby")
if File.exists?("Makefile.old")
File.rename("Makefile.old", "Makefile")
end
system("make -f Makefile.ruby")
}
Install = Commands.new {
Build.execute
if defined? Prefix
# strip old prefix and add the new one
oldPrefix = Config::CONFIG["prefix"]
if defined? Debian
archDir = Config::CONFIG["archdir"]
libDir = Config::CONFIG["rubylibdir"]
else
archDir = Config::CONFIG["sitearchdir"]
libDir = Config::CONFIG["sitelibdir"]
end
archDir = Prefix + archDir.gsub(/^#{oldPrefix}/,"")
libDir = Prefix + libDir.gsub(/^#{oldPrefix}/,"")
else
archDir = Config::CONFIG["sitearchdir"]
libDir = Config::CONFIG["sitelibdir"]
end
[archDir,libDir].each { |path| File.makedirs path }
binary = 'LibAppArmor.so'
File.install "./"+binary, archDir+"/"+binary, 0555, true
File.install "./LibAppArmor.so", libDir+"/LibAppArmor.so", 0555, true
}
availableCommands = {
"build" => Build,
"install" => Install
}
availableCommands[cmd].execute
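Review bot: usage() advertises clean, test and wrap, and the check at `usage() unless ['build', 'clean', 'install', 'test', 'wrap'].member? cmd` accepts them, but availableCommands only maps build and install, so `ruby extconf.rb clean` reaches `availableCommands[cmd].execute` with nil and raises NoMethodError; either implement those commands or drop them from the accepted list. Two smaller points: `$CFLAGS += " " + (ENV['CFLAGS'] || "") + (ENV['CXXFLAGS'] || "")` joins the two environment values with no separator between them, and the install block copies LibAppArmor.so into both archDir and libDir when only archDir needs the binary extension.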


@@ -0,0 +1,20 @@
SUBDIRS = lib config libaalogparse.test
PACKAGE = libaalogparse
AUTOMAKE_OPTIONS = dejagnu
INCLUDES = -I. -I$(top_srcdir)/src
AM_CPPFLAGS = $(DEBUG_FLAGS) -DLOCALEDIR=\"${localedir}\"
AM_CFLAGS = -Wall
noinst_PROGRAMS = test_multi.multi
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
test_multi_multi_LDADD = ../src/.libs/libapparmor.a
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err
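Review bot: `test_multi_multi_CFLAGS = $(CFLAGS) -Wall` and `test_multi_multi_LDFLAGS = $(LDFLAGS)` re-add variables that automake already appends, so every flag appears twice on the command line, and `-Wall` is already in AM_CFLAGS. `test_multi_multi_LDADD = ../src/.libs/libapparmor.a` also reaches into libtool's private directory; `../src/libapparmor.la` is the supported spelling.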


@@ -0,0 +1,171 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "aalogparse.h"
int print_results(aa_log_record *record);
int main(int argc, char **argv)
{
FILE *testcase;
char log_line[1024];
aa_log_record *test = NULL;
int ret = -1;
if (argc != 2)
{
fprintf(stderr, "Usage: test_multi.multi <filename>\n");
return(1);
}
printf("START\n");
printf("File: %s\n", argv[1]);
testcase = fopen(argv[1], "r");
if (testcase == NULL)
{
perror("Could not open testcase: ");
return(1);
}
if (fgets(log_line, 1023, testcase) == NULL)
{
fprintf(stderr, "Could not read testcase.\n");
fclose(testcase);
return(1);
}
fclose(testcase);
test = parse_record(log_line);
if (test == NULL)
{
fprintf(stderr,"Parsing failed.\n");
return(1);
}
ret = print_results(test);
free_record(test);
return ret;
}
int print_results(aa_log_record *record)
{
printf("Event type: ");
switch(record->event)
{
case AA_RECORD_ERROR:
{
printf("AA_RECORD_ERROR\n");
break;
}
case AA_RECORD_INVALID:
{
printf("AA_RECORD_INVALID\n");
break;
}
case AA_RECORD_AUDIT:
{
printf("AA_RECORD_AUDIT\n");
break;
}
case AA_RECORD_ALLOWED:
{
printf("AA_RECORD_ALLOWED\n");
break;
}
case AA_RECORD_DENIED:
{
printf("AA_RECORD_DENIED\n");
break;
}
case AA_RECORD_HINT:
{
printf("AA_RECORD_HINT\n");
break;
}
case AA_RECORD_STATUS:
{
printf("AA_RECORD_STATUS\n");
break;
}
default:
{
printf("UNKNOWN EVENT TYPE\n");
break;
}
}
if (record->audit_id != NULL)
{
printf("Audit ID: %s\n", record->audit_id);
}
if (record->operation != NULL)
{
printf("Operation: %s\n", record->operation);
}
if (record->requested_mask != NULL)
{
printf("Mask: %s\n", record->requested_mask);
}
if (record->denied_mask != NULL)
{
printf("Denied Mask: %s\n", record->denied_mask);
}
if (record->profile != NULL)
{
printf("Profile: %s\n", record->profile);
}
if (record->name != NULL)
{
printf("Name: %s\n", record->name);
}
if (record->name2 != NULL)
{
printf("Name2: %s\n", record->name2);
}
if (record->attribute != NULL)
{
printf("Attribute: %s\n", record->attribute);
}
if (record->task != 0)
{
printf("Task: %ld\n", record->task);
}
if (record->parent != 0)
{
printf("Parent: %ld\n", record->parent);
}
if (record->magic_token != 0)
{
printf("Token: %lu\n", record->magic_token);
}
if (record->info != NULL)
{
printf("Info: %s\n", record->info);
}
if (record->pid != 0)
{
printf("PID: %ld\n", record->pid);
}
if (record->active_hat != NULL)
{
printf("Active hat: %s\n", record->active_hat);
}
if (record->net_family != NULL)
{
printf("Network family: %s\n", record->net_family);
}
if (record->net_sock_type != NULL)
{
printf("Socket type: %s\n", record->net_sock_type);
}
if (record->net_protocol != NULL)
{
printf("Protocol: %s\n", record->net_protocol);
}
printf("Epoch: %lu\n", record->epoch);
printf("Audit subid: %u\n", record->audit_sub_id);
return(0);
}
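Review bot: `if (fgets(log_line, 1023, testcase) == NULL)` passes a literal size for a 1024-byte buffer; use sizeof(log_line) so the two cannot drift apart, and note that a longer test line is silently truncated (and then lacks the trailing newline that shorter lines keep) before it reaches parse_record(), so a truncation could be misreported as a parser failure. Also `perror("Could not open testcase: ")` already has ": " appended by perror, and <errno.h> is included but unused.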


@@ -0,0 +1,21 @@
START
File: test_multi/testcase1.in
Event type: AA_RECORD_DENIED
Audit ID: 1181057184.959:7
Operation: exec
Mask: rwx
Denied Mask: x
Profile: /bin/ping
Name: /bin/ping
Name2: ping2
Attribute: attr
Task: 1
Parent: 1
Token: 29493
Info: Information
PID: 31938
Network family: family
Socket type: unknown(1234)
Protocol: tcp
Epoch: 1181057184
Audit subid: 7
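Review bot: the second expected line `File: test_multi/testcase1.in` reproduces the argv[1] the driver prints, so these .out files only match when the test is invoked with exactly that relative path; printing the basename (or excluding the File line from the comparison) would make the expected output location-independent. The `-1,5 +1,5` renames of testcase12 through testcase17 below exist only to keep up with that path.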


@@ -0,0 +1,11 @@
START
File: test_multi/testcase10.in
Event type: AA_RECORD_HINT
Audit ID: 1168661976.062:55
Operation: clone
Profile: /home/matt/projects/change_hat_test/test_hat
Task: 38229
PID: 27764
Active hat: /home/matt/projects/change_hat_test/test_hat
Epoch: 1168661976
Audit subid: 55


@@ -0,0 +1,9 @@
START
File: test_multi/testcase11.in
Event type: AA_RECORD_HINT
Audit ID: 1168661976.062:55
Operation: clone
Task: 38229
PID: 27764
Epoch: 1168661976
Audit subid: 55


@@ -1,5 +1,5 @@
START
File: testcase12.in
File: test_multi/testcase12.in
Event type: AA_RECORD_DENIED
Audit ID: 1181057184.959:7
Operation: exec


@@ -1,5 +1,5 @@
START
File: testcase13.in
File: test_multi/testcase13.in
Event type: AA_RECORD_DENIED
Audit ID: 1181057184.959:7
Operation: exec


@@ -1,5 +1,5 @@
START
File: testcase14.in
File: test_multi/testcase14.in
Event type: AA_RECORD_DENIED
Audit ID: 1189201672.746:537
Operation: file_lock


@@ -1,5 +1,5 @@
START
File: testcase15.in
File: test_multi/testcase15.in
Event type: AA_RECORD_DENIED
Audit ID: 1189201672.746:537
Operation: file_lock


@@ -1,5 +1,5 @@
START
File: testcase16.in
File: test_multi/testcase16.in
Event type: AA_RECORD_DENIED
Audit ID: 1189201672.746:537
Operation: file_lock


@@ -1,5 +1,5 @@
START
File: testcase17.in
File: test_multi/testcase17.in
Event type: AA_RECORD_DENIED
Audit ID: 1189201672.746:537
Operation: file_lock


@@ -0,0 +1,13 @@
START
File: test_multi/testcase18.in
Event type: AA_RECORD_DENIED
Audit ID: 1157215966.604:46
Operation: access
Mask: r
Profile: /usr/sbin/httpd2-prefork
Name: /bin/df
Info: sh
PID: 7902
Active hat: SYSINFO
Epoch: 1157215966
Audit subid: 46


@@ -0,0 +1,8 @@
START
File: test_multi/testcase19.in
Event type: AA_RECORD_HINT
Audit ID: 1164007073.953:518
Profile: null-complain-profile
PID: 29420
Epoch: 1164007073
Audit subid: 518


@@ -0,0 +1,13 @@
START
File: test_multi/testcase2.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1168662182.495:58
Operation: access
Mask: r
Profile: /home/matt/projects/change_hat_test/test_hat
Name: /home/matt/projects/change_hat_test/test
Info: test_hat
PID: 27871
Active hat: null-complain-profile
Epoch: 1168662182
Audit subid: 58


@@ -0,0 +1,13 @@
START
File: test_multi/testcase20.in
Event type: AA_RECORD_DENIED
Audit ID: 1167188680.127:54
Operation: access
Mask: r
Profile: /bin/freak-aa-out
Name: /bin/freak-aa-out
Info: bash
PID: 23415
Active hat: /bin/freak-aa-out
Epoch: 1167188680
Audit subid: 54
