mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-31 14:25:52 +00:00
Compare commits
31 Commits
v4.0.0-bet
...
apparmor-2
Author | SHA1 | Date | |
---|---|---|---|
|
2d31f4dbc4 | ||
|
ee8e0b66bc | ||
|
bbe9d667f7 | ||
|
10edcd1a70 | ||
|
8ce5b856e4 | ||
|
ad02836ede | ||
|
d6c3414323 | ||
|
ee16add79d | ||
|
3fbbd135a6 | ||
|
cd18ed811b | ||
|
0a41b283f2 | ||
|
a01af6df93 | ||
|
fb27600681 | ||
|
74dfd04db2 | ||
|
004a646010 | ||
|
5d90f3763e | ||
|
6263944095 | ||
|
ad6613c960 | ||
|
7fd451d28b | ||
|
81dd6df013 | ||
|
31c01e7af3 | ||
|
108fd60aad | ||
|
76d1e01919 | ||
|
c35a417dee | ||
|
50d62e88a5 | ||
|
b6eaf32985 | ||
|
804e4b424c | ||
|
5ea383712c | ||
|
47bb365c0a | ||
|
bf10352fad | ||
|
03e0d482d3 |
317
.gitignore
vendored
317
.gitignore
vendored
@@ -1,317 +0,0 @@
|
||||
apparmor-*
|
||||
cscope.*
|
||||
binutils/aa-enabled
|
||||
binutils/aa-enabled.1
|
||||
binutils/aa-exec
|
||||
binutils/aa-exec.1
|
||||
binutils/aa-features-abi
|
||||
binutils/aa-features-abi.1
|
||||
binutils/aa-load
|
||||
binutils/aa-status
|
||||
binutils/aa-status.8
|
||||
binutils/cJSON.o
|
||||
binutils/po/*.mo
|
||||
parser/po/*.mo
|
||||
parser/af_names.h
|
||||
parser/cap_names.h
|
||||
parser/generated_cap_names.h
|
||||
parser/generated_af_names.h
|
||||
parser/tst_lib
|
||||
parser/tst_misc
|
||||
parser/tst_regex
|
||||
parser/tst_symtab
|
||||
parser/tst_variable
|
||||
parser/tst/simple_tests/generated_*/*
|
||||
parser/parser_lex.c
|
||||
parser/parser_version.h
|
||||
parser/parser_yacc.c
|
||||
parser/parser_yacc.h
|
||||
parser/pod2htm*.tmp
|
||||
parser/af_rule.o
|
||||
parser/af_unix.o
|
||||
parser/all_rule.o
|
||||
parser/common_optarg.o
|
||||
parser/dbus.o
|
||||
parser/default_features.o
|
||||
parser/lib.o
|
||||
parser/libapparmor_re/aare_rules.o
|
||||
parser/libapparmor_re/chfa.o
|
||||
parser/libapparmor_re/expr-tree.o
|
||||
parser/libapparmor_re/hfa.o
|
||||
parser/libapparmor_re/libapparmor_re.a
|
||||
parser/libapparmor_re/parse.o
|
||||
parser/mount.o
|
||||
parser/mqueue.o
|
||||
parser/network.o
|
||||
parser/parser_alias.o
|
||||
parser/parser_common.o
|
||||
parser/parser_include.o
|
||||
parser/parser_interface.o
|
||||
parser/parser_lex.o
|
||||
parser/parser_main.o
|
||||
parser/parser_merge.o
|
||||
parser/parser_misc.o
|
||||
parser/parser_policy.o
|
||||
parser/parser_regex.o
|
||||
parser/parser_symtab.o
|
||||
parser/parser_variable.o
|
||||
parser/parser_yacc.o
|
||||
parser/policy_cache.o
|
||||
parser/profile.o
|
||||
parser/ptrace.o
|
||||
parser/rule.o
|
||||
parser/signal.o
|
||||
parser/userns.o
|
||||
parser/io_uring.o
|
||||
parser/*.7
|
||||
parser/*.5
|
||||
parser/*.8
|
||||
parser/*.7.html
|
||||
parser/*.5.html
|
||||
parser/*.8.html
|
||||
parser/apparmor_parser
|
||||
parser/libapparmor_re/parse.cc
|
||||
parser/libapparmor_re/regexp.cc
|
||||
parser/techdoc.aux
|
||||
parser/techdoc.log
|
||||
parser/techdoc.pdf
|
||||
parser/techdoc.toc
|
||||
profiles/apparmor.d/local/*
|
||||
!profiles/apparmor.d/local/README
|
||||
libraries/libapparmor/Makefile
|
||||
libraries/libapparmor/Makefile.in
|
||||
libraries/libapparmor/aclocal.m4
|
||||
libraries/libapparmor/audit.log
|
||||
libraries/libapparmor/autom4te.cache
|
||||
libraries/libapparmor/compile
|
||||
libraries/libapparmor/config.guess
|
||||
libraries/libapparmor/config.log
|
||||
libraries/libapparmor/config.status
|
||||
libraries/libapparmor/config.sub
|
||||
libraries/libapparmor/configure
|
||||
libraries/libapparmor/depcomp
|
||||
libraries/libapparmor/install-sh
|
||||
libraries/libapparmor/libtool
|
||||
libraries/libapparmor/ltmain.sh
|
||||
libraries/libapparmor/missing
|
||||
libraries/libapparmor/test-driver
|
||||
libraries/libapparmor/ylwrap
|
||||
libraries/libapparmor/doc/Makefile
|
||||
libraries/libapparmor/doc/Makefile.in
|
||||
libraries/libapparmor/doc/*.2
|
||||
libraries/libapparmor/doc/aa_*.3
|
||||
libraries/libapparmor/include/Makefile
|
||||
libraries/libapparmor/include/Makefile.in
|
||||
libraries/libapparmor/include/sys/Makefile
|
||||
libraries/libapparmor/include/sys/Makefile.in
|
||||
libraries/libapparmor/src/.deps
|
||||
libraries/libapparmor/src/.libs
|
||||
libraries/libapparmor/src/Makefile
|
||||
libraries/libapparmor/src/Makefile.in
|
||||
libraries/libapparmor/src/PMurHash.lo
|
||||
libraries/libapparmor/src/PMurHash.o
|
||||
libraries/libapparmor/src/af_protos.h
|
||||
libraries/libapparmor/src/change_hat.lo
|
||||
libraries/libapparmor/src/features.lo
|
||||
libraries/libapparmor/src/features.o
|
||||
libraries/libapparmor/src/grammar.lo
|
||||
libraries/libapparmor/src/grammar.o
|
||||
libraries/libapparmor/src/kernel.lo
|
||||
libraries/libapparmor/src/kernel.o
|
||||
libraries/libapparmor/src/kernel_interface.lo
|
||||
libraries/libapparmor/src/kernel_interface.o
|
||||
libraries/libapparmor/src/libaalogparse.lo
|
||||
libraries/libapparmor/src/libaalogparse.o
|
||||
libraries/libapparmor/src/libimmunix_warning.lo
|
||||
libraries/libapparmor/src/policy_cache.lo
|
||||
libraries/libapparmor/src/policy_cache.o
|
||||
libraries/libapparmor/src/private.lo
|
||||
libraries/libapparmor/src/private.o
|
||||
libraries/libapparmor/src/scanner.lo
|
||||
libraries/libapparmor/src/scanner.o
|
||||
libraries/libapparmor/src/libapparmor.pc
|
||||
libraries/libapparmor/src/libapparmor.la
|
||||
libraries/libapparmor/src/libimmunix.la
|
||||
libraries/libapparmor/src/grammar.c
|
||||
libraries/libapparmor/src/grammar.h
|
||||
libraries/libapparmor/src/scanner.c
|
||||
libraries/libapparmor/src/scanner.h
|
||||
libraries/libapparmor/src/test-suite.log
|
||||
libraries/libapparmor/src/tst_aalogmisc
|
||||
libraries/libapparmor/src/tst_aalogmisc.log
|
||||
libraries/libapparmor/src/tst_aalogmisc.o
|
||||
libraries/libapparmor/src/tst_aalogmisc.trs
|
||||
libraries/libapparmor/src/tst_features
|
||||
libraries/libapparmor/src/tst_features.log
|
||||
libraries/libapparmor/src/tst_features.o
|
||||
libraries/libapparmor/src/tst_features.trs
|
||||
libraries/libapparmor/src/tst_kernel
|
||||
libraries/libapparmor/src/tst_kernel.log
|
||||
libraries/libapparmor/src/tst_kernel.o
|
||||
libraries/libapparmor/src/tst_kernel.trs
|
||||
libraries/libapparmor/swig/Makefile
|
||||
libraries/libapparmor/swig/Makefile.in
|
||||
libraries/libapparmor/swig/perl/LibAppArmor.bs
|
||||
libraries/libapparmor/swig/perl/LibAppArmor.pm
|
||||
libraries/libapparmor/swig/perl/Makefile
|
||||
libraries/libapparmor/swig/perl/Makefile.PL
|
||||
libraries/libapparmor/swig/perl/Makefile.in
|
||||
libraries/libapparmor/swig/perl/Makefile.perl
|
||||
libraries/libapparmor/swig/perl/Makefile.perle
|
||||
libraries/libapparmor/swig/perl/MYMETA.json
|
||||
libraries/libapparmor/swig/perl/MYMETA.yml
|
||||
libraries/libapparmor/swig/perl/blib
|
||||
libraries/libapparmor/swig/perl/libapparmor_wrap.c
|
||||
libraries/libapparmor/swig/perl/libapparmor_wrap.o
|
||||
libraries/libapparmor/swig/perl/pm_to_blib
|
||||
libraries/libapparmor/swig/python/LibAppArmor.py
|
||||
libraries/libapparmor/swig/python/LibAppArmor.egg-info/
|
||||
libraries/libapparmor/swig/python/build/
|
||||
libraries/libapparmor/swig/python/libapparmor_wrap.c
|
||||
libraries/libapparmor/swig/python/Makefile
|
||||
libraries/libapparmor/swig/python/Makefile.in
|
||||
libraries/libapparmor/swig/python/setup.py
|
||||
libraries/libapparmor/swig/python/test/Makefile
|
||||
libraries/libapparmor/swig/python/test/Makefile.in
|
||||
libraries/libapparmor/swig/python/test/test-suite.log
|
||||
libraries/libapparmor/swig/python/test/test_python.py
|
||||
libraries/libapparmor/swig/python/test/test_python.py.log
|
||||
libraries/libapparmor/swig/python/test/test_python.py.trs
|
||||
libraries/libapparmor/swig/ruby/LibAppArmor.so
|
||||
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
|
||||
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
|
||||
libraries/libapparmor/swig/ruby/Makefile
|
||||
libraries/libapparmor/swig/ruby/Makefile.in
|
||||
libraries/libapparmor/swig/ruby/Makefile.bak
|
||||
libraries/libapparmor/swig/ruby/Makefile.ruby
|
||||
libraries/libapparmor/swig/ruby/mkmf.log
|
||||
libraries/libapparmor/testsuite/.deps
|
||||
libraries/libapparmor/testsuite/.libs
|
||||
libraries/libapparmor/testsuite/Makefile
|
||||
libraries/libapparmor/testsuite/Makefile.in
|
||||
libraries/libapparmor/testsuite/libaalogparse.log
|
||||
libraries/libapparmor/testsuite/libaalogparse.sum
|
||||
libraries/libapparmor/testsuite/site.exp
|
||||
libraries/libapparmor/testsuite/test_multi.multi
|
||||
libraries/libapparmor/testsuite/config/Makefile
|
||||
libraries/libapparmor/testsuite/config/Makefile.in
|
||||
libraries/libapparmor/testsuite/lib/Makefile
|
||||
libraries/libapparmor/testsuite/lib/Makefile.in
|
||||
libraries/libapparmor/testsuite/libaalogparse.test/Makefile
|
||||
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
|
||||
libraries/libapparmor/testsuite/test_multi/out
|
||||
libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
|
||||
changehat/mod_apparmor/.libs
|
||||
utils/*.8
|
||||
utils/*.8.html
|
||||
utils/*.5
|
||||
utils/*.5.html
|
||||
utils/*.tmp
|
||||
utils/po/*.mo
|
||||
utils/apparmor/*.pyc
|
||||
utils/apparmor/rule/*.pyc
|
||||
utils/apparmor.egg-info/
|
||||
utils/build/
|
||||
utils/htmlcov/
|
||||
utils/test/common_test.pyc
|
||||
utils/test/.coverage
|
||||
utils/test/coverage-report.txt
|
||||
utils/test/htmlcov/
|
||||
utils/vim/apparmor.vim
|
||||
utils/vim/apparmor.vim.5
|
||||
utils/vim/apparmor.vim.5.html
|
||||
utils/vim/pod2htmd.tmp
|
||||
tests/regression/apparmor/*.o
|
||||
tests/regression/apparmor/aa_policy_cache
|
||||
tests/regression/apparmor/access
|
||||
tests/regression/apparmor/at_secure
|
||||
tests/regression/apparmor/attach_disconnected
|
||||
tests/regression/apparmor/changehat
|
||||
tests/regression/apparmor/changehat_fail
|
||||
tests/regression/apparmor/changehat_fork
|
||||
tests/regression/apparmor/changehat_misc
|
||||
tests/regression/apparmor/changehat_misc2
|
||||
tests/regression/apparmor/changehat_pthread
|
||||
tests/regression/apparmor/changehat_twice
|
||||
tests/regression/apparmor/changehat_wrapper
|
||||
tests/regression/apparmor/changeprofile
|
||||
tests/regression/apparmor/chdir
|
||||
tests/regression/apparmor/chgrp
|
||||
tests/regression/apparmor/chmod
|
||||
tests/regression/apparmor/chown
|
||||
tests/regression/apparmor/clone
|
||||
tests/regression/apparmor/dbus_eavesdrop
|
||||
tests/regression/apparmor/dbus_message
|
||||
tests/regression/apparmor/dbus_service
|
||||
tests/regression/apparmor/dbus_unrequested_reply
|
||||
tests/regression/apparmor/deleted
|
||||
tests/regression/apparmor/env_check
|
||||
tests/regression/apparmor/environ
|
||||
tests/regression/apparmor/exec
|
||||
tests/regression/apparmor/exec_qual
|
||||
tests/regression/apparmor/exec_qual2
|
||||
tests/regression/apparmor/fchdir
|
||||
tests/regression/apparmor/fchgrp
|
||||
tests/regression/apparmor/fchmod
|
||||
tests/regression/apparmor/fchown
|
||||
tests/regression/apparmor/fd_inheritance
|
||||
tests/regression/apparmor/fd_inheritor
|
||||
tests/regression/apparmor/fork
|
||||
tests/regression/apparmor/introspect
|
||||
tests/regression/apparmor/io_uring
|
||||
tests/regression/apparmor/link
|
||||
tests/regression/apparmor/link_subset
|
||||
tests/regression/apparmor/mkdir
|
||||
tests/regression/apparmor/mmap
|
||||
tests/regression/apparmor/mount
|
||||
tests/regression/apparmor/move_mount
|
||||
tests/regression/apparmor/named_pipe
|
||||
tests/regression/apparmor/net_finegrained_rcv
|
||||
tests/regression/apparmor/net_finegrained_snd
|
||||
tests/regression/apparmor/net_raw
|
||||
tests/regression/apparmor/open
|
||||
tests/regression/apparmor/openat
|
||||
tests/regression/apparmor/pipe
|
||||
tests/regression/apparmor/pivot_root
|
||||
tests/regression/apparmor/posix_mq_rcv
|
||||
tests/regression/apparmor/posix_mq_snd
|
||||
tests/regression/apparmor/ptrace
|
||||
tests/regression/apparmor/ptrace_helper
|
||||
tests/regression/apparmor/pwrite
|
||||
tests/regression/apparmor/query_label
|
||||
tests/regression/apparmor/readdir
|
||||
tests/regression/apparmor/rename
|
||||
tests/regression/apparmor/rw
|
||||
tests/regression/apparmor/socketpair
|
||||
tests/regression/apparmor/swap
|
||||
tests/regression/apparmor/symlink
|
||||
tests/regression/apparmor/syscall_chroot
|
||||
tests/regression/apparmor/syscall_ioperm
|
||||
tests/regression/apparmor/syscall_iopl
|
||||
tests/regression/apparmor/syscall_mknod
|
||||
tests/regression/apparmor/syscall_mlockall
|
||||
tests/regression/apparmor/syscall_ptrace
|
||||
tests/regression/apparmor/syscall_reboot
|
||||
tests/regression/apparmor/syscall_setdomainname
|
||||
tests/regression/apparmor/syscall_sethostname
|
||||
tests/regression/apparmor/syscall_setpriority
|
||||
tests/regression/apparmor/syscall_setscheduler
|
||||
tests/regression/apparmor/syscall_sysctl
|
||||
tests/regression/apparmor/sysctl_proc
|
||||
tests/regression/apparmor/sysv_mq_rcv
|
||||
tests/regression/apparmor/sysv_mq_snd
|
||||
tests/regression/apparmor/tcp
|
||||
tests/regression/apparmor/transition
|
||||
tests/regression/apparmor/unix_fd_client
|
||||
tests/regression/apparmor/unix_fd_server
|
||||
tests/regression/apparmor/unix_socket
|
||||
tests/regression/apparmor/unix_socket_client
|
||||
tests/regression/apparmor/unlink
|
||||
tests/regression/apparmor/userns
|
||||
tests/regression/apparmor/userns_setns
|
||||
tests/regression/apparmor/uservars.inc
|
||||
tests/regression/apparmor/xattrs
|
||||
tests/regression/apparmor/xattrs_profile
|
||||
tests/regression/apparmor/coredump
|
||||
**/__pycache__/
|
||||
*.orig
|
166
.gitlab-ci.yml
166
.gitlab-ci.yml
@@ -1,166 +0,0 @@
|
||||
---
|
||||
image: ubuntu:latest
|
||||
|
||||
# XXX - add a deploy stage to publish man pages, docs, and coverage
|
||||
# reports
|
||||
|
||||
stages:
|
||||
- build
|
||||
- test
|
||||
|
||||
.ubuntu-before_script:
|
||||
before_script:
|
||||
- export DEBIAN_FRONTEND=noninteractive
|
||||
- apt-get update -qq
|
||||
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
|
||||
- lsb_release -a
|
||||
- uname -a
|
||||
|
||||
.install-c-build-deps: &install-c-build-deps
|
||||
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
||||
|
||||
build-all:
|
||||
stage: build
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
artifacts:
|
||||
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
|
||||
expire_in: 30 days
|
||||
untracked: true
|
||||
paths:
|
||||
- libraries/libapparmor/
|
||||
- parser/
|
||||
- binutils/
|
||||
- utils/
|
||||
- changehat/mod_apparmor/
|
||||
- changehat/pam_apparmor/
|
||||
- profiles/
|
||||
script:
|
||||
- *install-c-build-deps
|
||||
- cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
|
||||
- make -C parser
|
||||
- make -C binutils
|
||||
- make -C utils
|
||||
- make -C changehat/mod_apparmor
|
||||
- make -C changehat/pam_apparmor
|
||||
- make -C profiles
|
||||
|
||||
test-libapparmor:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- *install-c-build-deps
|
||||
- make -C libraries/libapparmor check
|
||||
|
||||
test-parser:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- *install-c-build-deps
|
||||
- make -C parser check
|
||||
|
||||
test-binutils:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- make -C binutils check
|
||||
|
||||
test-utils:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
|
||||
# See apparmor/apparmor#221
|
||||
- make -C parser/tst gen_dbus
|
||||
- make -C parser/tst gen_xtrans
|
||||
- make -C utils check
|
||||
- make -C utils/test coverage-regression
|
||||
artifacts:
|
||||
paths:
|
||||
- utils/test/htmlcov/
|
||||
when: always
|
||||
|
||||
test-mod-apparmor:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- make -C changehat/mod_apparmor check
|
||||
|
||||
test-profiles:
|
||||
stage: test
|
||||
needs: ["build-all"]
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- make -C profiles check-parser
|
||||
- make -C profiles check-abstractions.d
|
||||
- make -C profiles check-extras
|
||||
|
||||
shellcheck:
|
||||
stage: test
|
||||
needs: []
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
script:
|
||||
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
|
||||
- shellcheck --version
|
||||
- './tests/bin/shellcheck-tree --format=checkstyle
|
||||
| xmlstarlet tr tests/checkstyle2junit.xslt
|
||||
> shellcheck.xml'
|
||||
artifacts:
|
||||
when: always
|
||||
reports:
|
||||
junit: shellcheck.xml
|
||||
|
||||
# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
|
||||
# - make -C profiles check-profiles
|
||||
|
||||
# test-pam_apparmor:
|
||||
# - stage: test
|
||||
# - script:
|
||||
# - cd changehat/pam_apparmor && make check
|
||||
|
||||
include:
|
||||
- template: SAST.gitlab-ci.yml
|
||||
- template: Secret-Detection.gitlab-ci.yml
|
||||
|
||||
variables:
|
||||
SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
|
||||
SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
|
||||
|
||||
.send-to-coverity: &send-to-coverity
|
||||
- curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
|
||||
--form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
|
||||
--form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
|
||||
--form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
|
||||
|
||||
coverity:
|
||||
stage: .post
|
||||
extends:
|
||||
- .ubuntu-before_script
|
||||
only:
|
||||
refs:
|
||||
- master
|
||||
script:
|
||||
- apt-get install --no-install-recommends -y curl git texlive-latex-recommended
|
||||
- *install-c-build-deps
|
||||
- curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
|
||||
--form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
|
||||
- tar xfz /tmp/cov-analysis-linux64.tgz
|
||||
- COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
|
||||
- PATH=$PATH:$(pwd)/$COV_VERSION/bin
|
||||
- make coverity
|
||||
- *send-to-coverity
|
||||
artifacts:
|
||||
paths:
|
||||
- "apparmor-*.tar.gz"
|
@@ -1,10 +0,0 @@
|
||||
# Don't follow source'd scripts
|
||||
disable=SC1090
|
||||
disable=SC1091
|
||||
|
||||
# dash supports 'local'
|
||||
disable=SC2039
|
||||
disable=SC3043
|
||||
|
||||
# dash supports 'echo -n'
|
||||
disable=SC3037
|
96
Makefile
96
Makefile
@@ -1,90 +1,38 @@
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
.PHONY: all
|
||||
all:
|
||||
@echo "*** See README for information how to build AppArmor ***"
|
||||
exit 1
|
||||
OVERRIDE_TARBALL=yes
|
||||
|
||||
COMMONDIR=common
|
||||
include ${COMMONDIR}/Make.rules
|
||||
include common/Make.rules
|
||||
|
||||
DIRS=libraries/libapparmor \
|
||||
binutils \
|
||||
parser \
|
||||
DIRS=parser \
|
||||
profiles \
|
||||
utils \
|
||||
changehat/libapparmor \
|
||||
changehat/mod_apparmor \
|
||||
changehat/pam_apparmor \
|
||||
profiles \
|
||||
management/apparmor-dbus \
|
||||
management/applets/apparmorapplet-gnome \
|
||||
management/yastui \
|
||||
common \
|
||||
tests
|
||||
|
||||
# with conversion to git, we don't export from the remote
|
||||
REPO_URL?=git@gitlab.com:apparmor/apparmor.git
|
||||
REPO_BRANCH?=master
|
||||
|
||||
COVERITY_DIR=cov-int
|
||||
RELEASE_DIR=apparmor-${VERSION}
|
||||
__SETUP_DIR?=.
|
||||
|
||||
# We create a separate version for tags because git can't handle tags
|
||||
# with embedded ~s in them. No spaces around '-' or they'll get
|
||||
# embedded in ${VERSION}
|
||||
# apparmor version tag format 'vX.Y.ZZ'
|
||||
# apparmor branch name format 'apparmor-X.Y'
|
||||
TAG_VERSION="v$(subst ~,-,${VERSION})"
|
||||
|
||||
# Add exclusion entries arguments for tar here, of the form:
|
||||
# --exclude dir_to_exclude --exclude other_dir
|
||||
TAR_EXCLUSIONS=
|
||||
RELEASE_DIR=apparmor-${VERSION}-${REPO_VERSION}
|
||||
|
||||
.PHONY: tarball
|
||||
tarball: clean
|
||||
REPO_VERSION=`$(value REPO_VERSION_CMD)` && \
|
||||
$(MAKE) export_dir __EXPORT_DIR=${RELEASE_DIR} __REPO_VERSION=$${REPO_VERSION} && \
|
||||
$(MAKE) setup __SETUP_DIR=${RELEASE_DIR} && \
|
||||
tar ${TAR_EXCLUSIONS} -cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
|
||||
tarball: _dist
|
||||
tar cvzf ${RELEASE_DIR}.tar.gz ${RELEASE_DIR}
|
||||
|
||||
.PHONY: snapshot
|
||||
snapshot: clean
|
||||
$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
|
||||
$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(shell echo $(REPO_VERSION) | cut -d '-' -f 2-))
|
||||
$(MAKE) export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
|
||||
$(MAKE) setup __SETUP_DIR=${SNAPSHOT_NAME} && \
|
||||
tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME}
|
||||
${RELEASE_DIR}:
|
||||
mkdir ${RELEASE_DIR}
|
||||
|
||||
.PHONY: coverity
|
||||
coverity: snapshot
|
||||
cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
|
||||
$(foreach dir, libraries/libapparmor utils, \
|
||||
cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir); \
|
||||
mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
|
||||
cov-build --dir $(COVERITY_DIR) -- sh -c \
|
||||
"$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
|
||||
$(MAKE) -C $(SNAPSHOT_NAME)/$(dir);) "
|
||||
tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
|
||||
.PHONY: _dist
|
||||
.PHONY: ${DIRS}
|
||||
|
||||
.PHONY: export_dir
|
||||
export_dir:
|
||||
mkdir $(__EXPORT_DIR)
|
||||
/usr/bin/git archive --prefix=$(__EXPORT_DIR)/ --format tar $(__REPO_VERSION) | tar xv
|
||||
echo "$(REPO_URL) $(REPO_BRANCH) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
|
||||
_dist: clean ${DIRS}
|
||||
|
||||
${DIRS}: ${RELEASE_DIR}
|
||||
svn export -r $(REPO_VERSION) $(REPO_URL)/$@ $(RELEASE_DIR)/$@ ; \
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
|
||||
for dir in $(DIRS); do \
|
||||
$(MAKE) -C $$dir clean; \
|
||||
done
|
||||
|
||||
.PHONY: setup
|
||||
setup:
|
||||
cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
|
||||
# parser has an extra doc to build
|
||||
$(MAKE) -C $(__SETUP_DIR)/parser extra_docs
|
||||
# libraries/libapparmor needs configure to have run before
|
||||
# building docs
|
||||
$(foreach dir, $(filter-out libraries/libapparmor tests, $(DIRS)), \
|
||||
$(MAKE) -C $(__SETUP_DIR)/$(dir) docs;)
|
||||
|
||||
.PHONY: tag
|
||||
tag:
|
||||
git tag -m 'AppArmor $(VERSION)' -s $(TAG_VERSION)
|
||||
-rm -rf ${RELEASE_DIR}
|
||||
|
362
README.md
362
README.md
@@ -1,362 +0,0 @@
|
||||
# AppArmor
|
||||
|
||||
[](https://gitlab.com/apparmor/apparmor/commits/master)
|
||||
[](https://gitlab.com/apparmor/apparmor/pipelines)
|
||||
[](https://bestpractices.coreinfrastructure.org/projects/1699)
|
||||
|
||||
------------
|
||||
Introduction
|
||||
------------
|
||||
AppArmor protects systems from insecure or untrusted processes by
|
||||
running them in restricted confinement, while still allowing processes
|
||||
to share files, exercise privilege and communicate with other processes.
|
||||
AppArmor is a Mandatory Access Control (MAC) mechanism which uses the
|
||||
Linux Security Module (LSM) framework. The confinement's restrictions
|
||||
are mandatory and are not bound to identity, group membership, or object
|
||||
ownership. The protections provided are in addition to the kernel's
|
||||
regular access control mechanisms (including DAC) and can be used to
|
||||
restrict the superuser.
|
||||
|
||||
The AppArmor kernel module and accompanying user-space tools are
|
||||
available under the GPL license (the exception is the libapparmor
|
||||
library, available under the LGPL license, which allows change_hat(2)
|
||||
and change_profile(2) to be used by non-GPL binaries).
|
||||
|
||||
For more information, you can read the techdoc.pdf (available after
|
||||
building the parser) and by visiting the https://apparmor.net/ web
|
||||
site.
|
||||
|
||||
----------------
|
||||
Getting in Touch
|
||||
----------------
|
||||
|
||||
Please send all complaints, feature requests, rants about the software,
|
||||
and questions to the
|
||||
[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).
|
||||
|
||||
Bug reports can be filed against the AppArmor project on
|
||||
[GitLab](https://gitlab.com/apparmor/apparmor/-/issues) or reported to the mailing
|
||||
list directly for those who wish not to register for an account on
|
||||
GitLab. See the
|
||||
[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)
|
||||
for more information.
|
||||
|
||||
Security issues can be filed in GitLab by opening up a new [issue](https://gitlab.com/apparmor/apparmor/-/issues) and selecting the tick box ```This issue is confidential and should only be visible to team members with at least Reporter access.``` or directed to `security@apparmor.net`. Additional details can be found
|
||||
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
|
||||
|
||||
|
||||
--------------
|
||||
Privacy Policy
|
||||
--------------
|
||||
|
||||
The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function.
|
||||
|
||||
The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project.
|
||||
|
||||
The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.
|
||||
|
||||
Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.
|
||||
|
||||
The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.
|
||||
|
||||
Currently GitLab requires a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.
|
||||
|
||||
|
||||
-------------
|
||||
Source Layout
|
||||
-------------
|
||||
|
||||
AppArmor consists of several different parts:
|
||||
|
||||
```
|
||||
binutils/ source for basic utilities written in compiled languages
|
||||
changehat/ source for using changehat with Apache, PAM and Tomcat
|
||||
common/ common makefile rules
|
||||
desktop/ empty
|
||||
kernel-patches/ compatibility patches for various kernel versions
|
||||
libraries/ libapparmor source and language bindings
|
||||
parser/ source for parser/loader and corresponding documentation
|
||||
profiles/ configuration files, reference profiles and abstractions
|
||||
tests/ regression and stress testsuites
|
||||
utils/ high-level utilities for working with AppArmor
|
||||
```
|
||||
|
||||
--------------------------------------
|
||||
Important note on AppArmor kernel code
|
||||
--------------------------------------
|
||||
|
||||
While most of the kernel AppArmor code has been accepted in the
|
||||
upstream Linux kernel, a few important pieces were not included. These
|
||||
missing pieces unfortunately are important bits for AppArmor userspace
|
||||
and kernel interaction; therefore we have included compatibility
|
||||
patches in the kernel-patches/ subdirectory, versioned by upstream
|
||||
kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
|
||||
|
||||
Without these patches applied to the kernel, the AppArmor userspace
|
||||
will not function correctly.
|
||||
|
||||
------------------------------------------
|
||||
Building and Installing AppArmor Userspace
|
||||
------------------------------------------
|
||||
|
||||
To build and install AppArmor userspace on your system, build and install in
|
||||
the following order. Some systems may need to export various python-related
|
||||
environment variables to complete the build. For example, before building
|
||||
anything on these systems, use something along the lines of:
|
||||
|
||||
```
|
||||
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
|
||||
$ export PYTHON=/usr/bin/python3
|
||||
$ export PYTHON_VERSION=3
|
||||
$ export PYTHON_VERSIONS=python3
|
||||
```
|
||||
|
||||
### libapparmor:
|
||||
|
||||
```
|
||||
$ cd ./libraries/libapparmor
|
||||
$ sh ./autogen.sh
|
||||
$ sh ./configure --prefix=/usr --with-perl --with-python # see below
|
||||
$ make
|
||||
$ make check
|
||||
$ make install
|
||||
```
|
||||
|
||||
[an additional optional argument to libapparmor's configure is --with-ruby, to
|
||||
generate Ruby bindings to libapparmor.]
|
||||
|
||||
|
||||
### Binary Utilities:
|
||||
|
||||
```
|
||||
$ cd binutils
|
||||
$ make
|
||||
$ make check
|
||||
$ make install
|
||||
```
|
||||
|
||||
### Parser:
|
||||
|
||||
```
|
||||
$ cd parser
|
||||
$ make # depends on libapparmor having been built first
|
||||
$ make check
|
||||
$ make install
|
||||
```
|
||||
|
||||
|
||||
### Utilities:
|
||||
|
||||
```
|
||||
$ cd utils
|
||||
$ make
|
||||
$ make check PYFLAKES=/usr/bin/pyflakes3
|
||||
$ make install
|
||||
```
|
||||
|
||||
### Apache mod_apparmor:
|
||||
|
||||
```
|
||||
$ cd changehat/mod_apparmor
|
||||
$ make # depends on libapparmor having been built first
|
||||
$ make install
|
||||
```
|
||||
|
||||
|
||||
### PAM AppArmor:
|
||||
|
||||
```
|
||||
$ cd changehat/pam_apparmor
|
||||
$ make # depends on libapparmor having been built first
|
||||
$ make install
|
||||
```
|
||||
|
||||
|
||||
### Profiles:
|
||||
|
||||
```
|
||||
$ cd profiles
|
||||
$ make
|
||||
$ make check # depends on the parser having been built first
|
||||
$ make install
|
||||
```
|
||||
|
||||
Note that the empty local/* profile sniplets no longer get created by default.
|
||||
If you want them, run `make local` before running `make check`.
|
||||
|
||||
[Note that for the parser, binutils, and utils, if you only wish to build/use
|
||||
some of the locale languages, you can override the default by passing
|
||||
the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]
|
||||
|
||||
-------------------
|
||||
AppArmor Testsuites
|
||||
-------------------
|
||||
|
||||
A number of testsuites are in the AppArmor sources. Most have documentation on
|
||||
usage and how to update and add tests. Below is a quick overview of their
|
||||
location and how to run them.
|
||||
|
||||
|
||||
Regression tests
|
||||
----------------
|
||||
For details on structure and adding tests, see
|
||||
tests/regression/apparmor/README.
|
||||
|
||||
To run:
|
||||
|
||||
### Regression tests - using apparmor userspace installed on host
|
||||
```
|
||||
$ cd tests/regression/apparmor (requires root)
|
||||
$ make USE_SYSTEM=1
|
||||
$ sudo make tests USE_SYSTEM=1
|
||||
$ sudo bash open.sh -r # runs and saves the last testcase from open.sh
|
||||
```
|
||||
|
||||
### Regression tests - using apparmor userspace from the tree.
|
||||
- [build libapparmor](#libapparmor)
|
||||
- [build binutils](#binary-utilities)
|
||||
- [build apparmor parser](#parser)
|
||||
- [build Pam apparmor](#pam-apparmor)
|
||||
|
||||
```
|
||||
$ cd tests/regression/apparmor (requires root)
|
||||
$ make
|
||||
$ sudo make tests
|
||||
$ sudo bash open.sh -r # runs and saves the last testcase from open.sh
|
||||
```
|
||||
|
||||
Parser tests
|
||||
------------
|
||||
For details on structure and adding tests, see parser/tst/README.
|
||||
|
||||
To run:
|
||||
|
||||
```
|
||||
$ cd parser/tst
|
||||
$ make
|
||||
$ make tests
|
||||
```
|
||||
|
||||
Libapparmor
|
||||
-----------
|
||||
For details on structure and adding tests, see libraries/libapparmor/README.
|
||||
|
||||
```
|
||||
$ cd libraries/libapparmor
|
||||
$ make check
|
||||
```
|
||||
|
||||
Utils
|
||||
-----
|
||||
Tests for the Python utilities exist in the test/ subdirectory.
|
||||
|
||||
```
|
||||
$ cd utils
|
||||
$ make check
|
||||
```
|
||||
|
||||
The aa-decode utility to be tested can be overridden by
|
||||
setting up environment variable APPARMOR_DECODE; e.g.:
|
||||
|
||||
```
|
||||
$ APPARMOR_DECODE=/usr/bin/aa-decode make check
|
||||
```
|
||||
|
||||
Profile checks
|
||||
--------------
|
||||
A basic consistency check to ensure that the parser and aa-logprof parse
|
||||
successfully the current set of shipped profiles. The system or other
|
||||
parser and logprof can be passed in by overriding the PARSER and LOGPROF
|
||||
variables.
|
||||
|
||||
```
|
||||
$ cd profiles
|
||||
$ make && make check
|
||||
```
|
||||
|
||||
Stress Tests
|
||||
------------
|
||||
To run AppArmor stress tests:
|
||||
|
||||
```
|
||||
$ make all
|
||||
```
|
||||
|
||||
Use these:
|
||||
|
||||
```
|
||||
$ ./change_hat
|
||||
$ ./child
|
||||
$ ./kill.sh
|
||||
$ ./open
|
||||
$ ./s.sh
|
||||
```
|
||||
|
||||
Or run all at once:
|
||||
|
||||
```
|
||||
$ ./stress.sh
|
||||
```
|
||||
|
||||
Please note that the above will stress the system so much it may end up
|
||||
invoking the OOM killer.
|
||||
|
||||
To run parser stress tests (requires /usr/bin/ruby):
|
||||
|
||||
```
|
||||
$ ./stress.sh
|
||||
```
|
||||
|
||||
(see stress.sh -h for options)
|
||||
|
||||
Coverity Support
|
||||
----------------
|
||||
Coverity scans are available to AppArmor developers at
|
||||
https://scan.coverity.com/projects/apparmor.
|
||||
|
||||
In order to submit a Coverity build for analysis, the cov-build binary
|
||||
must be discoverable from your PATH. See the "To Setup" section of
|
||||
https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
|
||||
cov-build.
|
||||
|
||||
To generate a compressed tarball of an intermediate Coverity directory:
|
||||
|
||||
```
|
||||
$ make coverity
|
||||
```
|
||||
|
||||
The compressed tarball is written to
|
||||
apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>
|
||||
is something like 2.10.90~3328, and must be uploaded to
|
||||
https://scan.coverity.com/projects/apparmor/builds/new for analysis. You must
|
||||
include the snapshot version in Coverity's project build submission form, in
|
||||
the "Project Version" field, so that it is quickly obvious to all AppArmor
|
||||
developers what snapshot of the AppArmor repository was used for the analysis.
|
||||
|
||||
-----------------------------------------------
|
||||
Building and Installing AppArmor Kernel Patches
|
||||
-----------------------------------------------
|
||||
|
||||
TODO
|
||||
|
||||
|
||||
-----------------
|
||||
Required versions
|
||||
-----------------
|
||||
|
||||
The AppArmor userspace utilities are written with some assumptions about
|
||||
installed and available versions of other tools. This is a (possibly
|
||||
incomplete) list of known version dependencies:
|
||||
|
||||
The Python utilities require a minimum of Python 3.3.
|
||||
|
||||
The aa-notify tool's Python dependencies can be satisfied by installing the
|
||||
following packages (Debian package names, other distros may vary):
|
||||
* python3-notify2
|
||||
* python3-psutil
|
||||
|
||||
Perl is no longer needed since none of the utilities shipped to end users depend
|
||||
on it anymore.
|
||||
|
||||
Most shell scripts are written for POSIX-compatible sh. aa-decode expects
|
||||
bash, probably version 3.2 and higher.
|
@@ -1,178 +0,0 @@
|
||||
# ----------------------------------------------------------------------
|
||||
# Copyright (c) 2015
|
||||
# Canonical Ltd. (All rights reserved)
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
# ----------------------------------------------------------------------
|
||||
NAME=aa-binutils
|
||||
all:
|
||||
COMMONDIR=../common/
|
||||
|
||||
include $(COMMONDIR)/Make.rules
|
||||
|
||||
DESTDIR=/
|
||||
BINDIR=${DESTDIR}/usr/bin
|
||||
SBINDIR=${DESTDIR}/usr/sbin
|
||||
LOCALEDIR=/usr/share/locale
|
||||
MANPAGES=aa-enabled.1 aa-exec.1 aa-features-abi.1 aa-status.8
|
||||
|
||||
WARNINGS = -Wall
|
||||
CPP_WARNINGS =
|
||||
ifndef CFLAGS
|
||||
CFLAGS = -g -O2 -pipe
|
||||
|
||||
ifdef DEBUG
|
||||
CFLAGS += -pg -D DEBUG
|
||||
endif
|
||||
ifdef COVERAGE
|
||||
CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
|
||||
endif
|
||||
endif #CFLAGS
|
||||
|
||||
EXTRA_CFLAGS = ${CFLAGS} ${CPPFLAGS} ${EXTRA_CXXFLAGS} ${CPP_WARNINGS} $(EXTRA_WARNINGS)
|
||||
|
||||
#INCLUDEDIR = /usr/src/linux/include
|
||||
INCLUDEDIR =
|
||||
|
||||
ifdef INCLUDEDIR
|
||||
CFLAGS += -I$(INCLUDEDIR)
|
||||
endif
|
||||
|
||||
# Internationalization support. Define a package and a LOCALEDIR
|
||||
EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
|
||||
|
||||
SRCS = aa_enabled.c aa_load.c
|
||||
HDRS =
|
||||
BINTOOLS = aa-enabled aa-exec aa-features-abi
|
||||
SBINTOOLS = aa-status aa-load
|
||||
|
||||
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
|
||||
|
||||
ifdef WITH_LIBINTL
|
||||
AALIB += -lintl
|
||||
endif
|
||||
|
||||
ifdef USE_SYSTEM
|
||||
# Using the system libapparmor so Makefile dependencies can't be used
|
||||
LIBAPPARMOR_A =
|
||||
INCLUDE_APPARMOR =
|
||||
APPARMOR_H =
|
||||
LIBAPPARMOR_LDFLAGS =
|
||||
else
|
||||
LIBAPPARMOR_SRC = ../libraries/libapparmor/
|
||||
LOCAL_LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
|
||||
LOCAL_LIBAPPARMOR_LDPATH = $(LIBAPPARMOR_SRC)/src/.libs
|
||||
|
||||
LIBAPPARMOR_A = $(LOCAL_LIBAPPARMOR_LDPATH)/libapparmor.a
|
||||
INCLUDE_APPARMOR = -I$(LOCAL_LIBAPPARMOR_INCLUDE)
|
||||
APPARMOR_H = $(LOCAL_LIBAPPARMOR_INCLUDE)/sys/apparmor.h
|
||||
LIBAPPARMOR_LDFLAGS = -L$(LOCAL_LIBAPPARMOR_LDPATH)
|
||||
endif
|
||||
EXTRA_CFLAGS += $(INCLUDE_APPARMOR)
|
||||
LDFLAGS += $(LIBAPPARMOR_LDFLAGS)
|
||||
|
||||
ifdef V
|
||||
VERBOSE = 1
|
||||
endif
|
||||
ifndef VERBOSE
|
||||
VERBOSE = 0
|
||||
endif
|
||||
ifeq ($(VERBOSE),1)
|
||||
BUILD_OUTPUT =
|
||||
Q =
|
||||
else
|
||||
BUILD_OUTPUT = > /dev/null 2>&1
|
||||
Q = @
|
||||
endif
|
||||
export Q VERBOSE BUILD_OUTPUT
|
||||
|
||||
po/%.pot: %.c
|
||||
$(MAKE) -C po $(@F) NAME=$* SOURCES=$*.c
|
||||
|
||||
# targets arranged this way so that people who don't want full docs can
|
||||
# pick specific targets they want.
|
||||
arch: $(BINTOOLS) $(SBINTOOLS)
|
||||
|
||||
manpages: $(MANPAGES)
|
||||
|
||||
docs: manpages
|
||||
|
||||
indep: docs
|
||||
$(Q)$(MAKE) -C po all
|
||||
|
||||
all: arch indep
|
||||
|
||||
.PHONY: coverage
|
||||
coverage:
|
||||
$(MAKE) clean $(BINTOOLS) $(SBINTOOLS) COVERAGE=1
|
||||
|
||||
ifndef USE_SYSTEM
|
||||
$(LIBAPPARMOR_A):
|
||||
@if [ ! -f $@ ]; then \
|
||||
echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
|
||||
echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
|
||||
echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
|
||||
exit 1; \
|
||||
fi
|
||||
endif
|
||||
|
||||
aa-features-abi: aa_features_abi.c $(LIBAPPARMOR_A)
|
||||
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
|
||||
|
||||
aa-load: aa_load.c $(LIBAPPARMOR_A)
|
||||
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
|
||||
|
||||
aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)
|
||||
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
|
||||
|
||||
aa-exec: aa_exec.c $(LIBAPPARMOR_A)
|
||||
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
|
||||
|
||||
aa-status: aa_status.c cJSON.o $(LIBAPPARMOR_A)
|
||||
$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB) cJSON.o
|
||||
|
||||
cJSON.o: cJSON.c cJSON.h
|
||||
$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
|
||||
|
||||
.SILENT: check
|
||||
.PHONY: check
|
||||
check: check_pod_files tests
|
||||
|
||||
.SILENT: tests
|
||||
tests: $(BINTOOLS) $(SBINTOOLS) $(TESTS)
|
||||
echo "no tests atm"
|
||||
|
||||
.PHONY: install
|
||||
install: install-indep install-arch
|
||||
|
||||
.PHONY: install-arch
|
||||
install-arch: arch
|
||||
install -m 755 -d ${BINDIR}
|
||||
install -m 755 ${BINTOOLS} ${BINDIR}
|
||||
install -m 755 -d ${SBINDIR}
|
||||
ln -sf aa-status ${SBINDIR}/apparmor_status
|
||||
install -m 755 ${SBINTOOLS} ${SBINDIR}
|
||||
|
||||
.PHONY: install-indep
|
||||
install-indep: indep
|
||||
$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
|
||||
$(MAKE) install_manpages DESTDIR=${DESTDIR}
|
||||
ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
|
||||
|
||||
ifndef VERBOSE
|
||||
.SILENT: clean
|
||||
endif
|
||||
.PHONY: clean
|
||||
clean: pod_clean
|
||||
rm -f core core.* *.o *.s *.a *~ *.gcda *.gcno
|
||||
rm -f gmon.out
|
||||
rm -f $(BINTOOLS) $(SBINTOOLS) $(TESTS)
|
||||
$(MAKE) -s -C po clean
|
||||
|
@@ -1,103 +0,0 @@
|
||||
# This publication is intellectual property of Canonical Ltd. Its contents
|
||||
# can be duplicated, either in part or in whole, provided that a copyright
|
||||
# label is visibly located on each copy.
|
||||
#
|
||||
# All information found in this book has been compiled with utmost
|
||||
# attention to detail. However, this does not guarantee complete accuracy.
|
||||
# Neither Canonical Ltd, the authors, nor the translators shall be held
|
||||
# liable for possible errors or the consequences thereof.
|
||||
#
|
||||
# Many of the software and hardware descriptions cited in this book
|
||||
# are registered trademarks. All trade names are subject to copyright
|
||||
# restrictions and may be registered trade marks. Canonical Ltd
|
||||
# essentially adheres to the manufacturer's spelling.
|
||||
#
|
||||
# Names of products and trademarks appearing in this book (with or without
|
||||
# specific notation) are likewise subject to trademark and trade protection
|
||||
# laws and may thus fall under copyright restrictions.
|
||||
#
|
||||
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
aa-enabled - test whether AppArmor is enabled
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<aa-enabled> [options]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
B<aa-enabled> is used to determine if AppArmor is enabled.
|
||||
|
||||
=head1 OPTIONS
|
||||
|
||||
B<aa-enabled> accepts the following arguments:
|
||||
|
||||
=over 4
|
||||
|
||||
=item -h, --help
|
||||
|
||||
Display a brief usage guide.
|
||||
|
||||
=item -q, --quiet
|
||||
|
||||
Do not output anything to stdout. This option is intended to be used by
|
||||
scripts that simply want to use the exit code to determine if AppArmor is
|
||||
enabled.
|
||||
|
||||
=item -x, --exclusive
|
||||
|
||||
Require AppArmor to have exclusive access to shared LSM interfaces to
|
||||
be considered enabled.
|
||||
|
||||
=back
|
||||
|
||||
=head1 EXIT STATUS
|
||||
|
||||
Upon exiting, B<aa-enabled> will set its exit status to the following values:
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<0>
|
||||
|
||||
if AppArmor is enabled.
|
||||
|
||||
=item B<1>
|
||||
|
||||
if AppArmor is not enabled/loaded.
|
||||
|
||||
=item B<2>
|
||||
|
||||
intentionally not used as an B<aa-enabled> exit status.
|
||||
|
||||
=item B<3>
|
||||
|
||||
if the AppArmor control files aren't available under /sys/kernel/security/.
|
||||
|
||||
=item B<4>
|
||||
|
||||
if B<aa-enabled> doesn't have enough privileges to read the apparmor control files.
|
||||
|
||||
=item B<10>
|
||||
|
||||
AppArmor is enabled but does not have access to shared LSM interfaces.
|
||||
|
||||
=item B<64>
|
||||
|
||||
if any unexpected error or condition is encountered.
|
||||
|
||||
=back
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
If you find any bugs, please report them at
|
||||
L<https://gitlab.com/apparmor/apparmor/-/issues>.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<https://wiki.apparmor.net>.
|
||||
|
||||
=cut
|
@@ -1,93 +0,0 @@
|
||||
# This publication is intellectual property of Canonical Ltd. Its contents
|
||||
# can be duplicated, either in part or in whole, provided that a copyright
|
||||
# label is visibly located on each copy.
|
||||
#
|
||||
# All information found in this book has been compiled with utmost
|
||||
# attention to detail. However, this does not guarantee complete accuracy.
|
||||
# Neither Canonical Ltd, the authors, nor the translators shall be held
|
||||
# liable for possible errors or the consequences thereof.
|
||||
#
|
||||
# Many of the software and hardware descriptions cited in this book
|
||||
# are registered trademarks. All trade names are subject to copyright
|
||||
# restrictions and may be registered trade marks. Canonical Ltd
|
||||
# essentially adheres to the manufacturer's spelling.
|
||||
#
|
||||
# Names of products and trademarks appearing in this book (with or without
|
||||
# specific notation) are likewise subject to trademark and trade protection
|
||||
# laws and may thus fall under copyright restrictions.
|
||||
#
|
||||
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
aa-exec - confine a program with the specified AppArmor profile
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
B<aa-exec> is used to launch a program confined by the specified profile
|
||||
and or namespace. If both a profile and namespace are specified command
|
||||
will be confined by profile in the new policy namespace. If only a namespace
|
||||
is specified, the profile name of the current confinement will be used. If
|
||||
neither a profile or namespace is specified command will be run using
|
||||
standard profile attachment (ie. as if run without the aa-exec command).
|
||||
|
||||
If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
|
||||
by aa-exec then -- should be used to separate aa-exec arguments from the
|
||||
command.
|
||||
aa-exec -p profile1 -- ls -l
|
||||
|
||||
=head1 OPTIONS
|
||||
B<aa-exec> accepts the following arguments:
|
||||
|
||||
=over 4
|
||||
|
||||
=item -p PROFILE, --profile=PROFILE
|
||||
|
||||
confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
|
||||
use the current profile name (likely unconfined).
|
||||
|
||||
=item -n NAMESPACE, --namespace=NAMESPACE
|
||||
|
||||
use profiles in NAMESPACE. This will result in confinement transitioning
|
||||
to using the new profile namespace.
|
||||
|
||||
=item -i, --immediate
|
||||
|
||||
transition to PROFILE before doing executing I<E<lt>commandE<gt>>. This
|
||||
subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
|
||||
of the current profile.
|
||||
|
||||
=item -v, --verbose
|
||||
|
||||
show commands being performed
|
||||
|
||||
=item -d, --debug
|
||||
|
||||
show commands and error codes
|
||||
|
||||
=item --
|
||||
|
||||
Signal the end of options and disables further option processing. Any
|
||||
arguments after the -- are treated as arguments of the command. This is
|
||||
useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
|
||||
aa-exec.
|
||||
|
||||
=back
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
If you find any bugs, please report them at
|
||||
L<https://gitlab.com/apparmor/apparmor/-/issues>
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
|
||||
aa_change_onexec(3) and L<https://wiki.apparmor.net>.
|
||||
|
||||
=cut
|
@@ -1,97 +0,0 @@
|
||||
# This publication is intellectual property of Canonical Ltd. Its contents
|
||||
# can be duplicated, either in part or in whole, provided that a copyright
|
||||
# label is visibly located on each copy.
|
||||
#
|
||||
# All information found in this book has been compiled with utmost
|
||||
# attention to detail. However, this does not guarantee complete accuracy.
|
||||
# Neither Canonical Ltd, the authors, nor the translators shall be held
|
||||
# liable for possible errors or the consequences thereof.
|
||||
#
|
||||
# Many of the software and hardware descriptions cited in this book
|
||||
# are registered trademarks. All trade names are subject to copyright
|
||||
# restrictions and may be registered trade marks. Canonical Ltd
|
||||
# essentially adheres to the manufacturer's spelling.
|
||||
#
|
||||
# Names of products and trademarks appearing in this book (with or without
|
||||
# specific notation) are likewise subject to trademark and trade protection
|
||||
# laws and may thus fall under copyright restrictions.
|
||||
#
|
||||
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
aa-features-abi - Extract, validate and manipulate AppArmor feature abis
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<aa-features-abi> [OPTIONS] <SOURCE> [OUTPUT OPTIONS]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
B<aa-features-abi> is used to extract a features abi and output to
|
||||
either stdout or a specified file. A SOURCE_OPTION must be specified.
|
||||
If an output option is not specified the features abi is written to
|
||||
stdout.
|
||||
|
||||
=head1 OPTIONS
|
||||
|
||||
B<aa-features-abi> accepts the following arguments:
|
||||
|
||||
=over 4
|
||||
|
||||
=item -h, --help
|
||||
|
||||
Display a brief usage guide.
|
||||
|
||||
=item -d, --debug
|
||||
|
||||
show messages with debugging information
|
||||
|
||||
=item -v, --verbose
|
||||
|
||||
show messages with stats
|
||||
|
||||
=back
|
||||
|
||||
=head1 SOURCE
|
||||
|
||||
=over 4
|
||||
|
||||
=item -x, --extract
|
||||
|
||||
Extract the features abi for the kernel
|
||||
|
||||
=item -f FILE, --file=FILE
|
||||
|
||||
Load the features abi from FILE and send it to OUTPUT OPTIONS.
|
||||
|
||||
=back
|
||||
|
||||
=head1 OUTPUT OPTIONS
|
||||
|
||||
=over 4
|
||||
|
||||
=item --stdout
|
||||
|
||||
Write the features abi to I<stdout>, this is the default if no output option
|
||||
is specified.
|
||||
|
||||
=item -w FILE, --write FILE
|
||||
|
||||
Write the features abi to I<FILE>.
|
||||
|
||||
=back
|
||||
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
If you find any bugs, please report them at
|
||||
L<https://gitlab.com/apparmor/apparmor/-/issues>.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
apparmor(7), apparmor.d(5), aa_features(3), and L<https://wiki.apparmor.net>.
|
||||
|
||||
=cut
|
@@ -1,197 +0,0 @@
|
||||
# This publication is intellectual property of Novell Inc. and Canonical
|
||||
# Ltd. Its contents can be duplicated, either in part or in whole, provided
|
||||
# that a copyright label is visibly located on each copy.
|
||||
#
|
||||
# All information found in this book has been compiled with utmost
|
||||
# attention to detail. However, this does not guarantee complete accuracy.
|
||||
# Neither SUSE LINUX GmbH, Canonical Ltd, the authors, nor the translators
|
||||
# shall be held liable for possible errors or the consequences thereof.
|
||||
#
|
||||
# Many of the software and hardware descriptions cited in this book
|
||||
# are registered trademarks. All trade names are subject to copyright
|
||||
# restrictions and may be registered trade marks. SUSE LINUX GmbH
|
||||
# and Canonical Ltd. essentially adhere to the manufacturer's spelling.
|
||||
#
|
||||
# Names of products and trademarks appearing in this book (with or without
|
||||
# specific notation) are likewise subject to trademark and trade protection
|
||||
# laws and may thus fall under copyright restrictions.
|
||||
#
|
||||
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
aa-status - display various information about the current AppArmor
|
||||
policy.
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<aa-status> [option]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
B<aa-status> will report various aspects of the current state of
|
||||
AppArmor confinement. By default, it displays the same information as if
|
||||
the I<--verbose> argument were given. A sample of what this looks like
|
||||
is:
|
||||
|
||||
apparmor module is loaded.
|
||||
110 profiles are loaded.
|
||||
102 profiles are in enforce mode.
|
||||
8 profiles are in complain mode.
|
||||
Out of 129 processes running:
|
||||
13 processes have profiles defined.
|
||||
8 processes have profiles in enforce mode.
|
||||
5 processes have profiles in complain mode.
|
||||
|
||||
Other argument options are provided to report individual aspects, to
|
||||
support being used in scripts.
|
||||
|
||||
=head1 OPTIONS
|
||||
|
||||
B<aa-status> accepts only one argument at a time out of:
|
||||
|
||||
=over 4
|
||||
|
||||
=item --enabled
|
||||
|
||||
returns error code if AppArmor is not enabled.
|
||||
|
||||
=item --profiled
|
||||
|
||||
displays the number of loaded AppArmor policies.
|
||||
|
||||
=item --enforced
|
||||
|
||||
displays the number of loaded enforcing AppArmor policies.
|
||||
|
||||
=item --complaining
|
||||
|
||||
displays the number of loaded non-enforcing AppArmor policies.
|
||||
|
||||
=item --kill
|
||||
|
||||
displays the number of loaded enforcing AppArmor policies that will
|
||||
kill tasks on policy violations.
|
||||
|
||||
=item --prompt
|
||||
|
||||
displays the number of loaded enforcing AppArmor policies, with
|
||||
fallback to userspace mediation.
|
||||
|
||||
=item --special-unconfined
|
||||
|
||||
displays the number of loaded non-enforcing AppArmor policies that are
|
||||
in the special unconfined mode.
|
||||
|
||||
=item --process-mixed
|
||||
displays the number of processes confined by profile stacks with
|
||||
profiles in different modes.
|
||||
|
||||
=item --verbose
|
||||
|
||||
displays multiple data points about loaded AppArmor policy
|
||||
set (the default action if no arguments are given).
|
||||
|
||||
=item --json
|
||||
|
||||
displays multiple data points about loaded AppArmor policy
|
||||
set in a JSON format, fit for machine consumption.
|
||||
|
||||
=item --pretty-json
|
||||
|
||||
same as --json, formatted to be readable by humans as well
|
||||
as by machines.
|
||||
|
||||
=item --show
|
||||
|
||||
what data sets to show information about. Currently I<processes>,
|
||||
I<profiles>, I<all> for both processes and profiles. The default is
|
||||
I<all>.
|
||||
|
||||
=item --count
|
||||
|
||||
display only counts for selected information.
|
||||
|
||||
=item --filter.mode=filter
|
||||
|
||||
Allows specifying a posix regular expression filter that will be
|
||||
applied against the displayed processess and profiles apparmor profile
|
||||
mode, reducing the output.
|
||||
|
||||
=item --filter.profiles=filter
|
||||
|
||||
Allows specifying a posix regular expression filter that will be
|
||||
applied against the displayed processess and profiles confining
|
||||
profile, reducing the output.
|
||||
|
||||
=item --filter.pid=filter
|
||||
|
||||
Allows specifying a posix regular expression filter that will be
|
||||
applied against the displayed processes, so that only processes pids
|
||||
matching the expression will be displayed.
|
||||
|
||||
=item --filter.exe=filter
|
||||
|
||||
Allows specifying a posix regular expression filter that will be
|
||||
applied against the displayed processes, so that only processes
|
||||
executable name matching the expression will be displayed.
|
||||
|
||||
=item --help
|
||||
|
||||
displays a short usage statement.
|
||||
|
||||
=back
|
||||
|
||||
=head1 EXIT STATUS
|
||||
|
||||
Upon exiting, B<aa-status> will set its exit status to the
|
||||
following values:
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<0>
|
||||
|
||||
if apparmor is enabled and policy is loaded.
|
||||
|
||||
=item B<1>
|
||||
|
||||
if apparmor is not enabled/loaded.
|
||||
|
||||
=item B<2>
|
||||
|
||||
if apparmor is enabled but no policy is loaded.
|
||||
|
||||
=item B<3>
|
||||
|
||||
if the apparmor control files aren't available under
|
||||
/sys/kernel/security/.
|
||||
|
||||
=item B<4>
|
||||
|
||||
if the user running the script doesn't have enough privileges to read
|
||||
the apparmor control files.
|
||||
|
||||
=item B<42>
|
||||
|
||||
if an internal error occurred.
|
||||
|
||||
=back
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
B<aa-status> must be run as root to read the state of the loaded
|
||||
policy from the apparmor module. It uses the /proc filesystem to
|
||||
determine which processes are confined and so is susceptible to race
|
||||
conditions.
|
||||
|
||||
If you find any additional bugs, please report them at
|
||||
L<https://gitlab.com/apparmor/apparmor/-/issues>.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
apparmor(7), apparmor.d(5), and
|
||||
L<https://wiki.apparmor.net>.
|
||||
|
||||
=cut
|
@@ -1,100 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2015 Canonical Ltd.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <locale.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <libintl.h>
|
||||
#define _(s) gettext(s)
|
||||
|
||||
#include <sys/apparmor.h>
|
||||
|
||||
void print_help(const char *command)
|
||||
{
|
||||
printf(_("%s: [options]\n"
|
||||
" options:\n"
|
||||
" -x | --exclusive Shared interfaces must be available\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"),
|
||||
command);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
/* Exit statuses and meanings are documented in the aa-enabled.pod file */
|
||||
static void exit_with_error(int saved_errno, int quiet)
|
||||
{
|
||||
switch(saved_errno) {
|
||||
case ENOSYS:
|
||||
if (!quiet)
|
||||
printf(_("No - not available on this system.\n"));
|
||||
exit(1);
|
||||
case ECANCELED:
|
||||
if (!quiet)
|
||||
printf(_("No - disabled at boot.\n"));
|
||||
exit(1);
|
||||
case ENOENT:
|
||||
if (!quiet)
|
||||
printf(_("Maybe - policy interface not available.\n"));
|
||||
exit(3);
|
||||
case EPERM:
|
||||
case EACCES:
|
||||
if (!quiet)
|
||||
printf(_("Maybe - insufficient permissions to determine availability.\n"));
|
||||
exit(4);
|
||||
case EBUSY:
|
||||
if (!quiet)
|
||||
printf(_("Partially - public shared interfaces are not available.\n"));
|
||||
exit(10);
|
||||
}
|
||||
if (!quiet)
|
||||
printf(_("Error - %s\n"), strerror(saved_errno));
|
||||
exit(64);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int i, enabled;
|
||||
int quiet = 0;
|
||||
int require_shared = 0;
|
||||
|
||||
setlocale(LC_MESSAGES, "");
|
||||
bindtextdomain(PACKAGE, LOCALEDIR);
|
||||
textdomain(PACKAGE);
|
||||
|
||||
if (argc > 3) {
|
||||
printf(_("unknown or incompatible options\n"));
|
||||
print_help(argv[0]);
|
||||
}
|
||||
for (i = 1; i < argc; i++) {
|
||||
if (strcmp(argv[i], "--quiet") == 0 ||
|
||||
strcmp(argv[i], "-q") == 0) {
|
||||
quiet = 1;
|
||||
} else if (strcmp(argv[i], "--exclusive") == 0 ||
|
||||
strcmp(argv[i], "-x") == 0) {
|
||||
require_shared = 1;
|
||||
} else if (strcmp(argv[i], "--help") == 0 ||
|
||||
strcmp(argv[i], "-h") == 0) {
|
||||
print_help(argv[0]);
|
||||
} else {
|
||||
printf(_("unknown option '%s'\n"), argv[1]);
|
||||
print_help(argv[0]);
|
||||
}
|
||||
}
|
||||
|
||||
enabled = aa_is_enabled();
|
||||
if (!enabled) {
|
||||
if (require_shared || errno != EBUSY)
|
||||
exit_with_error(errno, quiet);
|
||||
}
|
||||
if (!quiet)
|
||||
printf(_("Yes\n"));
|
||||
exit(0);
|
||||
}
|
@@ -1,232 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2015
|
||||
* Canonical, Ltd. (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc. or Canonical
|
||||
* Ltd.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <getopt.h>
|
||||
#include <libintl.h>
|
||||
#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/apparmor.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
#define _(s) gettext(s)
|
||||
|
||||
static const char *opt_profile = NULL;
|
||||
static const char *opt_namespace = NULL;
|
||||
static bool opt_debug = false;
|
||||
static bool opt_immediate = false;
|
||||
static bool opt_verbose = false;
|
||||
static pid_t pid = 0;
|
||||
|
||||
static void usage(const char *name, bool error)
|
||||
{
|
||||
FILE *stream = stdout;
|
||||
int status = EXIT_SUCCESS;
|
||||
|
||||
if (error) {
|
||||
stream = stderr;
|
||||
status = EXIT_FAILURE;
|
||||
}
|
||||
|
||||
fprintf(stream,
|
||||
_("USAGE: %s [OPTIONS] <prog> <args>\n"
|
||||
"\n"
|
||||
"Confine <prog> with the specified PROFILE.\n"
|
||||
"\n"
|
||||
"OPTIONS:\n"
|
||||
" -p PROFILE, --profile=PROFILE PROFILE to confine <prog> with\n"
|
||||
" -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in\n"
|
||||
" -d, --debug show messages with debugging information\n"
|
||||
" -i, --immediate change profile immediately instead of at exec\n"
|
||||
" -v, --verbose show messages with stats\n"
|
||||
" -h, --help display this help\n"
|
||||
"\n"), name);
|
||||
exit(status);
|
||||
}
|
||||
|
||||
#define error(fmt, args...) _error(_("[%ld] aa-exec: ERROR: " fmt "\n"), (long)pid, ## args)
|
||||
static void _error(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
#define debug(fmt, args...) _debug(_("[%ld] aa-exec: DEBUG: " fmt "\n"), (long)pid, ## args)
|
||||
static void _debug(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (!opt_debug)
|
||||
return;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
#define verbose(fmt, args...) _verbose(_("[%ld] " fmt "\n"), (long)pid, ## args)
|
||||
static void _verbose(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (!opt_verbose)
|
||||
return;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
static void verbose_print_argv(char **argv)
|
||||
{
|
||||
if (!opt_verbose)
|
||||
return;
|
||||
|
||||
fprintf(stderr, _("[%ld] exec"), (long)pid);
|
||||
for (; *argv; argv++)
|
||||
fprintf(stderr, " %s", *argv);
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
|
||||
static char **parse_args(int argc, char **argv)
|
||||
{
|
||||
int opt;
|
||||
struct option long_opts[] = {
|
||||
{"debug", no_argument, 0, 'd'},
|
||||
{"help", no_argument, 0, 'h'},
|
||||
{"profile", required_argument, 0, 'p'},
|
||||
{"namespace", required_argument, 0, 'n'},
|
||||
{"immediate", no_argument, 0, 'i'},
|
||||
{"verbose", no_argument, 0, 'v'},
|
||||
};
|
||||
|
||||
while ((opt = getopt_long(argc, argv, "+dhp:n:iv", long_opts, NULL)) != -1) {
|
||||
switch (opt) {
|
||||
case 'd':
|
||||
opt_debug = true;
|
||||
break;
|
||||
case 'h':
|
||||
usage(argv[0], false);
|
||||
break;
|
||||
case 'p':
|
||||
if (opt_profile)
|
||||
error("Multiple -p/--profile parameters given");
|
||||
opt_profile = optarg;
|
||||
break;
|
||||
case 'n':
|
||||
if (opt_namespace)
|
||||
error("Multiple -n/--namespace parameters given");
|
||||
opt_namespace = optarg;
|
||||
break;
|
||||
case 'i':
|
||||
opt_immediate = true;
|
||||
break;
|
||||
case 'v':
|
||||
opt_verbose = true;
|
||||
break;
|
||||
default:
|
||||
usage(argv[0], true);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (optind >= argc)
|
||||
usage(argv[0], true);
|
||||
|
||||
return argv + optind;
|
||||
}
|
||||
|
||||
static void build_name(char *name, size_t name_len,
|
||||
const char *namespace, const char *profile)
|
||||
{
|
||||
size_t required_len = 1; /* reserve 1 byte for NUL-terminator */
|
||||
|
||||
if (namespace)
|
||||
required_len += 1 + strlen(namespace) + 3; /* :<NAMESPACE>:// */
|
||||
|
||||
if (profile)
|
||||
required_len += strlen(profile);
|
||||
|
||||
if (required_len > name_len)
|
||||
error("name too long (%zu > %zu)", required_len, name_len);
|
||||
|
||||
name[0] = '\0';
|
||||
|
||||
if (namespace) {
|
||||
strcat(name, ":");
|
||||
strcat(name, namespace);
|
||||
strcat(name, "://");
|
||||
}
|
||||
|
||||
if (profile)
|
||||
strcat(name, profile);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
char name[PATH_MAX];
|
||||
int rc = 0;
|
||||
|
||||
/* IMPORTANT: pid must be initialized before doing anything else since
|
||||
* it is used in a global context when printing messages
|
||||
*/
|
||||
pid = getpid();
|
||||
|
||||
argv = parse_args(argc, argv);
|
||||
|
||||
if (opt_namespace || opt_profile)
|
||||
build_name(name, sizeof(name), opt_namespace, opt_profile);
|
||||
else
|
||||
goto exec;
|
||||
|
||||
if (opt_immediate) {
|
||||
verbose("aa_change_profile(\"%s\")", name);
|
||||
rc = aa_change_profile(name);
|
||||
debug("%d = aa_change_profile(\"%s\")", rc, name);
|
||||
} else {
|
||||
verbose("aa_change_onexec(\"%s\")", name);
|
||||
rc = aa_change_onexec(name);
|
||||
debug("%d = aa_change_onexec(\"%s\")", rc, name);
|
||||
}
|
||||
|
||||
if (rc) {
|
||||
if (errno == ENOENT) {
|
||||
error("%s '%s' does not exist",
|
||||
opt_profile ? "profile" : "namespace", name);
|
||||
} else if (errno == EACCES) {
|
||||
error("insufficient permissions to change to the %s '%s'",
|
||||
opt_profile ? "profile" : "namespace", name);
|
||||
} else if (errno == EINVAL) {
|
||||
error("AppArmor interface not available");
|
||||
} else {
|
||||
error("%m");
|
||||
}
|
||||
}
|
||||
|
||||
exec:
|
||||
verbose_print_argv(argv);
|
||||
execvp(argv[0], argv);
|
||||
error("Failed to execute \"%s\": %m", argv[0]);
|
||||
}
|
@@ -1,207 +0,0 @@
|
||||
/*
|
||||
* Copyright (c) 2020
|
||||
* Canonical, Ltd. (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Canonical Ltd.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
#include <libintl.h>
|
||||
#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/apparmor.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
#define _(s) gettext(s)
|
||||
|
||||
#include "../libraries/libapparmor/src/private.h"
|
||||
|
||||
static const char *progname = NULL;
|
||||
static const char *opt_file = NULL;
|
||||
static const char *opt_write = NULL;
|
||||
static bool opt_debug = false;
|
||||
static bool opt_verbose = false;
|
||||
static bool opt_extract = false;
|
||||
|
||||
static void usage(const char *name, bool error)
|
||||
{
|
||||
FILE *stream = stdout;
|
||||
int status = EXIT_SUCCESS;
|
||||
|
||||
if (error) {
|
||||
stream = stderr;
|
||||
status = EXIT_FAILURE;
|
||||
}
|
||||
|
||||
fprintf(stream,
|
||||
_("USAGE: %s [OPTIONS] <SOURCE> [OUTPUT OPTIONS]\n"
|
||||
"\n"
|
||||
"Output AppArmor feature abi from SOURCE to OUTPUT"
|
||||
"\n"
|
||||
"OPTIONS:\n"
|
||||
#if 0
|
||||
" -d, --debug show messages with debugging information\n"
|
||||
" -v, --verbose show messages with stats\n"
|
||||
#endif
|
||||
" -h, --help display this help\n"
|
||||
"SOURCE:\n"
|
||||
" -f F, --file=F load features abi from file F\n"
|
||||
" -x, --extract extract features abi from the kernel\n"
|
||||
"OUTPUT OPTIONS:\n"
|
||||
" --stdout default, write features to stdout\n"
|
||||
" -w F, --write=F write features abi to the file F instead of stdout\n"
|
||||
"\n"), name);
|
||||
exit(status);
|
||||
}
|
||||
|
||||
#define error(fmt, args...) _error(_("%s: ERROR: " fmt " - %m\n"), progname, ## args)
|
||||
static void _error(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
#if 0
|
||||
#define debug(fmt, args...) _debug(_("%s: DEBUG: " fmt "\n"), progname, ## args)
|
||||
static void _debug(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (!opt_debug)
|
||||
return;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
#define verbose(fmt, args...) _verbose(_(fmt "\n"), ## args)
|
||||
static void _verbose(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (!opt_verbose)
|
||||
return;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
#endif
|
||||
|
||||
#define ARG_STDOUT 128
|
||||
|
||||
static char **parse_args(int argc, char **argv)
|
||||
{
|
||||
int opt;
|
||||
struct option long_opts[] = {
|
||||
{"debug", no_argument, 0, 'd'},
|
||||
{"verbose", no_argument, 0, 'v'},
|
||||
{"help", no_argument, 0, 'h'},
|
||||
{"extract", no_argument, 0, 'x'},
|
||||
{"file", required_argument, 0, 'f'},
|
||||
{"write", required_argument, 0, 'w'},
|
||||
{"stdout", no_argument, 0, ARG_STDOUT},
|
||||
};
|
||||
|
||||
while ((opt = getopt_long(argc, argv, "+dvhxf:l:w:", long_opts, NULL)) != -1) {
|
||||
switch (opt) {
|
||||
case 'd':
|
||||
opt_debug = true;
|
||||
break;
|
||||
case 'v':
|
||||
opt_verbose = true;
|
||||
break;
|
||||
case 'h':
|
||||
usage(argv[0], false);
|
||||
break;
|
||||
case 'x':
|
||||
opt_extract = true;
|
||||
break;
|
||||
case 'f':
|
||||
opt_file = optarg;
|
||||
break;
|
||||
case 'w':
|
||||
opt_write = optarg;
|
||||
break;
|
||||
case ARG_STDOUT:
|
||||
opt_write = NULL;
|
||||
break;
|
||||
default:
|
||||
usage(argv[0], true);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return argv + optind;
|
||||
}
|
||||
|
||||
|
||||
/* TODO: add features intersection and testing */
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
struct aa_features *features;
|
||||
autoclose int in = -1;
|
||||
autoclose int out = -1;
|
||||
int rc = 0;
|
||||
|
||||
progname = argv[0];
|
||||
|
||||
argv = parse_args(argc, argv);
|
||||
|
||||
if (!opt_extract && !opt_file)
|
||||
usage(argv[0], true);
|
||||
if (opt_extract && opt_file) {
|
||||
error("options --extract and --file are mutually exclusive");
|
||||
}
|
||||
if (opt_extract) {
|
||||
rc = aa_features_new_from_kernel(&features);
|
||||
if (rc == -1)
|
||||
error("failed to extract features abi from the kernel");
|
||||
}
|
||||
if (opt_file) {
|
||||
in = open(opt_file, O_RDONLY);
|
||||
if (in == -1)
|
||||
error("failed to open file '%s'", opt_file);
|
||||
rc = aa_features_new_from_file(&features, in);
|
||||
if (rc == -1)
|
||||
error("failed to load features abi from file '%s'", opt_file);
|
||||
}
|
||||
|
||||
|
||||
if (opt_write) {
|
||||
out = open(opt_write, O_WRONLY | O_CREAT, 00600);
|
||||
if (out == -1)
|
||||
error("failed to open output file '%s'", opt_write);
|
||||
} else {
|
||||
out = fileno(stdout);
|
||||
if (out == -1)
|
||||
error("failed to get stdout");
|
||||
}
|
||||
rc = aa_features_write_to_fd(features, out);
|
||||
if (rc == -1)
|
||||
error("failed to write features abi");
|
||||
|
||||
return 0;
|
||||
}
|
@@ -1,408 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2020 Canonical Ltd.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*/
|
||||
|
||||
#define _GNU_SOURCE /* for asprintf() */
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <getopt.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stdarg.h>
|
||||
#include <stddef.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <dirent.h>
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <sys/apparmor.h>
|
||||
|
||||
#include <libintl.h>
|
||||
#define _(s) gettext(s)
|
||||
|
||||
/* TODO: implement config locations - value can change */
|
||||
#define DEFAULT_CONFIG_LOCATIONS "/etc/apparmor/parser.conf"
|
||||
#define DEFAULT_POLICY_LOCATIONS "/var/cache/apparmor:/etc/apparmor.d/cache.d:/etc/apparmor.d/cache"
|
||||
#define CACHE_FEATURES_FILE ".features"
|
||||
|
||||
bool opt_debug = false;
|
||||
bool opt_verbose = false;
|
||||
bool opt_dryrun = false;
|
||||
bool opt_force = false;
|
||||
bool opt_config = false;
|
||||
|
||||
#define warning(fmt, args...) _error(_("aa-load: WARN: " fmt "\n"), ## args)
|
||||
#define error(fmt, args...) _error(_("aa-load: ERROR: " fmt "\n"), ## args)
|
||||
static void _error(const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
#define verbose(fmt, args...) _debug(opt_verbose, _(fmt "\n"), ## args)
|
||||
#define debug(fmt, args...) _debug(opt_debug, _("aa-load: DEBUG: " fmt "\n"), ## args)
|
||||
static void _debug(bool opt_displayit, const char *fmt, ...)
|
||||
{
|
||||
va_list args;
|
||||
|
||||
if (!opt_displayit)
|
||||
return;
|
||||
|
||||
va_start(args, fmt);
|
||||
vfprintf(stderr, fmt, args);
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
static int have_enough_privilege(const char *command)
|
||||
{
|
||||
uid_t uid, euid;
|
||||
|
||||
uid = getuid();
|
||||
euid = geteuid();
|
||||
|
||||
if (uid != 0 && euid != 0) {
|
||||
error("%s: Sorry. You need root privileges to run this program.\n",
|
||||
command);
|
||||
return EPERM;
|
||||
}
|
||||
|
||||
if (uid != 0 && euid == 0) {
|
||||
error("%s: Aborting! You've set this program setuid root.\n"
|
||||
"Anybody who can run this program can update "
|
||||
"your AppArmor profiles.\n", command);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int load_config(const char *file)
|
||||
{
|
||||
/* TODO */
|
||||
return ENOENT;
|
||||
}
|
||||
|
||||
/**
|
||||
* load a single policy cache file to the kernel
|
||||
*/
|
||||
static int load_policy_file(const char *file)
|
||||
{
|
||||
int rc = 0;
|
||||
|
||||
struct aa_kernel_interface *kernel_interface;
|
||||
|
||||
if (aa_kernel_interface_new(&kernel_interface, NULL, NULL)) {
|
||||
rc = -errno;
|
||||
error("Failed to open kernel interface '%s': %m", file);
|
||||
return rc;
|
||||
}
|
||||
if (!opt_dryrun &&
|
||||
aa_kernel_interface_replace_policy_from_file(kernel_interface,
|
||||
AT_FDCWD, file)) {
|
||||
rc = -errno;
|
||||
error("Failed to load policy into kernel '%s': %m", file);
|
||||
}
|
||||
aa_kernel_interface_unref(kernel_interface);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
static void validate_features(const char *dir_path)
|
||||
{
|
||||
aa_features *kernel_features;
|
||||
|
||||
if (aa_features_new_from_kernel(&kernel_features) == -1) {
|
||||
error("Failed to obtain features: %m");
|
||||
return;
|
||||
}
|
||||
|
||||
if (aa_features_check(AT_FDCWD, dir_path, kernel_features) == -1) {
|
||||
if (errno == ENOENT) {
|
||||
/* features file does not exist
|
||||
* not an issue when loading cache policies from dir
|
||||
*/
|
||||
}
|
||||
else if (errno == EEXIST) {
|
||||
warning("Overlay features do not match kernel features");
|
||||
}
|
||||
}
|
||||
aa_features_unref(kernel_features);
|
||||
}
|
||||
|
||||
/**
|
||||
* load a directory of policy cache files to the kernel
|
||||
* This does not do a subdir search to find the kernel match but
|
||||
* tries to load the dir regardless of whether its features match
|
||||
*
|
||||
* The hierarchy looks like
|
||||
*
|
||||
* dir/
|
||||
* .features
|
||||
* profile1
|
||||
* ...
|
||||
*/
|
||||
|
||||
static int load_policy_dir(const char *dir_path)
|
||||
{
|
||||
DIR *d;
|
||||
struct dirent *dir;
|
||||
int rc = 0;
|
||||
char *file;
|
||||
size_t len;
|
||||
|
||||
validate_features(dir_path);
|
||||
|
||||
d = opendir(dir_path);
|
||||
if (!d) {
|
||||
rc = -errno;
|
||||
error("Failed to open directory '%s': %m", dir_path);
|
||||
return rc;
|
||||
}
|
||||
|
||||
while ((dir = readdir(d)) != NULL) {
|
||||
/* Only check regular files for now */
|
||||
if (dir->d_type == DT_REG) {
|
||||
len = strnlen(dir->d_name, PATH_MAX);
|
||||
/* Ignores .features */
|
||||
if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {
|
||||
continue;
|
||||
}
|
||||
if (asprintf(&file, "%s/%s", dir_path, dir->d_name) == -1) {
|
||||
error("Failure allocating memory");
|
||||
closedir(d);
|
||||
return -1;
|
||||
}
|
||||
load_policy_file(file);
|
||||
free(file);
|
||||
file = NULL;
|
||||
}
|
||||
}
|
||||
closedir(d);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* load_hashed_policy - find policy hashed dir and load it
|
||||
*
|
||||
* load/replace all policy from a policy hierarchy directory
|
||||
*
|
||||
* Returns: 0 on success < -errno
|
||||
*
|
||||
* It will find the subdir that matches the kernel and load all
|
||||
* precompiled policy files from it.
|
||||
*
|
||||
* The hierarchy looks something like
|
||||
*
|
||||
* location/
|
||||
* kernel_hash1.0/
|
||||
* .features
|
||||
* profile1
|
||||
* ...
|
||||
* kernel_hash2.0/
|
||||
* .features
|
||||
* profile1
|
||||
* ...
|
||||
*/
|
||||
static int load_policy_by_hash(const char *location)
|
||||
{
|
||||
aa_policy_cache *policy_cache = NULL;
|
||||
int rc;
|
||||
|
||||
if ((rc = aa_policy_cache_new(&policy_cache, NULL, AT_FDCWD, location, 0))) {
|
||||
rc = -errno;
|
||||
error("Failed to open policy cache '%s': %m", location);
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (opt_debug) {
|
||||
/* show hash directory under location that matches the
|
||||
* current kernel
|
||||
*/
|
||||
char *cache_loc = aa_policy_cache_dir_path_preview(NULL, AT_FDCWD, location);
|
||||
if (!cache_loc) {
|
||||
rc = -errno;
|
||||
error("Failed to find cache location '%s': %m", location);
|
||||
goto out;
|
||||
}
|
||||
debug("Loading cache from '%s'\n", cache_loc);
|
||||
free(cache_loc);
|
||||
}
|
||||
|
||||
if (!opt_dryrun) {
|
||||
if ((rc = aa_policy_cache_replace_all(policy_cache, NULL)) < 0) {
|
||||
error("Failed to load policy cache '%s': %m", location);
|
||||
} else {
|
||||
verbose("Success - Loaded policy cache '%s'", location);
|
||||
}
|
||||
}
|
||||
|
||||
out:
|
||||
aa_policy_cache_unref(policy_cache);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* load_arg - calls specific load functions for files and directories
|
||||
*
|
||||
* load/replace all policy files/dir in arg
|
||||
*
|
||||
* Returns: 0 on success, 1 on failure.
|
||||
*
|
||||
* It will load by hash subtree first, and fallback to a cache dir
|
||||
* If not a directory, it will try to load it as a cache file
|
||||
*/
|
||||
static int load_arg(char *arg)
|
||||
{
|
||||
char **location = NULL;
|
||||
int i, n, rc = 0;
|
||||
|
||||
|
||||
/* arg can specify an overlay of multiple cache locations */
|
||||
if ((n = aa_split_overlay_str(arg, &location, 0, true)) == -1) {
|
||||
error("Failed to parse overlay locations: %m");
|
||||
return 1;
|
||||
}
|
||||
|
||||
for (i = 0; i < n; i++) {
|
||||
struct stat st;
|
||||
debug("Trying to open %s", location[i]);
|
||||
if (stat(location[i], &st) == -1) {
|
||||
error("Failed stat of '%s': %m", location[i]);
|
||||
rc = 1;
|
||||
continue;
|
||||
}
|
||||
if (S_ISDIR(st.st_mode)) {
|
||||
/* try hash dir subtree first */
|
||||
if (load_policy_by_hash(location[i]) < 0) {
|
||||
error("Failed load policy by hash '%s': %m", location[i]);
|
||||
rc = 1;
|
||||
}
|
||||
/* fall back to cache dir */
|
||||
if (load_policy_dir(location[i]) < 0) {
|
||||
error("Failed load policy by directory '%s': %m", location[i]);
|
||||
rc = 1;
|
||||
}
|
||||
|
||||
} else if (load_policy_file(location[i]) < 0) {
|
||||
rc = 1;
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < n; i++)
|
||||
free(location[i]);
|
||||
free(location);
|
||||
return rc;
|
||||
}
|
||||
|
||||
static void print_usage(const char *command)
|
||||
{
|
||||
printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)]*\n"
|
||||
"Load Precompiled AppArmor policy from a cache location or \n"
|
||||
"locations.\n\n"
|
||||
"Options:\n"
|
||||
" -f, --force load policy even if abi does not match the kernel\n"
|
||||
" -d, --debug display debug messages\n"
|
||||
" -v, --verbose display progress and error messages\n"
|
||||
" -n, --dry-run do everything except actual load\n"
|
||||
" -h, --help this message\n",
|
||||
command);
|
||||
}
|
||||
|
||||
static const char *short_options = "c:dfvnh";
|
||||
struct option long_options[] = {
|
||||
{"config", 1, 0, 'c'},
|
||||
{"debug", 0, 0, 'd'},
|
||||
{"force", 0, 0, 'f'},
|
||||
{"verbose", 0, 0, 'v'},
|
||||
{"dry-run", 0, 0, 'n'},
|
||||
{"help", 0, 0, 'h'},
|
||||
{NULL, 0, 0, 0},
|
||||
};
|
||||
|
||||
static int process_args(int argc, char **argv)
|
||||
{
|
||||
int c, o;
|
||||
|
||||
opterr = 1;
|
||||
while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1) {
|
||||
switch(c) {
|
||||
case 0:
|
||||
error("error in argument processing\n");
|
||||
exit(1);
|
||||
break;
|
||||
case 'd':
|
||||
opt_debug = true;
|
||||
break;
|
||||
case 'f':
|
||||
opt_force = true;
|
||||
break;
|
||||
case 'v':
|
||||
opt_verbose = true;
|
||||
break;
|
||||
case 'n':
|
||||
opt_dryrun = true;
|
||||
break;
|
||||
case 'h':
|
||||
print_usage(argv[0]);
|
||||
exit(0);
|
||||
break;
|
||||
case 'c':
|
||||
/* TODO: reserved config location,
|
||||
* act as a bad arg for now, when added update usage
|
||||
*/
|
||||
//opt_config = true; uncomment when implemented
|
||||
/* Fall through */
|
||||
default:
|
||||
error("unknown argument: '%s'\n\n", optarg);
|
||||
print_usage(argv[1]);
|
||||
exit(1);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return optind;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int i, rc = 0;
|
||||
|
||||
optind = process_args(argc, argv);
|
||||
|
||||
if (!opt_dryrun && have_enough_privilege(argv[0]))
|
||||
return 1;
|
||||
|
||||
/* if no location use the default one */
|
||||
if (optind == argc) {
|
||||
if (!opt_config && load_config(DEFAULT_CONFIG_LOCATIONS) == 0) {
|
||||
verbose("Loaded policy config");
|
||||
}
|
||||
if ((rc = load_arg(DEFAULT_POLICY_LOCATIONS)))
|
||||
verbose("Loading policy from default location '%s'", DEFAULT_POLICY_LOCATIONS);
|
||||
else
|
||||
debug("No policy specified, and no policy config or policy in default locations");
|
||||
}
|
||||
for (i = optind; i < argc; i++) {
|
||||
/* Try to load all policy locations even if one fails
|
||||
* but always return an error if any fail
|
||||
*/
|
||||
|
||||
int tmp = load_arg(argv[i]);
|
||||
if (!rc)
|
||||
rc = tmp;
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
1095
binutils/aa_status.c
1095
binutils/aa_status.c
File diff suppressed because it is too large
Load Diff
3074
binutils/cJSON.c
3074
binutils/cJSON.c
File diff suppressed because it is too large
Load Diff
293
binutils/cJSON.h
293
binutils/cJSON.h
@@ -1,293 +0,0 @@
|
||||
/*
|
||||
Copyright (c) 2009-2017 Dave Gamble and cJSON contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
*/
|
||||
|
||||
#ifndef cJSON__h
|
||||
#define cJSON__h
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C"
|
||||
{
|
||||
#endif
|
||||
|
||||
#if !defined(__WINDOWS__) && (defined(WIN32) || defined(WIN64) || defined(_MSC_VER) || defined(_WIN32))
|
||||
#define __WINDOWS__
|
||||
#endif
|
||||
|
||||
#ifdef __WINDOWS__
|
||||
|
||||
/* When compiling for windows, we specify a specific calling convention to avoid issues where we are being called from a project with a different default calling convention. For windows you have 3 define options:
|
||||
|
||||
CJSON_HIDE_SYMBOLS - Define this in the case where you don't want to ever dllexport symbols
|
||||
CJSON_EXPORT_SYMBOLS - Define this on library build when you want to dllexport symbols (default)
|
||||
CJSON_IMPORT_SYMBOLS - Define this if you want to dllimport symbol
|
||||
|
||||
For *nix builds that support visibility attribute, you can define similar behavior by
|
||||
|
||||
setting default visibility to hidden by adding
|
||||
-fvisibility=hidden (for gcc)
|
||||
or
|
||||
-xldscope=hidden (for sun cc)
|
||||
to CFLAGS
|
||||
|
||||
then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJSON_EXPORT_SYMBOLS does
|
||||
|
||||
*/
|
||||
|
||||
#define CJSON_CDECL __cdecl
|
||||
#define CJSON_STDCALL __stdcall
|
||||
|
||||
/* export symbols by default, this is necessary for copy pasting the C and header file */
|
||||
#if !defined(CJSON_HIDE_SYMBOLS) && !defined(CJSON_IMPORT_SYMBOLS) && !defined(CJSON_EXPORT_SYMBOLS)
|
||||
#define CJSON_EXPORT_SYMBOLS
|
||||
#endif
|
||||
|
||||
#if defined(CJSON_HIDE_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) type CJSON_STDCALL
|
||||
#elif defined(CJSON_EXPORT_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) __declspec(dllexport) type CJSON_STDCALL
|
||||
#elif defined(CJSON_IMPORT_SYMBOLS)
|
||||
#define CJSON_PUBLIC(type) __declspec(dllimport) type CJSON_STDCALL
|
||||
#endif
|
||||
#else /* !__WINDOWS__ */
|
||||
#define CJSON_CDECL
|
||||
#define CJSON_STDCALL
|
||||
|
||||
#if (defined(__GNUC__) || defined(__SUNPRO_CC) || defined (__SUNPRO_C)) && defined(CJSON_API_VISIBILITY)
|
||||
#define CJSON_PUBLIC(type) __attribute__((visibility("default"))) type
|
||||
#else
|
||||
#define CJSON_PUBLIC(type) type
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* project version */
|
||||
#define CJSON_VERSION_MAJOR 1
|
||||
#define CJSON_VERSION_MINOR 7
|
||||
#define CJSON_VERSION_PATCH 13
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
/* cJSON Types: */
|
||||
#define cJSON_Invalid (0)
|
||||
#define cJSON_False (1 << 0)
|
||||
#define cJSON_True (1 << 1)
|
||||
#define cJSON_NULL (1 << 2)
|
||||
#define cJSON_Number (1 << 3)
|
||||
#define cJSON_String (1 << 4)
|
||||
#define cJSON_Array (1 << 5)
|
||||
#define cJSON_Object (1 << 6)
|
||||
#define cJSON_Raw (1 << 7) /* raw json */
|
||||
|
||||
#define cJSON_IsReference 256
|
||||
#define cJSON_StringIsConst 512
|
||||
|
||||
/* The cJSON structure: */
|
||||
typedef struct cJSON
|
||||
{
|
||||
/* next/prev allow you to walk array/object chains. Alternatively, use GetArraySize/GetArrayItem/GetObjectItem */
|
||||
struct cJSON *next;
|
||||
struct cJSON *prev;
|
||||
/* An array or object item will have a child pointer pointing to a chain of the items in the array/object. */
|
||||
struct cJSON *child;
|
||||
|
||||
/* The type of the item, as above. */
|
||||
int type;
|
||||
|
||||
/* The item's string, if type==cJSON_String and type == cJSON_Raw */
|
||||
char *valuestring;
|
||||
/* writing to valueint is DEPRECATED, use cJSON_SetNumberValue instead */
|
||||
int valueint;
|
||||
/* The item's number, if type==cJSON_Number */
|
||||
double valuedouble;
|
||||
|
||||
/* The item's name string, if this item is the child of, or is in the list of subitems of an object. */
|
||||
char *string;
|
||||
} cJSON;
|
||||
|
||||
typedef struct cJSON_Hooks
|
||||
{
|
||||
/* malloc/free are CDECL on Windows regardless of the default calling convention of the compiler, so ensure the hooks allow passing those functions directly. */
|
||||
void *(CJSON_CDECL *malloc_fn)(size_t sz);
|
||||
void (CJSON_CDECL *free_fn)(void *ptr);
|
||||
} cJSON_Hooks;
|
||||
|
||||
typedef int cJSON_bool;
|
||||
|
||||
/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them.
|
||||
* This is to prevent stack overflows. */
|
||||
#ifndef CJSON_NESTING_LIMIT
|
||||
#define CJSON_NESTING_LIMIT 1000
|
||||
#endif
|
||||
|
||||
/* returns the version of cJSON as a string */
|
||||
CJSON_PUBLIC(const char*) cJSON_Version(void);
|
||||
|
||||
/* Supply malloc, realloc and free functions to cJSON */
|
||||
CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks);
|
||||
|
||||
/* Memory Management: the caller is always responsible to free the results from all variants of cJSON_Parse (with cJSON_Delete) and cJSON_Print (with stdlib free, cJSON_Hooks.free_fn, or cJSON_free as appropriate). The exception is cJSON_PrintPreallocated, where the caller has full responsibility of the buffer. */
|
||||
/* Supply a block of JSON, and this returns a cJSON object you can interrogate. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_ParseWithLength(const char *value, size_t buffer_length);
|
||||
/* ParseWithOpts allows you to require (and check) that the JSON is null terminated, and to retrieve the pointer to the final byte parsed. */
|
||||
/* If you supply a ptr in return_parse_end and parsing fails, then return_parse_end will contain a pointer to the error so will match cJSON_GetErrorPtr(). */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer_length, const char **return_parse_end, cJSON_bool require_null_terminated);
|
||||
|
||||
/* Render a cJSON entity to text for transfer/storage. */
|
||||
CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item);
|
||||
/* Render a cJSON entity to text for transfer/storage without any formatting. */
|
||||
CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item);
|
||||
/* Render a cJSON entity to text using a buffered strategy. prebuffer is a guess at the final size. guessing well reduces reallocation. fmt=0 gives unformatted, =1 gives formatted */
|
||||
CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt);
|
||||
/* Render a cJSON entity to text using a buffer already allocated in memory with given length. Returns 1 on success and 0 on failure. */
|
||||
/* NOTE: cJSON is not always 100% accurate in estimating how much memory it will use, so to be safe allocate 5 bytes more than you actually need */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format);
|
||||
/* Delete a cJSON entity and all subentities. */
|
||||
CJSON_PUBLIC(void) cJSON_Delete(cJSON *item);
|
||||
|
||||
/* Returns the number of items in an array (or object). */
|
||||
CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array);
|
||||
/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index);
|
||||
/* Get item "string" from object. Case insensitive. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string);
|
||||
/* For analysing failed parses. This returns a pointer to the parse error. You'll probably need to look a few chars back to make sense of it. Defined when cJSON_Parse() returns 0. 0 when cJSON_Parse() succeeds. */
|
||||
CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void);
|
||||
|
||||
/* Check item type and return its value */
|
||||
CJSON_PUBLIC(char *) cJSON_GetStringValue(cJSON *item);
|
||||
CJSON_PUBLIC(double) cJSON_GetNumberValue(cJSON *item);
|
||||
|
||||
/* These functions check the type of an item */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item);
|
||||
|
||||
/* These calls create a cJSON item of the appropriate type. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string);
|
||||
/* raw json */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void);
|
||||
|
||||
/* Create a string where valuestring references a string so
|
||||
* it will not be freed by cJSON_Delete */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string);
|
||||
/* Create an object/array that only references it's elements so
|
||||
* they will not be freed by cJSON_Delete */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child);
|
||||
|
||||
/* These utilities create an Array of count items.
|
||||
* The parameter count cannot be greater than the number of elements in the number array, otherwise array access will be out of bounds.*/
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int count);
|
||||
|
||||
/* Append item to the specified array/object. */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToArray(cJSON *array, cJSON *item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item);
|
||||
/* Use this when string is definitely const (i.e. a literal, or as good as), and will definitely survive the cJSON object.
|
||||
* WARNING: When this function was used, make sure to always check that (item->type & cJSON_StringIsConst) is zero before
|
||||
* writing to `item->string` */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item);
|
||||
/* Append reference to item to the specified array/object. Use this when you want to add an existing cJSON to a new cJSON, but don't want to corrupt your existing cJSON. */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item);
|
||||
|
||||
/* Remove/Detach items from Arrays/Objects. */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string);
|
||||
CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string);
|
||||
|
||||
/* Update array items. */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem); /* Shifts pre-existing items to the right. */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObject(cJSON *object,const char *string,cJSON *newitem);
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object,const char *string,cJSON *newitem);
|
||||
|
||||
/* Duplicate a cJSON item */
|
||||
CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse);
|
||||
/* Duplicate will create a new, identical cJSON item to the one you pass, in new memory that will
|
||||
* need to be released. With recurse!=0, it will duplicate any children connected to the item.
|
||||
* The item->next and ->prev pointers are always zero on return from Duplicate. */
|
||||
/* Recursively compare two cJSON items for equality. If either a or b is NULL or invalid, they will be considered unequal.
|
||||
* case_sensitive determines if object keys are treated case sensitive (1) or case insensitive (0) */
|
||||
CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive);
|
||||
|
||||
/* Minify a strings, remove blank characters(such as ' ', '\t', '\r', '\n') from strings.
|
||||
* The input pointer json cannot point to a read-only address area, such as a string constant,
|
||||
* but should point to a readable and writable adress area. */
|
||||
CJSON_PUBLIC(void) cJSON_Minify(char *json);
|
||||
|
||||
/* Helper functions for creating and adding items to an object at the same time.
|
||||
* They return the added item or NULL on failure. */
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name);
|
||||
CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name);
|
||||
|
||||
/* When assigning an integer value, it needs to be propagated to valuedouble too. */
|
||||
#define cJSON_SetIntValue(object, number) ((object) ? (object)->valueint = (object)->valuedouble = (number) : (number))
|
||||
/* helper for the cJSON_SetNumberValue macro */
|
||||
CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number);
|
||||
#define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number))
|
||||
/* Change the valuestring of a cJSON_String object, only takes effect when type of object is cJSON_String */
|
||||
CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring);
|
||||
|
||||
/* Macro for iterating over an array or object */
|
||||
#define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next)
|
||||
|
||||
/* malloc/free objects using the malloc/free functions that have been set with cJSON_InitHooks */
|
||||
CJSON_PUBLIC(void *) cJSON_malloc(size_t size);
|
||||
CJSON_PUBLIC(void) cJSON_free(void *object);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
@@ -1,19 +0,0 @@
|
||||
# ----------------------------------------------------------------------
|
||||
# Copyright (C) 2015 Canonical Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
# License published by the Free Software Foundation.
|
||||
# ----------------------------------------------------------------------
|
||||
all:
|
||||
|
||||
# As translations get added, they will automatically be included, unless
|
||||
# the lang is explicitly added to DISABLED_LANGS; e.g. DISABLED_LANGS=en es
|
||||
|
||||
DISABLED_LANGS=
|
||||
|
||||
COMMONDIR=../../common
|
||||
include $(COMMONDIR)/Make-po.rules
|
||||
|
||||
XGETTEXT_ARGS+=--language=C --keyword=_ $(shell if [ -f ${NAME}.pot ] ; then echo -n -j ; fi)
|
||||
|
@@ -1,66 +0,0 @@
|
||||
# Copyright (C) 2015 Canonical Ltd
|
||||
# This file is distributed under the same license as the AppArmor package.
|
||||
# John Johansen <john.johansen@canonical.com>, 2015.
|
||||
#
|
||||
#, fuzzy
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
"Language: \n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=CHARSET\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr ""
|
@@ -1,73 +0,0 @@
|
||||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR Canonical Ltd
|
||||
# This file is distributed under the same license as the PACKAGE package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
#, fuzzy
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
|
||||
"POT-Creation-Date: 2020-10-14 03:52-0700\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
"Language: \n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=CHARSET\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#: ../aa_enabled.c:21
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -x | --exclusive Shared interfaces must be available\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:37
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:41
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:50
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:54
|
||||
#, c-format
|
||||
msgid "Partially - public shared interfaces are not available.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:58
|
||||
#, c-format
|
||||
msgid "Error - %s\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:73
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:87
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:98
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr ""
|
@@ -1,55 +0,0 @@
|
||||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR Canonical Ltd
|
||||
# This file is distributed under the same license as the PACKAGE package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
#, fuzzy
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
|
||||
"POT-Creation-Date: 2020-10-14 03:52-0700\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
"Language: \n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=CHARSET\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#: ../aa_exec.c:50
|
||||
#, c-format
|
||||
msgid ""
|
||||
"USAGE: %s [OPTIONS] <prog> <args>\n"
|
||||
"\n"
|
||||
"Confine <prog> with the specified PROFILE.\n"
|
||||
"\n"
|
||||
"OPTIONS:\n"
|
||||
" -p PROFILE, --profile=PROFILE\t\tPROFILE to confine <prog> with\n"
|
||||
" -n NAMESPACE, --namespace=NAMESPACE\tNAMESPACE to confine <prog> in\n"
|
||||
" -d, --debug\t\t\t\tshow messages with debugging information\n"
|
||||
" -i, --immediate\t\t\tchange profile immediately instead of at exec\n"
|
||||
" -v, --verbose\t\t\t\tshow messages with stats\n"
|
||||
" -h, --help\t\t\t\tdisplay this help\n"
|
||||
"\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_exec.c:65
|
||||
#, c-format
|
||||
msgid "[%ld] aa-exec: ERROR: "
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_exec.c:76
|
||||
#, c-format
|
||||
msgid "[%ld] aa-exec: DEBUG: "
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_exec.c:89
|
||||
#, c-format
|
||||
msgid "[%ld] "
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_exec.c:107
|
||||
#, c-format
|
||||
msgid "[%ld] exec"
|
||||
msgstr ""
|
@@ -1,51 +0,0 @@
|
||||
# SOME DESCRIPTIVE TITLE.
|
||||
# Copyright (C) YEAR Canonical Ltd
|
||||
# This file is distributed under the same license as the PACKAGE package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
#, fuzzy
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: apparmor@lists.ubuntu.com\n"
|
||||
"POT-Creation-Date: 2020-10-14 03:52-0700\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
"Language: \n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=CHARSET\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#: ../aa_features_abi.c:53
|
||||
#, c-format
|
||||
msgid ""
|
||||
"USAGE: %s [OPTIONS] <SOURCE> [OUTPUT OPTIONS]\n"
|
||||
"\n"
|
||||
"Output AppArmor feature abi from SOURCE to OUTPUT\n"
|
||||
"OPTIONS:\n"
|
||||
" -d, --debug show messages with debugging information\n"
|
||||
" -v, --verbose show messages with stats\n"
|
||||
" -h, --help display this help\n"
|
||||
"SOURCE:\n"
|
||||
" -f F, --file=F load features abi from file F\n"
|
||||
" -x, --extract extract features abi from the kernel\n"
|
||||
"OUTPUT OPTIONS:\n"
|
||||
" --stdout default, write features to stdout\n"
|
||||
" -w F, --write=F write features abi to the file F instead of stdout\n"
|
||||
"\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_features_abi.c:73
|
||||
#, c-format
|
||||
msgid "%s: ERROR: "
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_features_abi.c:85
|
||||
#, c-format
|
||||
msgid "%s: DEBUG: "
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_features_abi.c:98
|
||||
msgid "\n"
|
||||
msgstr ""
|
@@ -1,71 +0,0 @@
|
||||
# Afrikaans translation for apparmor
|
||||
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2020-03-04 17:55+0000\n"
|
||||
"Last-Translator: bernard stafford <Unknown>\n"
|
||||
"Language-Team: Afrikaans <af@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2020-03-05 05:40+0000\n"
|
||||
"X-Generator: Launchpad (build e0878392dc799b267dea80578fa65500a5d74155)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [opsies]\n"
|
||||
" opsies:\n"
|
||||
" -q | --quiet Moenie druk uit enige boodskappe\n"
|
||||
" -h | --help Afdruk hulp\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "onbekende of onversoenbare opsies\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "onbekende opsie '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Ja\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Geen - nie beskikbaar op hierdie stelsel.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Nee - gestremde by stewel.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Miskien - beleid koppelvlak nie beskikbaar.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Miskien - onvoldoende toestemmings om beskikbaarheid te bepaal.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Fout - '%s'\n"
|
@@ -1,73 +0,0 @@
|
||||
# German translation for apparmor
|
||||
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2018-02-09 23:55+0000\n"
|
||||
"Last-Translator: Tobias Bannert <tobannert@gmail.com>\n"
|
||||
"Language-Team: German <de@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
"Language: de\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [Optionen]\n"
|
||||
" Optionen:\n"
|
||||
" -q | --quiet Keine Nachrichten anzeigen\n"
|
||||
" -h | --help Hilfetext anzeigen\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "unbekannte oder nicht kompatible Optionen\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "unbekannte Option »%s«\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Ja\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Nein – auf diesem System nicht verfügbar.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Nein – beim Start deaktiviert.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Vielleicht – Richtlinienschnittstelle nicht verfügbar.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
"Vielleicht – ungenügende Berechtigungen, um die Verfügbarkeit zu prüfen\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Fehler – »%s«\n"
|
@@ -1,72 +0,0 @@
|
||||
# English (United Kingdom) translation for apparmor
|
||||
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2016-02-18 06:22+0000\n"
|
||||
"Last-Translator: Andi Chandler <Unknown>\n"
|
||||
"Language-Team: English (United Kingdom) <en_GB@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
"Language: en_GB\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "unknown or incompatible options\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "unknown option '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Yes\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "No - not available on this system.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "No - disabled at boot.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Maybe - policy interface not available.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Maybe - insufficient permissions to determine availability.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Error - '%s'\n"
|
@@ -1,71 +0,0 @@
|
||||
# Spanish translation for apparmor
|
||||
# Copyright (c) 2019 Rosetta Contributors and Canonical Ltd 2019
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2019.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2019-06-09 14:01+0000\n"
|
||||
"Last-Translator: Adolfo Jayme <fitoschido@gmail.com>\n"
|
||||
"Language-Team: Spanish <es@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-06-10 04:32+0000\n"
|
||||
"X-Generator: Launchpad (build 18978)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [opciones]\n"
|
||||
" opciones:\n"
|
||||
" -q | --quiet No emitir ningún mensaje\n"
|
||||
" -h | --help Mostrar la ayuda\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "opciones desconocidas o incompatibles\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "se desconoce la opción «%s»\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Sí\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "No; no disponible en este sistema.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "No; desactivado durante el arranque.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Quizá; interfaz de directiva no disponible.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Quizá; permisos insuficientes para determinar disponibilidad.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Error: «%s»\n"
|
@@ -1,67 +0,0 @@
|
||||
# Persian translation for apparmor
|
||||
# Copyright (c) 2019 Rosetta Contributors and Canonical Ltd 2019
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2019.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2019-12-27 08:16+0000\n"
|
||||
"Last-Translator: VahidNameni <Unknown>\n"
|
||||
"Language-Team: Persian <fa@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-12-28 05:38+0000\n"
|
||||
"X-Generator: Launchpad (build bceb5ef013b87ef7aafe0755545ceb689ca7ac60)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "تنظیم نامعلوم یا ناسازگار\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "تنظیم '%s' ناشناخته است\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "بله\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "خیر- در این سیستم موجود نیست.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "خیر - غیرفعال در زمان boot.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "شاید - رابط سیاست گذاری در دسترس نیست.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "شاید - دسترسی ناکافی جهت شناسایی در دسترس پذیری.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "خطا - '%s'\n"
|
@@ -1,67 +0,0 @@
|
||||
# Finnish translation for apparmor
|
||||
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2020-01-29 07:44+0000\n"
|
||||
"Last-Translator: Jiri Grönroos <Unknown>\n"
|
||||
"Language-Team: Finnish <fi@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2020-01-30 05:40+0000\n"
|
||||
"X-Generator: Launchpad (build b8d1327fd820d6bf500589d6da587d5037c7d88e)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "tuntemattomat tai yhteensopimattomat valinnat\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "tuntematon valinta '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Kyllä\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Ei - ei käytettävissä tässä järjestelmässä.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Ei - poistettu käytöstä käynnistyksen yhteydessä.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Virhe - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Indonesian translation for apparmor
|
||||
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2016-01-20 08:59+0000\n"
|
||||
"Last-Translator: Ari Setyo Wibowo <mr.a.contact@gmail.com>\n"
|
||||
"Language-Team: Indonesian <id@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
"Language: id\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [options]\n"
|
||||
" pilihan:\n"
|
||||
" -q | --quiet Jangan tampilkan pesan apapun\n"
|
||||
" -h | --help Tampilkan bantuan\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "pilihan yang tidak dikenali atau tidak kompatibel\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "pilihan tidak dikenali '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Ya\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Tidak - tidak tersedia di sistem ini.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Tidak - nonaktifkan saat boot.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Mungkin - kebijakan antarmuka tidak tersedia.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Mungkin - izin tidak memadai untuk menentukan ketersediaan.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Kesalahan - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Portuguese translation for apparmor
|
||||
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2016-03-03 08:34+0000\n"
|
||||
"Last-Translator: Ivo Xavier <ivofernandes12@gmail.com>\n"
|
||||
"Language-Team: Portuguese <pt@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
"Language: pt\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [opções]\n"
|
||||
" opções:\n"
|
||||
" -q | --silencioso Não mostrar mensagens\n"
|
||||
" -h | --ajuda Mostar ajuda\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "opções desconhecidas ou incompatíveis\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "opção desconhecida '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Sim\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Não - não disponível neste sistema.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Não - desligado ao iniciar.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Talvez - política de interface não disponível.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Talvez - permissões insuficientes para determinar disponibilidade.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Erro - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Romanian translation for apparmor
|
||||
# Copyright (c) 2020 Rosetta Contributors and Canonical Ltd 2020
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2020.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2020-02-20 21:47+0000\n"
|
||||
"Last-Translator: Daniel Slavu <Unknown>\n"
|
||||
"Language-Team: Romanian <ro@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2020-02-21 05:39+0000\n"
|
||||
"X-Generator: Launchpad (build 19413b719a8df7423ab1390528edadce9e0e4aca)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [opțiuni]\n"
|
||||
" opțiuni:\n"
|
||||
" -q | --calm Nu imprima niciun mesaj\n"
|
||||
" -h | - ajutor Imprimare ajutor\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "opțiuni necunoscute sau incompatibile\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "opțiune necunoscută '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Da\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Nu - nu este disponibil pe acest sistem.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Nu - dezactivat la pornire.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Poate - interfața politică nu este disponibilă.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
"Poate - permisiuni insuficiente pentru a determina disponibilitatea.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Eroare - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Russian translation for apparmor
|
||||
# Copyright (c) 2016 Rosetta Contributors and Canonical Ltd 2016
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: AppArmor list <apparmor@lists.ubuntu.com>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2016-03-29 14:46+0000\n"
|
||||
"Last-Translator: Eugene Roskin <Unknown>\n"
|
||||
"Language-Team: Russian <ru@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
"Language: ru\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [параметры]\n"
|
||||
" параметры:\n"
|
||||
" -q | --quiet не выводить никакие сообщения\n"
|
||||
" -h | --help вывести справку\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "неизвестные или несовместимые параметры\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "неизвестный параметр '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Да\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Нет - недоступно на этой системе.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Нет - выключено при загрузке.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Возможно - интерфейс политики недоступен.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Возможно - недостаточно разрешений для определения доступности.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Ошибка - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Swedish translation for apparmor
|
||||
# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2018-09-08 03:51+0000\n"
|
||||
"Last-Translator: Jonatan Nyberg <Unknown>\n"
|
||||
"Language-Team: Swedish <sv@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [options]\n"
|
||||
" flaggor:\n"
|
||||
" -q | --quiet Skriv inte ut några meddelanden\n"
|
||||
" -h | --help Skriv ut hjälp\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "okända eller inkompatibla flaggor\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "okänd flagga '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Ja\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Nej - inte tillgänglig på detta system.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Nej - inaktiverad vid uppstart.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Kanske - policy gränssnitt inte tillgängliga.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
"Kanske - otillräckliga behörigheter för att bestämma tillgängligheten.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Fel - '%s'\n"
|
@@ -1,71 +0,0 @@
|
||||
# Swahili translation for apparmor
|
||||
# Copyright (c) 2019 Rosetta Contributors and Canonical Ltd 2019
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2019.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2019-11-14 12:33+0000\n"
|
||||
"Last-Translator: Swahilinux Administration <admin@swahilinux.org>\n"
|
||||
"Language-Team: Swahili <sw@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-11-15 04:30+0000\n"
|
||||
"X-Generator: Launchpad (build c597c3229eb023b1e626162d5947141bf7befb13)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [chaguzi]\n"
|
||||
" chaguzi:\n"
|
||||
" -q | --quiet Usichapishe jumbe yoyote\n"
|
||||
" -h | --help Chapisha msaada\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "chaguo lisilojulikana au lisilofaa\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "chaguo lisilojulikana '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Ndio\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "La - haipo kwenye mfumo huu.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "La - ilizimwa kwenye washi.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Labda - kiolesura cha faragha hakipo.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr "Labda - hamna ruhusa ya kutosha ili kuamua kama ipo.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Dosari - '%s'\n"
|
@@ -1,72 +0,0 @@
|
||||
# Turkish translation for apparmor
|
||||
# Copyright (c) 2018 Rosetta Contributors and Canonical Ltd 2018
|
||||
# This file is distributed under the same license as the apparmor package.
|
||||
# FIRST AUTHOR <EMAIL@ADDRESS>, 2018.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: apparmor\n"
|
||||
"Report-Msgid-Bugs-To: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"POT-Creation-Date: 2015-11-28 10:23-0800\n"
|
||||
"PO-Revision-Date: 2018-05-19 23:10+0000\n"
|
||||
"Last-Translator: Kudret EMRE <kudretemre@hotmail.com>\n"
|
||||
"Language-Team: Turkish <tr@li.org>\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: text/plain; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
"X-Launchpad-Export-Date: 2019-04-18 05:33+0000\n"
|
||||
"X-Generator: Launchpad (build 18928)\n"
|
||||
|
||||
#: ../aa_enabled.c:26
|
||||
#, c-format
|
||||
msgid ""
|
||||
"%s: [options]\n"
|
||||
" options:\n"
|
||||
" -q | --quiet Don't print out any messages\n"
|
||||
" -h | --help Print help\n"
|
||||
msgstr ""
|
||||
"%s: [seçenekler]\n"
|
||||
" seçenekler:\n"
|
||||
" -q | --quiet Hiçbir mesajı gösterme\n"
|
||||
" -h | --help Yardımı görüntüler\n"
|
||||
|
||||
#: ../aa_enabled.c:45
|
||||
#, c-format
|
||||
msgid "unknown or incompatible options\n"
|
||||
msgstr "bilinmeyen veya uyumsuz seçenekler\n"
|
||||
|
||||
#: ../aa_enabled.c:55
|
||||
#, c-format
|
||||
msgid "unknown option '%s'\n"
|
||||
msgstr "bilinmeyen seçenek '%s'\n"
|
||||
|
||||
#: ../aa_enabled.c:64
|
||||
#, c-format
|
||||
msgid "Yes\n"
|
||||
msgstr "Evet\n"
|
||||
|
||||
#: ../aa_enabled.c:71
|
||||
#, c-format
|
||||
msgid "No - not available on this system.\n"
|
||||
msgstr "Hayır - Bu sistemde kullanılabilir değil.\n"
|
||||
|
||||
#: ../aa_enabled.c:74
|
||||
#, c-format
|
||||
msgid "No - disabled at boot.\n"
|
||||
msgstr "Hayır - önyüklemede devredışı bırakıldı.\n"
|
||||
|
||||
#: ../aa_enabled.c:77
|
||||
#, c-format
|
||||
msgid "Maybe - policy interface not available.\n"
|
||||
msgstr "Belki - policy arayüzü kullanılabilir değil.\n"
|
||||
|
||||
#: ../aa_enabled.c:81
|
||||
#, c-format
|
||||
msgid "Maybe - insufficient permissions to determine availability.\n"
|
||||
msgstr ""
|
||||
"Belki - kullanılabilir olup olmadığını denetlemek için yetersiz yetki.\n"
|
||||
|
||||
#: ../aa_enabled.c:84
|
||||
#, c-format
|
||||
msgid "Error - '%s'\n"
|
||||
msgstr "Hata - '%s'\n"
|
2
changehat/libapparmor/AUTHORS
Normal file
2
changehat/libapparmor/AUTHORS
Normal file
@@ -0,0 +1,2 @@
|
||||
Steve Beattie <sbeattie@suse.de>
|
||||
Matt Barringer <mbarringer@suse.de>
|
25
changehat/libapparmor/Makefile.am
Normal file
25
changehat/libapparmor/Makefile.am
Normal file
@@ -0,0 +1,25 @@
|
||||
AUTOMAKE_OPTIONS = foreign 1.4
|
||||
NAME = libapparmor
|
||||
SRCDIR = src
|
||||
|
||||
SUBDIRS = doc src swig testsuite
|
||||
|
||||
REPO_VERSION=$(shell if [ -x /usr/bin/svn ] ; then \
|
||||
/usr/bin/svn info . 2> /dev/null | grep "^Last Changed Rev:" | sed "s/^Last Changed Rev: //" ; \
|
||||
fi)
|
||||
|
||||
REPO_URL=$(shell if [ -x /usr/bin/svn ] ; then \
|
||||
/usr/bin/svn info . 2> /dev/null | grep "^URL:" | sed "s/^URL: //" ; \
|
||||
fi)
|
||||
RELEASE_DIR = $(NAME)-$(VERSION)-${REPO_VERSION}
|
||||
|
||||
SVNTARBALL = $(NAME)-$(VERSION)-${REPO_VERSION}.tar.gz
|
||||
SVNTAR = /bin/tar czvp -h --exclude .svn --exclude CVS --exclude .cvsignore --exclude ${SVNTARBALL} --exclude ${RELEASE_DIR}/${RELEASE_DIR} $(shell test -f ${NAME}.exclude && echo "-X ${NAME}.exclude")
|
||||
|
||||
distball: clean
|
||||
rm -rf $(RELEASE_DIR)
|
||||
svn export -r $(REPO_VERSION) $(REPO_URL) $(RELEASE_DIR)
|
||||
$(SVNTAR) -f $(SVNTARBALL) $(RELEASE_DIR)
|
||||
rm -rf $(RELEASE_DIR)
|
||||
|
||||
EXTRA_DIST = AUTHORS ChangeLog COPYING.LGPL INSTALL NEWS README
|
1
changehat/libapparmor/README
Normal file
1
changehat/libapparmor/README
Normal file
@@ -0,0 +1 @@
|
||||
What little documentation exists is in src/aalogparse.h. Please file bugs using http://bugzilla.novell.com under the AppArmor product.
|
42
changehat/libapparmor/autogen.sh
Executable file
42
changehat/libapparmor/autogen.sh
Executable file
@@ -0,0 +1,42 @@
|
||||
#!/bin/sh
|
||||
|
||||
DIE=0
|
||||
|
||||
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
|
||||
echo
|
||||
echo "You must have autoconf installed to compile $package."
|
||||
echo "Download the appropriate package for your distribution,"
|
||||
echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
|
||||
DIE=1
|
||||
}
|
||||
|
||||
(automake --version) < /dev/null > /dev/null 2>&1 || {
|
||||
echo
|
||||
echo "You must have automake installed to compile $package."
|
||||
echo "Download the appropriate package for your system,"
|
||||
echo "or get the source from one of the GNU ftp sites"
|
||||
echo "listed in http://www.gnu.org/order/ftp.html"
|
||||
DIE=1
|
||||
}
|
||||
|
||||
(libtool --version) < /dev/null > /dev/null 2>&1 || {
|
||||
echo
|
||||
echo "You must have libtool installed to compile $package."
|
||||
echo "Download the appropriate package for your system,"
|
||||
echo "or get the source from one of the GNU ftp sites"
|
||||
echo "listed in http://www.gnu.org/order/ftp.html"
|
||||
DIE=1
|
||||
}
|
||||
|
||||
if test "$DIE" -eq 1; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Running aclocal"
|
||||
aclocal
|
||||
echo "Running autoconf"
|
||||
autoconf --force
|
||||
echo "Running libtoolize"
|
||||
libtoolize --automake
|
||||
echo "Running automake -ac"
|
||||
automake -ac
|
77
changehat/libapparmor/configure.in
Normal file
77
changehat/libapparmor/configure.in
Normal file
@@ -0,0 +1,77 @@
|
||||
AC_INIT(configure.in)
|
||||
|
||||
AM_INIT_AUTOMAKE(libapparmor1, 2.2)
|
||||
|
||||
AM_PROG_LEX
|
||||
AC_PROG_YACC
|
||||
|
||||
AC_PATH_PROG([SWIG], [swig])
|
||||
|
||||
PROG_POD2MAN
|
||||
|
||||
AC_MSG_CHECKING(Checking for Python)
|
||||
AC_ARG_WITH(python,
|
||||
[ --with-python enable the python wrapper [[default=no]]],
|
||||
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
|
||||
if test "$with_python" = "yes"; then
|
||||
AC_PATH_PROG(PYTHON, python, no)
|
||||
if test x$PYTHON = xno; then
|
||||
enable_python = no
|
||||
else
|
||||
sinclude(m4/ac_python_devel.m4)
|
||||
AC_PYTHON_DEVEL
|
||||
AM_PATH_PYTHON
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_MSG_CHECKING(Checking for perl)
|
||||
AC_ARG_WITH(perl,
|
||||
[ --with-perl enable the perl wrapper [[default=no]]],
|
||||
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
|
||||
if test "$with_perl" = "yes"; then
|
||||
AC_PATH_PROG(PERL, perl, no)
|
||||
if test x$PERL = xno; then
|
||||
enable_perl=no
|
||||
else
|
||||
perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
|
||||
AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
AC_MSG_CHECKING(Checking for ruby)
|
||||
AC_ARG_WITH(ruby,
|
||||
[ --with-ruby enable the ruby wrapper [[default=no]]],
|
||||
[AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
|
||||
if test "$with_ruby" = "yes"; then
|
||||
AC_PATH_PROG([RUBY], [ruby])
|
||||
fi
|
||||
|
||||
|
||||
AM_CONDITIONAL(HAVE_PYTHON, test x$with_python = xyes)
|
||||
AM_CONDITIONAL(HAVE_PERL, test x$with_perl = xyes)
|
||||
AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
|
||||
AM_CONDITIONAL(BUILD_ROOTLIB, test x$enable_rootlib = xyes)
|
||||
|
||||
AC_HEADER_STDC
|
||||
AC_CHECK_HEADERS(unistd.h stdint.h)
|
||||
|
||||
AC_CHECK_FUNCS(asprintf)
|
||||
|
||||
AM_PROG_CC_C_O
|
||||
AC_C_CONST
|
||||
AM_PROG_LIBTOOL
|
||||
|
||||
AC_OUTPUT(
|
||||
Makefile
|
||||
doc/Makefile
|
||||
src/Makefile
|
||||
swig/Makefile
|
||||
swig/perl/Makefile
|
||||
swig/python/Makefile
|
||||
swig/ruby/Makefile
|
||||
testsuite/Makefile
|
||||
testsuite/config/Makefile
|
||||
testsuite/libaalogparse.test/Makefile
|
||||
testsuite/lib/Makefile
|
||||
)
|
21
changehat/libapparmor/doc/Makefile.am
Normal file
21
changehat/libapparmor/doc/Makefile.am
Normal file
@@ -0,0 +1,21 @@
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
POD2MAN = pod2man
|
||||
|
||||
man_MANS = aa_change_hat.2
|
||||
|
||||
PODS = $(subst .2,.pod,$(man_MANS))
|
||||
|
||||
EXTRA_DIST = $(man_MANS) $(PODS)
|
||||
|
||||
## delete man pages at maintainer-clean
|
||||
BUILT_SOURCES = $(man_MANS)
|
||||
|
||||
%.2: %.pod
|
||||
$(POD2MAN) \
|
||||
--section=2 \
|
||||
--release="NOVELL/SUSE" \
|
||||
--center="AppArmor" \
|
||||
--date="2007-07-27" \
|
||||
$< > $@
|
||||
$
|
233
changehat/libapparmor/doc/aa_change_hat.pod
Normal file
233
changehat/libapparmor/doc/aa_change_hat.pod
Normal file
@@ -0,0 +1,233 @@
|
||||
# $Id: change_hat.pod 534 2007-04-03 20:08:50Z steve-beattie $
|
||||
# This publication is intellectual property of Novell Inc. Its contents
|
||||
# can be duplicated, either in part or in whole, provided that a copyright
|
||||
# label is visibly located on each copy.
|
||||
#
|
||||
# All information found in this book has been compiled with utmost
|
||||
# attention to detail. However, this does not guarantee complete accuracy.
|
||||
# Neither SUSE LINUX GmbH, the authors, nor the translators shall be held
|
||||
# liable for possible errors or the consequences thereof.
|
||||
#
|
||||
# Many of the software and hardware descriptions cited in this book
|
||||
# are registered trademarks. All trade names are subject to copyright
|
||||
# restrictions and may be registered trade marks. SUSE LINUX GmbH
|
||||
# essentially adheres to the manufacturer's spelling.
|
||||
#
|
||||
# Names of products and trademarks appearing in this book (with or without
|
||||
# specific notation) are likewise subject to trademark and trade protection
|
||||
# laws and may thus fall under copyright restrictions.
|
||||
#
|
||||
# Please direct suggestions and comments to apparmor-general@forge.novell.com.
|
||||
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
aa_change_hat - change to or from a "hat" within a AppArmor profile
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<#include E<lt>sys/apparmor.hE<gt>>
|
||||
|
||||
B<int aa_change_hat (char *subprofile, unsigned long magic_token);>
|
||||
|
||||
Link with B<-lapparmor> when compiling.
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
An AppArmor profile applies to an executable program; if a portion of
|
||||
the program needs different access permissions than other portions,
|
||||
the program can "change hats" to a different role, also known as a
|
||||
subprofile. To change into a new hat, it calls the aa_change_hat()
|
||||
function to do so. It passes in a pointer to the I<subprofile> which it
|
||||
wants to change into, and a 64bit I<magic_token>. The I<magic_token>
|
||||
is used to return out of the subprofile at a later time.
|
||||
|
||||
If a program wants to return out of the current subprofile to the
|
||||
original profile, it calls aa_change_hat() with a pointer to NULL as
|
||||
the I<subprofile>, and the original I<magic_token> value. If the
|
||||
I<magic_token> does not match the original I<magic_token> passed into the
|
||||
kernel when the program entered the subprofile, the change back to the
|
||||
original profile will not happen, and the current task will be killed.
|
||||
If the I<magic_token> matches the original token, then the process will
|
||||
change back to the original profile.
|
||||
|
||||
If the program wants to change to a subprofile that it can never
|
||||
change back out of, the application should call aa_change_hat() with a
|
||||
I<magic_token> of I<0>.
|
||||
|
||||
As both read(2) and write(2) are mediated, a file must be listed in a
|
||||
subprofile definition if the file is to be accessed while the process
|
||||
is in a "hat".
|
||||
|
||||
=head1 RETURN VALUE
|
||||
|
||||
On success zero is returned. On error, -1 is returned, and
|
||||
errno(3) is set appropriately.
|
||||
|
||||
=head1 ERRORS
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<EINVAL>
|
||||
|
||||
The apparmor kernel module is not loaded or the communication via the
|
||||
F</proc/*/attr/current> file did not conform to protocol.
|
||||
|
||||
=item B<ENOMEM>
|
||||
|
||||
Insufficient kernel memory was available.
|
||||
|
||||
=item B<EPERM>
|
||||
|
||||
The calling application is not confined by apparmor.
|
||||
|
||||
=item B<ECHILD>
|
||||
|
||||
The application's profile has no hats defined for it.
|
||||
|
||||
=item B<EACCES>
|
||||
|
||||
The specified I<subprofile> does not exist in this profile or the
|
||||
process tried to change another process's domain.
|
||||
|
||||
=back
|
||||
|
||||
=head1 EXAMPLE
|
||||
|
||||
The following code examples shows simple, if contrived, uses of
|
||||
aa_change_hat(); a typical use of aa_change_hat() will separate
|
||||
privileged portions of a process from unprivileged portions of a process,
|
||||
such as keeping unauthenticated network traffic handling separate
|
||||
from authenticated network traffic handling in OpenSSH or executing
|
||||
user-supplied CGI scripts in apache.
|
||||
|
||||
The use of random(3) is simply illustrative. Use of F</dev/urandom> is
|
||||
recommended.
|
||||
|
||||
First, a simple high-level overview of aa_change_hat() use:
|
||||
|
||||
void foo (void) {
|
||||
unsigned long magic_token;
|
||||
|
||||
/* get a random magic token value
|
||||
from our huge entropy pool */
|
||||
magic_token = random_function();
|
||||
|
||||
/* change into the subprofile while
|
||||
* we do stuff we don't trust */
|
||||
aa_change_hat("stuff_we_dont_trust", magic_token);
|
||||
|
||||
/* Go do stuff we don't trust -- this is all
|
||||
* done in *this* process space, no separate
|
||||
* fork()/exec()'s are done. */
|
||||
interpret_perl_stuff(stuff_from_user);
|
||||
|
||||
/* now change back to our original profile */
|
||||
aa_change_hat(NULL, magic_token);
|
||||
}
|
||||
|
||||
Second, an example to show that files not listed in a subprofile ("hat")
|
||||
aren't accessible after an aa_change_hat() call:
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/apparmor.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
int fd;
|
||||
unsigned long tok;
|
||||
char buf[10];
|
||||
|
||||
/* random() is a poor choice */
|
||||
tok = random();
|
||||
|
||||
/* open /etc/passwd outside of any hat */
|
||||
if ((fd=open("/etc/passwd", O_RDONLY)) < 0)
|
||||
perror("Failure opening /etc/passwd");
|
||||
|
||||
/* confirm for ourselves that we can really read /etc/passwd */
|
||||
memset(&buf, 0, 10);
|
||||
if (read(fd, &buf, 10) == -1) {
|
||||
perror("Failure reading /etc/passwd pre-hat");
|
||||
_exit(1);
|
||||
}
|
||||
buf[9] = '\0';
|
||||
printf("/etc/passwd: %s\n", buf);
|
||||
|
||||
/* change hat to the "hat" subprofile, which should not have
|
||||
* read access to /etc/passwd -- even though we have a valid
|
||||
* file descriptor at the time of the aa_change_hat() call. */
|
||||
if (aa_change_hat("hat", tok)) {
|
||||
perror("Failure changing hat -- aborting");
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
/* confirm that we cannot read /etc/passwd */
|
||||
lseek(fd,0,SEEK_SET);
|
||||
memset(&buf, 0, 10);
|
||||
if (read(fd, &buf, 10) == -1)
|
||||
perror("Failure reading /etc/passwd post-hat");
|
||||
buf[9] = '\0';
|
||||
printf("/etc/passwd: %s\n", buf);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
This code example requires the following profile to be loaded with
|
||||
apparmor_parser(8):
|
||||
|
||||
/tmp/ch {
|
||||
/etc/ld.so.cache mr,
|
||||
/etc/locale/** r,
|
||||
/etc/localtime r,
|
||||
/usr/share/locale/** r,
|
||||
/usr/share/zoneinfo/** r,
|
||||
/usr/lib/locale/** mr,
|
||||
/usr/lib/gconv/*.so mr,
|
||||
/usr/lib/gconv/gconv-modules* mr,
|
||||
|
||||
/lib/ld-*.so* mrix,
|
||||
/lib/libc*.so* mr,
|
||||
/lib/libapparmor*.so* mr,
|
||||
/dev/pts/* rw,
|
||||
/tmp/ch mr,
|
||||
|
||||
/etc/passwd r,
|
||||
|
||||
^hat {
|
||||
/dev/pts/* rw,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
The output when run:
|
||||
|
||||
$ /tmp/ch
|
||||
/etc/passwd: root:x:0:
|
||||
Failure reading /etc/passwd post-hat: Permission denied
|
||||
/etc/passwd:
|
||||
$
|
||||
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
None known. If you find any, please report them to bugzilla at
|
||||
L<http://bugzilla.novell.com>. Note that aa_change_hat(2) provides no
|
||||
memory barriers between different areas of a program; if address space
|
||||
separation is required, then separate processes should be used.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
apparmor(7), apparmor.d(5), apparmor_parser(8), and
|
||||
L<http://forge.novell.com/modules/xfmod/project/?apparmor>.
|
||||
|
||||
=cut
|
178
changehat/libapparmor/libapparmor1.spec
Normal file
178
changehat/libapparmor/libapparmor1.spec
Normal file
@@ -0,0 +1,178 @@
|
||||
#
|
||||
# spec file for package libapparmor
|
||||
#
|
||||
# norootforbuild
|
||||
%define _unpackaged_files_terminate_build 0
|
||||
|
||||
Name: libapparmor1
|
||||
Version: 2.2
|
||||
Release: 3.20070916
|
||||
License: LGPL
|
||||
Group: Development/Libraries/C and C++
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Source0: %{name}-%{version}.tar.bz2
|
||||
BuildRequires: swig gcc perl
|
||||
Provides: libapparmor
|
||||
Provides: libimmunix
|
||||
Obsoletes: libapparmor
|
||||
Obsoletes: libimmunix
|
||||
Summary: A utility library for AppArmor
|
||||
|
||||
%define aalibversion 1.0.2
|
||||
|
||||
%description
|
||||
-
|
||||
|
||||
%package -n libapparmor-devel
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Group: Development/Libraries/C and C++
|
||||
Provides: libapparmor:/usr/include/sys/apparmor.h
|
||||
Summary: -
|
||||
|
||||
%description -n libapparmor-devel
|
||||
-
|
||||
|
||||
%post -n libapparmor-devel
|
||||
/sbin/ldconfig
|
||||
|
||||
%postun -n libapparmor-devel
|
||||
/sbin/ldconfig
|
||||
|
||||
%package -n perl-libapparmor
|
||||
Requires: %{name} = %{version}
|
||||
Requires: perl = %{perl_version}
|
||||
Group: Development/Libraries/Perl
|
||||
Summary: -
|
||||
|
||||
%description -n perl-libapparmor
|
||||
-
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%build
|
||||
./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-perl
|
||||
make CFLAGS="${RPM_OPT_FLAGS}"
|
||||
|
||||
%install
|
||||
make install DESTDIR="$RPM_BUILD_ROOT"
|
||||
mkdir ${RPM_BUILD_ROOT}/%{_lib}
|
||||
# this is really hacky
|
||||
rm ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
|
||||
rm ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so
|
||||
cp ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
|
||||
cp ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
|
||||
ln -s /%{_lib}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
|
||||
|
||||
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
|
||||
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
|
||||
|
||||
# create symlink for old change_hat(2) manpage
|
||||
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
|
||||
%clean
|
||||
rm -rf "$RPM_BUILD_ROOT"
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
|
||||
%postun
|
||||
/sbin/ldconfig
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
/%{_lib}/libapparmor.so.*
|
||||
/%{_lib}/libimmunix.so.*
|
||||
|
||||
%files -n libapparmor-devel
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libapparmor.so
|
||||
%{_libdir}/libapparmor.la
|
||||
%{_libdir}/libapparmor.a
|
||||
%{_libdir}/libimmunix.la
|
||||
%{_libdir}/libimmunix.a
|
||||
%doc %{_mandir}/man*/*
|
||||
%dir %{_includedir}/aalogparse
|
||||
%{_includedir}/sys/apparmor.h
|
||||
%{_includedir}/aalogparse/*
|
||||
|
||||
%files -n perl-libapparmor
|
||||
%defattr(-,root,root)
|
||||
%dir %{perl_vendorarch}/auto/LibAppArmor
|
||||
%{perl_vendorarch}/auto/LibAppArmor/*
|
||||
%{perl_vendorarch}/LibAppArmor.pm
|
||||
|
||||
%changelog
|
||||
* Sun Sep 16 2007 - sbeattie@suse.de
|
||||
- aalogparse: add support for type=15xx audit field
|
||||
- aalogparse: add support for audit messages thru syslog
|
||||
- aalogparse: reduce noise to stdout on syntax errors
|
||||
- aalogparse: add support for more missing message types
|
||||
- aalogparse: parse messages w/safe (hex) string encodings
|
||||
* Fri Aug 17 2007 - sbeattie@suse.de
|
||||
- Fix broken symlink for old change_hat(2) manpage
|
||||
* Wed Aug 15 2007 - sbeattie@suse.de
|
||||
- fix braindead symbol versioning issue with old version name
|
||||
- re-enable CFLAGS=RPM_OPT_FLAGS for build
|
||||
- convert change_hat(2) to aa_change_hat(2)
|
||||
- use 64bit magic token
|
||||
- add aa_change_profile(2) interface
|
||||
* Sat Jul 28 2007 - mbarringer@suse.de
|
||||
- Merged in libaalogparse to the library/package
|
||||
* Tue Apr 7 2007 - sbeattie@suse.de
|
||||
- Add change_hat manpage to package
|
||||
* Thu Jan 18 2007 - sbeattie@suse.de
|
||||
- Add a clean stage to remove buildroot to specfile
|
||||
* Fri Feb 17 2006 Seth Arnold <seth.arnold@suse.de> 2.0-4.1
|
||||
- use gettid() instead of /proc/self
|
||||
* Fri Feb 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.2
|
||||
- Use RPM_OPT_FLAGS
|
||||
- Fix installed library version to match specfile version
|
||||
* Wed Feb 1 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.1
|
||||
- Fix prototype to match change_hat(2) manpage
|
||||
* Mon Jan 23 2006 Steve Beattie <sbeattie@suse.de> 2.0-3
|
||||
- Rename to libapparmor.so and apparmor.h
|
||||
* Thu Jan 5 2006 Steve Beattie <sbeattie@suse.de> 2.0-2
|
||||
- Add svn repo number to tarball
|
||||
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 2.0-1
|
||||
- Reset version for inclusion is SUSE autobuild
|
||||
* Wed Dec 7 2005 Steve Beattie <sbeattie@suse.de> 1.99-8
|
||||
- Disable 32bit builds on 64bit platforms for now
|
||||
* Mon Dec 5 2005 Steve Beattie <sbeattie@suse.de> 1.99-7
|
||||
- Rename package to libapparmor
|
||||
* Wed Aug 10 2005 Steve Beattie <sbeattie@suse.de> 1.99-6_imnx
|
||||
- Cleanup some of the deprecated exported symbols
|
||||
* Thu Aug 4 2005 John Johansen <jjohansen@novell.com> 1.99-5_imnx
|
||||
- and -m31 flag for s390
|
||||
* Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-4_imnx
|
||||
- get rid of libimmunix_post_upgrade
|
||||
- Re-license to LGPL
|
||||
- update description
|
||||
* Fri May 27 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
|
||||
- Clear token buffer before freeing.
|
||||
- Error handling cleanup.
|
||||
* Fri Feb 18 2005 Steve Beattie <steve@immunix.com> 1.99-2_imnx
|
||||
- Use the right command for the 32bit env on 64bit platforms
|
||||
- Support for 64bit builds on systems with combined 32/64 support
|
||||
* Fri Feb 4 2005 Seth Arnold <sarnold@immunix.com> 1.99-1_imnx
|
||||
- Reversion to 1.99
|
||||
* Mon Nov 8 2004 Steve Beattie <steve@immunix.com> 1.2-3_imnx
|
||||
- Finish conversion to slack-capable infrastructure.
|
||||
* Thu Oct 28 2004 Steve Beattie <steve@immunix.com> 1.2-2_imnx
|
||||
- Added a 'make install' target for prelim slack support
|
||||
* Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
|
||||
- Bump version after shass-1.1 branched off
|
||||
* Thu Sep 23 2004 Steve Beattie <steve@immunix.com> 1.0-13_imnx
|
||||
- Vastly simplify the string handling in change_hat().
|
||||
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-12_imnx
|
||||
- Conditionalize group the package shows up in.
|
||||
* Thu Sep 9 2004 Steve Beattie <steve@immunix.com> 1.0-11_imnx
|
||||
- Fix so change_hat functions correctly even when the token is zero.
|
||||
* Thu Sep 2 2004 Steve Beattie <steve@immunix.com> 1.0-10_imnx
|
||||
- Added that it provides %{_prefix}/sbin/libimmunix_post_upgrade, this
|
||||
was somehow breaking yast.
|
||||
* Mon Aug 30 2004 Steve Beattie <steve@immunix.com> 1.0-9_imnx
|
||||
- Copyright cleanups.
|
||||
* Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-8_imnx
|
||||
- add basis for conditional distro support
|
||||
* Thu May 28 2004 Tony Jones <tony@immunix.com> 1.0-7_imnx
|
||||
- Add "changehat" command word to start of string written to /proc/pid/attr
|
16
changehat/libapparmor/m4/ac_pod2man.m4
Normal file
16
changehat/libapparmor/m4/ac_pod2man.m4
Normal file
@@ -0,0 +1,16 @@
|
||||
AC_DEFUN(PROG_POD2MAN,[
|
||||
AC_CHECK_PROG(POD2MAN,pod2man,pod2man,no)
|
||||
if test "$POD2MAN" = "no"; then
|
||||
AC_MSG_ERROR([
|
||||
The pod2man program was not found in the default path. pod2man is part of
|
||||
Perl, which can be retrieved from:
|
||||
|
||||
http://www.perl.com/
|
||||
|
||||
The latest version at this time is 5.6.1; it is available packaged as the
|
||||
following archive:
|
||||
|
||||
http://www.perl.com/CPAN/src/stable.tar.gz
|
||||
])
|
||||
fi
|
||||
])
|
193
changehat/libapparmor/m4/ac_python_devel.m4
Normal file
193
changehat/libapparmor/m4/ac_python_devel.m4
Normal file
@@ -0,0 +1,193 @@
|
||||
AC_DEFUN([AC_PYTHON_DEVEL],[
|
||||
#
|
||||
# Allow the use of a (user set) custom python version
|
||||
#
|
||||
AC_ARG_VAR([PYTHON_VERSION],[The installed Python
|
||||
version to use, for example '2.3'. This string
|
||||
will be appended to the Python interpreter
|
||||
canonical name.])
|
||||
|
||||
AC_PATH_PROG([PYTHON],[python[$PYTHON_VERSION]])
|
||||
if test -z "$PYTHON"; then
|
||||
AC_MSG_ERROR([Cannot find python$PYTHON_VERSION in your system path])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
|
||||
#
|
||||
# Check for a version of Python >= 2.1.0
|
||||
#
|
||||
AC_MSG_CHECKING([for a version of Python >= '2.1.0'])
|
||||
ac_supports_python_ver=`$PYTHON -c "import sys, string; \
|
||||
ver = string.split(sys.version)[[0]]; \
|
||||
print ver >= '2.1.0'"`
|
||||
if test "$ac_supports_python_ver" != "True"; then
|
||||
if test -z "$PYTHON_NOVERSIONCHECK"; then
|
||||
AC_MSG_RESULT([no])
|
||||
AC_MSG_FAILURE([
|
||||
This version of the AC@&t@_PYTHON_DEVEL macro
|
||||
doesn't work properly with versions of Python before
|
||||
2.1.0. You may need to re-run configure, setting the
|
||||
variables PYTHON_CPPFLAGS, PYTHON_LDFLAGS, PYTHON_SITE_PKG,
|
||||
PYTHON_EXTRA_LIBS and PYTHON_EXTRA_LDFLAGS by hand.
|
||||
Moreover, to disable this check, set PYTHON_NOVERSIONCHECK
|
||||
to something else than an empty string.
|
||||
])
|
||||
else
|
||||
AC_MSG_RESULT([skip at user request])
|
||||
fi
|
||||
else
|
||||
AC_MSG_RESULT([yes])
|
||||
fi
|
||||
|
||||
#
|
||||
# if the macro parameter ``version'' is set, honour it
|
||||
#
|
||||
if test -n "$1"; then
|
||||
AC_MSG_CHECKING([for a version of Python $1])
|
||||
ac_supports_python_ver=`$PYTHON -c "import sys, string; \
|
||||
ver = string.split(sys.version)[[0]]; \
|
||||
print ver $1"`
|
||||
if test "$ac_supports_python_ver" = "True"; then
|
||||
AC_MSG_RESULT([yes])
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
AC_MSG_ERROR([this package requires Python $1.
|
||||
If you have it installed, but it isn't the default Python
|
||||
interpreter in your system path, please pass the PYTHON_VERSION
|
||||
variable to configure. See ``configure --help'' for reference.
|
||||
])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
fi
|
||||
|
||||
#
|
||||
# Check if you have distutils, else fail
|
||||
#
|
||||
AC_MSG_CHECKING([for the distutils Python package])
|
||||
ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
|
||||
if test -z "$ac_distutils_result"; then
|
||||
AC_MSG_RESULT([yes])
|
||||
else
|
||||
AC_MSG_RESULT([no])
|
||||
AC_MSG_ERROR([cannot import Python module "distutils".
|
||||
Please check your Python installation. The error was:
|
||||
$ac_distutils_result])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
|
||||
#
|
||||
# Check for Python include path
|
||||
#
|
||||
AC_MSG_CHECKING([for Python include path])
|
||||
if test -z "$PYTHON_CPPFLAGS"; then
|
||||
python_path=`$PYTHON -c "import distutils.sysconfig; \
|
||||
print distutils.sysconfig.get_python_inc();"`
|
||||
if test -n "${python_path}"; then
|
||||
python_path="-I$python_path"
|
||||
fi
|
||||
PYTHON_CPPFLAGS=$python_path
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_CPPFLAGS])
|
||||
AC_SUBST([PYTHON_CPPFLAGS])
|
||||
|
||||
#
|
||||
# Check for Python library path
|
||||
#
|
||||
AC_MSG_CHECKING([for Python library path])
|
||||
if test -z "$PYTHON_LDFLAGS"; then
|
||||
# (makes two attempts to ensure we've got a version number
|
||||
# from the interpreter)
|
||||
py_version=`$PYTHON -c "from distutils.sysconfig import *; \
|
||||
from string import join; \
|
||||
print join(get_config_vars('VERSION'))"`
|
||||
if test "$py_version" == "[None]"; then
|
||||
if test -n "$PYTHON_VERSION"; then
|
||||
py_version=$PYTHON_VERSION
|
||||
else
|
||||
py_version=`$PYTHON -c "import sys; \
|
||||
print sys.version[[:3]]"`
|
||||
fi
|
||||
fi
|
||||
|
||||
PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \
|
||||
from string import join; \
|
||||
print '-L' + get_python_lib(0,1), \
|
||||
'-lpython';"`$py_version
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_LDFLAGS])
|
||||
AC_SUBST([PYTHON_LDFLAGS])
|
||||
|
||||
#
|
||||
# Check for site packages
|
||||
#
|
||||
AC_MSG_CHECKING([for Python site-packages path])
|
||||
if test -z "$PYTHON_SITE_PKG"; then
|
||||
PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
|
||||
print distutils.sysconfig.get_python_lib(0,0);"`
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_SITE_PKG])
|
||||
AC_SUBST([PYTHON_SITE_PKG])
|
||||
|
||||
#
|
||||
# libraries which must be linked in when embedding
|
||||
#
|
||||
AC_MSG_CHECKING(python extra libraries)
|
||||
if test -z "$PYTHON_EXTRA_LIBS"; then
|
||||
PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
|
||||
conf = distutils.sysconfig.get_config_var; \
|
||||
print conf('LOCALMODLIBS'), conf('LIBS')"`
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
|
||||
AC_SUBST(PYTHON_EXTRA_LIBS)
|
||||
|
||||
#
|
||||
# linking flags needed when embedding
|
||||
#
|
||||
AC_MSG_CHECKING(python extra linking flags)
|
||||
if test -z "$PYTHON_EXTRA_LDFLAGS"; then
|
||||
PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
|
||||
conf = distutils.sysconfig.get_config_var; \
|
||||
print conf('LINKFORSHARED')"`
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
|
||||
AC_SUBST(PYTHON_EXTRA_LDFLAGS)
|
||||
|
||||
#
|
||||
# final check to see if everything compiles alright
|
||||
#
|
||||
AC_MSG_CHECKING([consistency of all components of python development environment])
|
||||
AC_LANG_PUSH([C])
|
||||
# save current global flags
|
||||
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
|
||||
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
|
||||
AC_TRY_LINK([
|
||||
#include <Python.h>
|
||||
],[
|
||||
Py_Initialize();
|
||||
],[pythonexists=yes],[pythonexists=no])
|
||||
|
||||
AC_MSG_RESULT([$pythonexists])
|
||||
|
||||
if test ! "$pythonexists" = "yes"; then
|
||||
AC_MSG_ERROR([
|
||||
Could not link test program to Python. Maybe the main Python library has been
|
||||
installed in some non-standard library path. If so, pass it to configure,
|
||||
via the LDFLAGS environment variable.
|
||||
Example: ./configure LDFLAGS="-L/usr/non-standard-path/python/lib"
|
||||
============================================================================
|
||||
ERROR!
|
||||
You probably have to install the development version of the Python package
|
||||
for your distribution. The exact name of this package varies among them.
|
||||
============================================================================
|
||||
])
|
||||
PYTHON_VERSION=""
|
||||
fi
|
||||
AC_LANG_POP
|
||||
# turn back to default flags
|
||||
CPPFLAGS="$ac_save_CPPFLAGS"
|
||||
LIBS="$ac_save_LIBS"
|
||||
|
||||
#
|
||||
# all done!
|
||||
#
|
||||
])
|
33
changehat/libapparmor/src/Makefile.am
Normal file
33
changehat/libapparmor/src/Makefile.am
Normal file
@@ -0,0 +1,33 @@
|
||||
INCLUDES = $(all_includes)
|
||||
|
||||
BUILT_SOURCES = grammar.h scanner.h
|
||||
AM_LFLAGS = -v
|
||||
AM_YFLAGS = -d -p aalogparse_
|
||||
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
|
||||
scanner.h: scanner.l
|
||||
$(LEX) -v $<
|
||||
|
||||
scanner.c: scanner.l
|
||||
|
||||
changehatdir = $(includedir)/sys
|
||||
changehat_HEADERS = apparmor.h
|
||||
|
||||
aalogparsedir = $(includedir)/aalogparse
|
||||
aalogparse_HEADERS = aalogparse.h
|
||||
|
||||
lib_LTLIBRARIES = libapparmor.la libimmunix.la
|
||||
noinst_HEADERS = grammar.h parser.h scanner.h
|
||||
|
||||
libapparmor_la_SOURCES = grammar.y libaalogparse.c change_hat.c scanner.c
|
||||
libapparmor_la_LDFLAGS = -version-info 1:2:0 -XCClinker -dynamic \
|
||||
-Wl,--version-script=libapparmor.map -Wl,-soname=libapparmor.so.1
|
||||
|
||||
libimmunix_la_SOURCES = change_hat.c libimmunix_warning.c
|
||||
libimmunix_la_LDFLAGS = -version-info 1:2:0 -Wl,--version-script=libapparmor.map -Wl,-soname=libimmunix.so.1
|
||||
|
||||
tst_aalogmisc_SOURCES = tst_aalogmisc.c
|
||||
tst_aalogmisc_LDADD = .libs/libapparmor.a
|
||||
check_PROGRAMS = tst_aalogmisc
|
||||
TESTS = $(check_PROGRAMS)
|
||||
|
||||
EXTRA_DIST = grammar.y scanner.l libapparmor.map
|
159
changehat/libapparmor/src/aalogparse.h
Normal file
159
changehat/libapparmor/src/aalogparse.h
Normal file
@@ -0,0 +1,159 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
||||
* NOVELL (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
|
||||
#ifndef __LIBAALOGPARSE_H_
|
||||
#define __LIBAALOGPARSE_H_
|
||||
|
||||
#define AA_RECORD_EXEC_MMAP 1
|
||||
#define AA_RECORD_READ 2
|
||||
#define AA_RECORD_WRITE 4
|
||||
#define AA_RECORD_EXEC 8
|
||||
#define AA_RECORD_LINK 16
|
||||
|
||||
/**
|
||||
* This is just for convenience now that we have two
|
||||
* wildly different grammars.
|
||||
*/
|
||||
|
||||
typedef enum
|
||||
{
|
||||
AA_RECORD_SYNTAX_V1,
|
||||
AA_RECORD_SYNTAX_V2,
|
||||
AA_RECORD_SYNTAX_UNKNOWN
|
||||
} aa_record_syntax_version;
|
||||
|
||||
typedef enum
|
||||
{
|
||||
AA_RECORD_INVALID, /* Default event type */
|
||||
AA_RECORD_ERROR, /* Internal AA error */
|
||||
AA_RECORD_AUDIT, /* Audited event */
|
||||
AA_RECORD_ALLOWED, /* Complain mode event */
|
||||
AA_RECORD_DENIED, /* Denied access event */
|
||||
AA_RECORD_HINT, /* Process tracking info */
|
||||
AA_RECORD_STATUS /* Configuration change */
|
||||
} aa_record_event_type;
|
||||
|
||||
/**
|
||||
* With the sole exception of active_hat, this is a 1:1
|
||||
* mapping from the keys that the new syntax uses.
|
||||
*
|
||||
* Some examples of the old syntax and how they're mapped with the aa_log_record struct:
|
||||
*
|
||||
* "PERMITTING r access to /path (program_name(12345) profile /profile active hat)"
|
||||
* - operation: access
|
||||
* - requested_mask: r
|
||||
* - pid: 12345
|
||||
* - profile: /profile
|
||||
* - name: /path
|
||||
* - info: program_name
|
||||
* - active_hat: hat
|
||||
*
|
||||
* "REJECTING mkdir on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out"
|
||||
* - operation: mkdir
|
||||
* - name: /path/to/something
|
||||
* - info: bash
|
||||
* - pid: 23415
|
||||
* - profile: /bin/freak-aa-out
|
||||
* - active_hat: /bin/freak-aa-out
|
||||
*
|
||||
* "REJECTING xattr set on /path/to/something (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
|
||||
* - operation: xattr
|
||||
* - attribute: set
|
||||
* - name: /path/to/something
|
||||
* - info: bash
|
||||
* - pid: 23415
|
||||
* - profile: /bin/freak-aa-out
|
||||
* - active_hat: /bin/freak-aa-out
|
||||
*
|
||||
* "PERMITTING attribute (something) change to /else (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
|
||||
* - operation: setattr
|
||||
* - attribute: something
|
||||
* - name: /else
|
||||
* - info: bash
|
||||
* - pid: 23415
|
||||
* - profile: /bin/freak-aa-out
|
||||
* - active_hat: /bin/freak-aa-out
|
||||
*
|
||||
* "PERMITTING access to capability 'cap' (bash(23415) profile /bin/freak-aa-out active /bin/freak-aa-out)"
|
||||
* - operation: capability
|
||||
* - name: cap
|
||||
* - info: bash
|
||||
* - pid: 23415
|
||||
* - profile: /bin/freak-aa-out
|
||||
* - active_hat: /bin/freak-aa-out
|
||||
*
|
||||
* "LOGPROF-HINT unknown_hat TESTHAT pid=27764 profile=/change_hat_test/test_hat active=/change_hat_test/test_hat"
|
||||
* - operation: change_hat
|
||||
* - name: TESTHAT
|
||||
* - info: unknown_hat
|
||||
* - pid: 27764
|
||||
* - profile: /change_hat_test/test_hat
|
||||
* - active_hat: /change_hat_test/test_hat
|
||||
*
|
||||
* "LOGPROF-HINT fork pid=27764 child=38229"
|
||||
* - operation: clone
|
||||
* - task: 38229
|
||||
* - pid: 27764
|
||||
**/
|
||||
|
||||
typedef struct
|
||||
{
|
||||
aa_record_syntax_version version;
|
||||
aa_record_event_type event; /* Event type */
|
||||
unsigned long pid; /* PID of the program logging the message */
|
||||
unsigned long task;
|
||||
unsigned long magic_token;
|
||||
long epoch; /* example: 12345679 */
|
||||
unsigned int audit_sub_id; /* example: 12 */
|
||||
|
||||
int bitmask; /* Bitmask containing "r" "w" "x" etc */
|
||||
char *audit_id; /* example: 12345679.1234:12 */
|
||||
char *operation; /* "Exec" "Ptrace", etc. */
|
||||
char *denied_mask; /* "r", "w", etc. */
|
||||
char *requested_mask;
|
||||
char *profile; /* The name of the profile */
|
||||
char *name;
|
||||
char *name2;
|
||||
char *attribute;
|
||||
unsigned long parent;
|
||||
char *info;
|
||||
char *active_hat;
|
||||
char *net_family;
|
||||
char *net_protocol;
|
||||
char *net_sock_type;
|
||||
} aa_log_record;
|
||||
|
||||
/**
|
||||
* Parses a single log record string and returns a pointer to the parsed
|
||||
* data. It is the calling program's responsibility to free that struct
|
||||
* with free_record();
|
||||
* @param[in] Record to parse.
|
||||
* @return Parsed data.
|
||||
*/
|
||||
aa_log_record *
|
||||
parse_record(char *str);
|
||||
|
||||
/**
|
||||
* Frees all struct data.
|
||||
* @param[in] Data to free.
|
||||
*/
|
||||
void
|
||||
free_record(aa_log_record *record);
|
||||
|
||||
#endif
|
||||
|
27
changehat/libapparmor/src/apparmor.h
Normal file
27
changehat/libapparmor/src/apparmor.h
Normal file
@@ -0,0 +1,27 @@
|
||||
/* $Id: apparmor.h 132 2006-09-28 07:45:55Z steve-beattie $
|
||||
|
||||
Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
|
||||
|
||||
The libapparmor library is licensed under the terms of the GNU
|
||||
Lesser General Public License, version 2.1. Please see the file
|
||||
COPYING.LGPL.
|
||||
*/
|
||||
|
||||
#ifndef _SYS_APPARMOR_H_
|
||||
#define _SYS_APPARMOR_H 1
|
||||
|
||||
__BEGIN_DECLS
|
||||
|
||||
/* Prototype for change_hat as defined by the AppArmor project
|
||||
<http://forge.novell.com/modules/xfmod/project/?apparmor>
|
||||
Please see the change_hat(2) manpage for information. */
|
||||
|
||||
extern int (change_hat)(const char *subprofile, unsigned int magic_token);
|
||||
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
|
||||
extern int aa_change_profile(const char *profile);
|
||||
|
||||
#define change_hat(X, Y) aa_change_hat((X), (Y))
|
||||
|
||||
__END_DECLS
|
||||
|
||||
#endif /* sys/apparmor.h */
|
134
changehat/libapparmor/src/change_hat.c
Normal file
134
changehat/libapparmor/src/change_hat.c
Normal file
@@ -0,0 +1,134 @@
|
||||
/* $Id: change_hat.c 13 2006-04-12 21:43:34Z steve-beattie $
|
||||
|
||||
Copyright (c) 2003-2007 Novell, Inc. (All rights reserved)
|
||||
|
||||
The libapparmor library is licensed under the terms of the GNU
|
||||
Lesser General Public License, version 2.1. Please see the file
|
||||
COPYING.LGPL.
|
||||
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
|
||||
#define symbol_version(real, name, version) \
|
||||
__asm__ (".symver " #real "," #name "@" #version)
|
||||
#define default_symbol_version(real, name, version) \
|
||||
__asm__ (".symver " #real "," #name "@@" #version)
|
||||
|
||||
static int setprocattr(const char *buf, int len)
|
||||
{
|
||||
int rc = -1;
|
||||
int fd, ret, ctlerr = 0;
|
||||
char *ctl = NULL;
|
||||
pid_t tid = syscall(SYS_gettid);
|
||||
|
||||
if (!buf) {
|
||||
errno = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
ctlerr = asprintf(&ctl, "/proc/%d/attr/current", tid);
|
||||
if (ctlerr < 0) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
fd = open(ctl, O_WRONLY);
|
||||
if (fd == -1) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = write(fd, buf, len);
|
||||
if (ret != len) {
|
||||
int saved;
|
||||
if (ret != -1) {
|
||||
errno = EPROTO;
|
||||
}
|
||||
saved = errno;
|
||||
(void)close(fd);
|
||||
errno = saved;
|
||||
goto out;
|
||||
}
|
||||
|
||||
rc = 0;
|
||||
(void)close(fd);
|
||||
|
||||
out:
|
||||
if (ctl) {
|
||||
free(ctl);
|
||||
}
|
||||
return rc;
|
||||
}
|
||||
|
||||
int aa_change_hat(const char *subprofile, unsigned long token)
|
||||
{
|
||||
int rc = -1;
|
||||
int len = 0;
|
||||
char *buf = NULL;
|
||||
const char *fmt = "changehat %016x^%s";
|
||||
|
||||
/* both may not be null */
|
||||
if (!(token || subprofile)) {
|
||||
errno = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (subprofile && strnlen(subprofile, PATH_MAX + 1) > PATH_MAX) {
|
||||
errno = EPROTO;
|
||||
goto out;
|
||||
}
|
||||
|
||||
len = asprintf(&buf, fmt, token, subprofile ? subprofile : "");
|
||||
if (len < 0) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
rc = setprocattr(buf, len);
|
||||
out:
|
||||
if (buf) {
|
||||
/* clear local copy of magic token before freeing */
|
||||
memset(buf, '\0', len);
|
||||
free(buf);
|
||||
}
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* original change_hat interface */
|
||||
int __change_hat(char *subprofile, unsigned int token)
|
||||
{
|
||||
return aa_change_hat(subprofile, (unsigned long) token);
|
||||
}
|
||||
|
||||
int aa_change_profile(const char *profile)
|
||||
{
|
||||
char *buf = NULL;
|
||||
int len;
|
||||
int rc;
|
||||
|
||||
if (!profile) {
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
len = asprintf(&buf, "changeprofile %s", profile);
|
||||
if (len < 0)
|
||||
return -1;
|
||||
|
||||
rc = setprocattr(buf, len);
|
||||
|
||||
free(buf);
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* create an alias for the old change_hat@IMMUNIX_1.0 symbol */
|
||||
extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
|
||||
symbol_version(__old_change_hat, change_hat, IMMUNIX_1.0);
|
||||
default_symbol_version(__change_hat, change_hat, APPARMOR_1.0);
|
438
changehat/libapparmor/src/grammar.y
Normal file
438
changehat/libapparmor/src/grammar.y
Normal file
@@ -0,0 +1,438 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
||||
* NOVELL (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
|
||||
%{
|
||||
|
||||
#define YYDEBUG 0
|
||||
#include <string.h>
|
||||
#include "aalogparse.h"
|
||||
#include "parser.h"
|
||||
#include "grammar.h"
|
||||
#include "scanner.h"
|
||||
|
||||
aa_log_record *ret_record;
|
||||
|
||||
/* Since we're a library, on any errors we don't want to print out any
|
||||
* error messages. We should probably add a debug interface that does
|
||||
* emit messages when asked for. */
|
||||
void aalogparse_error(void *scanner, char const *s)
|
||||
{
|
||||
/* printf("Error: %s\n", s); */
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
}
|
||||
|
||||
struct aa_type_table {
|
||||
unsigned int audit_type;
|
||||
aa_record_event_type event;
|
||||
};
|
||||
|
||||
static struct aa_type_table aa_type_table[] = {
|
||||
{AUDIT_APPARMOR_AUDIT, AA_RECORD_AUDIT},
|
||||
{AUDIT_APPARMOR_ALLOWED, AA_RECORD_ALLOWED},
|
||||
{AUDIT_APPARMOR_DENIED, AA_RECORD_DENIED},
|
||||
{AUDIT_APPARMOR_HINT, AA_RECORD_HINT},
|
||||
{AUDIT_APPARMOR_STATUS, AA_RECORD_STATUS},
|
||||
{AUDIT_APPARMOR_ERROR, AA_RECORD_ERROR},
|
||||
{0, AA_RECORD_INVALID},
|
||||
};
|
||||
|
||||
aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; aa_type_table[i].audit_type != 0; i++)
|
||||
if (type == aa_type_table[i].audit_type)
|
||||
break;
|
||||
|
||||
return aa_type_table[i].event;
|
||||
}
|
||||
%}
|
||||
|
||||
%defines
|
||||
%pure_parser
|
||||
%lex-param{void *scanner}
|
||||
%parse-param{void *scanner}
|
||||
|
||||
%union
|
||||
{
|
||||
char *t_str;
|
||||
long t_long;
|
||||
}
|
||||
|
||||
%type <t_str> old_profile safe_string protocol
|
||||
%token <t_long> TOK_DIGITS TOK_TYPE_UNKNOWN
|
||||
%token <t_str> TOK_QUOTED_STRING TOK_PATH TOK_ID TOK_NULL_COMPLAIN TOK_MODE TOK_DMESG_STAMP
|
||||
%token <t_str> TOK_SINGLE_QUOTED_STRING TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
|
||||
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
|
||||
|
||||
%token TOK_EQUALS
|
||||
%token TOK_COLON
|
||||
%token TOK_OPEN_PAREN
|
||||
%token TOK_CLOSE_PAREN
|
||||
%token TOK_PERIOD
|
||||
|
||||
%token TOK_TYPE_REJECT
|
||||
%token TOK_TYPE_AUDIT
|
||||
%token TOK_TYPE_COMPLAIN
|
||||
%token TOK_TYPE_HINT
|
||||
%token TOK_TYPE_STATUS
|
||||
%token TOK_TYPE_ERROR
|
||||
%token TOK_OLD_TYPE_APPARMOR
|
||||
%token TOK_OLD_APPARMOR_REJECT
|
||||
%token TOK_OLD_APPARMOR_PERMIT
|
||||
%token TOK_OLD_APPARMOR_AUDIT
|
||||
%token TOK_OLD_APPARMOR_LOGPROF_HINT
|
||||
%token TOK_OLD_UNKNOWN_HAT
|
||||
%token TOK_OLD_ACTIVE
|
||||
%token TOK_OLD_UNKNOWN_PROFILE
|
||||
%token TOK_OLD_MISSING_PROFILE
|
||||
%token TOK_OLD_CHANGING_PROFILE
|
||||
%token TOK_OLD_ACCESS
|
||||
%token TOK_OLD_TO
|
||||
%token TOK_OLD_FROM
|
||||
%token TOK_OLD_PIPE
|
||||
%token TOK_OLD_EXTENDED
|
||||
%token TOK_OLD_ATTRIBUTE
|
||||
%token TOK_OLD_ON
|
||||
%token TOK_OLD_MKDIR
|
||||
%token TOK_OLD_RMDIR
|
||||
%token TOK_OLD_XATTR
|
||||
%token TOK_OLD_CHANGE
|
||||
%token TOK_OLD_CAPABILITY
|
||||
%token TOK_OLD_SYSCALL
|
||||
%token TOK_OLD_LINK
|
||||
%token TOK_OLD_FORK
|
||||
%token TOK_OLD_CHILD
|
||||
|
||||
%token TOK_KEY_TYPE
|
||||
%token TOK_KEY_MSG
|
||||
%token TOK_KEY_OPERATION
|
||||
%token TOK_KEY_NAME
|
||||
%token TOK_KEY_NAME2
|
||||
%token TOK_KEY_DENIED_MASK
|
||||
%token TOK_KEY_REQUESTED_MASK
|
||||
%token TOK_KEY_ATTRIBUTE
|
||||
%token TOK_KEY_TASK
|
||||
%token TOK_KEY_PARENT
|
||||
%token TOK_KEY_MAGIC_TOKEN
|
||||
%token TOK_KEY_INFO
|
||||
%token TOK_KEY_PID
|
||||
%token TOK_KEY_PROFILE
|
||||
%token TOK_AUDIT
|
||||
%token TOK_KEY_IMAGE
|
||||
%token TOK_KEY_FAMILY
|
||||
%token TOK_KEY_SOCK_TYPE
|
||||
%token TOK_KEY_PROTOCOL
|
||||
|
||||
%token TOK_SYSLOG_KERNEL
|
||||
|
||||
%%
|
||||
|
||||
log_message: audit_type
|
||||
| syslog_type
|
||||
;
|
||||
|
||||
audit_type: TOK_KEY_TYPE TOK_EQUALS type_syntax ;
|
||||
|
||||
type_syntax: old_syntax { ret_record->version = AA_RECORD_SYNTAX_V1; }
|
||||
| new_syntax { ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
| other_audit
|
||||
;
|
||||
|
||||
old_syntax: TOK_OLD_TYPE_APPARMOR audit_msg old_msg
|
||||
| TOK_TYPE_UNKNOWN audit_msg old_msg
|
||||
;
|
||||
|
||||
new_syntax:
|
||||
TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
|
||||
| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
|
||||
| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
|
||||
| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
|
||||
| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
|
||||
| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
|
||||
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
|
||||
;
|
||||
|
||||
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
|
||||
{
|
||||
ret_record->operation = $1;
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
ret_record->info = $3;
|
||||
}
|
||||
;
|
||||
|
||||
syslog_type:
|
||||
syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id old_msg
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V1; }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; }
|
||||
;
|
||||
|
||||
old_msg:
|
||||
old_permit_reject_type old_permit_reject_syntax
|
||||
| TOK_OLD_APPARMOR_LOGPROF_HINT old_logprof_syntax { ret_record->event = AA_RECORD_HINT; }
|
||||
;
|
||||
|
||||
old_permit_reject_type:
|
||||
TOK_OLD_APPARMOR_REJECT { ret_record->event = AA_RECORD_DENIED; }
|
||||
| TOK_OLD_APPARMOR_PERMIT { ret_record->event = AA_RECORD_ALLOWED; }
|
||||
| TOK_OLD_APPARMOR_AUDIT { ret_record->event = AA_RECORD_AUDIT; }
|
||||
;
|
||||
|
||||
old_permit_reject_syntax:
|
||||
TOK_MODE TOK_OLD_ACCESS old_permit_reject_path_pipe_extended
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->requested_mask = $1;
|
||||
ret_record->operation = strdup("access");
|
||||
}
|
||||
| dir_action TOK_OLD_ON TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->name = $3;
|
||||
}
|
||||
| TOK_OLD_XATTR TOK_ID TOK_OLD_ON TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("xattr");
|
||||
ret_record->attribute = $2;
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_KEY_ATTRIBUTE TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN
|
||||
TOK_OLD_CHANGE TOK_OLD_TO TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("setattr");
|
||||
ret_record->attribute = $3;
|
||||
ret_record->name = $7;
|
||||
}
|
||||
| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_CAPABILITY TOK_SINGLE_QUOTED_STRING
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("capability");
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_OLD_ACCESS TOK_OLD_TO TOK_OLD_SYSCALL TOK_SINGLE_QUOTED_STRING
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->operation = strdup("syscall");
|
||||
ret_record->name = $4;
|
||||
}
|
||||
| TOK_OLD_LINK TOK_OLD_ACCESS TOK_OLD_FROM TOK_PATH TOK_OLD_TO TOK_PATH
|
||||
TOK_OPEN_PAREN old_process_state TOK_CLOSE_PAREN
|
||||
{
|
||||
ret_record->requested_mask = strdup("l");
|
||||
ret_record->name = $4;
|
||||
ret_record->name2 = $6;
|
||||
}
|
||||
;
|
||||
|
||||
dir_action:
|
||||
TOK_OLD_MKDIR { ret_record->operation = strdup("mkdir"); }
|
||||
| TOK_OLD_RMDIR { ret_record->operation = strdup("rmdir"); }
|
||||
;
|
||||
|
||||
old_process_state:
|
||||
TOK_ID TOK_OPEN_PAREN TOK_ID TOK_CLOSE_PAREN old_profile_names
|
||||
{
|
||||
ret_record->info = $1;
|
||||
ret_record->pid = atol($3);
|
||||
free($3);
|
||||
}
|
||||
;
|
||||
|
||||
old_profile_names:
|
||||
TOK_KEY_PROFILE old_profile TOK_OLD_ACTIVE old_profile
|
||||
{ ret_record->profile = $2;
|
||||
ret_record->active_hat = $4;
|
||||
}
|
||||
;
|
||||
|
||||
old_permit_reject_path_pipe_extended:
|
||||
TOK_OLD_TO TOK_PATH
|
||||
{
|
||||
ret_record->name = $2;
|
||||
}
|
||||
| TOK_OLD_TO TOK_OLD_PIPE /* Frankly, I don't think this is used */
|
||||
{
|
||||
ret_record->info = strdup("pipe");
|
||||
}
|
||||
| TOK_OLD_EXTENDED TOK_KEY_ATTRIBUTE /* Nor this */
|
||||
{
|
||||
ret_record->info = strdup("extended attribute");
|
||||
}
|
||||
;
|
||||
old_logprof_syntax:
|
||||
old_logprof_syntax2 key_pid
|
||||
TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
|
||||
{
|
||||
ret_record->profile = strdup($5);
|
||||
free($5);
|
||||
ret_record->active_hat = strdup($8);
|
||||
free($8);
|
||||
}
|
||||
| old_logprof_fork_syntax
|
||||
| TOK_OLD_CHANGING_PROFILE key_pid
|
||||
{ ret_record->profile = strdup("null-complain-profile"); }
|
||||
;
|
||||
|
||||
old_logprof_syntax2:
|
||||
TOK_OLD_UNKNOWN_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("profile_set");
|
||||
ret_record->info = strdup("unknown profile");
|
||||
ret_record->name = strdup($4);
|
||||
free($4);
|
||||
}
|
||||
| TOK_OLD_MISSING_PROFILE TOK_KEY_IMAGE TOK_EQUALS TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("exec");
|
||||
ret_record->info = strdup("mandatory profile missing");
|
||||
ret_record->name = strdup($4);
|
||||
free($4);
|
||||
}
|
||||
| TOK_OLD_UNKNOWN_HAT TOK_ID
|
||||
{
|
||||
ret_record->operation = strdup("change_hat");
|
||||
ret_record->name = strdup($2);
|
||||
free($2);
|
||||
ret_record->info = strdup("unknown_hat");
|
||||
}
|
||||
;
|
||||
|
||||
/* TODO: Clean this up */
|
||||
old_logprof_fork_syntax:
|
||||
TOK_OLD_FORK key_pid
|
||||
TOK_OLD_CHILD TOK_EQUALS TOK_DIGITS old_logprof_fork_addition
|
||||
{
|
||||
ret_record->operation = strdup("clone");
|
||||
ret_record->task = $5;
|
||||
}
|
||||
;
|
||||
|
||||
old_logprof_fork_addition:
|
||||
/* Nothin */
|
||||
| TOK_KEY_PROFILE TOK_EQUALS old_profile TOK_OLD_ACTIVE TOK_EQUALS old_profile
|
||||
{
|
||||
ret_record->profile = $3;
|
||||
ret_record->active_hat = $6;
|
||||
}
|
||||
;
|
||||
|
||||
old_profile:
|
||||
TOK_PATH { $$ = $1; }
|
||||
| TOK_ID { $$ = $1; }
|
||||
| TOK_NULL_COMPLAIN { $$ = strdup("null-complain-profile"); }
|
||||
;
|
||||
|
||||
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
|
||||
;
|
||||
|
||||
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
|
||||
{
|
||||
asprintf(&ret_record->audit_id, "%s.%s:%s", $3, $5, $7);
|
||||
ret_record->epoch = atol($3);
|
||||
ret_record->audit_sub_id = atoi($7);
|
||||
free($3);
|
||||
free($5);
|
||||
free($7);
|
||||
} ;
|
||||
|
||||
syslog_date: TOK_DATE_MONTH TOK_DIGITS TOK_DATE_TIME { /* do nothing? */ }
|
||||
;
|
||||
|
||||
key_list: key
|
||||
| key_list key
|
||||
;
|
||||
|
||||
key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->operation = $3;}
|
||||
| TOK_KEY_NAME TOK_EQUALS safe_string
|
||||
{ ret_record->name = $3;}
|
||||
| TOK_KEY_NAME2 TOK_EQUALS safe_string
|
||||
{ ret_record->name2 = $3;}
|
||||
| TOK_KEY_DENIED_MASK TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->denied_mask = $3;}
|
||||
| TOK_KEY_REQUESTED_MASK TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->requested_mask = $3;}
|
||||
| TOK_KEY_ATTRIBUTE TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->attribute = $3;}
|
||||
| TOK_KEY_TASK TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->task = $3;}
|
||||
| TOK_KEY_PARENT TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->parent = $3;}
|
||||
| TOK_KEY_MAGIC_TOKEN TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->magic_token = $3;}
|
||||
| TOK_KEY_INFO TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->info = $3;}
|
||||
| key_pid
|
||||
| TOK_KEY_PROFILE TOK_EQUALS safe_string
|
||||
{ ret_record->profile = $3;}
|
||||
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->net_family = $3;}
|
||||
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->net_sock_type = $3;}
|
||||
| TOK_KEY_PROTOCOL TOK_EQUALS protocol
|
||||
{ ret_record->net_protocol = $3;}
|
||||
| TOK_KEY_TYPE TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->event = lookup_aa_event($3);}
|
||||
;
|
||||
|
||||
key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
|
||||
;
|
||||
|
||||
safe_string: TOK_QUOTED_STRING
|
||||
| TOK_HEXSTRING
|
||||
;
|
||||
|
||||
protocol: TOK_QUOTED_STRING
|
||||
| TOK_DIGITS
|
||||
{ /* FIXME: this should probably convert back to a string proto name */
|
||||
char *ret = NULL;
|
||||
if (asprintf(&ret, "%ld", $1) < 0)
|
||||
yyerror(NULL, "Unable to allocate protocol string");
|
||||
$$ = ret;
|
||||
}
|
||||
;
|
||||
%%
|
||||
|
||||
aa_log_record *
|
||||
_parse_yacc(char *str)
|
||||
{
|
||||
/* yydebug = 1; */
|
||||
YY_BUFFER_STATE lex_buf;
|
||||
yyscan_t scanner;
|
||||
int parser_return;
|
||||
|
||||
ret_record = NULL;
|
||||
ret_record = (aa_log_record *) malloc(sizeof(aa_log_record));
|
||||
|
||||
_init_log_record(ret_record);
|
||||
|
||||
if (ret_record == NULL)
|
||||
return NULL;
|
||||
|
||||
aalogparse_lex_init(&scanner);
|
||||
lex_buf = aalogparse__scan_string(str, scanner);
|
||||
parser_return = aalogparse_parse(scanner);
|
||||
aalogparse__delete_buffer(lex_buf, scanner);
|
||||
aalogparse_lex_destroy(scanner);
|
||||
return ret_record;
|
||||
}
|
139
changehat/libapparmor/src/libaalogparse.c
Normal file
139
changehat/libapparmor/src/libaalogparse.c
Normal file
@@ -0,0 +1,139 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
||||
* NOVELL (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* @author Matt Barringer <mbarringer@suse.de>
|
||||
*/
|
||||
|
||||
/*
|
||||
* TODO:
|
||||
*
|
||||
* - Convert the text permission mask into a bitmask
|
||||
* - Clean up parser grammar
|
||||
*/
|
||||
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include "aalogparse.h"
|
||||
#include "parser.h"
|
||||
|
||||
/* This is mostly just a wrapper around the code in grammar.y */
|
||||
aa_log_record *parse_record(char *str)
|
||||
{
|
||||
if (str == NULL)
|
||||
return NULL;
|
||||
|
||||
return _parse_yacc(str);
|
||||
}
|
||||
|
||||
void free_record(aa_log_record *record)
|
||||
{
|
||||
if (record != NULL)
|
||||
{
|
||||
if (record->operation != NULL)
|
||||
free(record->operation);
|
||||
if (record->requested_mask != NULL)
|
||||
free(record->requested_mask);
|
||||
if (record->denied_mask != NULL)
|
||||
free(record->denied_mask);
|
||||
if (record->profile != NULL)
|
||||
free(record->profile);
|
||||
if (record->name != NULL)
|
||||
free(record->name);
|
||||
if (record->name2 != NULL)
|
||||
free(record->name2);
|
||||
if (record->attribute != NULL)
|
||||
free(record->attribute);
|
||||
if (record->info != NULL)
|
||||
free(record->info);
|
||||
if (record->active_hat != NULL)
|
||||
free(record->active_hat);
|
||||
if (record->audit_id != NULL)
|
||||
free(record->audit_id);
|
||||
if (record->net_family != NULL)
|
||||
free(record->net_family);
|
||||
if (record->net_protocol != NULL)
|
||||
free(record->net_protocol);
|
||||
if (record->net_sock_type != NULL)
|
||||
free(record->net_sock_type);
|
||||
|
||||
free(record);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
/* Set all of the fields to appropriate values */
|
||||
void _init_log_record(aa_log_record *record)
|
||||
{
|
||||
if (record == NULL)
|
||||
return;
|
||||
|
||||
record->version = AA_RECORD_SYNTAX_UNKNOWN;
|
||||
record->event = AA_RECORD_INVALID;
|
||||
record->pid = 0;
|
||||
record->bitmask = 0;
|
||||
record->task = 0;
|
||||
record->magic_token = 0;
|
||||
record->epoch = 0;
|
||||
record->audit_sub_id = 0;
|
||||
|
||||
record->audit_id = NULL;
|
||||
record->operation = NULL;
|
||||
record->denied_mask = NULL;
|
||||
record->requested_mask = NULL;
|
||||
record->profile = NULL;
|
||||
record->name = NULL;
|
||||
record->name2 = NULL;
|
||||
record->attribute = NULL;
|
||||
record->parent = 0;
|
||||
record->info = NULL;
|
||||
record->active_hat = NULL;
|
||||
record->net_family = NULL;
|
||||
record->net_protocol = NULL;
|
||||
record->net_sock_type = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
/* convert a hex-encoded string to its char* version */
|
||||
char *hex_to_string(char *hexstring)
|
||||
{
|
||||
char *ret = NULL;
|
||||
char buf[3], *endptr;
|
||||
size_t len;
|
||||
int i;
|
||||
|
||||
if (!hexstring)
|
||||
goto out;
|
||||
|
||||
len = strlen(hexstring) / 2;
|
||||
ret = malloc(len + 1);
|
||||
if (!ret)
|
||||
goto out;
|
||||
|
||||
for (i = 0; i < len; i++) {
|
||||
sprintf(buf, "%.2s", hexstring);
|
||||
hexstring += 2;
|
||||
ret[i] = (unsigned char) strtoul(buf, &endptr, 16);
|
||||
}
|
||||
ret[len] = '\0';
|
||||
|
||||
out:
|
||||
return ret;
|
||||
}
|
25
changehat/libapparmor/src/libapparmor.map
Normal file
25
changehat/libapparmor/src/libapparmor.map
Normal file
@@ -0,0 +1,25 @@
|
||||
IMMUNIX_1.0 {
|
||||
global:
|
||||
change_hat;
|
||||
local:
|
||||
*;
|
||||
};
|
||||
|
||||
APPARMOR_1.0 {
|
||||
global:
|
||||
change_hat;
|
||||
parse_record;
|
||||
free_record;
|
||||
local:
|
||||
*;
|
||||
} IMMUNIX_1.0;
|
||||
|
||||
APPARMOR_1.1 {
|
||||
global:
|
||||
aa_change_hat;
|
||||
aa_change_profile;
|
||||
parse_record;
|
||||
free_record;
|
||||
local:
|
||||
*;
|
||||
} APPARMOR_1.0;
|
23
changehat/libapparmor/src/libimmunix_warning.c
Normal file
23
changehat/libapparmor/src/libimmunix_warning.c
Normal file
@@ -0,0 +1,23 @@
|
||||
/* $Id: libimmunix_warning.c 13 2006-04-12 21:43:34Z steve-beattie $
|
||||
|
||||
Copyright (c) 2006 Novell, Inc. (All rights reserved)
|
||||
The libimmunix library is licensed under the terms of the GNU
|
||||
Lesser General Public License, version 2.1. Please see the file
|
||||
COPYING.LGPL.
|
||||
|
||||
*/
|
||||
|
||||
#include <syslog.h>
|
||||
|
||||
void __libimmunix_warning(void) __attribute__ ((constructor));
|
||||
void __libimmunix_warning(void)
|
||||
{
|
||||
extern const char *__progname; /* global from linux crt0 */
|
||||
openlog (__progname, LOG_PID|LOG_PERROR, LOG_USER);
|
||||
syslog(LOG_NOTICE,
|
||||
"%s links against libimmunix.so, which is deprecated. "
|
||||
"Please link against libapparmor instead\n",
|
||||
__progname);
|
||||
closelog();
|
||||
|
||||
}
|
36
changehat/libapparmor/src/parser.h
Normal file
36
changehat/libapparmor/src/parser.h
Normal file
@@ -0,0 +1,36 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
||||
* NOVELL (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
|
||||
#ifndef __AA_LOG_PARSER_H__
|
||||
#define __AA_LOG_PARSER_H__
|
||||
|
||||
extern void _init_log_record(aa_log_record *record);
|
||||
extern aa_log_record *_parse_yacc(char *str);
|
||||
extern char *hex_to_string(char *str);
|
||||
|
||||
/* FIXME: this ought to be pulled from <linux/audit.h> but there's no
|
||||
* guarantee these will exist there. */
|
||||
#define AUDIT_APPARMOR_AUDIT 1501 /* AppArmor audited grants */
|
||||
#define AUDIT_APPARMOR_ALLOWED 1502 /* Allowed Access for learning */
|
||||
#define AUDIT_APPARMOR_DENIED 1503
|
||||
#define AUDIT_APPARMOR_HINT 1504 /* Process Tracking information */
|
||||
#define AUDIT_APPARMOR_STATUS 1505 /* Changes in config */
|
||||
#define AUDIT_APPARMOR_ERROR 1506 /* Internal AppArmor Errors */
|
||||
|
||||
#endif
|
||||
|
320
changehat/libapparmor/src/scanner.l
Normal file
320
changehat/libapparmor/src/scanner.l
Normal file
@@ -0,0 +1,320 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
||||
* NOVELL (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
%option noyywrap
|
||||
%option reentrant
|
||||
%option prefix="aalogparse_"
|
||||
%option bison-bridge
|
||||
%option header-file="scanner.h"
|
||||
%option outfile="scanner.c"
|
||||
%option stack
|
||||
%{
|
||||
|
||||
#include "grammar.h"
|
||||
#include "aalogparse.h"
|
||||
#include "parser.h"
|
||||
%}
|
||||
|
||||
ws [ \t\r\n]
|
||||
|
||||
equals "="
|
||||
digits [0-9]+
|
||||
hex [A-F0-9]
|
||||
colon ":"
|
||||
open_paren "("
|
||||
close_paren ")"
|
||||
ID [^ \t\n\(\)="'!]
|
||||
path "/"{ID}*
|
||||
hexstring ({hex}{hex})+
|
||||
period "\."
|
||||
mode_chars ([RrWwLalMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])
|
||||
modes {mode_chars}+
|
||||
|
||||
/* New message types */
|
||||
|
||||
reject_type "APPARMOR_DENIED"
|
||||
audit_type "APPARMOR_AUDIT"
|
||||
complain_type "APPARMOR_ALLOWED"
|
||||
hint_type "APPARMOR_HINT"
|
||||
status_type "APPARMOR_STATUS"
|
||||
error_type "APPARMOR_ERROR"
|
||||
unknown_type UNKNOWN\[{digits}+\]
|
||||
other_audit_type [[:alnum:]\[\]_-]+
|
||||
|
||||
/* Old message tokens */
|
||||
|
||||
old_apparmor_type "APPARMOR"
|
||||
old_apparmor_reject "REJECTING"
|
||||
old_apparmor_permit "PERMITTING"
|
||||
old_apparmor_audit "AUDITING"
|
||||
old_apparmor_logprof "LOGPROF-HINT"
|
||||
old_unknown_hat "unknown_hat"
|
||||
old_unknown_profile "unknown_profile"
|
||||
old_missing_profile "missing_mandatory_profile"
|
||||
old_changing_profile "changing_profile"
|
||||
old_active "active"
|
||||
old_access "access"
|
||||
old_from "from"
|
||||
old_to "to"
|
||||
old_pipe "pipe"
|
||||
old_extended "extended"
|
||||
old_rmdir "rmdir"
|
||||
old_mkdir "mkdir"
|
||||
old_on "on"
|
||||
old_xattr "xattr"
|
||||
old_change "change"
|
||||
old_capability "capability"
|
||||
old_syscall "syscall"
|
||||
old_link "link"
|
||||
old_fork "fork"
|
||||
old_child "child"
|
||||
|
||||
null_complain "null-complain-profile"
|
||||
|
||||
/* Key tokens */
|
||||
|
||||
key_type "type"
|
||||
key_msg "msg"
|
||||
key_operation "operation"
|
||||
key_name "name"
|
||||
key_name2 "name2"
|
||||
key_denied_mask "denied_mask"
|
||||
key_requested_mask "requested_mask"
|
||||
key_attribute "attribute"
|
||||
key_task "task"
|
||||
key_parent "parent"
|
||||
key_magic_token "magic_token"
|
||||
key_info "info"
|
||||
key_pid "pid"
|
||||
key_profile "profile"
|
||||
key_image "image"
|
||||
key_family "family"
|
||||
key_sock_type "sock_type"
|
||||
key_protocol "protocol"
|
||||
audit "audit"
|
||||
|
||||
/* syslog tokens */
|
||||
syslog_kernel kernel{colon}
|
||||
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
|
||||
syslog_time {digits}{digits}{colon}{digits}{digits}{colon}{digits}{digits}
|
||||
syslog_hostname [[:alnum:]_-]+
|
||||
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
||||
|
||||
%x quoted_string
|
||||
%x sub_id
|
||||
%x audit_id
|
||||
%x single_quoted_string
|
||||
%x hostname
|
||||
%x dmesg_timestamp
|
||||
%x safe_string
|
||||
%x audit_types
|
||||
%x other_audit
|
||||
%x unknown_message
|
||||
|
||||
%%
|
||||
%{
|
||||
char string_buf[512];
|
||||
char *string_buf_ptr = string_buf; /* assignment to quiet gcc warning */
|
||||
|
||||
/* yy_flex_debug = 1; */
|
||||
%}
|
||||
|
||||
{ws}+ { /* Skip whitespace */ }
|
||||
|
||||
<audit_id>{
|
||||
{digits} { yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
|
||||
{colon} { return(TOK_COLON); }
|
||||
{period} { return(TOK_PERIOD); }
|
||||
{open_paren} { return(TOK_OPEN_PAREN); }
|
||||
{close_paren} { yy_pop_state(yyscanner); return(TOK_CLOSE_PAREN); }
|
||||
}
|
||||
|
||||
<sub_id>{
|
||||
{open_paren} { return(TOK_OPEN_PAREN); }
|
||||
{close_paren} { BEGIN(INITIAL); return(TOK_CLOSE_PAREN); }
|
||||
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
|
||||
{ws} { }
|
||||
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
|
||||
{ID}+ {
|
||||
yylval->t_str = strdup(yytext);
|
||||
BEGIN(INITIAL);
|
||||
return(TOK_ID);
|
||||
}
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
}
|
||||
|
||||
|
||||
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
|
||||
<single_quoted_string>"'" { /* End of the quoted string */
|
||||
BEGIN(INITIAL);
|
||||
*string_buf_ptr = '\0';
|
||||
yylval->t_str = strdup(string_buf);
|
||||
return(TOK_SINGLE_QUOTED_STRING);
|
||||
}
|
||||
|
||||
|
||||
<single_quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
|
||||
|
||||
<single_quoted_string>[^\\\n\'\"]+ {
|
||||
char *yptr = yytext;
|
||||
while (*yptr)
|
||||
{
|
||||
*string_buf_ptr++ = *yptr++;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
|
||||
<quoted_string>\" { /* End of the quoted string */
|
||||
BEGIN(INITIAL);
|
||||
*string_buf_ptr = '\0';
|
||||
yylval->t_str = strdup(string_buf);
|
||||
return(TOK_QUOTED_STRING);
|
||||
}
|
||||
|
||||
|
||||
<quoted_string>\\(.|\n) { *string_buf_ptr++ = yytext[1]; }
|
||||
|
||||
<quoted_string>[^\\\n\"]+ {
|
||||
char *yptr = yytext;
|
||||
while (*yptr)
|
||||
{
|
||||
*string_buf_ptr++ = *yptr++;
|
||||
}
|
||||
}
|
||||
|
||||
<safe_string>{
|
||||
"'" { string_buf_ptr = string_buf; BEGIN(single_quoted_string); }
|
||||
\" { string_buf_ptr = string_buf; BEGIN(quoted_string); }
|
||||
{hexstring} { yylval->t_str = hex_to_string(yytext); BEGIN(INITIAL); return(TOK_HEXSTRING);}
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<audit_types>{
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
{digits} { yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
|
||||
{reject_type} { BEGIN(INITIAL); return(TOK_TYPE_REJECT); }
|
||||
{audit_type} { BEGIN(INITIAL); return(TOK_TYPE_AUDIT); }
|
||||
{complain_type} { BEGIN(INITIAL); return(TOK_TYPE_COMPLAIN); }
|
||||
{hint_type} { BEGIN(INITIAL); return(TOK_TYPE_HINT); }
|
||||
{status_type} { BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
|
||||
{error_type} { BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
|
||||
{unknown_type} { char *yptr = yytext;
|
||||
while (*yptr && *yptr != '[')
|
||||
yptr++;
|
||||
if (*yptr)
|
||||
yylval->t_long = atol(yptr + 1); /* skip '[' */
|
||||
BEGIN(INITIAL);
|
||||
return(TOK_TYPE_UNKNOWN);
|
||||
}
|
||||
{old_apparmor_type} { BEGIN(INITIAL); return(TOK_OLD_TYPE_APPARMOR); }
|
||||
{other_audit_type} { yylval->t_str = strdup(yytext);
|
||||
BEGIN(other_audit);
|
||||
return(TOK_TYPE_OTHER);
|
||||
}
|
||||
}
|
||||
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
{digits} { yylval->t_long = atol(yytext); return(TOK_DIGITS); }
|
||||
{colon} { return(TOK_COLON); }
|
||||
{open_paren} {
|
||||
BEGIN(sub_id);
|
||||
return(TOK_OPEN_PAREN);
|
||||
}
|
||||
{close_paren} { return(TOK_CLOSE_PAREN); }
|
||||
{path} { yylval->t_str = strdup(yytext); return(TOK_PATH); }
|
||||
{period} { return(TOK_PERIOD); }
|
||||
|
||||
{old_apparmor_reject} { return(TOK_OLD_APPARMOR_REJECT); }
|
||||
{old_apparmor_permit} { return(TOK_OLD_APPARMOR_PERMIT); }
|
||||
{old_apparmor_audit} { return(TOK_OLD_APPARMOR_AUDIT); }
|
||||
{old_apparmor_logprof} { return(TOK_OLD_APPARMOR_LOGPROF_HINT); }
|
||||
{old_unknown_hat} { BEGIN(sub_id); return(TOK_OLD_UNKNOWN_HAT); }
|
||||
{old_unknown_profile} { return(TOK_OLD_UNKNOWN_PROFILE); }
|
||||
{old_missing_profile} { return(TOK_OLD_MISSING_PROFILE); }
|
||||
{old_changing_profile} { return(TOK_OLD_CHANGING_PROFILE); }
|
||||
{old_active} { BEGIN(sub_id); return(TOK_OLD_ACTIVE); }
|
||||
{old_access} { return(TOK_OLD_ACCESS); }
|
||||
{old_to} { return(TOK_OLD_TO); }
|
||||
{old_from} { return(TOK_OLD_FROM); }
|
||||
{old_pipe} { return(TOK_OLD_PIPE); }
|
||||
{old_extended} { return(TOK_OLD_EXTENDED); }
|
||||
{old_mkdir} { return(TOK_OLD_MKDIR); }
|
||||
{old_rmdir} { return(TOK_OLD_RMDIR); }
|
||||
{old_on} { return(TOK_OLD_ON); }
|
||||
{old_xattr} { BEGIN(sub_id); return(TOK_OLD_XATTR); }
|
||||
{old_change} { return(TOK_OLD_CHANGE); }
|
||||
{old_capability} { BEGIN(sub_id); return(TOK_OLD_CAPABILITY); }
|
||||
{old_syscall} { return(TOK_OLD_SYSCALL); }
|
||||
{old_link} { return(TOK_OLD_LINK); }
|
||||
{old_fork} { return(TOK_OLD_FORK); }
|
||||
{old_child} { return(TOK_OLD_CHILD); }
|
||||
{modes} { yylval->t_str = strdup(yytext); return(TOK_MODE); }
|
||||
|
||||
{key_type} { BEGIN(audit_types); return(TOK_KEY_TYPE); }
|
||||
{key_msg} { return(TOK_KEY_MSG); }
|
||||
{key_operation} { return(TOK_KEY_OPERATION); }
|
||||
{key_name} { BEGIN(safe_string); return(TOK_KEY_NAME); }
|
||||
{key_name2} { BEGIN(safe_string); return(TOK_KEY_NAME2); }
|
||||
{key_denied_mask} { return(TOK_KEY_DENIED_MASK); }
|
||||
{key_requested_mask} { return(TOK_KEY_REQUESTED_MASK); }
|
||||
{key_attribute} { BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
|
||||
{key_task} { return(TOK_KEY_TASK); }
|
||||
{key_parent} { return(TOK_KEY_PARENT); }
|
||||
{key_magic_token} { return(TOK_KEY_MAGIC_TOKEN); }
|
||||
{key_info} { return(TOK_KEY_INFO); }
|
||||
{key_pid} { return(TOK_KEY_PID); }
|
||||
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
|
||||
{key_family} { return(TOK_KEY_FAMILY); }
|
||||
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
|
||||
{key_protocol} { return(TOK_KEY_PROTOCOL); }
|
||||
|
||||
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
|
||||
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
|
||||
{syslog_time} { yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_DATE_TIME); }
|
||||
|
||||
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
|
||||
{null_complain} { return(TOK_NULL_COMPLAIN); }
|
||||
{key_image} { BEGIN(sub_id); return(TOK_KEY_IMAGE); }
|
||||
|
||||
<hostname>{
|
||||
{ws}+ { /* eat whitespace */ }
|
||||
{syslog_hostname} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_ID); }
|
||||
}
|
||||
|
||||
<dmesg_timestamp>{
|
||||
{ws}+ { /* eat whitespace */ }
|
||||
{dmesg_timestamp} { yylval->t_str = strdup(yytext); BEGIN(INITIAL); return(TOK_DMESG_STAMP); }
|
||||
. { /* no timestamp in this message */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<other_audit>{
|
||||
{ws}+ { /* eat whitespace */ }
|
||||
{audit} { yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
|
||||
{key_msg} { return(TOK_KEY_MSG); }
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
{colon} { return(TOK_COLON); }
|
||||
. { BEGIN(unknown_message); yyless(0); /* dump the rest */ }
|
||||
}
|
||||
|
||||
<unknown_message>{
|
||||
.* { yylval->t_str = strdup(yytext); return(TOK_MSG_REST); }
|
||||
\n { /* not sure why needed here and not elsewhere */ }
|
||||
}
|
||||
|
||||
%%
|
35
changehat/libapparmor/src/tst_aalogmisc.c
Normal file
35
changehat/libapparmor/src/tst_aalogmisc.c
Normal file
@@ -0,0 +1,35 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include "aalogparse.h"
|
||||
#include "parser.h"
|
||||
|
||||
|
||||
#define MY_TEST(statement, error) \
|
||||
if (!(statement)) { \
|
||||
fprintf(stderr, "FAIL: %s\n", error); \
|
||||
rc = 1; \
|
||||
}
|
||||
|
||||
int main(void)
|
||||
{
|
||||
int rc = 0;
|
||||
char *retstr = NULL;
|
||||
|
||||
retstr = hex_to_string(NULL);
|
||||
MY_TEST(!retstr, "basic NULL test");
|
||||
|
||||
retstr = hex_to_string("2F746D702F646F6573206E6F74206578697374");
|
||||
MY_TEST(retstr, "basic allocation");
|
||||
MY_TEST(strcmp(retstr, "/tmp/does not exist") == 0, "basic dehex 1");
|
||||
|
||||
retstr = hex_to_string("61");
|
||||
MY_TEST(strcmp(retstr, "a") == 0, "basic dehex 2");
|
||||
|
||||
retstr = hex_to_string("");
|
||||
MY_TEST(strcmp(retstr, "") == 0, "empty string");
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
14
changehat/libapparmor/swig/SWIG/libapparmor.i
Normal file
14
changehat/libapparmor/swig/SWIG/libapparmor.i
Normal file
@@ -0,0 +1,14 @@
|
||||
%module LibAppArmor
|
||||
|
||||
%{
|
||||
#include "aalogparse.h"
|
||||
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
|
||||
extern int aa_change_profile(const char *profile, unsigned long magic_token);
|
||||
|
||||
%}
|
||||
|
||||
%include "typemaps.i"
|
||||
%include "aalogparse.h"
|
||||
extern int aa_change_hat(const char *subprofile, unsigned long magic_token);
|
||||
extern int aa_change_profile(const char *profile, unsigned long magic_token);
|
||||
|
9
changehat/libapparmor/swig/perl/Makefile.PL
Normal file
9
changehat/libapparmor/swig/perl/Makefile.PL
Normal file
@@ -0,0 +1,9 @@
|
||||
use ExtUtils::MakeMaker;
|
||||
|
||||
use vars qw($CCFLAGS $OBJECT $VERSION $OPTIMIZE);
|
||||
|
||||
WriteMakefile(
|
||||
'NAME' => 'LibAppArmor',
|
||||
'MAKEFILE' => 'Makefile.perl',
|
||||
'FIRST_MAKEFILE' => 'Makefile.perl',
|
||||
);
|
34
changehat/libapparmor/swig/perl/Makefile.am
Normal file
34
changehat/libapparmor/swig/perl/Makefile.am
Normal file
@@ -0,0 +1,34 @@
|
||||
if HAVE_PERL
|
||||
|
||||
PERL_MAKEFILE = Makefile.perl
|
||||
|
||||
WRAPPER_SOURCES = libapparmor_wrap.c LibAppArmor.pm
|
||||
|
||||
all-local: .build-stamp
|
||||
|
||||
.build-stamp: $(WRAPPER_SOURCES) $(PERL_MAKEFILE)
|
||||
make -f $(PERL_MAKEFILE)
|
||||
touch .build-stamp
|
||||
|
||||
check-local: .build-stamp
|
||||
make -f $(PERL_MAKEFILE) test
|
||||
|
||||
install-exec-local: .build-stamp
|
||||
make -f $(PERL_MAKEFILE) install_vendor
|
||||
|
||||
clean-local: $(PERL_MAKEFILE)
|
||||
make -f $(PERL_MAKEFILE) clean
|
||||
rm -f $(PERL_MAKEFILE).old
|
||||
rm -rf build
|
||||
|
||||
$(PERL_MAKEFILE): Makefile.PL
|
||||
$(PERL) Makefile.PL VERSION="0.1" OBJECT="../../src/.libs/libapparmor.so libapparmor_wrap.o" CCFLAGS="-I../../src -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement" OPTIMIZE="$(CFLAGS) -shared -I$(includedir) -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -Wdeclaration-after-statement"
|
||||
|
||||
|
||||
$(WRAPPER_SOURCES): ../SWIG/*.i
|
||||
$(SWIG) -perl -I../../src -I../SWIG -o libapparmor_wrap.c libapparmor.i
|
||||
|
||||
endif
|
||||
|
||||
EXTRA_DIST = Makefile.PL $(WRAPPER_SOURCES) examples/*.pl
|
||||
|
15
changehat/libapparmor/swig/perl/examples/example.pl
Normal file
15
changehat/libapparmor/swig/perl/examples/example.pl
Normal file
@@ -0,0 +1,15 @@
|
||||
require LibAppArmor;
|
||||
|
||||
$msg = "type=APPARMOR msg=audit(1168662182.495:58): PERMITTING r access to /home/matt/projects/change_hat_test/test (test_hat(27871) profile /home/matt/projects/change_hat_test/test_hat active null-complain-profile)";
|
||||
|
||||
my($test) = AppArmorLogRecordParser::parse_record($msg);
|
||||
|
||||
if (AppArmorLogRecordParser::aa_log_record::swig_event_get($test) == $AppArmorLogRecordParser::AA_RECORD_ALLOWED )
|
||||
{
|
||||
print "AA_RECORD_ALLOWED\n";
|
||||
}
|
||||
|
||||
print "Audit ID: " . AppArmorLogRecordParser::aa_log_record::swig_audit_id_get($test) . "\n";
|
||||
print "PID: " . AppArmorLogRecordParser::aa_log_record::swig_pid_get($test) . "\n";
|
||||
|
||||
AppArmorLogRecordParser::free_record($test);
|
17
changehat/libapparmor/swig/python/Makefile.am
Normal file
17
changehat/libapparmor/swig/python/Makefile.am
Normal file
@@ -0,0 +1,17 @@
|
||||
if HAVE_PYTHON
|
||||
BUILT_SOURCES = libapparmor_wrap.c
|
||||
|
||||
SWIG_SOURCES = ../SWIG/libapparmor.i
|
||||
|
||||
|
||||
pkgpython_PYTHON = LibAppArmor.py
|
||||
pkgpyexec_LTLIBRARIES = _libapparmor.la
|
||||
_libapparmor_la_SOURCES = libapparmor_wrap.c $(SWIG_SOURCES)
|
||||
_libapparmor_la_CPPFLAGS = $(SWIG_PYTHON_CFLAGS) -I$(top_srcdir)/src -I/usr/include/python
|
||||
_libapparmor_la_LDFLAGS = -module
|
||||
_libapparmor_la_LIBADD = ../../src/.libs/libapparmor.so
|
||||
|
||||
libapparmor_wrap.c: $(SWIG_SOURCES)
|
||||
$(SWIG) -python -I$(top_srcdir)/src -o $@ $<
|
||||
|
||||
endif
|
24
changehat/libapparmor/swig/ruby/Makefile.am
Normal file
24
changehat/libapparmor/swig/ruby/Makefile.am
Normal file
@@ -0,0 +1,24 @@
|
||||
if HAVE_RUBY
|
||||
|
||||
RUBY_MAKEFILE = Makefile.ruby
|
||||
|
||||
WRAPPER_FILES = LibAppArmor_wrap.* LibAppArmor.so extension.mak .build-stamp
|
||||
|
||||
BUILT_SOURCES = LibAppArmor_wrap.c
|
||||
|
||||
all-local: .build-stamp
|
||||
|
||||
.build-stamp: LibAppArmor_wrap.c
|
||||
CFLAGS="$(CFLAGS) -I../../src" $(RUBY) extconf.rb build
|
||||
touch .build-stamp
|
||||
|
||||
install-exec-local: .build-stamp
|
||||
make -f $(RUBY_MAKEFILE) install
|
||||
|
||||
LibAppArmor_wrap.c: ../SWIG/*.i
|
||||
$(SWIG) -ruby -I../SWIG -I../../src -o ./LibAppArmor_wrap.c libapparmor.i
|
||||
|
||||
endif
|
||||
|
||||
EXTRA_DIST = extconf.rb $(BUILT_SOURCES) examples/*.rb
|
||||
|
76
changehat/libapparmor/swig/ruby/extconf.rb
Normal file
76
changehat/libapparmor/swig/ruby/extconf.rb
Normal file
@@ -0,0 +1,76 @@
|
||||
require 'mkmf'
|
||||
require 'ftools'
|
||||
|
||||
$CFLAGS += " " + (ENV['CFLAGS'] || "") + (ENV['CXXFLAGS'] || "")
|
||||
$LDFLAGS = "../../src/.libs/libapparmor.so"
|
||||
|
||||
def usage
|
||||
puts <<EOF
|
||||
Usage: ruby extconf.rb command
|
||||
build Build the extension
|
||||
clean Clean the source directory
|
||||
install Install the extention
|
||||
test Test the extension
|
||||
wrap Generate SWIG wrappers
|
||||
EOF
|
||||
exit
|
||||
end
|
||||
|
||||
cmd = ARGV.shift or usage()
|
||||
cmd = cmd.downcase
|
||||
|
||||
usage() unless ['build', 'clean', 'install', 'test', 'wrap'].member? cmd
|
||||
usage() if ARGV.shift
|
||||
|
||||
class Commands
|
||||
def initialize(&block)
|
||||
@block = block
|
||||
end
|
||||
|
||||
def execute
|
||||
@block.call
|
||||
end
|
||||
end
|
||||
|
||||
Build = Commands.new {
|
||||
# I don't think we can tell mkmf to generate a makefile with a different name
|
||||
if File.exists?("Makefile")
|
||||
File.rename("Makefile", "Makefile.old")
|
||||
end
|
||||
create_makefile('LibAppArmor')
|
||||
File.rename("Makefile", "Makefile.ruby")
|
||||
if File.exists?("Makefile.old")
|
||||
File.rename("Makefile.old", "Makefile")
|
||||
end
|
||||
system("make -f Makefile.ruby")
|
||||
}
|
||||
Install = Commands.new {
|
||||
Build.execute
|
||||
if defined? Prefix
|
||||
# strip old prefix and add the new one
|
||||
oldPrefix = Config::CONFIG["prefix"]
|
||||
if defined? Debian
|
||||
archDir = Config::CONFIG["archdir"]
|
||||
libDir = Config::CONFIG["rubylibdir"]
|
||||
else
|
||||
archDir = Config::CONFIG["sitearchdir"]
|
||||
libDir = Config::CONFIG["sitelibdir"]
|
||||
end
|
||||
archDir = Prefix + archDir.gsub(/^#{oldPrefix}/,"")
|
||||
libDir = Prefix + libDir.gsub(/^#{oldPrefix}/,"")
|
||||
else
|
||||
archDir = Config::CONFIG["sitearchdir"]
|
||||
libDir = Config::CONFIG["sitelibdir"]
|
||||
end
|
||||
[archDir,libDir].each { |path| File.makedirs path }
|
||||
binary = 'LibAppArmor.so'
|
||||
File.install "./"+binary, archDir+"/"+binary, 0555, true
|
||||
File.install "./LibAppArmor.so", libDir+"/LibAppArmor.so", 0555, true
|
||||
}
|
||||
|
||||
availableCommands = {
|
||||
"build" => Build,
|
||||
"install" => Install
|
||||
}
|
||||
|
||||
availableCommands[cmd].execute
|
20
changehat/libapparmor/testsuite/Makefile.am
Normal file
20
changehat/libapparmor/testsuite/Makefile.am
Normal file
@@ -0,0 +1,20 @@
|
||||
SUBDIRS = lib config libaalogparse.test
|
||||
PACKAGE = libaalogparse
|
||||
AUTOMAKE_OPTIONS = dejagnu
|
||||
|
||||
INCLUDES = -I. -I$(top_srcdir)/src
|
||||
|
||||
AM_CPPFLAGS = $(DEBUG_FLAGS) -DLOCALEDIR=\"${localedir}\"
|
||||
AM_CFLAGS = -Wall
|
||||
|
||||
noinst_PROGRAMS = test_multi.multi
|
||||
|
||||
test_multi_multi_SOURCES = test_multi.c
|
||||
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
|
||||
test_multi_multi_LDFLAGS = $(LDFLAGS)
|
||||
test_multi_multi_LDADD = ../src/.libs/libapparmor.a
|
||||
|
||||
clean-local:
|
||||
rm -f tmp.err.* tmp.out.* site.exp site.bak
|
||||
|
||||
EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err
|
@@ -0,0 +1,24 @@
|
||||
# Runs all tests with the extention "multi" for several times.
|
||||
# Each testprogram <programname>.multi has an own subdirectory
|
||||
# <programmname> in which several testcases are defined for this program
|
||||
# Each testcase has 3 files:
|
||||
#
|
||||
# <programname>.in
|
||||
# <programname>.out
|
||||
# <programname>.err
|
||||
#
|
||||
# The program "<programname>.multi" will be called with the argument
|
||||
# "<programname>.in". The standard output will be compared with the
|
||||
# files "<programname>.out" and "<programname>.err".
|
||||
# The testcase is successful if the program returns 0 AND the outputs
|
||||
# are identically equal to the files "<programname>.out" and
|
||||
# "<programname>.err".
|
||||
|
||||
if { [catch { set filenames [glob $srcdir/*.multi] } ] } {
|
||||
puts "No .multi files found"
|
||||
} else {
|
||||
# foreach file, call multi-run (from testsuite/lib)
|
||||
|
||||
foreach file $filenames { multi-run $file }
|
||||
}
|
||||
|
171
changehat/libapparmor/testsuite/test_multi.c
Normal file
171
changehat/libapparmor/testsuite/test_multi.c
Normal file
@@ -0,0 +1,171 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include "aalogparse.h"
|
||||
|
||||
int print_results(aa_log_record *record);
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
FILE *testcase;
|
||||
char log_line[1024];
|
||||
aa_log_record *test = NULL;
|
||||
int ret = -1;
|
||||
|
||||
if (argc != 2)
|
||||
{
|
||||
fprintf(stderr, "Usage: test_multi.multi <filename>\n");
|
||||
return(1);
|
||||
}
|
||||
|
||||
printf("START\n");
|
||||
printf("File: %s\n", argv[1]);
|
||||
|
||||
testcase = fopen(argv[1], "r");
|
||||
if (testcase == NULL)
|
||||
{
|
||||
perror("Could not open testcase: ");
|
||||
return(1);
|
||||
}
|
||||
|
||||
if (fgets(log_line, 1023, testcase) == NULL)
|
||||
{
|
||||
fprintf(stderr, "Could not read testcase.\n");
|
||||
fclose(testcase);
|
||||
return(1);
|
||||
}
|
||||
|
||||
fclose(testcase);
|
||||
|
||||
test = parse_record(log_line);
|
||||
|
||||
if (test == NULL)
|
||||
{
|
||||
fprintf(stderr,"Parsing failed.\n");
|
||||
return(1);
|
||||
}
|
||||
ret = print_results(test);
|
||||
free_record(test);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int print_results(aa_log_record *record)
|
||||
{
|
||||
printf("Event type: ");
|
||||
switch(record->event)
|
||||
{
|
||||
case AA_RECORD_ERROR:
|
||||
{
|
||||
printf("AA_RECORD_ERROR\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_INVALID:
|
||||
{
|
||||
printf("AA_RECORD_INVALID\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_AUDIT:
|
||||
{
|
||||
printf("AA_RECORD_AUDIT\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_ALLOWED:
|
||||
{
|
||||
printf("AA_RECORD_ALLOWED\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_DENIED:
|
||||
{
|
||||
printf("AA_RECORD_DENIED\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_HINT:
|
||||
{
|
||||
printf("AA_RECORD_HINT\n");
|
||||
break;
|
||||
}
|
||||
case AA_RECORD_STATUS:
|
||||
{
|
||||
printf("AA_RECORD_STATUS\n");
|
||||
break;
|
||||
}
|
||||
default:
|
||||
{
|
||||
printf("UNKNOWN EVENT TYPE\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (record->audit_id != NULL)
|
||||
{
|
||||
printf("Audit ID: %s\n", record->audit_id);
|
||||
}
|
||||
if (record->operation != NULL)
|
||||
{
|
||||
printf("Operation: %s\n", record->operation);
|
||||
}
|
||||
if (record->requested_mask != NULL)
|
||||
{
|
||||
printf("Mask: %s\n", record->requested_mask);
|
||||
}
|
||||
if (record->denied_mask != NULL)
|
||||
{
|
||||
printf("Denied Mask: %s\n", record->denied_mask);
|
||||
}
|
||||
if (record->profile != NULL)
|
||||
{
|
||||
printf("Profile: %s\n", record->profile);
|
||||
}
|
||||
if (record->name != NULL)
|
||||
{
|
||||
printf("Name: %s\n", record->name);
|
||||
}
|
||||
if (record->name2 != NULL)
|
||||
{
|
||||
printf("Name2: %s\n", record->name2);
|
||||
}
|
||||
if (record->attribute != NULL)
|
||||
{
|
||||
printf("Attribute: %s\n", record->attribute);
|
||||
}
|
||||
if (record->task != 0)
|
||||
{
|
||||
printf("Task: %ld\n", record->task);
|
||||
}
|
||||
if (record->parent != 0)
|
||||
{
|
||||
printf("Parent: %ld\n", record->parent);
|
||||
}
|
||||
if (record->magic_token != 0)
|
||||
{
|
||||
printf("Token: %lu\n", record->magic_token);
|
||||
}
|
||||
if (record->info != NULL)
|
||||
{
|
||||
printf("Info: %s\n", record->info);
|
||||
}
|
||||
if (record->pid != 0)
|
||||
{
|
||||
printf("PID: %ld\n", record->pid);
|
||||
}
|
||||
if (record->active_hat != NULL)
|
||||
{
|
||||
printf("Active hat: %s\n", record->active_hat);
|
||||
}
|
||||
if (record->net_family != NULL)
|
||||
{
|
||||
printf("Network family: %s\n", record->net_family);
|
||||
}
|
||||
if (record->net_sock_type != NULL)
|
||||
{
|
||||
printf("Socket type: %s\n", record->net_sock_type);
|
||||
}
|
||||
if (record->net_protocol != NULL)
|
||||
{
|
||||
printf("Protocol: %s\n", record->net_protocol);
|
||||
}
|
||||
printf("Epoch: %lu\n", record->epoch);
|
||||
printf("Audit subid: %u\n", record->audit_sub_id);
|
||||
return(0);
|
||||
}
|
21
changehat/libapparmor/testsuite/test_multi/testcase1.out
Normal file
21
changehat/libapparmor/testsuite/test_multi/testcase1.out
Normal file
@@ -0,0 +1,21 @@
|
||||
START
|
||||
File: test_multi/testcase1.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1181057184.959:7
|
||||
Operation: exec
|
||||
Mask: rwx
|
||||
Denied Mask: x
|
||||
Profile: /bin/ping
|
||||
Name: /bin/ping
|
||||
Name2: ping2
|
||||
Attribute: attr
|
||||
Task: 1
|
||||
Parent: 1
|
||||
Token: 29493
|
||||
Info: Information
|
||||
PID: 31938
|
||||
Network family: family
|
||||
Socket type: unknown(1234)
|
||||
Protocol: tcp
|
||||
Epoch: 1181057184
|
||||
Audit subid: 7
|
11
changehat/libapparmor/testsuite/test_multi/testcase10.out
Normal file
11
changehat/libapparmor/testsuite/test_multi/testcase10.out
Normal file
@@ -0,0 +1,11 @@
|
||||
START
|
||||
File: test_multi/testcase10.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Audit ID: 1168661976.062:55
|
||||
Operation: clone
|
||||
Profile: /home/matt/projects/change_hat_test/test_hat
|
||||
Task: 38229
|
||||
PID: 27764
|
||||
Active hat: /home/matt/projects/change_hat_test/test_hat
|
||||
Epoch: 1168661976
|
||||
Audit subid: 55
|
@@ -0,0 +1,9 @@
|
||||
START
|
||||
File: test_multi/testcase11.in
|
||||
Event type: AA_RECORD_HINT
|
||||
Audit ID: 1168661976.062:55
|
||||
Operation: clone
|
||||
Task: 38229
|
||||
PID: 27764
|
||||
Epoch: 1168661976
|
||||
Audit subid: 55
|
@@ -1,5 +1,5 @@
|
||||
START
|
||||
File: testcase12.in
|
||||
File: test_multi/testcase12.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1181057184.959:7
|
||||
Operation: exec
|
@@ -1,5 +1,5 @@
|
||||
START
|
||||
File: testcase13.in
|
||||
File: test_multi/testcase13.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1181057184.959:7
|
||||
Operation: exec
|
@@ -1,5 +1,5 @@
|
||||
START
|
||||
File: testcase14.in
|
||||
File: test_multi/testcase14.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1189201672.746:537
|
||||
Operation: file_lock
|
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user