[systemd-devel] [PATCH 2/2] Add AppArmor profile switching
misc at zarb.org
misc at zarb.org
Fri Jan 3 08:22:43 PST 2014
From: Michael Scherer <misc at zarb.org>
This permit to switch to a specific apparmor profile when starting a daemon. This
will result in a non operation if apparmor is disabled.
---
man/systemd.exec.xml | 12 ++++++++++++
src/core/dbus-execute.c | 1 +
src/core/execute.c | 19 +++++++++++++++++++
src/core/execute.h | 2 ++
src/core/load-fragment-gperf.gperf.m4 | 3 ++-
src/shared/exit-status.c | 3 +++
src/shared/exit-status.h | 3 ++-
7 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 17748d4..250de13 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -931,6 +931,18 @@
</varlistentry>
<varlistentry>
+ <term><varname>AppArmorProfile=</varname></term>
+
+ <listitem><para>Take a profile name as argument.
+ The process executed by the unit will switch to
+ this profile when started. Profiles must already
+ be loaded in the kernel, or the unit will fail.
+ This result in a non operation if AppArmor is not
+ enabled.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>
<listitem><para>Takes a boolean
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index b79a456..df55fd0 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -422,6 +422,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("AppArmorProfile", "s", NULL, offsetof(ExecContext, apparmor_profile), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("IgnoreSIGPIPE", "b", bus_property_get_bool, offsetof(ExecContext, ignore_sigpipe), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("NoNewPrivileges", "b", bus_property_get_bool, offsetof(ExecContext, no_new_privileges), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SystemCallFilter", "au", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST),
diff --git a/src/core/execute.c b/src/core/execute.c
index 6ae9a5e..b0f4cd7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -68,6 +68,7 @@
#include "fileio.h"
#include "unit.h"
#include "async.h"
+#include "apparmor-util.h"
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@@ -1570,6 +1571,16 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
}
+
+ if (context->apparmor_profile) {
+ if (use_apparmor()) {
+ err = switch_apparmor_profile(context->apparmor_profile);
+ if (err < 0) {
+ r = EXIT_APPARMOR;
+ goto fail_child;
+ }
+ }
+ }
}
err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
@@ -1728,6 +1739,9 @@ void exec_context_done(ExecContext *c) {
free(c->utmp_id);
c->utmp_id = NULL;
+ free(c->apparmor_profile);
+ c->apparmor_profile = NULL;
+
free(c->syscall_filter);
c->syscall_filter = NULL;
}
@@ -2096,6 +2110,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f,
"%sUtmpIdentifier: %s\n",
prefix, c->utmp_id);
+
+ if (c->apparmor_profile)
+ fprintf(f,
+ "%sAppArmorProfile: %s\n",
+ prefix, c->apparmor_profile);
}
void exec_status_start(ExecStatus *s, pid_t pid) {
diff --git a/src/core/execute.h b/src/core/execute.h
index 989373f..754f163 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -133,6 +133,8 @@ struct ExecContext {
char *utmp_id;
+ char *apparmor_profile;
+
char **read_write_dirs, **read_only_dirs, **inaccessible_dirs;
unsigned long mount_flags;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index a5033b2..d5d891e 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -75,7 +75,8 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)
$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)
$1.IgnoreSIGPIPE, config_parse_bool, 0, offsetof($1, exec_context.ignore_sigpipe)
-$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)'
+$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)
+$1.AppArmorProfile, config_parse_unit_string_printf, 0, offsetof($1, exec_context.apparmor_profile)'
)m4_dnl
m4_define(`KILL_CONTEXT_CONFIG_ITEMS',
`$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill)
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
index 45131f2..74ea6d7 100644
--- a/src/shared/exit-status.c
+++ b/src/shared/exit-status.c
@@ -130,6 +130,9 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_SECCOMP:
return "SECCOMP";
+
+ case EXIT_APPARMOR:
+ return "APPARMOR";
}
}
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
index 1f035a3..3c9a8ec 100644
--- a/src/shared/exit-status.h
+++ b/src/shared/exit-status.h
@@ -67,7 +67,8 @@ typedef enum ExitStatus {
EXIT_NETWORK,
EXIT_NAMESPACE,
EXIT_NO_NEW_PRIVILEGES,
- EXIT_SECCOMP
+ EXIT_SECCOMP,
+ EXIT_APPARMOR
} ExitStatus;
typedef enum ExitStatusLevel {
--
1.8.4.2
More information about the systemd-devel
mailing list