[systemd-devel] [PATCH 1/2] Add switch_apparmor_profile helper, to switch the profile of the next command to run. This can be used to load a custom apparmor profile for a unit.
Michael Scherer
misc at zarb.org
Mon Jan 6 02:41:33 PST 2014
On Monday 06 January 2014 at 03:20 +0100, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Jan 03, 2014 at 05:22:42PM +0100, misc at zarb.org wrote:
> > From: Michael Scherer <misc at zarb.org>
> >
> > ---
> > src/shared/apparmor-util.c | 15 +++++++++++++++
> > src/shared/apparmor-util.h | 1 +
> > 2 files changed, 16 insertions(+)
> >
> > diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
> > index 2b85da1..a75bec4 100644
> > --- a/src/shared/apparmor-util.c
> > +++ b/src/shared/apparmor-util.c
> > @@ -39,3 +39,18 @@ bool use_apparmor(void) {
> >
> > return use_apparmor_cached;
> > }
> > +
> > +int switch_apparmor_profile(const char * profile) {
> > + _cleanup_free_ char *filename = NULL;
> > + _cleanup_fclose_ FILE *proc = NULL;
> > +
> > + if (asprintf (&filename, "/proc/%d/attr/exec", getpid()) <0)
> > + return -ENOMEM;
> > +
> > + proc = fopen (filename, "w");
> > + if (! proc)
> > + return -errno;
> > +
> > + fprintf (proc, "exec %s\n", profile);
> > + return 0;
> > +}
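Review bot: the return value of fprintf() in the new switch_apparmor_profile() is discarded and the stream is only flushed and closed by _cleanup_fclose_ on return, so when the kernel rejects the profile (the write to /proc/<pid>/attr/exec failing) the function still returns 0 and the caller goes on to exec unconfined. Check the result of fprintf()/fflush() (or do a single write(2)) and return -errno on failure; /proc/self/attr/exec would also remove the need for the asprintf() with getpid().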
> This should be something like
>
> int apparmor_switch_profile(const char *profile) {
>         char *p, *t;
>
>         p = procfs_file_alloca(0, "attr/exec");
>         t = strappenda("exec ", profile);
>
>         return write_string_file(p, t);
> }
>
> Totally untested, but there's no unnecessary malloc, and there's
> a meaningful error returned if the thing most likely to fail, i.e. the
> write, actually fails.
>
I rewrote this part using libapparmor, so the new patch is simpler
(I haven't sent it yet; I am adding support for ignoring with '-' and
doing a few more tests), so please do not merge this one :).
I will also look at adding a test, but this requires kernel support to
work (but I can test that this is a no-op).
--
Michael Scherer
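As an added illustration of the point raised in this thread (this is example code written here, not the patch above, systemd's code, or libapparmor): the profile switch is a single write of "exec <profile>" to /proc/self/attr/exec, and the only thing that can reasonably fail is that write, so its result must reach the caller. The helper names build_exec_attr(), write_attr_file() and apparmor_switch_profile() are this example's own; the path parameter on write_attr_file() is an assumption made so the same code can be exercised against a regular file on a host without AppArmor.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build the command the AppArmor attr interface expects, "exec <profile>\n",
 * into buf. Returns 0, -EINVAL for a missing or empty profile, or
 * -ENAMETOOLONG if the command would not fit in buf. */
int build_exec_attr(const char *profile, char *buf, size_t buflen) {
    int n;

    if (!profile || !*profile)
        return -EINVAL;

    n = snprintf(buf, buflen, "exec %s\n", profile);
    if (n < 0)
        return -EINVAL;
    if ((size_t) n >= buflen)
        return -ENAMETOOLONG;
    return 0;
}

/* Write the command to `path` with one write(2) and report every failure as
 * -errno, including the kernel's rejection of an unknown profile. Taking the
 * path as a parameter is this example's assumption, so the function can be
 * tested against a plain file where no AppArmor kernel is available. */
int write_attr_file(const char *path, const char *profile) {
    char buf[256];
    int fd, r;
    size_t len;
    ssize_t w;

    r = build_exec_attr(profile, buf, sizeof buf);
    if (r < 0)
        return r;
    len = strlen(buf);

    fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;

    w = write(fd, buf, len);
    if (w < 0) {
        r = -errno;          /* the interesting error: kernel refused the profile */
        close(fd);
        return r;
    }
    if ((size_t) w != len) {
        /* procfs attr files take the whole command in one write; a short
         * write means the transition was not recorded */
        close(fd);
        return -EIO;
    }
    if (close(fd) < 0)
        return -errno;
    return 0;
}

/* The helper the patch wants, with the error path kept: mark the calling
 * process so that its next execve() transitions to `profile`. */
int apparmor_switch_profile(const char *profile) {
    return write_attr_file("/proc/self/attr/exec", profile);
}

/* Stand-alone use: <profile> <command>; succeeds only on a kernel with
 * AppArmor enabled and the profile loaded. */
int main(int argc, char **argv) {
    int r;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <profile> <command>\n", argv[0]);
        return 1;
    }
    r = apparmor_switch_profile(argv[1]);
    if (r < 0) {
        fprintf(stderr, "cannot set exec profile '%s': %s\n", argv[1], strerror(-r));
        return 1;
    }
    execlp(argv[2], argv[2], (char *) NULL);
    perror("execlp");
    return 1;
}
```

On a host without AppArmor the write to /proc/self/attr/exec fails and the program refuses to exec, which is the behaviour a unit with a mandated profile should have; the original patch would have returned 0 and run the command unconfined.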