
add apparmor support #483

Closed
giampaolo opened this issue May 23, 2014 · 2 comments

Comments

@giampaolo
Owner

From ar...@maven.pl on February 21, 2014 12:24:36

Hi.
Please add apparmor (http://apparmor.wiki.kernel.org/) status reading support 
(at least):

# cat /proc/29752/attr/current 
/usr/sbin/httpd.prefork//HAT_owner_22753 (enforce)

which means that this process is using apparmor profile 
"/usr/sbin/httpd.prefork" and hat "HAT_owner_22753" in enforce mode.

Other possible values of current are, for example:
"unconfined" - so no policy is loaded for the process

"/usr/sbin/httpd.prefork (enforce)" - only profile used, without apparmor 
activated (process can change its hats while running)


That info can be read from /proc or using libapparmor library: 
https://launchpad.net/apparmor/2.8/2.8.3/+download/apparmor-2.8.3.tar.gz

Original issue: http://code.google.com/p/psutil/issues/detail?id=483

@giampaolo
Owner Author

From g.rodola on February 21, 2014 03:34:31

Mmm... I didn't know about this. 
My first impression is that this is too specific to belong in psutil.
Anyway, what API do you think this should have?
According to your example it seems this should return a (file, user) tuple or something.

@giampaolo
Owner Author

From ar...@maven.pl on February 21, 2014 04:04:37

http://manpages.ubuntu.com/manpages/saucy/man2/aa_getcon.2.html and 
aa_gettaskcon is what interests us.

Such code:

#include <stdio.h>
#include <stdlib.h>          /* free() */
#include <sys/types.h>       /* pid_t */
#include <sys/apparmor.h>    /* aa_gettaskcon(), link with -lapparmor */

int main(void) {
        char *con, *mode;
        pid_t i;

        for (i = 0; i < 100000; i++) {
                /* con is allocated by libapparmor; mode points into that
                 * buffer and is NULL for unconfined tasks */
                if (aa_gettaskcon(i, &con, &mode) != -1) {
                        printf("[%s] [%s]\n", con, mode ? mode : "(null)");
                        free(con);   /* one free releases both strings */
                }
        }
        return 0;
}

gets us:

[/usr/sbin/pure-ftpd] [enforce]
[unconfined] [(null)]
[unconfined] [(null)]
[unconfined] [(null)]
[/usr/sbin/httpd.prefork] [enforce]
[/usr/sbin/httpd.prefork//HANDLING_UNTRUSTED_INPUT] [enforce]

so the API for this could be a tuple (context, mode)
(terms from the man page: according to it, it's not file and not profile, it's 
context and mode)

Note, on linux with apparmor disabled (# CONFIG_SECURITY_APPARMOR is not set) 
you can't access that file:

$ LC_ALL=C cat /proc/4393/attr/current 
cat: /proc/4393/attr/current: Invalid argument

AppArmor is part of the upstream Linux kernel, so, well... it's worth considering 
supporting it. Same for SELinux tags.
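The two forms of the data discussed above (the raw text of /proc/<pid>/attr/current in the first comment, and the (context, mode) pair returned by aa_gettaskcon in the third) can be reconciled with a small parser. The following is an added example, not psutil's code and not from libapparmor: it reads the /proc file directly (no C binding), splits it into (context, mode) the way aa_gettaskcon reports it, further splits a context into (profile, hat), and treats the EINVAL that a kernel built without CONFIG_SECURITY_APPARMOR returns as "no AppArmor status" rather than an error. The function and sample names are the example's own; the sample strings are constructed to match the values quoted in the issue.

```python
import errno
from typing import Callable, Dict, Optional, Tuple

# Constructed samples, mirroring the values quoted in the issue.
SAMPLES = [
    "/usr/sbin/httpd.prefork//HAT_owner_22753 (enforce)\n",
    "/usr/sbin/httpd.prefork (enforce)\n",
    "unconfined\n",
]


def parse_attr_current(raw: str) -> Tuple[str, Optional[str]]:
    """Split the text of /proc/<pid>/attr/current into (context, mode).

    Matches the (con, mode) pair of aa_gettaskcon(2): the mode is the
    parenthesised suffix when present ("enforce", "complain"); for an
    unconfined task there is no suffix and mode is None.
    """
    text = raw.rstrip("\n\x00")
    if text.endswith(")"):
        idx = text.rfind(" (")
        if idx != -1:
            return text[:idx], text[idx + 2:-1]
    return text, None


def split_context(context: str) -> Tuple[str, Optional[str]]:
    """Split "profile//hat" into (profile, hat); hat is None if absent."""
    profile, sep, hat = context.partition("//")
    return profile, (hat if sep else None)


def _read_proc_file(path: str) -> str:
    with open(path, "r") as f:
        return f.read()


def apparmor_status(
    pid: int, read_file: Callable[[str], str] = _read_proc_file
) -> Optional[Tuple[str, Optional[str]]]:
    """Return (context, mode) for pid, or None when the kernel has AppArmor
    disabled (read fails with EINVAL, as the issue shows) or the process
    is gone (ENOENT / ESRCH). Other errors, e.g. EACCES, propagate.

    read_file is injectable so the behaviour can be exercised offline.
    """
    path = "/proc/%d/attr/current" % pid
    try:
        raw = read_file(path)
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.ENOENT, errno.ESRCH):
            return None
        raise
    return parse_attr_current(raw)


def confined_processes(
    pids, read_file: Callable[[str], str] = _read_proc_file
) -> Dict[int, Tuple[str, Optional[str]]]:
    """Like the C loop in the issue: map pid -> (context, mode) for every pid
    that has a readable status and is not unconfined."""
    result = {}
    for pid in pids:
        status = apparmor_status(pid, read_file)
        if status is not None and status[0] != "unconfined":
            result[pid] = status
    return result


if __name__ == "__main__":
    for raw in SAMPLES:
        context, mode = parse_attr_current(raw)
        profile, hat = split_context(context)
        print(repr(raw.strip()), "->", (profile, hat, mode))
```

A defender scanning a host for processes that should be confined but are not can use confined_processes over os.listdir("/proc") and compare against the expected set; reading another user's attr/current may fail with EACCES, which is deliberately not swallowed so a scan cannot silently report "unconfined" for processes it could not inspect.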
