Use aa_is_enabled() to determine if apparmor is enabled

This patch changes the apparmor support initialization routine to first call aa_is_enabled(). The rest of the code is tweaked for readability. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
snapcore · Nov 30, 2016 · 850f224 · 850f224
1 parent dcac388
commit 850f224
Showing 1 changed file with 43 additions and 6 deletions.
diff --git a/src/apparmor-support.c b/src/apparmor-support.c
@@ -22,6 +22,7 @@
 #include "apparmor-support.h"
 
 #include <string.h>
+#include <errno.h>
 #ifdef HAVE_APPARMOR
 #include <sys/apparmor.h>
 #endif				// ifdef HAVE_APPARMOR
@@ -39,18 +40,54 @@
 void sc_init_apparmor_support(struct sc_apparmor *apparmor)
 {
 #ifdef HAVE_APPARMOR
+	// Use aa_is_enabled() to see if apparmor is available in the kernel and
+	// enabled at boot time. If it isn't log a diagnostic message and assume
+	// we're not confined.
+	if (aa_is_enabled() != true) {
+		switch (errno) {
+		case ENOSYS:
+			debug
+			    ("apparmor extensions to the system are not available");
+			break;
+		case ECANCELED:
+			debug
+			    ("apparmor is available on the system but has been disabled at boot");
+			break;
+		case ENOENT:
+			debug
+			    ("apparmor is available but the interface but the interface is not available");
+		case EPERM:
+			// NOTE: fall-through
+		case EACCES:
+			debug
+			    ("insufficient permissions to determine if apparmor is enabled");
+			break;
+		default:
+			debug("apparmor is not enabled: %s", strerror(errno));
+			break;
+		}
+		apparmor->is_confined = false;
+		apparmor->mode = SC_AA_NOT_APPLICABLE;
+		return;
+	}
+	// Use aa_getcon() to check the label of the current process and
+	// confinement type. Note that the returned label must be released with
+	// free() but the mode is a constant string that must not be freed.
 	char *label __attribute__ ((cleanup(sc_cleanup_string))) = NULL;
-	char *mode = NULL;	// mode cannot be free'd
+	char *mode = NULL;
 	if (aa_getcon(&label, &mode) < 0) {
 		die("cannot query current apparmor profile");
 	}
-	// Look at label, if it is non empty then we are confined. 
-	if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) != 0) {
-		apparmor->is_confined = true;
-	} else {
+	// The label has a special value "unconfined" that is applied to all
+	// processes without a dedicated profile. If that label is used then the
+	// current process is not confined. All other labels imply confinement.
+	if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) {
 		apparmor->is_confined = false;
+	} else {
+		apparmor->is_confined = true;
 	}
-	// Look at mode, it must be one of the well known strings.
+	// There are several possible results for the confinement type (mode) that
+	// are checked for below.
 	if (mode != NULL && strcmp(mode, SC_AA_COMPLAIN_STR) == 0) {
 		apparmor->mode = SC_AA_COMPLAIN;
 	} else if (mode != NULL && strcmp(mode, SC_AA_ENFORCE_STR) == 0) {