From 850f22473e77b58e2a64578bc8c1361b4fd3b6be Mon Sep 17 00:00:00 2001 From: Zygmunt Krynicki Date: Wed, 30 Nov 2016 10:49:15 +0100 Subject: [PATCH] Use aa_is_enabled() to determine if apparmor is enabled This patch changes the apparmor support initialization routine to first call aa_is_enabled(). The rest of the code is tweaked for readability. Signed-off-by: Zygmunt Krynicki --- src/apparmor-support.c | 49 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 43 insertions(+), 6 deletions(-) diff --git a/src/apparmor-support.c b/src/apparmor-support.c index 184a708..e325e7a 100644 --- a/src/apparmor-support.c +++ b/src/apparmor-support.c @@ -22,6 +22,7 @@ #include "apparmor-support.h" #include +#include #ifdef HAVE_APPARMOR #include #endif // ifdef HAVE_APPARMOR @@ -39,18 +40,54 @@ void sc_init_apparmor_support(struct sc_apparmor *apparmor) { #ifdef HAVE_APPARMOR + // Use aa_is_enabled() to see if apparmor is available in the kernel and + // enabled at boot time. If it isn't log a diagnostic message and assume + // we're not confined. + if (aa_is_enabled() != true) { + switch (errno) { + case ENOSYS: + debug + ("apparmor extensions to the system are not available"); + break; + case ECANCELED: + debug + ("apparmor is available on the system but has been disabled at boot"); + break; + case ENOENT: + debug + ("apparmor is available but the interface but the interface is not available"); + case EPERM: + // NOTE: fall-through + case EACCES: + debug + ("insufficient permissions to determine if apparmor is enabled"); + break; + default: + debug("apparmor is not enabled: %s", strerror(errno)); + break; + } + apparmor->is_confined = false; + apparmor->mode = SC_AA_NOT_APPLICABLE; + return; + } + // Use aa_getcon() to check the label of the current process and + // confinement type. Note that the returned label must be released with + // free() but the mode is a constant string that must not be freed. char *label __attribute__ ((cleanup(sc_cleanup_string))) = NULL; - char *mode = NULL; // mode cannot be free'd + char *mode = NULL; if (aa_getcon(&label, &mode) < 0) { die("cannot query current apparmor profile"); } - // Look at label, if it is non empty then we are confined. - if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) != 0) { - apparmor->is_confined = true; - } else { + // The label has a special value "unconfined" that is applied to all + // processes without a dedicated profile. If that label is used then the + // current process is not confined. All other labels imply confinement. + if (label != NULL && strcmp(label, SC_AA_UNCONFINED_STR) == 0) { apparmor->is_confined = false; + } else { + apparmor->is_confined = true; } - // Look at mode, it must be one of the well known strings. + // There are several possible results for the confinement type (mode) that + // are checked for below. if (mode != NULL && strcmp(mode, SC_AA_COMPLAIN_STR) == 0) { apparmor->mode = SC_AA_COMPLAIN; } else if (mode != NULL && strcmp(mode, SC_AA_ENFORCE_STR) == 0) {