From 18c3bc9f4dd9d794e4728a84a1772571d0d8d17f Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Thu, 17 Dec 2015 19:19:23 -0600 Subject: [PATCH] binutils: Replace Perl aa-exec with C aa-exec Remove the Perl aa-exec implementation, move the aa-exec(8) man page to binutils/, and point the regression test to the C based aa-exec in binutils/. Note that the new C aa-exec does not implement the --file option which was present in the Perl aa-exec. It encouraged running programs as root, since root privileges were required to load the specified profile. All other features of the Perl aa-exec are present in the C aa-exec. Signed-off-by: Tyler Hicks Acked-by: John Johansen --- binutils/Makefile | 2 +- {utils => binutils}/aa-exec.pod | 0 tests/regression/apparmor/Makefile | 6 +- tests/regression/apparmor/uservars.inc.source | 2 +- utils/Makefile | 2 +- utils/aa-exec | 122 ------------------ 6 files changed, 6 insertions(+), 128 deletions(-) rename {utils => binutils}/aa-exec.pod (100%) delete mode 100755 utils/aa-exec diff --git a/binutils/Makefile b/binutils/Makefile index 5f6f5403f..70aba452f 100644 --- a/binutils/Makefile +++ b/binutils/Makefile @@ -20,7 +20,7 @@ include $(COMMONDIR)/Make.rules DESTDIR=/ BINDIR=${DESTDIR}/usr/bin LOCALEDIR=/usr/share/locale -MANPAGES=aa-enabled.8 +MANPAGES=aa-enabled.8 aa-exec.8 WARNINGS = -Wall EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter diff --git a/utils/aa-exec.pod b/binutils/aa-exec.pod similarity index 100% rename from utils/aa-exec.pod rename to binutils/aa-exec.pod diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile index d0e4b3547..892f1c5c8 100644 --- a/tests/regression/apparmor/Makefile +++ b/tests/regression/apparmor/Makefile 
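Review bot: The man page added to `MANPAGES` in the binutils/Makefile hunk may still describe `--file`, which the commit message says the C aa-exec does not implement. aa-exec.pod is moved with `similarity index 100%`, so its text is unchanged by this commit, and the deleted Perl usage text lists `-f FILE, --file FILE`. The pod's content is not visible here; if it documents that option, the installed aa-exec.8 will advertise a flag the new binary does not accept. Consider dropping the `--file` entry from binutils/aa-exec.pod in this change and adding a sentence such as `The --file option of the Perl aa-exec is not supported; load the profile with apparmor_parser before running aa-exec.`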
@@ -52,12 +52,12 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\ ************************************************************************${nl}) endif - UTILS_SRC := ../../../utils - AA_EXEC = $(UTILS_SRC)/aa-exec + BINUTILS_SRC := ../../../binutils + AA_EXEC = $(BINUTILS_SRC)/aa-exec ifeq ($(realpath $(AA_EXEC)),) AA_EXEC_ERROR_MESSAGE = $(error ${nl}\ ************************************************************************${nl}\ -$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\ +$(AA_EXEC) is missing; either build the $(BINUTILS_SRC) directory${nl}\ and then try again (see the top-level README for help) or use the${nl}\ system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\ ************************************************************************${nl}) diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source index aff53d2d0..198df439f 100644 --- a/tests/regression/apparmor/uservars.inc.source +++ b/tests/regression/apparmor/uservars.inc.source @@ -14,4 +14,4 @@ tmpdir=/tmp/sdtest.$$-$RANDOM sys_profiles=/sys/kernel/security/apparmor/profiles # 5. Location of aa-exec -aa_exec=${PWD}/../../../utils/aa-exec +aa_exec=${PWD}/../../../binutils/aa-exec diff --git a/utils/Makefile b/utils/Makefile index 47622622b..acfddbaec 100644 --- a/utils/Makefile +++ b/utils/Makefile @@ -20,7 +20,7 @@ COMMONDIR=../common/ include $(COMMONDIR)/Make.rules -PERLTOOLS = aa-exec aa-notify +PERLTOOLS = aa-notify PYTOOLS = aa-easyprof aa-genprof aa-logprof aa-cleanprof aa-mergeprof \ aa-autodep aa-audit aa-complain aa-enforce aa-disable \ aa-status aa-unconfined diff --git a/utils/aa-exec b/utils/aa-exec deleted file mode 100755 index 23bd3aca3..000000000 --- a/utils/aa-exec +++ /dev/null 
@@ -1,122 +0,0 @@
-#!/usr/bin/perl
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2011-2013 Canonical Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-
-use strict;
-use warnings;
-use Errno;
-
-require LibAppArmor;
-require POSIX;
-
-my $opt_d = '';
-my $opt_h = '';
-my $opt_p = '';
-my $opt_n = '';
-my $opt_i = '';
-my $opt_v = '';
-my $opt_f = '';
-
-sub _warn {
- my $msg = $_[0];
- print STDERR "aa-exec: WARN: $msg\n";
-}
-sub _error {
- my $msg = $_[0];
- print STDERR "aa-exec: ERROR: $msg\n";
- exit 1
-}
-
-sub _debug {
- $opt_d or return;
- my $msg = $_[0];
- print STDERR "aa-exec: DEBUG: $msg\n";
-}
-
-sub _verbose {
- $opt_v or return;
- my $msg = $_[0];
- print STDERR "$msg\n";
-}
-
-sub usage() {
- my $s = <<'EOF';
-USAGE: aa-exec [OPTIONS]
-
-Confine with the specified PROFILE.
-
-OPTIONS:
- -p PROFILE, --profile=PROFILE PROFILE to confine with
- -n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine in
- -f FILE, --file FILE profile file to load
- -i, --immediate change profile immediately instead of at exec
- -v, --verbose show messages with stats
- -h, --help display this help
-
-EOF
- print $s;
-}
-
-use Getopt::Long;
-
-GetOptions(
- 'debug|d' => \$opt_d,
- 'help|h' => \$opt_h,
- 'profile|p=s' => \$opt_p,
- 'namespace|n=s' => \$opt_n,
- 'file|f=s' => \$opt_f,
- 'immediate|i' => \$opt_i,
- 'verbose|v' => \$opt_v,
-);
-
-if ($opt_h) {
- usage();
- exit(0);
-}
-
-if ($opt_n || $opt_p) {
- my $test;
- my $prof;
-
- if ($opt_n) {
- $prof = ":$opt_n:";
- }
-
- $prof .= $opt_p;
-
- if ($opt_f) {
- system("apparmor_parser", "-r", "$opt_f") == 0
- or _error("\'aborting could not load $opt_f\'");
- }
-
- if ($opt_i) {
- _verbose("aa_change_profile(\"$prof\")");
- $test = LibAppArmor::aa_change_profile($prof);
- _debug("$test = aa_change_profile(\"$prof\"); $!");
- } else {
- _verbose("aa_change_onexec(\"$prof\")");
- $test = LibAppArmor::aa_change_onexec($prof);
- _debug("$test = aa_change_onexec(\"$prof\"); $!");
- }
-
- if ($test != 0) {
- if ($!{ENOENT} || $!{EACCESS}) {
- my $pre = ($opt_p) ? "profile" : "namespace";
- _error("$pre \'$prof\' does not exist\n");
- } elsif ($!{EINVAL}) {
- _error("AppArmor interface not available\n");
- } else {
- _error("$!\n");
- }
- }
-}
-
-_verbose("exec @ARGV");
-exec @ARGV;