libapparmor: Implement aa_stack_profile and aa_stack_onexec

Based on the existing implementations of aa_change_profile(2) and
aa_change_onexec(2).

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>

libraries/libapparmor/include/sys/apparmor.h

@@ -78,6 +78,8 @@ extern int aa_change_onexec(const char *profile);
 
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
 
 extern char *aa_splitcon(char *con, char **mode);
 /* Protypes for introspecting task confinement

libraries/libapparmor/src/kernel.c

@@ -594,6 +594,48 @@ int (aa_change_hat_vargs)(unsigned long token, int nhats, ...)
 	return aa_change_hatv(argv, token);
 }
 
+int aa_stack_profile(const char *profile)
+{
+	char *buf = NULL;
+	int len;
+	int rc;
+
+	if (!profile) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	len = asprintf(&buf, "stack %s", profile);
+	if (len < 0)
+		return -1;
+
+	rc = setprocattr(aa_gettid(), "current", buf, len);
+
+	free(buf);
+	return rc;
+}
+
+int aa_stack_onexec(const char *profile)
+{
+	char *buf = NULL;
+	int len;
+	int rc;
+
+	if (!profile) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	len = asprintf(&buf, "stack %s", profile);
+	if (len < 0)
+		return -1;
+
+	rc = setprocattr(aa_gettid(), "exec", buf, len);
+
+	free(buf);
+	return rc;
+}
+
 /**
  * aa_gettaskcon - get the confinement context for task @target in an allocated buffer
  * @target: task to query

libraries/libapparmor/src/libapparmor.map

@@ -87,6 +87,14 @@ APPARMOR_2.10 {
         *;
 } APPARMOR_2.9;
 
+APPARMOR_2.11 {
+  global:
+        aa_stack_profile;
+        aa_stack_onexec;
+  local:
+        *;
+} APPARMOR_2.10;
+
 PRIVATE {
 	global:
 		_aa_is_blacklisted;

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -48,6 +48,8 @@ extern int aa_change_profile(const char *profile);
 extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int aa_change_hat_vargs(unsigned long token, int count, ...);
+extern int aa_stack_profile(const char *profile);
+extern int aa_stack_onexec(const char *profile);
 extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 			      char **mode);
 extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);