libapparmor: aa_policy_cache function to preview cache dir path

Add and export aa_policy_cache_dir_path_preview() which allows the parser to know exactly where the policy cache binaries, for the specified aa_policy_cache and aa_features objects, would be stored. This function may be useful to preview the policy cache dir without having sufficient permissions or desires to create a policy cache dir. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-04 08:24:42 +01:00 · 2017-11-02 18:11:32 +00:00 · 2017-11-02 18:11:32 +00:00 · b950c76d66
commit b950c76d66
parent 95912e41bf
4 changed files with 66 additions and 2 deletions
--- a/libraries/libapparmor/doc/aa_policy_cache.pod
+++ b/libraries/libapparmor/doc/aa_policy_cache.pod
@ -36,6 +36,8 @@ aa_policy_cache_replace_all - performs a kernel policy replacement of all cached

 aa_policy_cache_dir_path - returns the path to the aa_policy_cache directory

+aa_policy_cache_dir_path_preview - returns a preview of the path to the aa_policy_cache directory without an existing aa_policy_cache object
+
 =head1 SYNOPSIS

 B<#include E<lt>sys/apparmor.hE<gt>>
@ -54,6 +56,8 @@ B<int aa_policy_cache_replace_all(aa_policy_cache *policy_cache, aa_kernel_inter

 B<char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache);>

+B<char *aa_policy_cache_dir_path_preview(aa_features *kernel_features, int dirfd, const char *path);>
+
 Link with B<-lapparmor> when compiling.

 =head1 DESCRIPTION
@ -115,6 +119,12 @@ aa_policy_cache_remove() and aa_policy_cache_replace_all() return 0 on success.
 aa_policy_cache_dir_path() returns a path string which must be freed by the
 caller. NULL is returned on error, with errnor set appropriately.

+aa_policy_cache_dir_path_preview() is the same as
+aa_policy_cache_dir_path() except that it doesn't require an existing
+I<aa_policy_cache> object. This is useful if the calling program cannot
+create an I<aa_policy_cache> object due to lack of privileges needed to
+create the cache directory.
+
 =head1 ERRORS

 The errno value will be set according to the underlying error in the
@ -123,8 +133,10 @@ I<aa_policy_cache> family of functions that return -1 or NULL on error.
 =head1 NOTES

 All aa_policy_cache functions described above, except for
-aa_policy_cache_dir_path(), are present in libapparmor version 2.10. The
-aa_policy_cache_dir_path() function can be found in libapparmor version 2.12.
+aa_policy_cache_dir_path() and aa_policy_cache_dir_path_preview(), are
+present in libapparmor version 2.10. The aa_policy_cache_dir_path() and
+aa_policy_cache_dir_path_preview() functions can be found in libapparmor
+version 2.12.

 aa_policy_cache_unref() saves the value of errno when called and restores errno
 before exiting in libapparmor version 2.12 and newer.
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@ -193,6 +193,8 @@ extern int aa_policy_cache_remove(int dirfd, const char *path);
 extern int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
 				       aa_kernel_interface *kernel_interface);
 extern char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache);
+extern char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
+					      int dirfd, const char *path);

 #ifdef __cplusplus
 }
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@ -98,6 +98,7 @@ APPARMOR_2.11 {
 APPARMOR_2.12 {
  global:
        aa_policy_cache_dir_path;
+        aa_policy_cache_dir_path_preview;
  local:
        *;
 } APPARMOR_2.11;
--- a/libraries/libapparmor/src/policy_cache.c
+++ b/libraries/libapparmor/src/policy_cache.c
@ -329,3 +329,52 @@ char *aa_policy_cache_dir_path(aa_policy_cache *policy_cache)

 	return path;
 }
+
+/**
+ * aa_policy_cache_dir_path_preview - returns the path to the aa_policy_cache directory
+ * @kernel_features: features representing a kernel (may be NULL if you want to
+ *                   use the features of the currently running kernel)
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
+ * @path: path to the policy cache
+ *
+ * Returns: The path to the policy cache directory on success, NULL on
+ * error with errno set.
+ */
+char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,
+				       int dirfd, const char *path)
+{
+	autofree char *cache_loc = NULL;
+	char *dir_path;
+
+	if (kernel_features) {
+		aa_features_ref(kernel_features);
+	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
+		return NULL;
+	}
+
+	/**
+	 * Leave cache_loc set to NULL if dirfd is AT_FDCWD and handle a
+	 * NULL cache_loc in the asprintf() below
+	 */
+	if (dirfd != AT_FDCWD) {
+		cache_loc = path_from_fd(dirfd);
+		if (!cache_loc) {
+			int save = errno;
+
+			PERROR("Can't return the path to the aa_policy_cache cache location: %m\n");
+			aa_features_unref(kernel_features);
+			errno = save;
+			return NULL;
+		}
+	}
+
+	aa_features_unref(kernel_features);
+
+	if (asprintf(&dir_path, "%s%s%s",
+		     cache_loc ? : "", cache_loc ? "/" : "", path) == -1) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	return dir_path;
+}