Create a new libapparmor public function that allows external code to
split an AppArmor confinement context.
This is immediately useful for code that retrieves a D-Bus peer's
AppArmor confinement context using the
org.freedesktop.DBus.GetConnectionCredentials bus method.
https://launchpad.net/bugs/1430532
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The correct usage of the terms context and label is not clear in the
aa_getcon(2) man page. The aa_getcon(2) family of functions are also
prototyped incorrectly since the *con parameter represents a label and
not a context.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
The aa_getcon man page only implies that the *mode strings returned by
aa_getprocattr(), aa_gettaskcon(), aa_getcon(), and aa_getpeercon()
should not be freed. A developer using the man page to build against
libapparmor may miss that subtlety and end up hitting double free issues.
This patch makes the man page more clear, makes the function comments
more clear, and changes the aa_getprocattr() *buf param to *con. The use
of *buf should reserved for the aa_get*_raw() functions that do not
allocate a buffer for the confinement context and all documents now
clearly mention that *con must be freed.
Additionally, this patch removes the line wrapping of the
aa_getprocattr_raw() prototype in the aa_getcon man page source. The
line wrapping caused incorrect formatting of the function prototype when
viewing the man page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add aa_getpeercon_raw() to the man page and adjust aa_getpeercon()
prototype to include the new mode parameter.
Also, explain the significance of ERANGE for aa_getpeercon_raw() and fix
a misspelling in the meaning of ERANGE.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
aa_getprocattr is returning the size of the buffer not the size of the
data read that it is supposed to return. Also update the man page to
reflect the return value as documented in the functions, and update
the test cases to check the return value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Steve Beattie <sbeattie@ubuntu.com>
From: Kees Cook <kees@ubuntu.com>
This is a trivial manpage fix that makes pod2man stop yelling at me.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
From: Steve Beattie <sbeattie@ubuntu.com>
This patch adds --stderr to pod2man to make it report errors, as well as
fixes a few other minor text issues I noticed.
Acked-by: Kees Cook <kees@ubuntu.com>
This documentation should have been checked in as part of the patches
that added aa_is_confined and aa_get_con.
Signed-off-by: John Johansen <john.johansen@canonical.com>
