mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
6476 commits 23 branches 109 tags 32 MiB
Commit graph

8 commits

Author SHA1 Message Date
Christian Boltz
02df146f31
Error out on conflicting aa-exec parameters 
If multiple -p/--profile or -n/--namespace parameters are given to
aa-exec, they are handled on a "last one wins" base.

This probably isn't expected behaviour, and erroring out in case of
conflicting parameters probably makes more sense.
 2020-05-21 17:04:40 +02:00
Tyler Hicks
d038eea1be Merge branch 'aa-exec-fixups' into 'master' 
aa-exec fixups

See merge request apparmor/apparmor!129
 2018-05-31 17:51:36 +00:00
Tyler Hicks
95286bb9e7 aa-exec: Clarify ENOENT and EACCES errors when changing profiles 
The aa-exec tool was indicating, in an error message, that a profile
didn't exist in cases where aa_change_profile() failed with errno set to
ENOENT or EACCES. However, the EACCES error means that changing to the
target profile is not allowed. This patch fixes the error message in the
cause of EACCES:

 $ ./aa-exec -p dne -- true
 aa-exec: ERROR: profile 'dne' does not exist

 $ ./aa-exec -p /usr/sbin/tcpdump -- ./aa-exec -p unconfined -- true
 aa-exec: ERROR: insufficient permissions to change to the profile 'unconfined'

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
 2018-05-31 17:37:55 +00:00
Tyler Hicks
652dac0cec aa-exec: Remove extra newline when profile changes fail 
An extra newline was being printed when aa_change_profile() failed and
errno was ENOENT or EACCES.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
 2018-05-31 17:27:00 +00:00
Tyler Hicks
00800cb905 aa-exec: Prepend [PID] to all error, debug, and verbose messages 
Add the pid of the process to the error, debug, and verbose output. This
is useful for debugging.

For example,

 $ aa-exec -v -- whoami
 [30389] exec whoami
 tyhicks

 $ aa-exec -p dne -- true
 [30390] aa-exec: ERROR: profile 'dne' does not exist

 $ aa-exec -d -p unconfined -- true
 [30409] aa-exec: DEBUG: 0 = aa_change_onexec("unconfined")

It can also help when multiple aa-exec invocations are used across a
fork and exec. Here's a contrived example:

 $ aa-exec -v -- \
   sh -c 'aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true'
 [3424] exec sh -c aa-exec -vp /usr/sbin/tcpdump -- aa-exec -p unconfined -- true
 [3425] aa_change_onexec("/usr/sbin/tcpdump")
 [3425] exec aa-exec -p unconfined -- true
 [3425] aa-exec: ERROR: profile 'unconfined' does not exist

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
 2018-05-31 17:04:20 +00:00
Tyler Hicks
b75cbff332 binutils: Add the --namespace option to C based aa-exec 
Switch to the policy in the namespace specified by the --namespace
option.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
 2015-12-17 19:18:37 -06:00
Tyler Hicks
897fa17b0d binutils: Add --immediate option to C based aa-exec 
Call aa_change_profile(), instead of aa_change_onexec(), when
--immediate is passed in.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
 2015-12-17 19:18:12 -06:00
Tyler Hicks
984a696ed3 binutils: Initial implementation of aa-exec in C 
Create a simple aa-exec implementation, written in C, matching the
--help, --debug, --verbose, and --profile options present in the current
Perl implementation.

The new aa-exec sources reside in the binutils/ directory.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
 2015-12-17 19:17:30 -06:00