authorMichael Scherer <misc@zarb.org>2014-02-20 16:19:44 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-21 03:44:20 +0100
commiteef65bf3ee6f73afa4a5de23ae3a794a279f30c0 (patch)
tree366b91cc8b993595fec85469317e1351c98d8ee7 /src/core/execute.c
parent37f78db2f4a33474fc349f406b0a0a48e9c573a2 (diff)
core: Add AppArmor profile switching
This permits switching to a specific AppArmor profile when starting a daemon. It is a no-op if AppArmor is disabled. It also adds a new build requirement on libapparmor for using this feature.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index f8b7521ff9..a328fc265f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -55,6 +55,10 @@
#include <seccomp.h>
#endif
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
+
#include "execute.h"
#include "strv.h"
#include "macro.h"
@@ -77,6 +81,7 @@
#include "async.h"
#include "selinux-util.h"
#include "errno-list.h"
+#include "apparmor-util.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
@@ -1597,6 +1602,16 @@ int exec_spawn(ExecCommand *command,
}
}
#endif
+
+#ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && use_apparmor()) {
+ err = aa_change_onexec(context->apparmor_profile);
+ if (err < 0 && !context->apparmor_profile_ignore) {
+ r = EXIT_APPARMOR_PROFILE;
+ goto fail_child;
+ }
+ }
+#endif
}
err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
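Review bot: The errno from a failed aa_change_onexec() is lost at `err = aa_change_onexec(context->apparmor_profile);` — libapparmor returns -1 and leaves the cause in errno, so if fail_child reports `-err` as an errno (as the neighbouring failure paths appear to), every AppArmor failure would be logged as EPERM instead of the real reason (for example ENOENT for a profile that is not loaded). Capture it before jumping: `if (err < 0) err = -errno;` ahead of the `!context->apparmor_profile_ignore` check. When `apparmor_profile_ignore` is set the failure is entirely silent and the service starts unconfined with nothing in the journal; a `log_warning("Failed to change AppArmor profile to %s, ignoring: %m", context->apparmor_profile);` (or the file's equivalent logging helper) in that branch would make the loss of confinement visible. The same silent skip happens when `use_apparmor()` is false, which the commit message says is intended, so a one-line comment above the block stating that would help the next reader. exec_spawn's body, including the fail_child label, starts and ends outside this hunk.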
@@ -1759,6 +1774,9 @@ void exec_context_done(ExecContext *c) {
free(c->selinux_context);
c->selinux_context = NULL;
+ free(c->apparmor_profile);
+ c->apparmor_profile = NULL;
+
#ifdef HAVE_SECCOMP
set_free(c->syscall_filter);
c->syscall_filter = NULL;
@@ -2188,6 +2206,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f,
"%sSystemCallErrorNumber: %s\n",
prefix, strna(errno_to_name(c->syscall_errno)));
+
+ if (c->apparmor_profile)
+ fprintf(f,
+ "%sAppArmorProfile: %s%s\n",
+ prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
}
void exec_status_start(ExecStatus *s, pid_t pid) {