core: Add AppArmor profile switching

This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
author: Michael Scherer <misc@zarb.org> 2014-02-20 16:19:44 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-21 03:44:20 +0100
commit: eef65bf3ee6f73afa4a5de23ae3a794a279f30c0 (patch)
tree: 366b91cc8b993595fec85469317e1351c98d8ee7 /src/core/execute.c
parent: 37f78db2f4a33474fc349f406b0a0a48e9c573a2 (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index f8b7521ff9..a328fc265f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -55,6 +55,10 @@
 #include <seccomp.h>
 #endif
 
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
+
 #include "execute.h"
 #include "strv.h"
 #include "macro.h"
@@ -77,6 +81,7 @@
 #include "async.h"
 #include "selinux-util.h"
 #include "errno-list.h"
+#include "apparmor-util.h"
 
 #ifdef HAVE_SECCOMP
 #include "seccomp-util.h"
@@ -1597,6 +1602,16 @@ int exec_spawn(ExecCommand *command,
                                 }
                         }
 #endif
+
+#ifdef HAVE_APPARMOR
+                        if (context->apparmor_profile && use_apparmor()) {
+                                err = aa_change_onexec(context->apparmor_profile);
+                                if (err < 0 && !context->apparmor_profile_ignore) {
+                                        r = EXIT_APPARMOR_PROFILE;
+                                        goto fail_child;
+                                }
+                        }
+#endif
                 }
 
                 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
@@ -1759,6 +1774,9 @@ void exec_context_done(ExecContext *c) {
         free(c->selinux_context);
         c->selinux_context = NULL;
 
+        free(c->apparmor_profile);
+        c->apparmor_profile = NULL;
+
 #ifdef HAVE_SECCOMP
         set_free(c->syscall_filter);
         c->syscall_filter = NULL;
@@ -2188,6 +2206,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 fprintf(f,
                         "%sSystemCallErrorNumber: %s\n",
                         prefix, strna(errno_to_name(c->syscall_errno)));
+
+        if (c->apparmor_profile)
+                fprintf(f,
+                        "%sAppArmorProfile: %s%s\n",
+                        prefix, c->apparmor_profile_ignore ? "-" : "", c->apparmor_profile);
 }
 
 void exec_status_start(ExecStatus *s, pid_t pid) {
author	Michael Scherer <misc@zarb.org>	2014-02-20 16:19:44 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-02-21 03:44:20 +0100
commit	eef65bf3ee6f73afa4a5de23ae3a794a279f30c0 (patch)
tree	366b91cc8b993595fec85469317e1351c98d8ee7 /src/core/execute.c
parent	37f78db2f4a33474fc349f406b0a0a48e9c573a2 (diff)