Member "sudo-1.9.11p3/src/apparmor.c" (12 Jun 2022, 3353 Bytes) of package /linux/misc/sudo-1.9.11p3.tar.gz:
1 /*
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (c) 2022 Will Shand <wss2ec@virginia.edu>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <config.h>
20
21 #ifdef HAVE_APPARMOR
22
23 # include <stdio.h>
24 # include <stdlib.h>
25 # include <sys/apparmor.h>
26
27 # include "sudo.h"
28 # include "sudo_debug.h"
29
/**
 * @brief Report whether the kernel has AppArmor switched on.
 *
 * The answer comes from the module parameter file
 * /sys/module/apparmor/parameters/enabled rather than from
 * aa_is_enabled(2): the latter also probes securityfs, and that probe
 * fails where securityfs is not available (e.g. inside a container).
 *
 * Only the first byte of the file is inspected.  A file that cannot be
 * opened is reported as "not enabled", so the caller cannot tell
 * "disabled" apart from "unreadable".
 *
 * @return 1 if the file could be opened and starts with 'Y', 0 otherwise.
 */
int
apparmor_is_enabled(void)
{
    static const char enabled_path[] =
        "/sys/module/apparmor/parameters/enabled";
    FILE *fp;
    int enabled = 0;
    debug_decl(apparmor_is_enabled, SUDO_DEBUG_APPARMOR);

    if ((fp = fopen(enabled_path, "r")) != NULL) {
        /* fgetc() yields EOF on an empty file or read error, which is != 'Y'. */
        enabled = (fgetc(fp) == 'Y');
        fclose(fp);
    }

    debug_return_int(enabled);
}
61
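/**
 * @brief Prepare to transition into a new AppArmor profile.
 *
 * Looks up the current confinement with aa_getcon() and then asks
 * AppArmor, via aa_change_onexec(), to switch to new_profile on the
 * next exec.  The old and new profile names are written to the debug log.
 *
 * @param new_profile The AppArmor profile to transition into on the
 *                    next exec.
 *
 * @return 0 on success, and a nonzero value on failure (-1 when the
 *         current confinement cannot be determined, otherwise the
 *         result of aa_change_onexec()).
 *
 * NOTE(review): a nonzero return means the profile change was not set
 * up; the caller presumably has to refuse to exec the command rather
 * than run it without the requested profile -- confirm at the call site.
 */
int
apparmor_prepare(const char *new_profile)
{
    int ret;
    char *mode = NULL, *old_profile = NULL;
    debug_decl(apparmor_prepare, SUDO_DEBUG_APPARMOR);

    /* Determine the current AppArmor confinement status */
    if ((ret = aa_getcon(&old_profile, &mode)) == -1) {
        sudo_warn("%s", U_("failed to determine AppArmor confinement"));
        /* Don't free whatever aa_getcon may have left behind on failure. */
        old_profile = NULL;
        goto done;
    }

    /* Tell AppArmor to transition into the new profile on the
     * next exec */
    if ((ret = aa_change_onexec(new_profile)) != 0) {
        /* Guard the %s argument the same way the debug messages below do;
         * passing NULL for %s is undefined behavior. */
        sudo_warn(U_("unable to change AppArmor profile to %s"),
            new_profile ? new_profile : "?");
        goto done;
    }

    if (mode == NULL)
        sudo_debug_printf(SUDO_DEBUG_INFO,
            "%s: changing AppArmor profile: %s -> %s", __func__,
            old_profile, new_profile ? new_profile : "?"
        );
    else
        sudo_debug_printf(SUDO_DEBUG_INFO,
            "%s: changing AppArmor profile: %s (%s) -> %s", __func__,
            old_profile, mode, new_profile ? new_profile : "?"
        );

done:
    /* The profile string returned by aa_getcon must be free'd, while the
     * mode string must _not_ be free'd.  free(NULL) is a no-op, so no
     * guard is needed. */
    free(old_profile);

    debug_return_int(ret);
}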
110
111 #endif /* HAVE_APPARMOR */