
Member "sudo-1.9.11p3/src/apparmor.c" (12 Jun 2022, 3353 Bytes) of package /linux/misc/sudo-1.9.11p3.tar.gz:



    1 /*
    2  * SPDX-License-Identifier: ISC
    3  *
    4  * Copyright (c) 2022 Will Shand <wss2ec@virginia.edu>
    5  *
    6  * Permission to use, copy, modify, and distribute this software for any
    7  * purpose with or without fee is hereby granted, provided that the above
    8  * copyright notice and this permission notice appear in all copies.
    9  *
   10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   17  */
   18 
   19 #include <config.h>
   20 
   21 #ifdef HAVE_APPARMOR
   22 
   23 # include <stdio.h>
   24 # include <stdlib.h>
   25 # include <sys/apparmor.h>
   26 
   27 # include "sudo.h"
   28 # include "sudo_debug.h"
   29 
/**
 * @brief Report whether the kernel says AppArmor is enabled.
 *
 * The answer comes from the first byte of
 * /sys/module/apparmor/parameters/enabled: 'Y' means enabled.
 * As the original author notes, this is preferred over aa_is_enabled(2),
 * whose extra securityfs check fails where securityfs is unavailable
 * (e.g. inside a container).
 *
 * @return 1 if the first byte of the file is 'Y'; 0 if it is anything
 *         else or if the file cannot be opened.
 *
 * @note A return of 0 does not distinguish "AppArmor is disabled" from
 *       "the sysfs file could not be read". Callers that must enforce a
 *       profile should not treat 0 as proof that confinement is
 *       unnecessary.
 */
int
apparmor_is_enabled(void)
{
    FILE *fp;
    int enabled = 0;
    debug_decl(apparmor_is_enabled, SUDO_DEBUG_APPARMOR);

    fp = fopen("/sys/module/apparmor/parameters/enabled", "r");
    if (fp != NULL) {
        /* Only the first character is inspected; the rest is ignored. */
        if (fgetc(fp) == 'Y')
            enabled = 1;
        fclose(fp);
    }

    debug_return_int(enabled);
}
   61 
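/**
 * @brief Prepare to transition into a new AppArmor profile.
 *
 * Queries the current confinement with aa_getcon() (used only for the
 * debug log), then asks AppArmor via aa_change_onexec() to switch to
 * @p new_profile on the next exec. Nothing changes for the running
 * process; the transition is only armed.
 *
 * @param new_profile The AppArmor profile to transition into on the
 *                    next exec. It is passed to aa_change_onexec()
 *                    as-is; a NULL value is only substituted with "?"
 *                    in log and warning messages.
 *
 * @return 0 on success, and a nonzero value on failure (the value
 *         returned by the failing libapparmor call).
 *
 * @note On a nonzero return the profile change has not been armed.
 *       NOTE(review): the caller presumably refuses to exec the command
 *       in that case rather than running it under the old confinement;
 *       confirm at the call site.
 */
int
apparmor_prepare(const char *new_profile)
{
    int ret;
    /* Initialized so the cleanup path never sees an indeterminate pointer. */
    char *mode = NULL, *old_profile = NULL;
    /* Printable name: passing NULL to a %s conversion is undefined. */
    const char *shown_profile = new_profile ? new_profile : "?";
    debug_decl(apparmor_prepare, SUDO_DEBUG_APPARMOR);

    /* Determine the current AppArmor confinement status */
    if ((ret = aa_getcon(&old_profile, &mode)) == -1) {
        sudo_warn("%s", U_("failed to determine AppArmor confinement"));
        /* Do not trust whatever a failed call left behind. */
        old_profile = NULL;
        goto done;
    }

    /* Tell AppArmor to transition into the new profile on the
     * next exec */
    if ((ret = aa_change_onexec(new_profile)) != 0) {
        /* Same NULL guard as the debug messages below. */
        sudo_warn(U_("unable to change AppArmor profile to %s"),
            shown_profile);
        goto done;
    }

    if (mode == NULL)
        sudo_debug_printf(SUDO_DEBUG_INFO,
                "%s: changing AppArmor profile: %s -> %s", __func__,
                old_profile, shown_profile
                );
    else
        sudo_debug_printf(SUDO_DEBUG_INFO,
                "%s: changing AppArmor profile: %s (%s) -> %s", __func__,
                old_profile, mode, shown_profile
                );

done:
    /* The profile string returned by aa_getcon must be free'd, while the
     * mode string must _not_ be free'd. free(NULL) is a no-op, so no
     * guard is needed. */
    free(old_profile);

    debug_return_int(ret);
}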
  110 
  111 #endif /* HAVE_APPARMOR */