Merge lp:~kees/procenv/add-apparmor into lp:procenv

Proposed by Kees Cook
Status: Merged
Merged at revision: 12
Proposed branch: lp:~kees/procenv/add-apparmor
Merge into: lp:procenv
Diff against target: 203 lines (+85/-16)
6 files modified
Makefile.am (+1/-1)
configure.ac (+3/-0)
reconf (+1/-0)
src/Makefile.am (+3/-0)
src/procenv.c (+69/-14)
src/procenv.h (+8/-1)
To merge this branch: bzr merge lp:~kees/procenv/add-apparmor
Reviewer Review Type Date Requested Status
James Hunt Pending
Review via email: mp+132176@code.launchpad.net

Description of the change

  Add support for AppArmor

  This fixes the name of the LSM context (it is not exclusive to SELinux),
  and attempts to report the name of the running LSM.

  (Also cleans up whitespace in src/Makefile.am and adds missing mkdir in
  reconf.)

lp:~kees/procenv/add-apparmor updated
12. By Kees Cook

Add missing capabilities details

This adds the securebits and KEEPCAPS settings to the capabilities report.

Preview Diff

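--- a/Makefile.am
+++ b/Makefile.am
@@ -3,4 +3,4 @@
 
 ACLOCAL_AMFLAGS = -I m4
 
-EXTRA_DIST = m4/ChangeLog man/procenv.1
+EXTRA_DIST = m4/ChangeLog man/procenv.1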
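--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,9 @@
 AC_SEARCH_LIBS([getpidcon], [selinux], [HAVE_SELINUX=true])
 AM_CONDITIONAL([HAVE_SELINUX], [test x$HAVE_SELINUX = xtrue])
 
+AC_SEARCH_LIBS([aa_gettaskcon], [apparmor], [HAVE_APPARMOR=true])
+AM_CONDITIONAL([HAVE_APPARMOR], [test x$HAVE_APPARMOR = xtrue])
+
 # Other checks
 
 AM_INIT_AUTOMAKE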
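Review bot: The new probe checks only for aa_gettaskcon, while src/procenv.c in this branch also calls aa_is_enabled() under HAVE_APPARMOR; if the two symbols did not appear in libapparmor at the same time, a library that passes this check can still fail at link time. Probing for aa_is_enabled as well (a second `AC_SEARCH_LIBS([aa_is_enabled], [apparmor], ...)` feeding the same HAVE_APPARMOR flag) would make the conditional reflect what the code actually needs. The SELinux probe just above has the same shape, so keeping both consistent would be reasonable.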
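--- a/reconf
+++ b/reconf
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+mkdir -p config
 rm -f config.cache
 aclocal -I m4
 autoconf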
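--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -6,5 +6,8 @@
 if HAVE_SELINUX
 procenv_CPPFLAGS += -DHAVE_SELINUX
 endif
+if HAVE_APPARMOR
+ procenv_CPPFLAGS += -DHAVE_APPARMOR
+endif
 
 TESTS = procenv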
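--- a/src/procenv.c
+++ b/src/procenv.c
@@ -873,7 +873,8 @@
 #endif
 show ("chroot: %s", in_chroot () ? YES_STR : NO_STR);
 #if defined (PROCENV_LINUX)
- show_linux_selinux_context ();
+ show_linux_security_module ();
+ show_linux_security_module_context ();
 #endif
 show ("container: %s", container_type ());
 
@@ -2382,8 +2383,6 @@
 
 #define show_capability(cap) \
 { \
- int ret; \
- \
 ret = prctl (PR_CAPBSET_READ, cap, 0, 0, 0); \
 \
 if (ret < 0) \
@@ -2395,6 +2394,8 @@
 void
 show_capabilities (void)
 {
+ int ret;
+
 header ("capabilities(linux)");
 
 show_capability (CAP_CHOWN);
@@ -2437,29 +2438,83 @@
 #ifdef CAP_WAKE_ALARM
 show_capability (CAP_WAKE_ALARM);
 #endif
-}
-
-void
-show_linux_selinux_context (void)
-{
- char *context;
+
+#ifdef PR_GET_KEEPCAPS
+ ret = prctl (PR_GET_KEEPCAPS, 0, 0, 0, 0);
+ if (ret < 0 && errno != ENOSYS)
+ die ("prctl failed for PR_GET_KEEPCAPS");
+ if (ret >= 0)
+ show ("keep=%s", ret ? YES_STR : NO_STR);
+#endif
+
+#ifdef PR_GET_SECUREBITS
+ ret = prctl (PR_GET_SECUREBITS, 0, 0, 0, 0);
+ if (ret < 0 && errno != ENOSYS)
+ die ("prctl failed for PR_GET_SECUREBITS");
+ if (ret >= 0) {
+ struct securebits_t {
+ unsigned int securebits;
+ } flags;
+ flags.securebits = (unsigned int)ret;
+ show ("securebits=0x%x", flags.securebits);
+
+ show_const (flags, securebits, SECBIT_KEEP_CAPS);
+ show_const (flags, securebits, SECBIT_NO_SETUID_FIXUP);
+ show_const (flags, securebits, SECBIT_NOROOT);
+ }
+#endif
+}
+
+void
+show_linux_security_module (void)
+{
+ char *lsm = UNKNOWN_STR;
+#if defined(HAVE_APPARMOR)
+ if (aa_is_enabled ())
+ lsm = "AppArmor";
+#endif
+#if defined(HAVE_SELINUX)
+ if (is_selinux_enabled ())
+ lsm = "SELinux";
+#endif
+ show ("Linux Security Module: %s", lsm);
+}
+
+void
+show_linux_security_module_context (void)
+{
+ char *context = NULL;
+ char *mode = NULL;
 size_t len;
 
-#ifdef HAVE_SELINUX
+#if defined(HAVE_APPARMOR)
+ if (aa_gettaskcon (user.pid, &context, &mode) < 0)
+ die ("failed to query AppArmor context");
+
+ if (context) {
+ if (mode)
+ show ("LSM context: %s (%s)", context, mode);
+ else
+ show ("LSM context: %s", context);
+ } else
+ show ("LSM context: %s", UNKNOWN_STR);
+
+#elif defined(HAVE_SELINUX)
 if (getpidcon (user.pid, &context) < 0)
 die ("failed to query SELinux context");
 
 len = strlen (context);
 
 /* don't show trailing NL */
- show ("selinux context: %.*s",
+ show ("LSM context: %.*s",
 len - 1,
 context);
 
+#else
+ show ("LSM context: %s", UNKNOWN_STR);
+#endif
 free (context);
-#else
- show ("selinux context: %s", UNKNOWN_STR);
-#endif
+ free (mode);
 
 }
 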
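Review bot: `free (mode);` at the end of show_linux_security_module_context releases memory that was never separately allocated: libapparmor documents the mode returned by aa_gettaskcon() as a pointer into the label buffer that `context` already owns, so after `free (context);` this is an invalid free on any AppArmor system that reports a mode — drop the line. The ENOSYS checks added to show_capabilities for PR_GET_KEEPCAPS and PR_GET_SECUREBITS do not cover the case they appear to target: prctl(2) reports an option unknown to the running kernel with EINVAL, so with headers newer than the kernel the tool dies instead of skipping the report; `if (ret < 0 && errno != ENOSYS && errno != EINVAL)` matches the intent. In the SELinux branch the precision handed to `"LSM context: %.*s"` is `len - 1`, a size_t where `%.*s` requires an int, and it wraps to SIZE_MAX when the context is empty; `(int) (len ? len - 1 : 0)` is safe on both counts. The function containing the hunk at line 873 starts and ends outside this section.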
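--- a/src/procenv.h
+++ b/src/procenv.h
@@ -54,8 +54,14 @@
 #include <execinfo.h>
 #include <sys/inotify.h>
 #include <sys/prctl.h>
+#ifdef PR_GET_SECUREBITS
+#include <linux/securebits.h>
+#endif
 #include <linux/capability.h>
 #include <linux/vt.h>
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+#endif
 #ifdef HAVE_SELINUX
 #include <selinux/selinux.h>
 #endif
@@ -362,7 +368,8 @@
 void show_linux_cgroups (void);
 void show_oom (void);
 void show_capabilities (void);
-void show_linux_selinux_context (void);
+void show_linux_security_module (void);
+void show_linux_security_module_context (void);
 void show_linux_mounts (ShowMountType what);
 void show_linux_proc_branch (void);
 void show_linux_cpu (void);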
