handlers: Implement AppArmor handler

This passes all the "hard" work off to aa-lsm-hook to perform AoT compilation of AppArmor profiles. Signed-off-by: Ikey Doherty <[email protected]>
solus-project · Feb 2, 2018 · 7b1a3ea · 7b1a3ea
1 parent a1835ff
commit 7b1a3ea
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 0 deletions.
diff --git a/meson.build b/meson.build
@@ -67,6 +67,10 @@ with_qol = get_option('with-qol-assist')
 if with_qol == true
     cdata.set('HAVE_QOL_ASSIST', '1')
 endif
+with_apparmor = get_option('with-apparmor')
+if with_apparmor == true
+    cdata.set('HAVE_APPARMOR', '1')
+endif
 
 # Work out systemd support
 with_systemd = get_option('with-systemd')
@@ -156,6 +160,7 @@ report = [
     '    linux-driver-management:                @0@'.format(with_ldm),
     '    qol-assist:                             @0@'.format(with_qol),
     '    systemd support:                        @0@'.format(with_systemd),
+    '    apparmor (aa-lsm-hook)                  @0@'.format(with_apparmor),
     '',
     '    Kernel configuration:',
     '    =====================',

diff --git a/meson_options.txt b/meson_options.txt
@@ -17,3 +17,5 @@ option('with-log-dir', type: 'string', value: '/var/log', description: 'Logging
 
 # This is useful for virtualbox upgrades
 option('with-vbox-restart', type: 'boolean', value: 'false', description: 'Automatically restart vboxdrv service on update')
+
+option('with-apparmor', type: 'boolean', value: 'true', description: 'Enable AppArmor integration via aa-lsm-hook')
diff --git a/src/context.c b/src/context.c
@@ -71,6 +71,10 @@ static const UscHandler *usc_handlers[] = {
 #endif
 #endif
 
+#ifdef HAVE_APPARMOR
+        &usc_handler_apparmor,
+#endif
+
         /** Enter userspace. */
         &usc_handler_glib2,
         &usc_handler_fonts,

diff --git a/src/handlers.h b/src/handlers.h
@@ -45,6 +45,10 @@ extern UscHandler usc_handler_vbox_restart;
 #endif
 #endif
 
+#ifdef HAVE_APPARMOR
+extern UscHandler usc_handler_apparmor;
+#endif
+
 extern UscHandler usc_handler_glib2;
 extern UscHandler usc_handler_fonts;
 extern UscHandler usc_handler_mime;

diff --git a/src/handlers/kernel/apparmor.c b/src/handlers/kernel/apparmor.c
@@ -0,0 +1,75 @@
+/*
+ * This file is part of usysconf.
+ *
+ * Copyright © 2017-2018 Solus Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "config.h"
+#include "context.h"
+#include "files.h"
+#include "util.h"
+
+static const char *apparmor_paths[] = {
+        "/etc/apparmor.d",
+};
+
+/**
+ * Update the apparmor cache within the kernel directory to ensure new apparmors
+ * are readily available.
+ */
+static UscHandlerStatus usc_handler_apparmor_exec(UscContext *ctx, __usc_unused__ const char *path)
+{
+        char *command[] = {
+                "/usr/sbin/aa-lsm-hook-compile", NULL, /* Terminator */
+        };
+
+        usc_context_emit_task_start(ctx, "Compiling AppArmor profiles");
+        if (usc_context_has_flag(ctx, USC_FLAGS_CHROOTED)) {
+                usc_context_emit_task_finish(ctx, USC_HANDLER_SKIP);
+                return USC_HANDLER_SKIP | USC_HANDLER_BREAK;
+        }
+
+        int ret = usc_exec_command(command);
+        if (ret != 0) {
+                usc_context_emit_task_finish(ctx, USC_HANDLER_FAIL);
+                return USC_HANDLER_FAIL;
+        }
+        usc_context_emit_task_finish(ctx, USC_HANDLER_SUCCESS);
+
+        /* Only run once */
+        return USC_HANDLER_SUCCESS | USC_HANDLER_BREAK;
+}
+
+const UscHandler usc_handler_apparmor = {
+        .name = "apparmor",
+        .description = "Compile AppArmor profiles",
+        .required_bin = "/usr/sbin/aa-lsm-hook-compile",
+        .exec = usc_handler_apparmor_exec,
+        .paths = apparmor_paths,
+        .n_paths = ARRAY_SIZE(apparmor_paths),
+};
+
+/*
+ * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: nil
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 expandtab:
+ * :indentSize=8:tabSize=8:noTabs=true:
+ */
diff --git a/src/meson.build b/src/meson.build
@@ -34,6 +34,10 @@ if with_ldm == true
     handlers += 'linux-driver-management'
 endif
 
+if with_apparmor == true
+    kernel_handlers += 'apparmor'
+endif
+
 # We'll still enable hwdb but alter for udev path if not using systemd
 if with_systemd == true
     handlers += [
Original file line number	Diff line number	Diff line change
Expand Up		@@ -17,3 +17,5 @@ option('with-log-dir', type: 'string', value: '/var/log', description: 'Logging

		# This is useful for virtualbox upgrades
		option('with-vbox-restart', type: 'boolean', value: 'false', description: 'Automatically restart vboxdrv service on update')

		option('with-apparmor', type: 'boolean', value: 'true', description: 'Enable AppArmor integration via aa-lsm-hook')