File: apparmor.c

#include <uwsgi.h>
#include <sys/apparmor.h>

#if !defined(UWSGI_PLUGIN_API) || UWSGI_PLUGIN_API < 1
#error "this plugin requires version 1 of the uWSGI api"
#endif

/*
 * Plugin configuration. Each field is written through the pointer
 * registered for it in apparmor_options[]; the object has static storage,
 * so a field stays NULL when its option is not given, and the functions
 * below treat NULL as "do not change profile".
 */
static struct uwsgi_apparmor {
	/* --apparmor-profile: profile applied by apply_apparmor_before_privileges_drop() */
	char *profile;
#if UWSGI_PLUGIN_API > 1
	/* --emperor-apparmor-attr: name of the vassal attribute holding the profile name */
	char *emperor_apparmor_attr;
#endif
	/* --emperor-apparmor: profile applied to vassals by vassal_apply_apparmor() */
	char *emperor_apparmor;
} uapparmor;

/*
 * Command line / config options exported by the plugin. All three take a
 * mandatory string argument that is stored in the matching uapparmor field.
 *
 * NOTE(review): with emperor-apparmor-attr the profile name is read from an
 * attribute of the vassal itself (see vassal_apply_apparmor()), so whoever
 * can set vassal attributes chooses the confinement -- confirm that this
 * matches the trust model of the deployment.
 */
static struct uwsgi_option apparmor_options[] = {
	{"apparmor-profile", required_argument, 0, "set apparmor profile before privileges drop", uwsgi_opt_set_str, &uapparmor.profile, 0},
#if UWSGI_PLUGIN_API > 1
	/* only available when the plugin API exposes vassal attributes (API > 1) */
	{"emperor-apparmor-attr", required_argument, 0, "set vassal apparmor profile using the specified attr", uwsgi_opt_set_str, &uapparmor.emperor_apparmor_attr, 0},
#endif
	{"emperor-apparmor", required_argument, 0, "set vassals apparmor profile", uwsgi_opt_set_str, &uapparmor.emperor_apparmor, 0},
	UWSGI_END_OF_OPTIONS
};

/*
 * Emperor hook, registered as .vassal_before_exec: switch to the AppArmor
 * profile selected for a vassal.
 *
 * Profile selection:
 *   - default is the --emperor-apparmor value;
 *   - with plugin API > 1 and --emperor-apparmor-attr set, the result of
 *     vassal_attr_get() for that attribute REPLACES the default.
 *
 * If no profile results, the function returns without touching confinement.
 * If a profile was selected and aa_change_profile() reports failure (non-zero
 * return), the process exits with status 1, so the switch fails closed.
 *
 * NOTE(review): when --emperor-apparmor-attr is set and the lookup yields
 * NULL (presumably: attribute missing for this vassal -- confirm against
 * vassal_attr_get()), the --emperor-apparmor value is NOT used as a fallback
 * and no profile is applied at all. Operators who rely on a
 * baseline profile for every vassal should verify this is intended.
 *
 * argv (API > 1 only) is unused here.
 */
#if UWSGI_PLUGIN_API > 1
static void vassal_apply_apparmor(struct uwsgi_instance *ui, char **argv) {
#else
static void vassal_apply_apparmor(struct uwsgi_instance *ui) {
#endif
	const char *wanted = uapparmor.emperor_apparmor;

#if UWSGI_PLUGIN_API > 1
	/* per-vassal attribute overrides the static profile, even when it is NULL */
	if (uapparmor.emperor_apparmor_attr) {
		wanted = vassal_attr_get(ui, uapparmor.emperor_apparmor_attr);
	}
#endif

	/* nothing configured for this vassal: leave confinement untouched */
	if (!wanted) {
		return;
	}

	uwsgi_log("[apparmor] setting profile \"%s\" ...\n", wanted);

	if (aa_change_profile(wanted) == 0) {
		return;
	}

	/* a requested profile could not be applied: abort instead of continuing */
	uwsgi_error("vassal_apply_apparmor()/aa_change_profile()");
	exit(1);
}

/*
 * Registered as .before_privileges_drop: switch the current process to the
 * profile given with --apparmor-profile.
 *
 * Does nothing when the option was not given. When it was given and
 * aa_change_profile() reports failure (non-zero return), the error is logged
 * and the process exits with status 1, so the instance does not keep running
 * without the requested profile.
 */
static void apply_apparmor_before_privileges_drop() {
	const char *wanted = uapparmor.profile;

	if (!wanted) {
		return;
	}

	uwsgi_log("[apparmor] setting profile \"%s\" ...\n", wanted);

	if (aa_change_profile(wanted) == 0) {
		return;
	}

	uwsgi_error("apply_apparmor_before_privileges_drop()/aa_change_profile()");
	exit(1);
}

/*
 * Handler for the "apparmor" hook: switch to the profile named by arg.
 *
 * Returns the value of aa_change_profile() unchanged; a non-zero value is
 * logged as an error first. Unlike the two functions above, a failure does
 * not terminate the process here.
 *
 * NOTE(review): whether a failed profile change stops the instance depends
 * on how the hook caller treats a non-zero return -- confirm, otherwise the
 * process may continue without the requested profile.
 */
static int apparmor_hook(char *arg) {
	int rc = aa_change_profile(arg);

	if (rc == 0) {
		return rc;
	}

	uwsgi_error("apparmor_hook()/aa_change_profile()");
	return rc;
}

/*
 * Registered as .on_load: makes apparmor_hook() available under the hook
 * name "apparmor".
 */
static void apparmor_register() {
	uwsgi_register_hook("apparmor", apparmor_hook);
}

/*
 * Plugin descriptor. It is the only symbol in this file without internal
 * linkage (presumably so the uWSGI plugin loader can find it -- confirm).
 */
struct uwsgi_plugin apparmor_plugin = {
	.name = "apparmor",
	/* registers the "apparmor" hook */
	.on_load = apparmor_register,
	.options = apparmor_options,
	/* applies --apparmor-profile; exits on failure */
	.before_privileges_drop = apply_apparmor_before_privileges_drop,
	/* applies the emperor-selected profile to a vassal; exits on failure */
	.vassal_before_exec = vassal_apply_apparmor,
};