/usr/sbin/aa-exec is in apparmor 2.9.0-3.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 | #!/usr/bin/perl
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
use strict;
use warnings;
use Errno;
require LibAppArmor;
require POSIX;
my $opt_d = '';
my $opt_h = '';
my $opt_p = '';
my $opt_n = '';
my $opt_i = '';
my $opt_v = '';
my $opt_f = '';
sub _warn {
my $msg = $_[0];
print STDERR "aa-exec: WARN: $msg\n";
}
sub _error {
my $msg = $_[0];
print STDERR "aa-exec: ERROR: $msg\n";
exit 1
}
sub _debug {
$opt_d or return;
my $msg = $_[0];
print STDERR "aa-exec: DEBUG: $msg\n";
}
sub _verbose {
$opt_v or return;
my $msg = $_[0];
print STDERR "$msg\n";
}
sub usage() {
my $s = <<'EOF';
USAGE: aa-exec [OPTIONS] <prog> <args>
Confine <prog> with the specified PROFILE.
OPTIONS:
-p PROFILE, --profile=PROFILE PROFILE to confine <prog> with
-n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in
-f FILE, --file FILE profile file to load
-i, --immediate change profile immediately instead of at exec
-v, --verbose show messages with stats
-h, --help display this help
EOF
print $s;
}
use Getopt::Long;
GetOptions(
'debug|d' => \$opt_d,
'help|h' => \$opt_h,
'profile|p=s' => \$opt_p,
'namespace|n=s' => \$opt_n,
'file|f=s' => \$opt_f,
'immediate|i' => \$opt_i,
'verbose|v' => \$opt_v,
);
if ($opt_h) {
usage();
exit(0);
}
if ($opt_n || $opt_p) {
my $test;
my $prof;
if ($opt_n) {
$prof = ":$opt_n:";
}
$prof .= $opt_p;
if ($opt_f) {
system("apparmor_parser", "-r", "$opt_f") == 0
or _error("\'aborting could not load $opt_f\'");
}
if ($opt_i) {
_verbose("aa_change_profile(\"$prof\")");
$test = LibAppArmor::aa_change_profile($prof);
_debug("$test = aa_change_profile(\"$prof\"); $!");
} else {
_verbose("aa_change_onexec(\"$prof\")");
$test = LibAppArmor::aa_change_onexec($prof);
_debug("$test = aa_change_onexec(\"$prof\"); $!");
}
if ($test != 0) {
if ($!{ENOENT} || $!{EACCESS}) {
my $pre = ($opt_p) ? "profile" : "namespace";
_error("$pre \'$prof\' does not exist\n");
} elsif ($!{EINVAL}) {
_error("AppArmor interface not available\n");
} else {
_error("$!\n");
}
}
}
_verbose("exec @ARGV");
exec @ARGV;
|