#!/usr/bin/python3
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# FIXME: apparmor package from apparmor-utils is not a namespace package
import apparmor
from apparmor import click
from apparmor.common import AppArmorException
import fcntl
import optparse
import os
import sys
# Where easyprof generated profiles are stored (created by main() if absent;
# generate_profiles() writes the per-click profiles here)
apparmor_profiles = '/var/lib/apparmor/profiles'
# Where apparmor caches its compiled profiles (passed to the parser as
# --cache-loc; stale cache entries are removed alongside their profile)
apparmor_cache = '/var/cache/apparmor'
# Where the apparmor click hook registers its click entries to be stored;
# each entry name is joined to this directory to locate the click manifest
apparmor_clicks = '/var/lib/apparmor/clicks'
# Blocking lockfile: main() takes an exclusive fcntl lock on it so that
# concurrent hook invocations serialise instead of racing on the
# profile and cache directories. The file is deliberately never unlinked.
clickhook_lockfile = '/run/aa-clickhook.lock'
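def generate_profiles(clicks, include=None):
    '''Generate AppArmor profiles from click manifests.

    Args:
        clicks: iterable of click manifest filenames, relative to
            ``apparmor_clicks``, whose profiles need (re)generating.
        include: optional list of paths to add as ``#include`` lines to
            every generated profile. Each path must exist. Defaults to no
            includes (a ``None`` default replaces the former shared
            mutable ``[]`` default; passing a list still works).

    Returns:
        list of generated profile filenames as returned by
        ``click.to_profiles``. Manifests that cannot be parsed,
        transformed or compiled are reported through ``error`` and
        skipped rather than aborting the whole run.

    Raises:
        AppArmorException: an ``include`` path does not exist.
    '''
    # Never share a mutable default between calls; normalise up front.
    include = [] if include is None else include
    for f in include:
        if not os.path.exists(f):
            raise AppArmorException("Could not find '%s'" % f)
        warn("--include specified, including '%s' in all profiles" % f)

    files = []
    for missing in clicks:
        try:
            click_manifest = click.ClickManifest(os.path.join(apparmor_clicks,
                                                              missing))
        except click.AppArmorExceptionClickFrameworkNotFound:
            error("Could not find framework for '%s'. Skipping" %
                  missing, do_exit=False)
            continue
        except Exception:
            error("Could not parse click manifest. Skipping '%s'" % missing,
                  do_exit=False)
            continue

        try:
            easyprof_manifest = apparmor.click.transform(click_manifest)
        except click.AppArmorExceptionClickInvalidPolicyVersion:
            error("Invalid policy version for '%s'. Skipping" %
                  missing, do_exit=False)
            continue
        except Exception:
            error("Could not transform '%s' to AppArmor easyprof. Skipping" %
                  missing, do_exit=False)
            continue

        try:
            # Generate the policy, but don't verify it. It will error on load
            # (and apps will correctly still not load). This saves a bit of
            # time, which is important when processing lots of files.
            files.extend(click.to_profiles(easyprof_manifest,
                                           apparmor_profiles,
                                           include,
                                           no_verify=True))
        except Exception:
            error("Could not generate AppArmor profile for '%s'. Skipping" %
                  missing, do_exit=False)
            continue

    return files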
def error(out, exit_code=1, do_exit=True):
    '''Write an "ERROR:" line for *out* to stderr and, by default, exit.

    Args:
        out: message to report; formatted with ``%s``.
        exit_code: status passed to ``sys.exit`` when *do_exit* is true.
        do_exit: when false, only report and return so callers can skip
            a single bad item and keep going.
    '''
    message = "ERROR: %s\n" % (out,)
    try:
        sys.stderr.write(message)
    except IOError:
        # Reporting is best-effort: a failing stderr write must not mask
        # the exit status below.
        pass
    if not do_exit:
        return
    sys.exit(exit_code)
def warn(out):
    '''Write a "WARN:" line for *out* to stderr; never raises.

    Args:
        out: message to report; formatted with ``%s``.
    '''
    message = "WARN: %s\n" % (out,)
    try:
        sys.stderr.write(message)
    except IOError:
        # A warning is informational only; a failing stderr write is
        # deliberately ignored.
        pass
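def _ensure_dir(path):
    '''Create *path* (and any parents) when missing; no-op otherwise.

    Uses ``exist_ok`` so there is no check-then-create window between an
    existence test and ``makedirs``.
    '''
    # FIXME log this when the directory actually had to be created
    os.makedirs(path, exist_ok=True)


def _find_missing_profiles(force):
    '''Return the click manifest names that need a generated profile.

    Args:
        force: when true, every entry under ``apparmor_clicks`` is
            returned (``.override`` and ``.additional`` entries are not
            manifests and are skipped); otherwise only the entries
            ``click.get_missing_profiles`` reports as lacking a profile.
    '''
    if not force:
        return click.get_missing_profiles(apparmor_clicks,
                                          apparmor_profiles)
    return [p for p in os.listdir(apparmor_clicks)
            if not p.endswith((".override", ".additional"))]


def _load_if_available(profiles):
    '''Load *profiles* into the kernel, or warn when AppArmor is absent.

    Don't try to load profiles if apparmor isn't available, but be sure
    to fail if there are problems when it is: only the availability probe
    is caught, errors from ``click.load_profiles`` propagate.
    '''
    try:
        click.apparmor_available()
    except AppArmorException:
        warn("AppArmor not available when processing AppArmor hook")
        return
    # LP: #1383858 - expr tree simplification is too slow for click policy
    # so disable it for now
    click.load_profiles(profiles,
                        args=['-r', '--write-cache',
                              '-O', 'no-expr-simplify',
                              '--cache-loc=%s' % apparmor_cache])
    # missing_clicks has the profile filename so we need to find the
    # profile name to unload from the kernel.
    # TODO: when click/application lifecycle guarantees the app is not
    #       running, then we can remove the profile. For now leave the
    #       profile in place since the app may still be running
    # removed_profiles = []
    # for fn in missing_clicks:
    #     p = click.AppName(profile_filename=fn).profile_name
    #     removed_profiles.append(p)
    # click.unload_profiles(removed_profiles)


def _remove_stale(missing_clicks):
    '''Delete the generated profile and cache entry for each stale click.

    Removal is best-effort: a failure is reported with ``error`` but does
    not abort, so one undeletable file cannot block the rest of the hook.
    The kernel-loaded profile is intentionally left in place (see the
    TODO in ``_load_if_available``).

    Args:
        missing_clicks: profile filenames whose click manifest is gone.
    '''
    for m in missing_clicks:
        for base in (apparmor_profiles, apparmor_cache):
            path = os.path.join(base, m)
            try:
                os.remove(path)
            except OSError:
                error("Error removing '%s'" % path, do_exit=False)


def main():
    '''Regenerate click AppArmor profiles and load them into the kernel.

    Serialises on ``clickhook_lockfile``, makes sure the profile and
    cache directories exist, generates profiles for clicks that lack one
    (or for all clicks with ``--force``), loads them when AppArmor is
    available and removes generated files whose click is gone.

    Returns:
        0 on success. Usage errors exit with status 1 via ``error``.
    '''
    parser = optparse.OptionParser()
    parser.add_option("-f", "--force", "--force-regenerate",
                      dest='force',
                      help='force regeneration of all click profiles',
                      action='store_true',
                      default=False)
    parser.add_option("-d", "--debug",
                      dest='debug',
                      help='emit debugging information',
                      action='store_true',
                      default=False)
    parser.add_option("--include",
                      dest='include',
                      help='add \'#include "PATH"\' to generated profiles',
                      action='append',
                      metavar="PATH",
                      default=[])
    (opt, args) = parser.parse_args()
    if args:
        # Same exit status as before, but say why instead of failing
        # silently so a usage error is distinguishable from a hook failure.
        error("Unexpected arguments: %s" % ' '.join(args))

    # The lock file is opened for writing but never unlinked: removing it
    # would let a third contender create a fresh inode and bypass the lock.
    # The context manager guarantees the descriptor is closed (and thus the
    # lock dropped) even if generation or loading raises.
    with open(clickhook_lockfile, 'w') as lock:
        fcntl.lockf(lock, fcntl.LOCK_EX)
        try:
            _ensure_dir(apparmor_profiles)
            _ensure_dir(apparmor_cache)

            missing_profiles = _find_missing_profiles(opt.force)
            missing_clicks = click.get_missing_clickhooks(apparmor_clicks,
                                                          apparmor_profiles)
            load_profiles = generate_profiles(missing_profiles, opt.include)

            _load_if_available(load_profiles)
            # Stale on-disk files are cleaned up regardless of AppArmor
            # availability; only the kernel load/unload is gated on it.
            _remove_stale(missing_clicks)
        finally:
            # Explicit unlock before close, as the original did.
            fcntl.lockf(lock, fcntl.LOCK_UN)

    return 0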
# Script entry point; main() returns 0 on success and exits itself on
# fatal errors, so its return value becomes the process status.
if __name__ == "__main__":
    sys.exit(main())