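/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef SNAP_CONFINE_APPARMOR_SUPPORT_H
#define SNAP_CONFINE_APPARMOR_SUPPORT_H

#include <stdbool.h>

/**
 * Type of apparmor confinement.
 *
 * The numeric values are part of the interface: SC_AA_INVALID is -1,
 * SC_AA_NOT_APPLICABLE is 0 and the recognized modes count up from 1.
 **/
enum sc_apparmor_mode {
	// The enforcement mode was not recognized.
	SC_AA_INVALID = -1,
	// The enforcement mode is not applicable because apparmor is disabled.
	SC_AA_NOT_APPLICABLE = 0,
	// The enforcement mode is "enforce": policy violations are denied.
	SC_AA_ENFORCE = 1,
	// The enforcement mode is "complain": in apparmor this mode logs policy
	// violations instead of denying them, so a process in this mode is
	// labelled but not restricted.
	SC_AA_COMPLAIN,
	// The enforcement mode is "mixed".
	// NOTE(review): presumably reported for stacked profiles whose modes
	// differ; confirm against the implementation.
	SC_AA_MIXED,
};

/**
 * Data required to manage apparmor wrapper.
 **/
struct sc_apparmor {
	// The mode of enforcement. In addition to the apparmor-defined modes
	// (enforce, complain, mixed) this can also be SC_AA_INVALID (unknown mode
	// reported by apparmor) and SC_AA_NOT_APPLICABLE (when we're not linked
	// with apparmor).
	enum sc_apparmor_mode mode;
	// Flag indicating that the current process is confined.
	// Read it together with `mode`: being confined by a profile in complain
	// mode is not the same as being restricted by it.
	bool is_confined;
};

/**
 * Initialize apparmor support.
 *
 * This operation should be done even when apparmor support is disabled at
 * compile time. Internally the supplied structure is initialized based on the
 * information returned from aa_getcon(2) or, if apparmor is disabled at
 * compile time, with built-in constants.
 *
 * The main action performed here is to check if snap-confine is currently
 * confined; this information is used later in sc_maybe_aa_change_hat().
 *
 * As with many functions in the snap-confine tree, all errors result in
 * process termination.
 *
 * @param apparmor structure to fill in; the declaration does not show
 *                 whether NULL is tolerated, so pass a valid pointer.
 **/
void sc_init_apparmor_support(struct sc_apparmor *apparmor);

/**
 * Maybe call aa_change_onexec(2)
 *
 * This function does nothing when apparmor support is not enabled at compile
 * time. If apparmor is enabled then a profile change request is attempted.
 *
 * As with many functions in the snap-confine tree, all errors result in
 * process termination. As an exception, when the SNAPPY_LAUNCHER_INSIDE_TESTS
 * environment variable is set then the process is not terminated.
 *
 * NOTE(review): that exception is a fail-open path selected by an environment
 * variable. With it set, a failed profile change does not stop the process,
 * so the following exec may run without the requested profile. Confirm in the
 * implementation that this path cannot be relied on outside the test suite.
 *
 * @param apparmor state previously filled in by sc_init_apparmor_support()
 *                 (presumably; confirm against the implementation).
 * @param profile  name of the profile to switch to on the next exec.
 **/
void
sc_maybe_aa_change_onexec(struct sc_apparmor *apparmor, const char *profile);

/**
 * Maybe call aa_change_hat(2)
 *
 * This function does nothing when apparmor support is not enabled at compile
 * time. If apparmor is enabled then a hat change is attempted.
 *
 * As with many functions in the snap-confine tree, all errors result in
 * process termination.
 *
 * @param apparmor    state previously filled in by sc_init_apparmor_support()
 *                    (presumably; confirm against the implementation).
 * @param subprofile  name of the hat (subprofile) to change to.
 * @param magic_token token handed to aa_change_hat(2).
 *                    NOTE(review): per aa_change_hat(2) the token is what
 *                    permits leaving the hat again, so it should be
 *                    unpredictable and never exposed to the code that runs
 *                    inside the hat; confirm how callers generate it.
 **/
void
sc_maybe_aa_change_hat(struct sc_apparmor *apparmor,
		       const char *subprofile, unsigned long magic_token);

#endif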