Issue 483 in psutil: add apparmor support

[psu...@googlecode.com]

Status: New
Owner: ----
Labels: Type-Enhancement Priority-Medium

New issue 483 by ar...@maven.pl: add apparmor support
http://code.google.com/p/psutil/issues/detail?id=483


Hi.

Please add apparmor (http://apparmor.wiki.kernel.org/)
status reading support (at least):

# cat /proc/29752/attr/current
/usr/sbin/httpd.prefork//HAT_owner_22753 (enforce)

which means that this process is using apparmor
profile "/usr/sbin/httpd.prefork" and hat "HAT_owner_22753" in enforce mode.

Other possibilities of current are for example:
"unconfined" - so no policy loaded for the process

"/usr/sbin/httpd.prefork (enforce)" - only profile used, without apparmor
activated (process can change its hats while running)


That info can be read from /proc or using libapparmor library:
https://launchpad.net/apparmor/2.8/2.8.3/+download/apparmor-2.8.3.tar.gz



--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[psu...@googlecode.com]

Comment #1 on issue 483 by g.rodola: add apparmor support
http://code.google.com/p/psutil/issues/detail?id=483

Mmm... I didn't know about this.
My first impression is that this is too specific to belong into psutil.
Anyway, what API do you think this should have?
According to your example it seems this should return a (file, user) tuple
or something.

[psu...@googlecode.com]

Comment #2 on issue 483 by ar...@maven.pl: add apparmor support
http://code.google.com/p/psutil/issues/detail?id=483


http://manpages.ubuntu.com/manpages/saucy/man2/aa_getcon.2.html and
aa_gettaskcon is what interests us.

Such code:
#include <stdio.h>
#include <sys/apparmor.h>

int main() {
char *b1, *b2;
pid_t i;

for (i=0; i<100000; i++) {
if (aa_gettaskcon(i, &b1, &b2) != -1)
printf("[%s] [%s]\n", b1, b2);
}
}

gets us:

[/usr/sbin/pure-ftpd] [enforce]
[unconfined] [(null)]
[unconfined] [(null)]
[unconfined] [(null)]
[/usr/sbin/httpd.prefork] [enforce]
[/usr/sbin/httpd.prefork//HANDLING_UNTRUSTED_INPUT] [enforce]

so API for this could be tuple (context, mode)
(terms from man page, it's not file, not profile according to man page,
it's context and mode)

Note, on linux with apparmor disabled (# CONFIG_SECURITY_APPARMOR is not
set) you can't access that file:
$ LC_ALL=C cat /proc/4393/attr/current
cat: /proc/4393/attr/current: Invalid argument


apparmor is part of upstream linux kernel, so well... worth considering
supporting it. Same for SELinux tags.

[psu...@googlecode.com]

Comment #3 on issue 483 by g.rodola: add apparmor support
http://code.google.com/p/psutil/issues/detail?id=483

psutil has been migrated from Google Code to Github (see:
http://grodola.blogspot.com/2014/05/goodbye-google-code-im-moving-to-github.html).
Please do NOT reply here but use this instead:
https://github.com/giampaolo/psutil/issues/483