Affected by 
Documentation
¶
Overview ¶
Package notify implements high-level notify interface to a subset of AppArmor features
Index ¶
- Variables
- func ExtractFirstMsg(data []byte) (first []byte, rest []byte, err error)
- func Ioctl(fd uintptr, req IoctlRequest, buf IoctlRequestBuffer) ([]byte, error)
- func MsgLength(data []byte) (int, error)
- func SetIoctlDump(value bool) bool
- func SupportAvailable() bool
- type FilePermission
- type IoctlRequest
- type IoctlRequestBuffer
- type MediationClass
- type ModeSet
- type MsgHeader
- type MsgNotification
- type MsgNotificationFile
- type MsgNotificationFilter
- type MsgNotificationOp
- type MsgNotificationResponse
- type NotificationType
Constants ¶
This section is empty.
Variables ¶
var ErrIoctlReturnInvalid = errors.New("IOCTL request returned invalid bufsize")
var SysPath string
Functions ¶
func ExtractFirstMsg ¶
ExtractFirstMsg splits the given data buffer after the first message, assuming that it begins with a MsgHeader. If it is too short to be a MsgHeader, or if the encoded length exceeds the remaining data length, returns an error.
func Ioctl ¶
func Ioctl(fd uintptr, req IoctlRequest, buf IoctlRequestBuffer) ([]byte, error)
Ioctl performs a ioctl(2) on the given file descriptor.
Returns a []byte with the contents of buf.Bytes() after the syscall, set to the size returned by the syscall, indicating how many bytes were written. The size of buf.Bytes() is left unchanged, so buf may be re-used for future Ioctl calls. If the ioctl syscall returns an error, the buffer contents are those filled by the syscall, but the size of the buffer is unchanged, and the complete buffer and error are returned.
func MsgLength ¶
MsgLength returns the length of the first message in the given data buffer, assuming that it begins with a MsgHeader. If it does not, returns an error.
func SetIoctlDump ¶
SetIoctlDump enables or disables dumping the return value and buffer from ioctl(2).
Returns the previous ioctl dump value.
func SupportAvailable ¶
func SupportAvailable() bool
SupportAvailable returns true if SysPath exists, indicating that apparmor prompting messages may be received from SysPath.
Types ¶
type FilePermission ¶
type FilePermission uint32
FilePermission is a bit-mask of apparmor permissions in relation to files. It is applicable to messages with the class of AA_CLASS_FILE.
const ( // AA_MAY_EXEC implies that a process has a permission to execute another // program. The specific details of the program are not conveyed. AA_MAY_EXEC FilePermission = 1 << iota // AA_MAY_WRITE implies that a process may write to a file or socket, or // may modify directory contents. AA_MAY_WRITE // AA_MAY_READ implies that a process may read from a file or socket, or // may enumerate directory contents. AA_MAY_READ // AA_MAY_APPEND implies that a process may open a file in append mode. AA_MAY_APPEND // AA_MAY_CREATE implies that a process may create a new file. AA_MAY_CREATE // AA_MAY_DELETE implies that a process may delete a file, directory, // symbolic link or socket. AA_MAY_DELETE // AA_MAY_OPEN implies that a process may open a file or directory. The // additional presence of AA_MAY_WRITE or AA_MAY_READ grants specific type // of access. AA_MAY_OPEN // AA_MAY_RENAME implies that a process may rename a file. AA_MAY_RENAME // AA_MAY_SETATTR implies that a process may modify file attributes. AA_MAY_SETATTR // AA_MAY_GETATTR implies that a process may read file attributes. AA_MAY_GETATTR // AA_MAY_SETCRED is not used in the kernel. AA_MAY_SETCRED // AA_MAY_GETCRED is not used in the kernel. AA_MAY_GETCRED // AA_MAY_CHMOD implies that a process may change UNIX file permissions. AA_MAY_CHMOD // AA_MAY_CHOWN implies that a process may change file ownership. AA_MAY_CHOWN // AA_MAY_CHGRP implies that a process may change the group ownership of a // file. The C-level macro is not defined in any userspace header but is // already supported and reported by the kernel. AA_MAY_CHGRP // AA_MAY_LOCK implies that a process may perform fcntl locking operations // on a file. AA_MAY_LOCK // AA_EXEC_MMAP implies that a process may execute code from an page // memory-mapped from a file. AA_EXEC_MMAP // AA_MAY_LINK implies that a process may create a hard link. Their // associated file information describes the hard link name, not the // original file. AA_MAY_LINK FilePermission = 1 << 18 // AA_MAY_ONEXEC implies that a process may change the apparmor profile on // the next exec call. AA_MAY_ONEXEC FilePermission = 1 << 29 // AA_MAY_CHANGE_PROFILE implies that a process may change the apparmor // profile on demand. AA_MAY_CHANGE_PROFILE FilePermission = 1 << 30 )
func (FilePermission) IsValid ¶
func (p FilePermission) IsValid() bool
IsValid returns true if the given file permission contains only known bits set.
func (FilePermission) String ¶
func (p FilePermission) String() string
String returns readable representation of the file permission value.
type IoctlRequest ¶
type IoctlRequest uintptr
IoctlRequest is the type of ioctl(2) request numbers used by apparmor .notify file.
const ( APPARMOR_NOTIF_SET_FILTER IoctlRequest = 0x4008F800 APPARMOR_NOTIF_GET_FILTER IoctlRequest = 0x8008F801 APPARMOR_NOTIF_IS_ID_VALID IoctlRequest = 0x8008F803 APPARMOR_NOTIF_RECV IoctlRequest = 0xC008F804 APPARMOR_NOTIF_SEND IoctlRequest = 0xC008F805 )
Available ioctl(2) requests for .notify file. Those are not documented beyond the implementeation in the kernel.
func (IoctlRequest) String ¶
func (req IoctlRequest) String() string
String returns the string representation of an IoctlRequest.
type IoctlRequestBuffer ¶
type IoctlRequestBuffer []byte
IoctlRequestBuffer is a buffer with a constructor method which prepares a buffer to be passed into ioctl(2), along with other useful methods.
func NewIoctlRequestBuffer ¶
func NewIoctlRequestBuffer() IoctlRequestBuffer
NewIoctlRequestBuffer returns a new buffer for communication with the kernel.
The buffer contains encoded information about its size and protocol version.
func (IoctlRequestBuffer) Pointer ¶
func (b IoctlRequestBuffer) Pointer() uintptr
Pointer returns a pointer to the first element of an IoctlRequestBuffer.
This is intended to be used to simplify passing the buffer into ioctl(2).
type MediationClass ¶
type MediationClass uint16
MediationClass is an enumeration of mediation ttypes in the apparmor policy.
const ( AA_CLASS_FILE MediationClass = 2 AA_CLASS_DBUS MediationClass = 32 )
func (MediationClass) String ¶
func (mcls MediationClass) String() string
type ModeSet ¶
type ModeSet uint32
ModeSet is a bit mask of apparmor "modes".
type MsgHeader ¶
type MsgHeader struct {
// Length is the length of the entire message, including any more
// specialized messages appended after the header and any variable-length
// objects referenced by any such message.
Length uint16
// Version is the version of the communication protocol.
// Currently version 3 is implemented in the kernel, but other versions may
// be used in the future.
Version uint16
}
MsgHeader is the header of all apparmor notification messages.
The header encodes the size of the entire message, including variable-size components and the version of the notification protocol.
This structure corresponds to the kernel type struct apparmor_notif_common described below.
struct apparmor_notif_common {
__u16 len; /* actual len data */
__u16 version; /* interface version */
}
func (*MsgHeader) UnmarshalBinary ¶
UnmarshalBinary unmarshals the header from binary form.
type MsgNotification ¶
type MsgNotification struct {
MsgHeader
// NotificationType describes the kind of notification message used.
// Currently the kernel only sends APPARMOR_NOTIF_OP messages.
// Responses to the kernel should be APPARMOR_NOTIF_RESP messages.
NotificationType NotificationType
// Signaled is unused, but previously used for interrupt information.
Signalled uint8
// Set NoCache to 1 to NOT cache.
NoCache uint8
// ID is an opaque kernel identifier of the notification message. It must be
// repeated in the MsgNotificationResponse if one is sent back.
ID uint64
// Error is the error the kernel will return to the application if the
// notification is denied. In version 3, this is ignored in responses.
Error int32
}
MsgNotification describes a kernel notification message.
This structure corresponds to the kernel type struct apparmor_notif described below.
struct apparmor_notif {
struct apparmor_notif_common base;
__u16 ntype; /* notify type */
__u8 signalled;
__u8 no_cache;
__u64 id; /* unique id, not globally unique*/
__s32 error; /* error if unchanged */
} __attribute__((packed));
func (*MsgNotification) MarshalBinary ¶
func (msg *MsgNotification) MarshalBinary() ([]byte, error)
MarshalBinary marshals the message into binary form.
func (*MsgNotification) UnmarshalBinary ¶
func (msg *MsgNotification) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals the message from binary form.
func (*MsgNotification) Validate ¶
func (msg *MsgNotification) Validate() error
Validate returns an error if the mssage contains invalid data.
type MsgNotificationFile ¶
type MsgNotificationFile struct {
MsgNotificationOp
SUID uint32
OUID uint32
// Name of the file being accessed.
// This is the path from the point of view of the process being mediated.
// In the future, this should be mapped to the point of view of snapd, but
// this is not always possible yet.
Name string
}
MsgNotificationFile describes a prompt to a specific file.
func (*MsgNotificationFile) MarshalBinary ¶
func (msg *MsgNotificationFile) MarshalBinary() ([]byte, error)
func (*MsgNotificationFile) UnmarshalBinary ¶
func (msg *MsgNotificationFile) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals the message from binary form.
type MsgNotificationFilter ¶
type MsgNotificationFilter struct {
MsgHeader
// ModeSet is a bitmask. Specifying APPARMOR_MODESET_USER allows to
// receive notification messages in userspace.
ModeSet ModeSet
// NameSpace is only used if the namespace does not match the monitoring task.
NameSpace string
// Filter is a binary state machine in a specific format.
Filter []byte
}
MsgNotificationFilter describes the configuration of kernel-side message filtering.
This structure can be marshaled and unmarshaled to binary form and transmitted to the kernel using Ioctl along with APPARMOR_NOTIF_GET_FILTER and APPARMOR_NOTIF_SET_FILTER.
func (*MsgNotificationFilter) MarshalBinary ¶
func (msg *MsgNotificationFilter) MarshalBinary() (data []byte, err error)
MarshalBinary marshals the message into binary form.
func (*MsgNotificationFilter) UnmarshalBinary ¶
func (msg *MsgNotificationFilter) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals the message from binary form.
func (*MsgNotificationFilter) Validate ¶
func (msg *MsgNotificationFilter) Validate() error
Validate returns an error if the mssage contains invalid data.
type MsgNotificationOp ¶
type MsgNotificationOp struct {
MsgNotification
// Allow describes the permissions the process, attempting to perform some
// an operation, already possessed. Use DecodeFilePermissions to decode it,
// if the mediation class is AA_CLASS_FILE.
Allow uint32
// Deny describes the permissions the process, attempting to perform some
// operation, currently lacks. Use DecodeFilePermissions to decode it, if
// the mediation class is AA_CLASS_FILE.
Deny uint32
// Pid of the process triggering the notification.
Pid uint32
// Label is the apparmor label of the process triggering the notification.
Label string
// Class of the mediation operation.
// Currently only AA_CLASS_FILE is implemented in the kernel.
Class MediationClass
// Op provides supplemental information about the operation which caused
// the notification. It may be set for notifications, but is ignored in
// responses. At the moment, just used for debugging, and can be ignored.
Op uint16
}
MsgNotificationOp describes a prompt request.
The actual information about the prompted object is not encoded here. The mediation class can be used to deduce the type message that was actually sent and decode.
func (*MsgNotificationOp) DecodeFilePermissions ¶
func (msg *MsgNotificationOp) DecodeFilePermissions() (allow, deny FilePermission, err error)
DecodeFilePermissions returns a pair of permissions describing the state of a process attempting to perform an operation.
func (*MsgNotificationOp) UnmarshalBinary ¶
func (msg *MsgNotificationOp) UnmarshalBinary(data []byte) error
UnmarshalBinary unmarshals the message from binary form.
type MsgNotificationResponse ¶
type MsgNotificationResponse struct {
MsgNotification
// In version 3, both the Error in MsgNotificationResponse and the
// embedded MsgNotification are ignored in responses.
Error int32
// Allow encodes the allowed operation mask.
Allow uint32
// Deny encodes the denied operation mask.
Deny uint32
}
MsgNotificationResponse describes a response to a MsgNotification.
This structure corresponds to the kernel type struct apparmor_notif described below.
struct apparmor_notif_resp {
struct apparmor_notif base;
__s32 error; /* error if unchanged */
__u32 allow;
__u32 deny;
} __attribute__((packed));
func ResponseForRequest ¶
func ResponseForRequest(req *MsgNotification) MsgNotificationResponse
ResponseForRequest returns a response message for a given request.
func (*MsgNotificationResponse) MarshalBinary ¶
func (msg *MsgNotificationResponse) MarshalBinary() ([]byte, error)
MarshalBinary marshals the message into binary form.
type NotificationType ¶
type NotificationType uint16
NotificationType denotes the type of response message.
const ( APPARMOR_NOTIF_RESP NotificationType = iota APPARMOR_NOTIF_CANCEL APPARMOR_NOTIF_INTERRUPT APPARMOR_NOTIF_ALIVE APPARMOR_NOTIF_OP )
func (NotificationType) IsValid ¶
func (ntype NotificationType) IsValid() bool
IsValid returns true if the notification type has a valid value.
func (NotificationType) String ¶
func (ntype NotificationType) String() string
String returns readable representation of a notification type.
Source Files
Directories