
Paste from matteo at Wed, 15 Jun 2016 15:40:46 +0000

--- src/Makefile	2016-03-22 12:17:03 +0000
+++ src/Makefile	2016-06-14 18:04:25 +0000
@@ -1,13 +1,13 @@
 
 CFLAGS= -D_GNU_SOURCE -O2 -Wall -Werror $(shell dpkg-buildflags --get CFLAGS)
 LD_FLAGS = $(shell dpkg-buildflags --get LDFLAGS)
-LIBS = -lapparmor -lseccomp -ludev
+#LIBS = -lapparmor -lseccomp -ludev
 TMPDIR = ./tmp
 FMT = indent -linux
 
 BIN = ubuntu-core-launcher
 HDRS = $(wildcard *.h)
-SRCS = $(wildcard *.c)
+SRCS = main.c utils.c
 OBJS = $(SRCS:.c=.o)
 
 ubuntu-core-launcher: $(OBJS)
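Review bot: Commenting out `LIBS` and hard-coding `SRCS = main.c utils.c` makes the unconfined build the only one this Makefile can produce — nothing visible defines `STRICT_CONFINEMENT`, and a `CFLAGS=-DSTRICT_CONFINEMENT` build would now fail to link against apparmor/seccomp/udev and would presumably miss the other `*.c` units the wildcard used to pick up. Rather than leaving dead `#LIBS` text, gate both settings on one variable so the confined build stays reproducible and the no-confinement variant is an explicit opt-out. The rule body of `ubuntu-core-launcher` continues outside the hunk.
```make
STRICT_CONFINEMENT ?= 1
ifeq ($(STRICT_CONFINEMENT),1)
CFLAGS += -DSTRICT_CONFINEMENT
LIBS = -lapparmor -lseccomp -ludev
SRCS = $(wildcard *.c)
else
LIBS =
SRCS = main.c utils.c
endif
# … unchanged: BIN, HDRS, OBJS, link rule …
```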

--- src/main.c	2016-04-29 16:58:48 +0000
+++ src/main.c	2016-06-14 18:04:10 +0000
@@ -24,7 +24,9 @@
 #include <limits.h>
 #include <linux/sched.h>
 #include <sys/mount.h>
+#ifdef STRICT_CONFINEMENT
 #include <sys/apparmor.h>
+#endif
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
@@ -39,10 +41,12 @@
 
 #include <ctype.h>
 
+#include "utils.h"
+
+#ifdef STRICT_CONFINEMENT
 #include "libudev.h"
-
-#include "utils.h"
 #include "seccomp.h"
+#endif
 
 #define MAX_BUF 1000
 
@@ -72,6 +76,7 @@
 	return (status == 0);
 }
 
+#ifdef STRICT_CONFINEMENT
 void run_snappy_app_dev_add(struct snappy_udev *udev_s, const char *path)
 {
 	if (udev_s == NULL)
@@ -249,6 +254,7 @@
 		udev_s->assigned = udev_list_entry_get_next(udev_s->assigned);
 	}
 }
+#endif
 
 bool is_running_on_classic_ubuntu()
 {
@@ -483,7 +489,9 @@
 		die("Usage: %s <appname> <apparmor> <binary>", argv[0]);
 
 	const char *appname = argv[1];
+#ifdef STRICT_CONFINEMENT
 	const char *aa_profile = argv[2];
+#endif
 	const char *binary = argv[3];
 	uid_t real_uid = getuid();
 	gid_t real_gid = getgid();
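Review bot: The usage check on the preceding context line still requires the `<apparmor>` argument, but in a non-STRICT_CONFINEMENT build `argv[2]` is now silently accepted and never read, so a caller cannot tell from the interface that the profile it passed is ignored. Document that at the `#ifdef`, e.g. `/* argv[2] (apparmor profile) is required by the usage check but unused when built without STRICT_CONFINEMENT */`, or reject a non-empty profile in the unconfined build so the mismatch is loud. The enclosing function starts and ends outside this hunk.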
@@ -516,6 +524,7 @@
 		if (is_running_on_classic_ubuntu()) {
 			setup_snappy_os_mounts();
 		}
+#ifdef STRICT_CONFINEMENT
 		// set up private mounts
 		setup_private_mount(appname);
 
@@ -527,6 +536,7 @@
 		if (snappy_udev_init(appname, &udev_s) == 0)
 			setup_devices_cgroup(appname, &udev_s);
 		snappy_udev_cleanup(&udev_s);
+#endif
 
 		// the rest does not so temporarily drop privs back to calling
 		// user (we'll permanently drop after loading seccomp)
@@ -545,6 +555,7 @@
 
 	// https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
 
+#ifdef STRICT_CONFINEMENT
 	int rc = 0;
 	// set apparmor rules
 	rc = aa_change_onexec(aa_profile);
@@ -554,6 +565,7 @@
 	}
 	// set seccomp (note: seccomp_load_filters die()s on all failures)
 	seccomp_load_filters(aa_profile);
+#endif
 
 	// Permanently drop if not root
 	if (geteuid() == 0) {
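Review bot: With `STRICT_CONFINEMENT` undefined the launcher skips `aa_change_onexec` and `seccomp_load_filters` and goes straight to the privilege drop and exec, so the target binary runs with no AppArmor profile and no seccomp filter while the caller has every reason to believe it asked for confinement. That silent downgrade should at least be visible at runtime: add an `#else` branch such as `fprintf(stderr, "WARNING: built without STRICT_CONFINEMENT, running %s unconfined\n", binary);` (assuming stdio is already included for the existing diagnostics), or refuse to run unless an explicit opt-in is present. The wiki link comment above the `#ifdef` now sits on a block that may be compiled out entirely, which is worth a one-line note too. The enclosing function continues outside this hunk.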