plucky (3) aa_kernel_interface.3.gz

Provided by: libapparmor-dev_4.1.0~beta5-0ubuntu5_amd64 bug

NAME

       aa_kernel_interface - an opaque object representing the AppArmor kernel interface for policy loading,
       replacing, and removing

       aa_kernel_interface_new - create a new aa_kernel_interface object from an optional path

       aa_kernel_interface_ref - increments the ref count of an aa_kernel_interface object

       aa_kernel_interface_unref - decrements the ref count and frees the aa_kernel_interface object when 0

       aa_kernel_interface_load_policy - load a policy from a buffer into the kernel

       aa_kernel_interface_load_policy_from_file - load a policy from a file into the kernel

       aa_kernel_interface_load_policy_from_fd - load a policy from a file descriptor into the kernel

       aa_kernel_interface_replace_policy - replace a policy in the kernel with a policy from a buffer

       aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel with a policy from a file

       aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel with a policy from a file
       descriptor

       aa_kernel_interface_remove_policy - remove a policy from the kernel

       aa_kernel_interface_write_policy - write a policy to a file descriptor

SYNOPSIS

       #include <sys/apparmor.h>

       typedef struct aa_kernel_interface aa_kernel_interface;

       int aa_kernel_interface_new(aa_kernel_interface **kernel_interface, aa_features *kernel_features, const
       char *apparmorfs);

       aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);

       void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);

       int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface, const char *buffer, size_t
       size);

       int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface, int dirfd, const
       char *path);

       int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface, int fd);

       int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface, const char *buffer, size_t
       size);

       int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface, int dirfd, const
       char *path);

       int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface, int fd);

       int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface, const char *fqname);

       int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);

       Link with -lapparmor when compiling.

DESCRIPTION

       The aa_kernel_interface object contains information about the AppArmor kernel interface for policy
       loading, replacing, and removing.

       The aa_kernel_interface_new() function creates an aa_kernel_interface object based on an optional
       aa_features object and an optional path to the apparmor directory of securityfs, which is typically found
       at "/sys/kernel/security/apparmor/". If kernel_features is NULL, then the features of the current kernel
       are used. When specifying a valid kernel_features object, it must be compatible with the features of the
       currently running kernel. If apparmorfs is NULL, then the default location is used. The allocated
       kernel_interface object must be freed using aa_kernel_interface_unref().

       aa_kernel_interface_ref() increments the reference count on the kernel_interface object.

       aa_kernel_interface_unref() decrements the reference count on the kernel_interface object and releases
       all corresponding resources when the reference count reaches zero.

       The aa_kernel_interface_load() family of functions load a policy into the kernel. The operation will fail
       if a policy of the same name is already loaded.  Use the aa_kernel_interface_replace() family of
       functions if you wish to replace a previously loaded policy with a new policy of the same name. The
       aa_kernel_interface_replace() functions can also be used to load a policy that does not correspond to a
       previously loaded policy.

       When loading or replacing from a buffer, the buffer will contain binary data. The size argument must
       specify the size of the buffer argument.

       When loading or replacing from a file, the dirfd and path combination are used to specify the location of
       the file. See the openat(2) man page for examples of dirfd and path.

       It is also possible to load or replace from a file descriptor specified by the fd argument. The file must
       be open for reading and the file offset must be set appropriately.

       The aa_kernel_interface_remove_policy() function can be used to unload a previously loaded policy. The
       fully qualified policy name must be specified with the fqname argument. The operation will fail if a
       policy matching fqname is not found.

       The aa_kernel_interface_write_policy() function allows for a policy, which is stored in buffer and
       consists of size bytes, to be written to a file descriptor. The fd must be open for writing and the file
       offset must be set appropriately.

RETURN VALUE

       The aa_kernel_interface_new() function returns 0 on success and *kernel_interface will point to an
       aa_kernel_interface object that must be freed by aa_kernel_interface_unref(). -1 is returned on error,
       with errno set appropriately, and *kernel_interface will be set to NULL.

       aa_kernel_interface_ref() returns the value of kernel_interface.

       The aa_kernel_interface_load() family of functions, the aa_kernel_interface_replace() family of
       functions, aa_kernel_interface_remove(), and aa_kernel_interface_write_policy() return 0 on success. -1
       is returned on error, with errno set appropriately.

ERRORS

       The errno value will be set according to the underlying error in the aa_kernel_interface family of
       functions that return -1 on error.

NOTES

       All aa_kernel_interface functions described above are present in libapparmor version 2.10 and newer.

       aa_kernel_interface_unref() saves the value of errno when called and restores errno before exiting in
       libapparmor version 2.12 and newer.

BUGS

       None known. If you find any, please report them at <https://gitlab.com/apparmor/apparmor/-/issues>.

SEE ALSO

       aa_features(3), openat(2) and <https://wiki.apparmor.net>.