NAME
aa_policy_cache - an opaque object representing an AppArmor policy cache
aa_policy_cache_new - create a new aa_policy_cache object from a path
aa_policy_cache_ref - increments the ref count of an aa_policy_cache object
aa_policy_cache_unref - decrements the ref count and frees the aa_policy_cache object when 0
aa_policy_cache_remove - removes all policy cache files under a path
aa_policy_cache_replace_all - performs a kernel policy replacement of all cached policies
SYNOPSIS
#include <sys/apparmor.h>

typedef struct aa_policy_cache aa_policy_cache;

int aa_policy_cache_new(aa_policy_cache **policy_cache, aa_features *kernel_features, int dirfd, const char *path, uint16_t max_caches);

aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);

void aa_policy_cache_unref(aa_policy_cache *policy_cache);

int aa_policy_cache_remove(int dirfd, const char *path);

int aa_policy_cache_replace_all(aa_policy_cache *policy_cache, aa_kernel_interface *kernel_interface);

Link with -lapparmor when compiling.
DESCRIPTION
The aa_policy_cache object contains information about a set of AppArmor policy cache files. The policy cache files are the binary representation of a human-readable AppArmor profile. The binary representation is the form that is loaded into the kernel.

The aa_policy_cache_new() function creates an aa_policy_cache object based upon a directory file descriptor and path. The path must point to a directory. See the openat(2) man page for examples of dirfd and path. If kernel_features is NULL, then the features of the current kernel are used. When specifying a valid kernel_features object, it must be compatible with the features of the kernel of interest. The value of max_caches should be equal to the number of caches that should be allowed before old caches are automatically reaped. The definition of what is considered to be an old cache is private to libapparmor. Specifying 0 means that no new caches should be created and only existing, valid caches may be used. Specifying UINT16_MAX means that a new cache may be created and that the reaping of old caches is disabled. The allocated aa_policy_cache object must be freed using aa_policy_cache_unref().

aa_policy_cache_ref() increments the reference count on the policy_cache object.

aa_policy_cache_unref() decrements the reference count on the policy_cache object and releases all corresponding resources when the reference count reaches zero.

The aa_policy_cache_remove() function deletes all of the policy cache files based upon a directory file descriptor and path. The path must point to a directory. See the openat(2) man page for examples of dirfd and path.

The aa_policy_cache_replace_all() function can be used to perform a policy replacement of all of the cached policies in the cache directory represented by the policy_cache object. If kernel_interface is NULL, then the current kernel interface is used. When specifying a valid kernel_interface object, it must be the interface of the currently running kernel.
RETURN VALUE
The aa_policy_cache_new() function returns 0 on success and *policy_cache will point to an aa_policy_cache object that must be freed by aa_policy_cache_unref(). -1 is returned on error, with errno set appropriately, and *policy_cache will be set to NULL.

aa_policy_cache_ref() returns the value of policy_cache.

aa_policy_cache_remove() and aa_policy_cache_replace_all() return 0 on success. -1 is returned on error, with errno set appropriately.
ERRORS
The errno value will be set according to the underlying error in the aa_policy_cache family of functions that return -1 on error.
NOTES
All aa_policy_cache functions described above are present in libapparmor version 2.10 and newer.
BUGS
None known. If you find any, please report them at <https://bugs.launchpad.net/apparmor/+filebug>.
SEE ALSO
aa_features(3), aa_kernel_interface(3), openat(2) and <http://wiki.apparmor.net>.