mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: add support for exposing a debug flag to policy

Browse source 
Allowing access to a debug flag can greatly improve policy debugging.
This is different than the debug mode of old, that was removed. It only
will trigger additional messages to the kernel ring buffer, not
the audit log, and it does not change mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-06-30 10:48:22 -07:00
parent 271f0e2366
commit 367babf9cb
11 changed files with 26 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
parser/apparmor.d.pod
View file

@ -113,7 +113,7 @@ B<XATTR VALUE FILEGLOB> = I<FILEGLOB>
B<PROFILE FLAG CONDS> = [ 'flags=' ] '(' comma or white space separated list of I<PROFILE FLAGS> ')'
B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'
B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug'
B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined'
@ -489,6 +489,12 @@ allowed. Its intent is a debug and policy development tool.
=item B<chroot_relative> This forces file names to be relative to a
chroot and behave as if the chroot is a mount namespace.
=item B<debug> This flag allows turning on kernel debug messages on
a per profile basis. It works in conjunction with other kernel debug
flags to control what messages will be output. Its effect is kernel
dependent, and it should never appear in policy except when trying
to debug kernel or policy problems.
=back
=head2 Access Modes

5
parser/parser_yacc.y
View file

@ -631,8 +631,9 @@ flagval: TOK_VALUE
enum profile_mode mode;
if (strcmp($1, "debug") == 0) {
yyerror(_("Profile flag 'debug' is no longer valid."));
} if ((mode = str_to_mode($1))) {
/* DEBUG2 is left for internal compiler use atm */
fv.flags |= FLAG_DEBUG1;
} else if ((mode = str_to_mode($1))) {
fv.mode = mode;
} else if (strcmp($1, "audit") == 0) {
fv.audit = 1;

4
parser/tst/simple_tests/profile/flags/flags_bad18.sd → parser/tst/simple_tests/profile/flags/flags_ok19.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is supported
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad19.sd → parser/tst/simple_tests/profile/flags/flags_ok20.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is accepted
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad5.sd → parser/tst/simple_tests/profile/flags/flags_ok21.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is accepted
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad_debug_1.sd → parser/tst/simple_tests/profile/flags/flags_ok22.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is accepted
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad_debug_2.sd → parser/tst/simple_tests/profile/flags/flags_ok23.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is accepted
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad_debug_3.sd → parser/tst/simple_tests/profile/flags/flags_ok24.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION check debug flag is accepted
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad20.sd → parser/tst/simple_tests/profile/flags/flags_ok25.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted (even if it's inside a hat)
#=EXRESULT FAIL
#=DESCRIPTION Ensure debug flag is accepted (even if it's inside a hat)
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

4
parser/tst/simple_tests/profile/flags/flags_bad_debug_4.sd → parser/tst/simple_tests/profile/flags/flags_ok26.sd
View file

@ -1,6 +1,6 @@
#
#=DESCRIPTION Ensure debug flag is no longer accepted
#=EXRESULT FAIL
#=DESCRIPTION Ensure debug flag is accepted in hat
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#

2
utils/test/test-parser-simple-tests.py
View file

@ -126,7 +126,6 @@ exception_not_raised = (
'profile/flags/flags_bad15.sd',
'profile/flags/flags_bad18.sd',
'profile/flags/flags_bad19.sd',
'profile/flags/flags_bad20.sd',
'profile/flags/flags_bad2.sd',
'profile/flags/flags_bad3.sd',
'profile/flags/flags_bad4.sd',
@ -137,7 +136,6 @@ exception_not_raised = (
'profile/flags/flags_bad_debug_1.sd',
'profile/flags/flags_bad_debug_2.sd',
'profile/flags/flags_bad_debug_3.sd',
'profile/flags/flags_bad_debug_4.sd',
# detection of conflicting flags not supported
'profile/flags/flags_bad30.sd',
'profile/flags/flags_bad31.sd',