Merge parser: fix unix for all rule
By specifying 0 as the unix type, the all rule was allowing only the "none" type when it was meant to allow all types, so replace it with 0xffffffff. Also, add this testcase to the unix regression tests. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410 I propose this fix for master and apparmor-4.0 Closes #410 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1273 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
commit
5b44e33d25
18 changed files with 151 additions and 7 deletions
|
@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
|||
prefix_rule_t *rule;
|
||||
const prefixes *prefix = this;
|
||||
|
||||
rule = new unix_rule(0, audit, rule_mode);
|
||||
rule = new unix_rule(0xffffffff, audit, rule_mode);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
|
@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
|||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
|
||||
rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
|
|
|
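Review bot: The new `0xffffffff` passed as the first argument of `unix_rule` is an unexplained magic mask; a reader of add_implied_rules cannot tell that it stands for "every socket type" rather than a sentinel. Prefer a named all-types constant if the parser already defines one, otherwise annotate the literal in place: `rule = new unix_rule(0xffffffff /* all socket types */, audit, rule_mode);`. The second hunk of the same function also changes the implied `mnt_rule` from `0` to `AA_MAY_MOUNT`, which the commit description does not mention; a sentence there, or a comment on why AA_MAY_MOUNT alone is the right allow mask for the `all` rule, would keep the two fixes from being conflated later. add_implied_rules starts and ends outside both hunks.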
@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
|
|||
|
||||
genprofile_aa_exec "$test" 0
|
||||
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile --stdin <<EOF
|
||||
$test {
|
||||
all,
|
||||
}
|
||||
|
||||
:${ns}:${test} {
|
||||
all,
|
||||
}
|
||||
EOF
|
||||
runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
|
||||
fi
|
||||
|
|
|
@ -28,7 +28,14 @@ wxperm=wix
|
|||
touch $file
|
||||
chmod 777 $file # full perms so discretionary access checks succeed
|
||||
|
||||
# PASS TEST
|
||||
# PASS TEST
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
runchecktest "ACCESS allow all r (rwx)" pass $file r
|
||||
runchecktest "ACCESS allow all rx (rwx)" pass $file rx
|
||||
runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
|
||||
fi
|
||||
|
||||
genprofile $file:$rwxperm
|
||||
runchecktest "ACCESS file r (rwx)" pass $file r
|
||||
runchecktest "ACCESS file rx (rwx)" pass $file rx
|
||||
|
|
|
@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
|
|||
|
||||
# TODO: adding attach_disconnected.path to a replaced unconfined
|
||||
|
||||
# ALLOW ALL does not include attach_disconnected
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
|
||||
do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
|
||||
genprofile "all" -- image=$att_dis_client "all"
|
||||
do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
fi
|
||||
|
||||
genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
|
||||
|
||||
do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
|
||||
|
|
|
@ -45,6 +45,11 @@ run_tests()
|
|||
|
||||
# Make sure we're okay when confined with appropriate permissions
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
gendbusprofile "all,"
|
||||
runchecktest "eavesdrop (allow all)" pass $args
|
||||
fi
|
||||
|
||||
gendbusprofile "dbus,"
|
||||
runchecktest "eavesdrop (dbus allowed)" pass $args
|
||||
|
||||
|
|
|
@ -60,6 +60,12 @@ run_tests()
|
|||
|
||||
# Make sure send is allowed when confined with appropriate permissions
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
message_gendbusprofile "all,"
|
||||
runtestfg "message (allow all)" pass $confined_args
|
||||
checktestfg "compare_logs $unconfined_log eq $confined_log"
|
||||
fi
|
||||
|
||||
message_gendbusprofile "dbus,"
|
||||
runtestfg "message (dbus allowed)" pass $confined_args
|
||||
checktestfg "compare_logs $unconfined_log eq $confined_log"
|
||||
|
|
|
@ -92,6 +92,14 @@ run_tests()
|
|||
|
||||
# Make sure we're okay when confined with appropriate permissions
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
service_gendbusprofile "all,"
|
||||
service_runtestbg "service (allow all)" pass $unconfined_log
|
||||
sendmethod
|
||||
sendsignal
|
||||
service_checktestbg "compare_logs $unconfined_log eq $confined_log"
|
||||
fi
|
||||
|
||||
service_gendbusprofile "dbus,"
|
||||
service_runtestbg "service (dbus allowed)" pass $unconfined_log
|
||||
sendmethod
|
||||
|
|
|
@ -80,6 +80,14 @@ run_tests()
|
|||
sendmethodreturn
|
||||
ur_checktestbg
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
# All perms are granted so the logs should be equal
|
||||
ur_gendbusprofile "all,"
|
||||
ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
|
||||
sendmethodreturn
|
||||
ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
|
||||
fi
|
||||
|
||||
# All dbus perms are granted so the logs should be equal
|
||||
ur_gendbusprofile "dbus,"
|
||||
ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
|
||||
|
|
|
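Review bot: The new `all,` test at `ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log` reuses the description of the `dbus,` test that follows it, so a failure report cannot say which profile broke. Change the new line to `ur_runtestbg "unrequested_reply (method_return, allow all)" pass $confined_log` so the two cases are distinguishable in the output, matching the "(allow all)" wording the other files in this commit use. The enclosing run_tests function starts outside the hunk.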
@ -55,6 +55,11 @@ do_tests "no perms" fail fail
|
|||
genprofile $required_perms "qual=deny:io_uring"
|
||||
do_tests "deny perms" fail fail
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
do_tests "allow all" pass pass
|
||||
fi
|
||||
|
||||
genprofile $required_perms "io_uring"
|
||||
do_tests "generic perms" pass pass
|
||||
|
||||
|
|
|
@ -424,6 +424,34 @@ fsmount_tests() {
|
|||
fsmount_test " fsmount deny att_dis" "qual=deny:" "flag:attach_disconnected" ${should_fail}
|
||||
}
|
||||
|
||||
all_rule() {
|
||||
if [ "$(parser_supports 'all,')" != "true" ]; then
|
||||
echo " not supported by parser - skipping allow all,"
|
||||
return
|
||||
fi
|
||||
|
||||
settest mount
|
||||
genprofile "all"
|
||||
|
||||
runchecktest "MOUNT (confined allow all)" pass mount ${loop_device} ${mount_point}
|
||||
|
||||
runchecktest "UMOUNT (confined allow all)" pass umount ${loop_device} ${mount_point}
|
||||
|
||||
runchecktest "MOUNT (confined allow all remount setup)" pass mount ${loop_device} ${mount_point}
|
||||
runchecktest "MOUNT (confined allow all remount)" pass mount ${loop_device} ${mount_point} -o remount
|
||||
remove_mnt
|
||||
|
||||
settest move_mount
|
||||
genprofile "all"
|
||||
|
||||
runchecktest "MOVE_MOUNT (confined fsmount: allow all)" pass fsmount ${loop_device} ${mount_point} ${fstype}
|
||||
remove_mnt
|
||||
|
||||
mount ${loop_device} ${mnt_source}
|
||||
runchecktest "MOVE_MOUNT (confined open_tree: allow all)" pass open_tree ${mount_point2} ${mount_point} ${fstype}
|
||||
remove_mnt
|
||||
}
|
||||
|
||||
# TEST 1. Make sure can mount and umount unconfined
|
||||
runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
|
||||
remove_mnt
|
||||
|
@ -569,6 +597,8 @@ else
|
|||
fsmount_tests tmpfs ${mount_point} tmpfs
|
||||
fsmount_tests ${loop_device} ${mount_point} ${fstype}
|
||||
open_tree_tests ${mount_point2} ${mount_point} ${fstype}
|
||||
|
||||
all_rule
|
||||
fi
|
||||
|
||||
#need tests for chroot
|
||||
|
|
|
@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
|
|||
do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
|
||||
|
||||
setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
|
||||
rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
|
||||
snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
|
||||
rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
|
||||
snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
|
||||
|
||||
generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
|
||||
do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
|
||||
|
@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
|
|||
do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
|
||||
|
||||
setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
|
||||
rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
|
||||
snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
|
||||
rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
|
||||
snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
|
||||
|
||||
generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
|
||||
do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
|
||||
|
||||
generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
|
||||
do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
|
||||
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
generate_profile="genprofile all -- image=$sender all"
|
||||
do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
|
||||
|
||||
generate_profile="genprofile all -- image=$sender all"
|
||||
do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
|
||||
|
||||
generate_profile="genprofile all -- image=$sender all"
|
||||
do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
|
||||
|
||||
generate_profile="genprofile all -- image=$sender all"
|
||||
do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
|
||||
fi
|
||||
|
|
|
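Review bot: `generate_profile="genprofile all -- image=$sender all"` is assigned four times with the same value inside the new `parser_supports 'all,'` block, once before each do_tests call; assigning it once at the top of the block and dropping the three repeats would match how the surrounding tests set `generate_profile` once per variant. The earlier hunk in this file also changes `peer=(ip=anon)` to `peer=(ip=none)` in the rcv_rules/snd_rules assignments, which the commit description does not mention; whether that is a keyword rename or a change in what the test asserts is not visible from the diff, so a sentence in the description or a short comment on those lines would help the next reader. The `if` block itself is complete within the hunk.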
@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
|
|||
genprofile cap:net_raw network:
|
||||
runchecktest "RAW SOCKET (cap net_raw)" pass
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
runchecktest "RAW SOCKET (allow all)" pass
|
||||
fi
|
||||
|
|
|
@ -120,6 +120,11 @@ if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "t
|
|||
exit
|
||||
fi
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
do_test "allow all rule" pass "$put_old" "$new_root" "$test"
|
||||
fi
|
||||
|
||||
# Ensure failure when no pivot_root perms are granted
|
||||
genprofile $cur $cap
|
||||
do_test "cap only" fail "$put_old" "$new_root" "$test"
|
||||
|
|
|
@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
|
|||
genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
|
||||
do_tests "confined $username - deny perms" fail fail fail fail $usercmd
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all" -- image=$sender "all"
|
||||
do_tests "confined $username - allow all" pass pass pass pass $usercmd
|
||||
fi
|
||||
|
||||
# generic mqueue
|
||||
# 2 Potential failures caused by missing other x permission in path
|
||||
|
|
|
@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
|
|||
runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
|
||||
runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile "all"
|
||||
runchecktest "test allow all" pass -n 100 ${bin_true}
|
||||
runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
|
||||
runchecktest "test allow all -h" pass -h -n 100 $helper
|
||||
runchecktest "test allow all -hc" pass -h -c -n 100 $helper
|
||||
runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
|
||||
runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
|
||||
fi
|
||||
|
||||
#ptraced confined app traced by profile can px
|
||||
genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
|
||||
|
|
|
@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
|
|||
genprofile
|
||||
runchecktest "TCP (accept, connect) no network rules" fail $port
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
# PASS TEST - allow all
|
||||
genprofile "all"
|
||||
runchecktest "TCP (allow all)" pass $port
|
||||
fi
|
||||
|
||||
# PASS TEST - allow tcp
|
||||
genprofile network:tcp
|
||||
runchecktest "TCP (accept, connect) allow tcp" pass $port
|
||||
|
|
|
@ -71,6 +71,11 @@ do_test()
|
|||
|
||||
desc+=" confined $test_prog"
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
$genprof "all"
|
||||
runchecktest "$desc (allow all)" pass $args
|
||||
fi
|
||||
|
||||
$genprof "unix:ALL"
|
||||
runchecktest "$desc (implicit perms)" pass $args
|
||||
|
||||
|
|
|
@ -101,6 +101,11 @@ fi
|
|||
# confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
|
||||
run_confined_tests()
|
||||
{
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
generate_profile="genprofile all"
|
||||
do_test "confined allow all $1" pass pass pass pass "$generate_profile"
|
||||
fi
|
||||
|
||||
generate_profile="genprofile userns"
|
||||
do_test "confined all perms $1" pass pass fail fail "$generate_profile"
|
||||
|
||||
|
|