mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: ignore feature abi rules

Browse source 
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features.  This is especially
true for out of tree policy being shipped in other packages.

Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.

If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen 2018-09-19 01:15:49 -07:00
parent 4153663c42
commit 83df7c4747
33 changed files with 298 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
parser/parser_lex.l
View file

@ -239,6 +239,8 @@ EQUALS =
ADD_ASSIGN \+=
ARROW ->
LT_EQUAL <=
LT <
GT >
/* IF adding new state please update state_names table at eof */
%x SUB_ID
@ -261,6 +263,7 @@ LT_EQUAL <=
%x CHANGE_PROFILE_MODE
%x INCLUDE
%x INCLUDE_EXISTS
%x ABI_MODE
%%
@ -277,15 +280,20 @@ LT_EQUAL <=
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
}
<INCLUDE,INCLUDE_EXISTS>{
<INCLUDE,INCLUDE_EXISTS,ABI_MODE>{
(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS}) { /* <filename> | <"filename"> | "filename" | filename */
int lt = *yytext == '<' ? 1 : 0;
autofree char *filename = processid(yytext + lt, yyleng - lt*2);
char *filename = processid(yytext + lt, yyleng - lt*2);
bool exists = YYSTATE == INCLUDE_EXISTS;
if (!filename)
yyerror(_("Failed to process filename\n"));
if (YYSTATE == ABI_MODE) {
yylval.id = filename;
POP_AND_RETURN(TOK_ID);
}
include_filename(filename, lt, exists);
free(filename);
POP_NODUMP();
}
}
@ -641,6 +649,9 @@ include/{WS} {
case TOK_UNIX:
state = UNIX_MODE;
break;
case TOK_ABI:
state = ABI_MODE;
break;
default: /* nothing */
break;
}
@ -694,4 +705,5 @@ unordered_map<int, string> state_names = {
STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
STATE_TABLE_ENT(INCLUDE),
STATE_TABLE_ENT(INCLUDE_EXISTS),
STATE_TABLE_ENT(ABI_MODE),
};

1
parser/parser_misc.c
View file

@ -111,6 +111,7 @@ static struct keyword_table keyword_table[] = {
{"trace", TOK_TRACE},
{"tracedby", TOK_TRACEDBY},
{"readby", TOK_READBY},
{"abi", TOK_ABI},
/* terminate */
{NULL, 0}

10
parser/parser_yacc.y
View file

@ -152,6 +152,7 @@ void add_local_entry(Profile *prof);
%token TOK_TRACE
%token TOK_TRACEDBY
%token TOK_READBY
%token TOK_ABI
/* rlimits */
%token TOK_RLIMIT
@ -400,6 +401,7 @@ hat: hat_start profile_base
preamble: { /* nothing */ }
| preamble alias { /* nothing */ };
| preamble varassign { /* nothing */ };
| preamble abi_rule { /* nothing */ };
alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
{
@ -615,6 +617,8 @@ rules: { /* nothing */
$$ = prof;
};
rules: rules abi_rule { /* nothing */ }
rules: rules opt_prefix rule
{
PDEBUG("matched: rules rule\n");
@ -1065,6 +1069,12 @@ opt_named_transition: { /* nothing */ $$ = NULL; }
rule: file_rule { $$ = $1; }
| link_rule { $$ = $1; }
abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE
{
pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname);
free($2);
};
opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
| TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
| TOK_SAFE { $$ = EXEC_MODE_SAFE; };

9
parser/tst/simple_tests/abi/bad_1.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path in quotes
#=EXRESULT FAIL
#=TODO
abi "abi/4.19,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_10.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT FAIL
#
abi < "abi/4.19">,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_11.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT FAIL
#
abi <"abi/4.19" >,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_12.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT FAIL
#
abi < "abi/4.19" >,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_2.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path in quotes with spaces
#=EXRESULT FAIL
#
abi abi/4.19",
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_3.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi abs path in quotes
#=EXRESULT FAIL
#
abi "/abi/4.19"
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_4.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi abs path in quotes with space
#=EXRESULT FAIL
#
abi "/abi/4.19 ubuntu,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_5.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path no quotes missing ,
#=EXRESULT FAIL
#
abi abi/4.19
/does/not/exist {
}

9
parser/tst/simple_tests/abi/bad_6.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path
#=EXRESULT FAIL
#=TODO
abi <abi/4.19,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_1.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path in quotes
#=EXRESULT PASS
#
abi "abi/4.19",
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_10.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#=TODO
abi < "abi/4.19">,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_11.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#=DISABLED
abi <"abi/4.19" >,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_12.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#=TODO
abi < "abi/4.19" >,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_13.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path quotes in <> with spaces
#=EXRESULT PASS
#
abi <"abi/4.19 ubuntu">,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_14.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path with space between path and ,
#=EXRESULT PASS
#
abi <abi/4.19> ,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_15.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path with space between path and ,
#=EXRESULT PASS
#
abi "abi/4.19" ,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_16.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path with space between path and ,
#=EXRESULT PASS
#
abi abi/4.19 ,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_17.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path no space between and and path
#=EXRESULT PASS
#
abi<abi/4.19>,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_18.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path no space between and and path
#=EXRESULT PASS
#
abi"abi/4.19",
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_2.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path in quotes with spaces
#=EXRESULT PASS
#
abi "abi/4.19 ubuntu",
/does/not/exist {
}

10
parser/tst/simple_tests/abi/ok_20.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION abi testing - abi path in profile
#=EXRESULT PASS
#
/does/not/exist {
abi <abi/4.19>,
}

10
parser/tst/simple_tests/abi/ok_21.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION abi testing - abi path in profile
#=EXRESULT PASS
#
/does/not/exist {
abi "abi/4.19",
}

10
parser/tst/simple_tests/abi/ok_22.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION abi testing - abi path in profile
#=EXRESULT PASS
#
/does/not/exist {
abi abi/4.19,
}

9
parser/tst/simple_tests/abi/ok_3.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi abs path in quotes
#=EXRESULT PASS
#
abi "/abi/4.19",
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_4.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi abs path in quotes with space
#=EXRESULT PASS
#
abi "/abi/4.19 ubuntu",
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_5.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi relative path no quotes
#=EXRESULT PASS
#
abi abi/4.19,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_6.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path
#=EXRESULT PASS
#
abi <abi/4.19>,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_7.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path spaces
#=EXRESULT PASS
#
abi < abi/4.19>,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_8.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path spaces
#=EXRESULT PASS
#
abi <abi/4.19 >,
/does/not/exist {
}

9
parser/tst/simple_tests/abi/ok_9.sd Normal file
View file

@ -0,0 +1,9 @@
#
#=DESCRIPTION abi testing - abi path spaces
#=EXRESULT PASS
#
abi < abi/4.19 >,
/does/not/exist {
}