mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: add kill.signal=XXX flag support

Browse source 
Add a flag that allows setting the signal used to kill the process.
This should not be normally used but can be very useful when
debugging applications, interaction with apparmor.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-08-21 11:51:42 -07:00
parent 57985480ca
commit a9494f5523
24 changed files with 187 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
parser/apparmor.d.pod
View file

@ -115,7 +115,7 @@ B<PROFILE FLAG CONDS> = [ 'flags=' ] '(' comma or white space separated list of
B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted'
| 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative' | 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative'
| 'debug' | 'interruptible' | 'debug' | 'interruptible' | 'kill.signal='I<SIGNAL>
B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt' B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
@ -508,6 +508,9 @@ to debug kernel or policy problems.
=item B<interruptible> Enables interrupts for prompt upcall to userspace. =item B<interruptible> Enables interrupts for prompt upcall to userspace.
=item B<kill.signal>=I<SIGNALS> This changes the signal that will be
sent by AppArmor when in kill mode or a kill rule has been violated.
=back =back
=head2 Access Modes =head2 Access Modes

1
parser/parser.h
View file

@ -354,6 +354,7 @@ extern int features_supports_posix_mqueue;
extern int features_supports_sysv_mqueue; extern int features_supports_sysv_mqueue;
extern int features_supports_io_uring; extern int features_supports_io_uring;
extern int features_supports_flag_interruptible; extern int features_supports_flag_interruptible;
extern int features_supports_flag_signal;
extern int kernel_supports_oob; extern int kernel_supports_oob;
extern int conf_verbose; extern int conf_verbose;
extern int conf_quiet; extern int conf_quiet;

1
parser/parser_common.c
View file

@ -83,6 +83,7 @@ int features_supports_posix_mqueue = 0; /* kernel supports mqueue rules */
int features_supports_sysv_mqueue = 0; /* kernel supports mqueue rules */ int features_supports_sysv_mqueue = 0; /* kernel supports mqueue rules */
int features_supports_io_uring = 0; /* kernel supports io_uring rules */ int features_supports_io_uring = 0; /* kernel supports io_uring rules */
int features_supports_flag_interruptible = 0; int features_supports_flag_interruptible = 0;
int features_supports_flag_signal = 0;
int kernel_supports_oob = 0; /* out of band transitions */ int kernel_supports_oob = 0; /* out of band transitions */
int conf_verbose = 0; int conf_verbose = 0;
int conf_quiet = 0; int conf_quiet = 0;

4
parser/parser_interface.c
View file

@ -426,6 +426,10 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
"disconnected"); "disconnected");
} }
if (profile->flags.signal && features_supports_flag_signal) {
sd_write_name(buf, "kill");
sd_write_uint32(buf, profile->flags.signal);
}
sd_write_struct(buf, "flags"); sd_write_struct(buf, "flags");
/* used to be flags.debug, but that's no longer supported */ /* used to be flags.debug, but that's no longer supported */
sd_write_uint32(buf, profile->flags.flags); sd_write_uint32(buf, profile->flags.flags);

3
parser/parser_main.c
View file

@ -954,6 +954,9 @@ void set_supported_features()
features_supports_flag_interruptible = features_intersect(kernel_features, features_supports_flag_interruptible = features_intersect(kernel_features,
policy_features, policy_features,
"policy/profile/interruptible"); "policy/profile/interruptible");
features_supports_flag_signal = features_intersect(kernel_features,
policy_features,
"policy/profile/kill.signal");
} }
static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path) static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path)

5
parser/profile.cc
View file

@ -355,6 +355,11 @@ void Profile::post_parse_profile(void)
flags.flags &= ~FLAG_INTERRUPTIBLE; flags.flags &= ~FLAG_INTERRUPTIBLE;
} }
} }
if (flags.signal) {
if (!features_supports_flag_signal) {
warn_once(name, "kill.signal not supported. Ignoring");
}
}
post_process_file_entries(this); post_process_file_entries(this);
post_process_rule_entries(this); post_process_rule_entries(this);
} }

20
parser/profile.h
View file

@ -23,6 +23,7 @@
#include "rule.h" #include "rule.h"
#include "libapparmor_re/aare_rules.h" #include "libapparmor_re/aare_rules.h"
#include "network.h" #include "network.h"
#include "signal.h"
class Profile; class Profile;
@ -124,6 +125,7 @@ public:
int audit; int audit;
int path; int path;
char *disconnected_path; char *disconnected_path;
int signal;
// stupid not constructor constructors // stupid not constructor constructors
void init(void) void init(void)
@ -133,6 +135,7 @@ public:
audit = 0; audit = 0;
path = 0; path = 0;
disconnected_path = NULL; disconnected_path = NULL;
signal = 0;
} }
void init(const char *str) void init(const char *str)
{ {
@ -166,6 +169,11 @@ public:
/* TODO: make this a proper parse */ /* TODO: make this a proper parse */
path |= PATH_ATTACH; path |= PATH_ATTACH;
disconnected_path = strdup(str + 25); disconnected_path = strdup(str + 25);
} else if (strncmp(str, "kill.signal=", 12) == 0) {
/* TODO: make this a proper parse */
signal = find_signal_mapping(str + 12);
if (signal == -1)
yyerror("unknown signal specified for kill.signal=\'%s\'\n", str + 12);
} else if (strcmp(str, "interruptible") == 0) { } else if (strcmp(str, "interruptible") == 0) {
flags |= FLAG_INTERRUPTIBLE; flags |= FLAG_INTERRUPTIBLE;
} else { } else {
@ -185,6 +193,8 @@ public:
if (disconnected_path) if (disconnected_path)
os << ", attach_disconnected.path=" << disconnected_path; os << ", attach_disconnected.path=" << disconnected_path;
if (signal)
os << ", kill.signal=" << signal;
os << "\n"; os << "\n";
return os; return os;
@ -235,6 +245,16 @@ public:
disconnected_path = rhs.disconnected_path; disconnected_path = rhs.disconnected_path;
} }
} }
if (rhs.signal) {
if (signal) {
if (signal != rhs.signal) {
yyerror(_("Profile flag kill.signal set to conflicting values: '%d' and '%d'"), signal, rhs.signal);
}
// same so do nothing
} else {
signal = rhs.signal;
}
}
/* if we move to dupping disconnected_path will need to have /* if we move to dupping disconnected_path will need to have
* an assignment and copy constructor and a destructor * an assignment and copy constructor and a destructor

2
parser/signal.cc
View file

@ -121,7 +121,7 @@ int parse_signal_perms(const char *str_perms, perms_t *perms, int fail)
return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail); return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail);
} }
static int find_signal_mapping(const char *sig) int find_signal_mapping(const char *sig)
{ {
if (strncmp("rtmin+", sig, 6) == 0) { if (strncmp("rtmin+", sig, 6) == 0) {
char *end; char *end;

1
parser/signal.h
View file

@ -31,6 +31,7 @@
typedef set<int> Signals; typedef set<int> Signals;
int find_signal_mapping(const char *sig);
int parse_signal_perms(const char *str_perms, perms_t *perms, int fail); int parse_signal_perms(const char *str_perms, perms_t *perms, int fail);
class signal_rule: public perms_rule_t { class signal_rule: public perms_rule_t {

10
parser/tst/simple_tests/profile/flags/flags_bad67.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure bad signal value
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=0) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_bad68.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure bad signal value
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=foo) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_bad69.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure bad signal value
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=hup.) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok40.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt, kill.signal=hup) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok41.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure signal.kill works with different flags and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(enforce, kill.signal=kill) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok42.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different flags and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=int, unconfined) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok43.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different modes and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=quit, kill) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok44.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different modes and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=hup, complain) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok45.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different modes and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=ill, enforce) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok46.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different modes and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill, kill.signal=trap) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok47.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different modes and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(complain, kill.signal=bus) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

10
parser/tst/simple_tests/profile/flags/flags_ok48.sd Normal file
View file

@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure kill.signal works with different flags and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(enforce, kill.signal=usr1) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

12
parser/tst/simple_tests/profile/flags/flags_ok49.sd Normal file
View file

@ -0,0 +1,12 @@
#
#=DESCRIPTION Ensure kill.signals works with different flags and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=stop audit) {
#include <includes/base>
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

12
parser/tst/simple_tests/profile/flags/flags_ok50.sd Normal file
View file

@ -0,0 +1,12 @@
#
#=DESCRIPTION Ensure kill.signal works with different flags and signals
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill.signal=emt) {
#include <includes/base>
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}

3
utils/test/test-parser-simple-tests.py
View file

@ -167,6 +167,9 @@ exception_not_raised = (
'profile/flags/flags_bad64.sd', 'profile/flags/flags_bad64.sd',
'profile/flags/flags_bad65.sd', 'profile/flags/flags_bad65.sd',
'profile/flags/flags_bad66.sd', 'profile/flags/flags_bad66.sd',
'profile/flags/flags_bad67.sd',
'profile/flags/flags_bad68.sd',
'profile/flags/flags_bad69.sd',
'profile/flags/flags_bad_disconnected_path1.sd', 'profile/flags/flags_bad_disconnected_path1.sd',
'profile/flags/flags_bad_disconnected_path2.sd', 'profile/flags/flags_bad_disconnected_path2.sd',
'profile/flags/flags_bad_disconnected_path3.sd', 'profile/flags/flags_bad_disconnected_path3.sd',