Merge Add policy feature abi support

AppArmor 3.0 tags policy with the feature abi it was developed under. This fixes issues with kernel upgrades that add new mediation features and reduces the need to pin policy.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
This commit is contained in:
John Johansen 2020-05-29 08:27:34 +00:00
commit bf8aa7809d
298 changed files with 1360 additions and 143 deletions


@ -50,6 +50,8 @@ B<typedef struct aa_features aa_features;>
B<int aa_features_new(aa_features **features, int dirfd, const char *path);>
B<int aa_features_new_from_file(aa_features **features, int fd);>
B<int aa_features_new_from_string(aa_features **features, const char *string, size_t size);>
B<int aa_features_new_from_kernel(aa_features **features);>
@ -82,6 +84,10 @@ directory file descriptor and path. The I<path> can point to a file or
directory. See the openat(2) man page for examples of I<dirfd> and I<path>. The
allocated I<features> object must be freed using aa_features_unref().
The aa_features_new_from_file() function is similar except that it
accepts an open file as the argument. The allocated I<features> object
must be freed using aa_features_unref().
The aa_features_new_from_string() function is similar except that it accepts a
NUL-terminated string representation of the AppArmor features as the I<string>
argument. The length of the features string, not counting the NUL-terminator,


@ -143,6 +143,7 @@ extern int aa_query_link_path(const char *label, const char *target,
typedef struct aa_features aa_features;
extern int aa_features_new(aa_features **features, int dirfd, const char *path);
extern int aa_features_new_from_file(aa_features **features, int file);
extern int aa_features_new_from_string(aa_features **features,
const char *string, size_t size);
extern int aa_features_new_from_kernel(aa_features **features);
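Review bot: The new prototype names the descriptor parameter `file`, while the man page synopsis earlier in this same commit names it `fd`, and `int file` reads like a FILE* rather than a descriptor. Use the same name in both places, `extern int aa_features_new_from_file(aa_features **features, int fd);`, so the header and the documentation agree on what is being passed.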


@ -98,9 +98,8 @@ static int features_snprintf(struct features_struct *fst, const char *fmt, ...)
return 0;
}
/* load_features_file - opens and reads a file into @buffer and then NUL-terminates @buffer
* @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))
* @path: name of the file
/* load_features_file - reads a file into @buffer and then NUL-terminates @buffer
* @file: file to read the features from
* @buffer: the buffer to read the features file into (will be NUL-terminated on success)
* @size: the size of @buffer
*
@ -110,25 +109,11 @@ static int features_snprintf(struct features_struct *fst, const char *fmt, ...)
* ENOBUFS indicating that @buffer was not large enough to contain all of the
* file contents.
*/
static ssize_t load_features_file(int dirfd, const char *path,
char *buffer, size_t size)
static ssize_t load_features_file(int file, char *buffer, size_t size)
{
autoclose int file = -1;
char *pos = buffer;
ssize_t len;
file = openat(dirfd, path, O_RDONLY);
if (file < 0) {
PDEBUG("Could not open '%s'\n", path);
return -1;
}
PDEBUG("Opened features \"%s\"\n", path);
if (!size) {
errno = ENOBUFS;
return -1;
}
/* Save room for a NUL-terminator at the end of @buffer */
size--;
@ -161,6 +146,38 @@ static ssize_t load_features_file(int dirfd, const char *path,
return pos - buffer;
}
/* open_and_load_features_file - opens and reads a file into @buffer and then NUL-terminates @buffer
* @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))
* @path: name of the file
* @buffer: the buffer to read the features file into (will be NUL-terminated on success)
* @size: the size of @buffer
*
* Returns: The number of bytes copied into @buffer on success (not counting
* the NUL-terminator), else -1 and errno is set. Note that @size must be
* larger than the size of the file or -1 will be returned with errno set to
* ENOBUFS indicating that @buffer was not large enough to contain all of the
* file contents.
*/
static ssize_t open_and_load_features_file(int dirfd, const char *path,
char *buffer, size_t size)
{
autoclose int file = -1;
file = openat(dirfd, path, O_RDONLY);
if (file < 0) {
PDEBUG("Could not open '%s': %m\n", path);
return -1;
}
PDEBUG("Opened features '%s': %m\n", path);
if (!size) {
errno = ENOBUFS;
return -1;
}
return load_features_file(file, buffer, size);
}
static int features_dir_cb(int dirfd, const char *name, struct stat *st,
void *data)
{
@ -180,7 +197,7 @@ static int features_dir_cb(int dirfd, const char *name, struct stat *st,
if (features_buffer_remaining(fst, &remaining) == -1)
return -1;
len = load_features_file(dirfd, name, fst->pos, remaining);
len = open_and_load_features_file(dirfd, name, fst->pos, remaining);
if (len < 0)
return -1;
@ -429,7 +446,7 @@ int aa_features_new(aa_features **features, int dirfd, const char *path)
retval = S_ISDIR(stat_file.st_mode) ?
load_features_dir(dirfd, path, f->string, STRING_SIZE) :
load_features_file(dirfd, path, f->string, STRING_SIZE);
open_and_load_features_file(dirfd, path, f->string, STRING_SIZE);
if (retval == -1) {
aa_features_unref(f);
return -1;
@ -492,6 +509,48 @@ int aa_features_new_from_string(aa_features **features,
return 0;
}
/**
* aa_features_new_from_file - create a new aa_features object based on an open file
* @features: will point to the address of an allocated and initialized
* aa_features object upon success
* @file: file to load features from
*
* Returns: 0 on success, -1 on error with errno set and *@features pointing to
* NULL
*/
int aa_features_new_from_file(aa_features **features, int file)
{
aa_features *f;
ssize_t retval;
*features = NULL;
f = calloc(1, sizeof(*f));
if (!f) {
errno = ENOMEM;
return -1;
}
aa_features_ref(f);
retval = load_features_file(file, f->string, STRING_SIZE);
if (retval == -1) {
aa_features_unref(f);
return -1;
}
if (init_features_hash(f) == -1) {
int save = errno;
aa_features_unref(f);
errno = save;
return -1;
}
*features = f;
return 0;
}
/**
* aa_features_new_from_kernel - create a new aa_features object based on the current kernel
* @features: will point to the address of an allocated and initialized
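Review bot: In aa_features_new_from_file the load_features_file failure path calls aa_features_unref(f) and returns -1 without preserving errno, whereas the init_features_hash path three lines below saves and restores it; the load path should do the same, `int save = errno; aa_features_unref(f); errno = save;`. The success-path debug message in open_and_load_features_file, `PDEBUG("Opened features '%s': %m\n", path);`, prints whatever stale errno happens to be set, since openat just succeeded; drop the `%m` there (the old message did not have it). The kernel-doc for the new public function should also state that @file is not closed and is presumably read from its current offset, so callers know they keep ownership of the descriptor; load_features_file's body is partly outside this hunk, so confirm the offset behaviour before writing that. The header comment copied into open_and_load_features_file still carries the "file descriptory" typo.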


@ -77,7 +77,7 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
parser_alias.c common_optarg.c lib.c network.c \
mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
af_rule.cc af_unix.cc policy_cache.c
af_rule.cc af_unix.cc policy_cache.c default_features.c
HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
policy_cache.h
@ -262,6 +262,9 @@ ptrace.o: ptrace.cc ptrace.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_
network.o: network.c network.h parser.h immunix.h parser_yacc.h rule.h af_names.h $(APPARMOR_H)
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
default_features.o: default_features.c parser.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
af_rule.o: af_rule.cc af_rule.h network.h parser.h profile.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<


@ -322,8 +322,8 @@ int unix_rule::gen_policy_re(Profile &prof)
* rules ability
*/
downgrade_rule(prof);
if (!kernel_supports_unix) {
if (kernel_supports_network) {
if (!features_supports_unix) {
if (features_supports_network) {
/* only warn if we are building against a kernel
* that requires downgrading */
if (warnflags & WARN_RULE_DOWNGRADED)


@ -69,7 +69,7 @@ to the policy; this behaviour is modelled after cpp(1).
B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*
B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<ALIAS RULE> | I<INCLUDE> )*
B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<ALIAS RULE> | I<INCLUDE> | I<ABI> )*
Variable assignment and alias rules must come before the profile.
B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated values)
@ -80,6 +80,8 @@ B<ALIAS RULE> = 'alias' I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','
B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> )
B<ABI> = ( 'abi' ) ( I<ABS PATH> | I<MAGIC PATH> ) ','
B<ABS PATH> = '"' path '"' (the path is passed to open(2))
B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>'
@ -1692,10 +1694,35 @@ starting the profile definition. The aa-autodep(8) and aa-genprof(8) utilities
will automatically emit B<#include E<lt>tunables/globalE<gt>> in
generated profiles.
=head2 Feature ABI
The feature abi tells AppArmor which feature set the policy was
developed under. This is important to ensure that kernels with a
different feature set don't enforce features that the policy doesn't
support, which can result in unexpected application failures.
When policy is compiled both the kernel feature abi and policy feature
abi are consulted to build a policy that will work for the system's
kernel.
If the kernel supports a feature not supported by the policy then
policy will be built so that the kernel does NOT enforce that feature.
If the policy supports a feature not supported by the kernel the
compile may downgrade the rule with the feature to something the
kernel supports, drop the rule completely, or fail the compile.
If the policy abi is specified as B<kernel> then the running kernel's
abi will be used. This should never be used in shipped policy as it
can cause system breakage when a new kernel is installed.
=head1 EXAMPLE
An example AppArmor profile:
# which feature abi the policy was developed with
abi <abi/3.0>,
# a variable definition in the preamble
@{HOME} = /home/*/ /root/


@ -184,16 +184,30 @@ defined as an absolute paths.
Set the location of the apparmor security filesystem (default is
"/sys/kernel/security/apparmor").
=item --policy-features n
Specify the feature set that the policy was developed under.
=item --kernel-features n
Specify the feature set of the kernel that the policy is being compiled for. If not specified this will be determined by the system's kernel.
=item -M n, --features-file n
Use the features file located at path "n" (default is
/etc/apparmor.d/cache/.features). If the --cache-loc option is present, the
".features" file in the specified cache directory is used.
Note: this sets both the --kernel-features and --policy-features to be the
same.
=item -m n, --match-string n
Only use match features "n".
Note: this sets both the --kernel-features and --policy-features to be the
same.
=item -n n, --namespace-string n
Force a profile to load in the namespace "n".


@ -219,7 +219,7 @@ int dbus_rule::gen_policy_re(Profile &prof)
pattern_t ptype;
int pos;
if (!kernel_supports_dbus) {
if (!features_supports_dbus) {
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}

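--- /dev/null
+++ b/parser/default_features.c
@@ -0,0 +1,193 @@
+/*
+* This file contains a set of old feature files that are used under different
+* circumstances.
+*
+* match_n_abi: feature abi for oldest match_file (pre features) abi.
+*
+* match_c_abi: features abi for match_file (pre features) abi that supports
+* create.
+*
+* match_cn_abi: features abi for match_file (pre features) abi that supports
+* create and network.
+*
+* default_features_abi: is the feature abi used when policy is not tagged
+* with an abi and no featuere-abi was specified to the
+* parser.
+*/
+#include "parser.h"
+const char *match_n_abi =
+"caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read\
+}\
+}\
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime\
+}\
+}\
+capability {0xffffff\
+}\
+network {af_unix {yes\
+}\
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp\
+}\
+}\
+file {mask {read write exec append mmap_exec link lock\
+}\
+}\
+domain {change_profile {yes\
+}\
+change_onexec {yes\
+}\
+change_hatv {yes\
+}\
+change_hat {yes\
+}\
+}\
+policy {\
+v6 {yes\
+}\
+v5 {yes\
+}\
+}\
+}\
+";
+/****************************** match_c_abi *******************************/
+const char *match_c_abi =
+"caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read\
+}\
+}\
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime\
+}\
+}\
+capability {0xffffff\
+}\
+file {mask {create read write exec append mmap_exec link lock\
+}\
+}\
+domain {change_profile {yes\
+}\
+change_onexec {yes\
+}\
+change_hatv {yes\
+}\
+change_hat {yes\
+}\
+}\
+policy {\
+v6 {yes\
+}\
+v5 {yes\
+}\
+}\
+}\
+";
+/****************************** match_cn_abi ******************************/
+const char *match_cn_abi =
+"caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read\
+}\
+}\
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime\
+}\
+}\
+capability {0xffffff\
+}\
+network {af_unix {yes\
+}\
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp\
+}\
+}\
+file {mask {create read write exec append mmap_exec link lock\
+}\
+}\
+domain {change_profile {yes\
+}\
+change_onexec {yes\
+}\
+change_hatv {yes\
+}\
+change_hat {yes\
+}\
+}\
+policy {\
+v6 {yes\
+}\
+v5 {yes\
+}\
+}\
+}\
+";
+/************************** deafult_features_abi ***************************/
+const char *default_features_abi =
+"query {label {multi_transaction {yes\
+}\
+data {yes\
+}\
+perms {allow deny audit quiet\
+}\
+}\
+}\
+signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost\
+}\
+}\
+ptrace {mask {read trace\
+}\
+}\
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read\
+}\
+}\
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime\
+}\
+}\
+capability {0xffffff\
+}\
+namespaces {pivot_root {no\
+}\
+profile {yes\
+}\
+}\
+mount {mask {mount umount pivot_root\
+}\
+}\
+file {mask {create read write exec append mmap_exec link lock\
+}\
+}\
+domain {version {1.2\
+}\
+}\
+computed_longest_left {yes\
+}\
+post_nnp_subset {yes\
+}\
+fix_binfmt_elf_mmap {yes\
+}\
+stack {yes\
+}\
+change_profile {yes\
+}\
+change_onexec {yes\
+}\
+change_hatv {yes\
+}\
+change_hat {yes\
+}\
+}\
+policy {set_load {yes\
+}\
+versions {v8 {yes\
+}\
+v7 {yes\
+}\
+v6 {yes\
+}\
+v5 {yes\
+}\
+}\
+}\
+";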
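Review bot: default_features_abi contains no `network` or `dbus` block, so with features_intersect() in parser_main.c an untagged profile that falls back to this abi is compiled with features_supports_network and features_supports_dbus false, i.e. its network and dbus rules are downgraded or dropped and, per the behaviour described in the apparmor.d man page hunk, the kernel is told not to enforce those classes for it. If that is the intended pre-3.0 compatibility behaviour, the header comment should say so explicitly, e.g. `* default_features_abi: ... deliberately omits network and dbus, matching what pre-3.0 parsers compiled for`, rather than only "used when policy is not tagged with an abi". The header comment also has two typos, `featuere-abi` and `deafult_features_abi` in the banner. Since nothing writes through these pointers, `const char *const` (with matching extern declarations in parser.h) would keep the pointers themselves out of writable data.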


@ -593,7 +593,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
int count = 0;
unsigned int tmpflags, tmpinv_flags;
if (!kernel_supports_mount) {
if (!features_supports_mount) {
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}


@ -295,21 +295,24 @@ extern uint32_t policy_version;
extern uint32_t parser_abi_version;
extern uint32_t kernel_abi_version;
extern aa_features *policy_features;
extern aa_features *kernel_features;
extern int force_complain;
extern int perms_create;
extern int net_af_max_override;
extern int kernel_load;
extern int kernel_supports_setload;
extern int kernel_supports_network;
extern int features_supports_network;
extern int kernel_supports_policydb;
extern int kernel_supports_diff_encode;
extern int kernel_supports_mount;
extern int kernel_supports_dbus;
extern int kernel_supports_signal;
extern int kernel_supports_ptrace;
extern int kernel_supports_unix;
extern int kernel_supports_stacking;
extern int kernel_supports_domain_xattr;
extern int features_supports_mount;
extern int features_supports_dbus;
extern int features_supports_signal;
extern int features_supports_ptrace;
extern int features_supports_unix;
extern int features_supports_stacking;
extern int features_supports_domain_xattr;
extern int kernel_supports_oob;
extern int conf_verbose;
extern int conf_quiet;
@ -474,4 +477,13 @@ void dump_policy(void);
void free_policies(void);
/* parser_main.c */
extern void set_supported_features();
/* default_features.c */
extern const char *match_n_abi;
extern const char *match_c_abi;
extern const char *match_cn_abi;
extern const char *default_features_abi;
#endif /** __AA_PARSER_H */
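Review bot: `extern void set_supported_features();` is declared in a header that default_features.c, a C translation unit, now includes, and in C an empty parameter list declares a function with unspecified arguments rather than none; declare it `extern void set_supported_features(void);` and define it the same way in parser_main.c. features_intersect() is defined non-static in parser_main.c in this commit but has no declaration here; either add one or, since only parser_main.c uses it, make it `static` there.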


@ -65,16 +65,16 @@ int perms_create = 0; /* perms contain create flag */
int net_af_max_override = -1; /* use kernel to determine af_max */
int kernel_load = 1;
int kernel_supports_setload = 0; /* kernel supports atomic set loads */
int kernel_supports_network = 0; /* kernel supports network rules */
int kernel_supports_unix = 0; /* kernel supports unix socket rules */
int features_supports_network = 0; /* kernel supports network rules */
int features_supports_unix = 0; /* kernel supports unix socket rules */
int kernel_supports_policydb = 0; /* kernel supports new policydb */
int kernel_supports_mount = 0; /* kernel supports mount rules */
int kernel_supports_dbus = 0; /* kernel supports dbus rules */
int features_supports_mount = 0; /* kernel supports mount rules */
int features_supports_dbus = 0; /* kernel supports dbus rules */
int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */
int kernel_supports_signal = 0; /* kernel supports signal rules */
int kernel_supports_ptrace = 0; /* kernel supports ptrace rules */
int kernel_supports_stacking = 0; /* kernel supports stacking */
int kernel_supports_domain_xattr = 0; /* x attachment cond */
int features_supports_signal = 0; /* kernel supports signal rules */
int features_supports_ptrace = 0; /* kernel supports ptrace rules */
int features_supports_stacking = 0; /* kernel supports stacking */
int features_supports_domain_xattr = 0; /* x attachment cond */
int kernel_supports_oob = 0; /* out of band transitions */
int conf_verbose = 0;
int conf_quiet = 0;
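Review bot: The comments on the renamed globals still read "kernel supports … rules", but after this commit set_supported_features() in parser_main.c assigns them the intersection of the kernel and policy feature abis, so the comments now misdescribe the values. A reader deciding whether a false value means an old kernel or an old policy abi will be misled; update them along the lines of `int features_supports_network = 0;	/* kernel and policy abi both support network rules */`, and likewise for unix, mount, dbus, signal, ptrace, stacking and domain_xattr.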


@ -458,7 +458,8 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
sd_serialize_rlimits(buf, &profile->rlimits);
if (profile->net.allow && kernel_supports_network) {
/* choice to support / downgrade needs to already have been made */
if (profile->net.allow && features_supports_network) {
size_t i;
sd_write_array(buf, "net_allowed_af", get_af_max());
for (i = 0; i < get_af_max(); i++) {


@ -189,6 +189,25 @@ void include_filename(char *filename, int search, bool if_exists)
}
}
static char *lsntrim(char *s, int l)
{
const char *end = s + l;
while (s <= end && isspace(*s))
s++;
return s;
}
static int rsntrim(const char *s, int l)
{
const char *r = s + l;
while (r > s && isspace(*--r))
l--;
return l;
}
%}
CARET "^"
@ -207,6 +226,8 @@ NUMBER [[:digit:]]+
ID_CHARS [^ \t\r\n"!,]
ID {ID_CHARS}|(,{ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,)
IDS {ID}+
INC_ID [^ \t\r\n"!,<>]|(,[^ \t\r\n"!,<>]|\\[ ]|\\\t|\\\"|\\!|\\,)
INC_IDS {INC_ID}+
POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+]
POST_VAR_ID {POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS}|\\[ ]|\\\t|\\\"|\\!|\\,|\\\(|\\\))
LIST_VALUE_ID_CHARS ([^ \t\n"!,]{-}[()]|\\[ ]|\\\t|\\\"|\\!|\\,|\\\(|\\\))
@ -277,21 +298,27 @@ GT >
}
%}
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
}
<INCLUDE,INCLUDE_EXISTS,ABI_MODE>{
(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS}) { /* <filename> | <"filename"> | "filename" | filename */
(\<((([^"\>\t\r\n])+)|{QUOTED_ID})\>|{QUOTED_ID}|({INC_IDS})) { /* <filename> | <"filename"> | "filename" | filename */
int lt = *yytext == '<' ? 1 : 0;
char *filename = processid(yytext + lt, yyleng - lt*2);
int len = yyleng - lt*2;
char *s = yytext + lt;
char * filename = lsntrim(s, yyleng);
bool exists = YYSTATE == INCLUDE_EXISTS;
filename = processid(filename, rsntrim(filename, len - (filename - s)));
if (!filename)
yyerror(_("Failed to process filename\n"));
if (YYSTATE == ABI_MODE) {
yylval.id = filename;
POP_AND_RETURN(TOK_ID);
if (lt)
RETURN_TOKEN(TOK_ID);
else
RETURN_TOKEN(TOK_VALUE);
}
include_filename(filename, lt, exists);
free(filename);
@ -659,7 +686,7 @@ include/{WS} {
PUSH_AND_RETURN(state, token);
}
<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{
{END_OF_RULE} {
if (YY_START != INITIAL)
POP_NODUMP();
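Review bot: lsntrim's loop bound is one too far: `const char *end = s + l; while (s <= end && isspace(*s))` tests the byte at `s + l`, and the call site passes `yyleng` even though `s` has already been advanced past the leading '<', so `end` can lie beyond the token. In practice the scan stops at flex's NUL terminator, but the bound should be `while (s < end && isspace((unsigned char)*s))` with the caller passing `len` rather than `yyleng`. rsntrim has the same signed-char problem in `isspace(*--r)`; both helpers should cast to unsigned char so bytes above 0x7f do not reach isspace() as a negative value. The surrounding rule action continues outside the hunk.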


@ -19,6 +19,7 @@
* Ltd.
*/
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
@ -108,8 +109,9 @@ static const char *cacheloc[MAX_CACHE_LOCS];
static int cacheloc_n = 0;
static bool print_cache_dir = false;
static aa_features *compile_features = NULL;
static aa_features *kernel_features = NULL;
aa_features *policy_features = NULL;
bool specified_policy_features = false;
aa_features *kernel_features = NULL;
static const char *config_file = "/etc/apparmor/parser.conf";
@ -161,7 +163,8 @@ struct option long_options[] = {
{"max-jobs", 1, 0, 136}, /* no short option */
{"print-cache-dir", 0, 0, 137}, /* no short option */
{"kernel-features", 1, 0, 138}, /* no short option */
{"compile-features", 1, 0, 139}, /* no short option */
{"policy-features", 1, 0, 139}, /* no short option */
{"compile-features", 1, 0, 139}, /* original name of policy-features */
{"print-config-file", 0, 0, 140}, /* no short option */
{"config-file", 1, 0, EARLY_ARG_CONFIG_FILE}, /* early option, no short option */
@ -195,7 +198,7 @@ static void display_usage(const char *command)
"-f n, --subdomainfs n Set location of apparmor filesystem\n"
"-m n, --match-string n Use only features n\n"
"-M n, --features-file n Set compile & kernel features to file n\n"
"--compile-features n Compile features set in file n\n"
"--policy-features n Policy features set in file n\n"
"--kernel-features n Kernel features set in file n\n"
"-n n, --namespace n Set Namespace for the profile\n"
"-X, --readimpliesX Map profile read permissions to mr\n"
@ -526,25 +529,32 @@ static int process_arg(int c, char *optarg)
}
break;
case 'm':
if (aa_features_new_from_string(&compile_features,
if (policy_features)
aa_features_unref(policy_features);
if (kernel_features)
aa_features_unref(kernel_features);
if (aa_features_new_from_string(&policy_features,
optarg, strlen(optarg))) {
fprintf(stderr,
"Failed to parse features string: %m\n");
exit(1);
}
kernel_features = aa_features_ref(policy_features);
specified_policy_features = true;
break;
case 'M':
if (compile_features)
aa_features_unref(compile_features);
if (policy_features)
aa_features_unref(policy_features);
if (kernel_features)
aa_features_unref(kernel_features);
if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
if (aa_features_new(&policy_features, AT_FDCWD, optarg)) {
fprintf(stderr,
"Failed to load features from '%s': %m\n",
optarg);
exit(1);
}
kernel_features = aa_features_ref(compile_features);
kernel_features = aa_features_ref(policy_features);
specified_policy_features = true;
break;
case 138:
if (kernel_features)
@ -557,14 +567,21 @@ static int process_arg(int c, char *optarg)
}
break;
case 139:
if (compile_features)
aa_features_unref(compile_features);
if (aa_features_new(&compile_features, AT_FDCWD, optarg)) {
if (policy_features)
aa_features_unref(policy_features);
if (strcmp(optarg, "<kernel>") == 0) {
if (aa_features_new_from_kernel(&policy_features)) {
fprintf(stderr,
"Failed to load kernel features into the policy-features abi: %m\n");
exit(1);
}
} else if (aa_features_new(&policy_features, AT_FDCWD, optarg)) {
fprintf(stderr,
"Failed to load compile features from '%s': %m\n",
"Failed to load policy-features from '%s': %m\n",
optarg);
exit(1);
}
specified_policy_features = true;
break;
case 'q':
conf_verbose = 0;
@ -743,7 +760,12 @@ int have_enough_privilege(void)
return 0;
}
static void set_features_by_match_file(void)
int features_intersect(aa_features *a, aa_features *b, const char *str)
{
return aa_features_supports(a, str) && aa_features_supports(b, str);
}
static bool set_features_by_match_file(struct aa_features **features)
{
autofclose FILE *ms = fopen(MATCH_FILE, "r");
if (ms) {
@ -753,20 +775,29 @@ static void set_features_by_match_file(void)
if (!fgets(match_string, 1000, ms))
goto no_match;
if (strstr(match_string, " perms=c"))
perms_create = 1;
kernel_supports_network = 1;
return;
return aa_features_new_from_string(features,
match_cn_abi,
strlen(match_cn_abi)) == 0;
return aa_features_new_from_string(features, match_n_abi,
strlen(match_n_abi)) == 0;
}
no_match:
perms_create = 1;
/* either extremely old kernel or a container without the interfaces
* mounted
*/
return aa_features_new_from_string(features, match_c_abi,
strlen(match_c_abi)) == 0;
}
static void set_supported_features(aa_features *kernel_features unused)
void set_supported_features()
{
assert(kernel_features != NULL);
/* has process_args() already assigned a match string? */
if (!compile_features && aa_features_new_from_kernel(&compile_features) == -1) {
set_features_by_match_file();
return;
if (!policy_features) {
policy_features = aa_features_ref(kernel_features);
}
/*
@ -774,33 +805,29 @@ static void set_supported_features(aa_features *kernel_features unused)
* rule down grades for a give kernel
*/
perms_create = 1;
kernel_supports_policydb = aa_features_supports(compile_features, "file");
kernel_supports_network = aa_features_supports(compile_features, "network");
kernel_supports_unix = aa_features_supports(compile_features,
features_supports_network = features_intersect(kernel_features,
policy_features,
"network");
features_supports_unix = features_intersect(kernel_features,
policy_features,
"network/af_unix");
kernel_supports_mount = aa_features_supports(compile_features, "mount");
kernel_supports_dbus = aa_features_supports(compile_features, "dbus");
kernel_supports_signal = aa_features_supports(compile_features, "signal");
kernel_supports_ptrace = aa_features_supports(compile_features, "ptrace");
kernel_supports_setload = aa_features_supports(compile_features,
"policy/set_load");
kernel_supports_diff_encode = aa_features_supports(compile_features,
"policy/diff_encode");
kernel_supports_stacking = aa_features_supports(compile_features,
features_supports_mount = features_intersect(kernel_features,
policy_features,
"mount");
features_supports_dbus = features_intersect(kernel_features,
policy_features, "dbus");
features_supports_signal = features_intersect(kernel_features,
policy_features,
"signal");
features_supports_ptrace = features_intersect(kernel_features,
policy_features,
"ptrace");
features_supports_stacking = features_intersect(kernel_features,
policy_features,
"domain/stack");
kernel_supports_domain_xattr = aa_features_supports(compile_features,
"domain/attach_conditions/xattr");
kernel_supports_oob = aa_features_supports(compile_features,
"policy/outofband");
if (aa_features_supports(compile_features, "policy/versions/v7"))
kernel_abi_version = 7;
else if (aa_features_supports(compile_features, "policy/versions/v6"))
kernel_abi_version = 6;
if (!kernel_supports_diff_encode)
/* clear diff_encode because it is not supported */
dfaflags &= ~DFA_CONTROL_DIFF_ENCODE;
features_supports_domain_xattr = features_intersect(kernel_features,
policy_features,
"domain/attach_conditions/xattr");
}
static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path)
@ -893,6 +920,10 @@ void reset_parser(const char *filename)
free_symtabs();
free_policies();
reset_include_stack(filename);
if (!specified_policy_features) {
aa_features_unref(policy_features);
policy_features = NULL;
}
}
int test_for_dir_mode(const char *basename, const char *linkdir)
@ -1254,19 +1285,39 @@ static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
return rc;
}
static void setup_flags(void)
static bool get_kernel_features(struct aa_features **features)
{
/* Gracefully handle AppArmor kernel without compatibility patch */
if (!kernel_features && aa_features_new_from_kernel(&kernel_features) == -1) {
if (!kernel_features && aa_features_new_from_kernel(features) == -1) {
PERROR("Cache read/write disabled: interface file missing. "
"(Kernel needs AppArmor 2.4 compatibility patch.)\n");
write_cache = 0;
skip_read_cache = 1;
return;
/* Fall back to older match file */
if (!set_features_by_match_file(features))
return false;
}
/* Get the match string to determine type of regex support needed */
set_supported_features(kernel_features);
/* At this point we have features, extra commonly used values */
kernel_supports_policydb = aa_features_supports(*features, "file");
kernel_supports_setload = aa_features_supports(*features,
"policy/set_load");
kernel_supports_diff_encode = aa_features_supports(*features,
"policy/diff_encode");
kernel_supports_oob = aa_features_supports(*features,
"policy/outofband");
if (aa_features_supports(*features, "policy/versions/v7"))
kernel_abi_version = 7;
else if (aa_features_supports(*features, "policy/versions/v6"))
kernel_abi_version = 6;
if (!kernel_supports_diff_encode)
/* clear diff_encode because it is not supported */
dfaflags &= ~DFA_CONTROL_DIFF_ENCODE;
return true;
}
int main(int argc, char *argv[])
@ -1300,7 +1351,10 @@ int main(int argc, char *argv[])
if (!binary_input) parse_default_paths();
setup_flags();
if (!get_kernel_features(&kernel_features)) {
PERROR(_("Kernel features abi not found"));
return 1;
}
if (!(UNPRIVILEGED_OPS) &&
aa_kernel_interface_new(&kernel_interface, kernel_features, apparmorfs) == -1) {
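Review bot: get_kernel_features() takes `struct aa_features **features` but its guard `if (!kernel_features && aa_features_new_from_kernel(features) == -1)` tests the file-scope global rather than the parameter; it only works because main() happens to pass `&kernel_features`, so it should read `if (!*features && aa_features_new_from_kernel(features) == -1)`. features_intersect() near the top of this file section is defined without `static` and has no prototype in parser.h; make it `static int features_intersect(...)`. In set_supported_features() the `assert(kernel_features != NULL)` is the only guard before features_intersect() dereferences it and asserts are compiled out under NDEBUG; since main() already exits when get_kernel_features() returns false this is presumably safe, but a comment stating that dependency would help the next reader.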


@ -524,7 +524,7 @@ static int process_profile_name_xmatch(Profile *prof)
}
}
if (prof->xattrs.list) {
if (!(kernel_supports_domain_xattr && kernel_supports_oob)) {
if (!(features_supports_domain_xattr && kernel_supports_oob)) {
warn_once_xattr(name);
free_cond_entry_list(prof->xattrs);
goto build;
@ -689,7 +689,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
/* allow change_profile for all execs */
vec[0] = "/[^/\\x00][^\\x00]*";
if (!kernel_supports_stacking) {
if (!features_supports_stacking) {
bool stack;
if (!parse_label(&stack, &ns, &name,
@ -881,19 +881,19 @@ int process_profile_policydb(Profile *prof)
if (kernel_abi_version > 5 &&
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_mount &&
if (features_supports_mount &&
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_dbus &&
if (features_supports_dbus &&
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_signal &&
if (features_supports_signal &&
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_ptrace &&
if (features_supports_ptrace &&
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_unix &&
if (features_supports_unix &&
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, dfaflags) ||
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, dfaflags)))
goto out;
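Review bot: In `process_profile_policydb` the `mediates_file` rule is still gated on `kernel_abi_version > 5`, which `get_kernel_features()` derives from the running kernel, while the sibling `mediates_mount`/`dbus`/`signal`/`ptrace`/`unix` rules in this hunk now key off the policy-declared `features_supports_*` flags; with both sources feeding one policydb, a profile compiled against a declared abi on a different kernel takes its file-mediation marker from the kernel rather than from the abi it was tagged with. If that is intentional, a one-line comment on the condition, `/* mediates_file follows the kernel, not the declared policy abi */`, would stop the next reader from "fixing" it; if not, it should move to a features-derived check like the others. `process_profile_policydb` begins and ends outside the hunk.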


@ -32,6 +32,7 @@
/* #define DEBUG */
#include "lib.h"
#include "parser.h"
#include "profile.h"
#include "mount.h"
@ -81,6 +82,7 @@ mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src,
int mode);
mnt_rule *do_pivot_rule(struct cond_entry *old, char *root,
char *transition);
static void abi_features(char *filename, bool search);
void add_local_entry(Profile *prof);
%}
@ -285,8 +287,22 @@ void add_local_entry(Profile *prof);
%%
list: preamble profilelist
{ /* nothing */ };
list: preamble
{
/* make sure abi is setup */
if (policy_features == NULL) {
/* use default feature abi */
if (aa_features_new_from_string(&policy_features,
default_features_abi,
strlen(default_features_abi))) {
yyerror(_("Failed to setup default policy feature abi"));
}
pwarn(_("%s: File '%s' missing feature abi, falling back to default policy feature abi\n"), progname, current_filename);
}
set_supported_features();
}
profilelist;
profilelist: { /* nothing */ };
@ -711,8 +727,10 @@ rules: rules opt_prefix network_rule
yyerror(_("Memory allocation error."));
list_for_each_safe($3, entry, tmp) {
/* map to extended mediation if available */
if (entry->family == AF_UNIX && kernel_supports_unix) {
/* map to extended mediation, let rule backend do
* downgrade if needed
*/
if (entry->family == AF_UNIX) {
unix_rule *rule = new unix_rule(entry->type, $2.audit, $2.deny);
if (!rule)
yyerror(_("Memory allocation error."));
@ -1087,9 +1105,16 @@ rule: file_rule { $$ = $1; }
abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE
{
pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname);
abi_features($2, true);
free($2);
};
/* $$ = nothing, not used */
}
| TOK_ABI TOK_VALUE TOK_END_OF_RULE
{
abi_features($2, false);
free($2);
/* $$ = nothing, not used */
}
opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
| TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
@ -1531,7 +1556,7 @@ change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK
if (exec_mode == EXEC_MODE_UNSAFE)
mode |= ALL_AA_EXEC_UNSAFE;
else if (exec_mode == EXEC_MODE_SAFE &&
!kernel_supports_stacking &&
!features_supports_stacking &&
warnflags & WARN_RULE_DOWNGRADED) {
pwarn("downgrading change_profile safe rule to unsafe due to lack of necessary kernel support\n");
/**
@ -1728,3 +1753,53 @@ mnt_rule *do_pivot_rule(struct cond_entry *old, char *root, char *transition)
return ent;
}
static int abi_features_base(struct aa_features **features, char *filename, bool search)
{
autofclose FILE *f = NULL;
struct stat my_stat;
char *fullpath = NULL;
if (search) {
if (strcmp(filename, "kernel") == 0)
return aa_features_new_from_kernel(features);
f = search_path(filename, &fullpath);
PDEBUG("abi lookup '%s' -> '%s' f %p\n", filename, fullpath, f);
} else {
f = fopen(filename, "r");
PDEBUG("abi relpath '%s' f %p\n", filename, f);
}
if (!f) {
yyerror(_("Could not open '%s': %m"),
fullpath ? fullpath: filename);
}
if (fstat(fileno(f), &my_stat))
yyerror(_("fstat failed for '%s': %m"), fullpath ? fullpath : filename);
if (S_ISREG(my_stat.st_mode)) {
return aa_features_new_from_file(features, fileno(f));
}
return -1;
}
static void abi_features(char *filename, bool search)
{
struct aa_features *tmp_features;
if (abi_features_base(&tmp_features, filename, search) == -1) {
yyerror(_("failed to find features abi '%s': %m"), filename);
}
if (policy_features) {
if (!aa_features_is_equal(tmp_features, policy_features)) {
pwarn(_("%s: %s features abi '%s' differes from policy declared feature abi, using the features abi declared in policy\n"), progname, current_filename, filename);
}
aa_features_unref(tmp_features);
} else {
/* first features abi declaration */
policy_features = tmp_features;
}
};
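Review bot: `abi_features_base` reaches its final `return -1` when the opened path is not a regular file without setting errno, so the `%m` in `abi_features`'s error `failed to find features abi '%s': %m` prints whatever errno the preceding successful calls left behind; report the condition where it is detected, e.g. `if (!S_ISREG(my_stat.st_mode)) yyerror(_("'%s' is not a regular file"), fullpath ? fullpath : filename);` and then `return aa_features_new_from_file(features, fileno(f));` directly. `fullpath` appears to be filled in by `search_path()` and is never released on any path; if it is heap-allocated it leaks once per `abi` rule (the file already relies on `autofclose`, so a matching auto-free cleanup would fit if one is available). Because the first declaration wins and later differing ones only `pwarn`, an abstraction carrying `abi <abi/3.0>,` that is parsed before a profile's own `abi` line will, as far as this code shows, silently become the policy abi and suppress the "missing feature abi" warning; that ordering rule deserves a comment above the `if (policy_features)` branch. The warning text also misspells "differs" as `differes`.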


@ -128,7 +128,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
* the compile could be used on another kernel unchanged??
* Current caching doesn't support this but in the future maybe
*/
if (!kernel_supports_ptrace) {
if (!features_supports_ptrace) {
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}


@ -264,7 +264,7 @@ int signal_rule::gen_policy_re(Profile &prof)
* it. We may want to switch this so that a compile could be
* used for full support on kernels that don't support the feature
*/
if (!kernel_supports_signal) {
if (!features_supports_signal) {
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}


@ -3,7 +3,7 @@
#=EXRESULT FAIL
#=TODO
abi "abi/4.19,
abi "simple_tests/includes/abi/4.19,
/does/not/exist {
}


@ -1,9 +1,9 @@
#
#=DESCRIPTION abi testing - abi path
#=EXRESULT FAIL
#=TODO
#=
abi <abi/4.19,
abi <includes/abi/4.19,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi "abi/4.19",
abi "simple_tests/includes/abi/4.19",
/does/not/exist {
}


@ -4,7 +4,7 @@
#=TODO
#=DISABLED - results in "superfluous TODO", but fails after removing TODO
abi < "abi/4.19">,
abi < "includes/abi/4.19">,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#=DISABLED
abi <"abi/4.19" >,
abi <"includes/abi/4.19" >,
/does/not/exist {
}


@ -4,7 +4,7 @@
#=TODO
#=DISABLED - results in "superfluous TODO", but fails after removing TODO
abi < "abi/4.19" >,
abi < "includes/abi/4.19" >,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi <"abi/4.19 ubuntu">,
abi <"includes/abi/4.19 ubuntu">,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi <abi/4.19> ,
abi <includes/abi/4.19> ,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi "abi/4.19" ,
abi "simple_tests/includes/abi/4.19" ,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi abi/4.19 ,
abi simple_tests/includes/abi/4.19 ,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi<abi/4.19>,
abi<includes/abi/4.19>,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi"abi/4.19",
abi"simple_tests/includes/abi/4.19",
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi "abi/4.19 ubuntu",
abi "simple_tests/includes/abi/4.19 ubuntu",
/does/not/exist {
}


@ -5,6 +5,6 @@
/does/not/exist {
abi <abi/4.19>,
abi <includes/abi/4.19>,
}


@ -5,6 +5,6 @@
/does/not/exist {
abi "abi/4.19",
abi "simple_tests/includes/abi/4.19",
}


@ -5,6 +5,6 @@
/does/not/exist {
abi abi/4.19,
abi simple_tests/includes/abi/4.19,
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi "/abi/4.19",
abi "simple_tests/includes/abi/4.19",
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi "/abi/4.19 ubuntu",
abi "simple_tests/includes/abi/4.19 ubuntu",
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi abi/4.19,
abi simple_tests/includes/abi/4.19,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi <abi/4.19>,
abi <includes/abi/4.19>,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi < abi/4.19>,
abi < includes/abi/4.19>,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi <abi/4.19 >,
abi <includes/abi/4.19 >,
/does/not/exist {
}


@ -3,7 +3,7 @@
#=EXRESULT PASS
#
abi < abi/4.19 >,
abi < includes/abi/4.19 >,
/does/not/exist {
}


@ -0,0 +1,78 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}


@ -0,0 +1,78 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}


@ -0,0 +1,78 @@
query {label {multi_transaction {yes
}
data {yes
}
perms {allow deny audit quiet
}
}
}
dbus {mask {acquire send receive
}
}
signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
}
}
ptrace {mask {read trace
}
}
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
namespaces {pivot_root {no
}
profile {yes
}
}
mount {mask {mount umount pivot_root
}
}
network {af_unix {yes
}
af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
}
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {version {1.2
}
attach_conditions {xattr {yes
}
}
computed_longest_left {yes
}
post_nnp_subset {yes
}
fix_binfmt_elf_mmap {yes
}
stack {yes
}
change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
versions {v8 {yes
}
v7 {yes
}
v6 {yes
}
v5 {yes
}
}
}


@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/dri-common>


@ -2,6 +2,8 @@
# This file contains basic permissions for Apache and every vHost
abi <abi/3.0>,
#include <abstractions/nameservice>
# Allow unconfined processes to send us signals by default


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/apparmor_api/introspect>
@{PROC}/@{tid}/attr/{current,exec} w,


@ -9,4 +9,6 @@
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.
abi <abi/3.0>,
@{PROC}/@{pids}/attr/{current,prev,exec} r,


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#permissions needed for aa_find_mountpoint
# Make sure to include at least tunables/proc and tunables/kernelvars


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Make sure to include at least tunables/proc and tunables/kernelvars
# when using this abstraction, if not tunables/global.


@ -6,6 +6,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# permissions needed for aa_is_enabled
# Make sure to include tunables/apparmorfs and tunables/global


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# aspell permissions
abi <abi/3.0>,
# per-user settings and dictionaries
owner @{HOME}/.aspell.*.{pws,prepl} rwk,


@ -10,6 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/dev/admmidi* rw,


@ -10,6 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Some services need to perform authentication of users


@ -10,6 +10,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# (Note that the ldd profile has inlined this file; if you make


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# user-specific bash files
@{HOMEDIRS} r,
@{HOME}/.bashrc r,


@ -9,6 +9,7 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# there are three common ways to refer to consoles


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# discoverable system configuration for non-local cupsd
/etc/cups/client.conf r,
# client should be able to talk the local cupsd


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full system bus access. Consider using the
# dbus-strict abstraction for fine-grained bus mediation.


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full accessibility bus access. Consider using the
# dbus-accessibility-strict abstraction for fine-grained bus mediation.


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
dbus send
bus=accessibility
path=/org/freedesktop/DBus


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
dbus send
bus=system
path=/org/freedesktop/NetworkManager


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# This abstraction grants full session bus access. Consider using the
# dbus-session-strict abstraction for fine-grained bus mediation.


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# unique per-machine identifier
/etc/machine-id r,
/var/lib/dbus/machine-id r,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
@{run}/dbus/system_bus_socket rw,
dbus send


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# permissions for querying dconf settings; granting write access should
# be specified in a specific application's profile.


@ -9,6 +9,8 @@
# ------------------------------------------------------------------
# used with dovecot/*
abi <abi/3.0>,
capability setgid,
deny capability block_suspend,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications
# (needed by libdrm and similar).


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This file contains common DRI-specific rules useful for GUI applications that
# needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
# libdrm).


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for Enchant spellchecking frontend
/usr/share/enchant/ r,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via exo-open helper.
#


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/fcitx-strict>
dbus bus=fcitx,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/dbus-session-strict>
dbus send


@ -10,6 +10,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/usr/share/AbiSuite/fonts/** r,
/usr/lib/xorg/modules/fonts/**.so* mr,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# system configuration
@{system_share_dirs}/applications/{**,} r,
@{system_share_dirs}/icons/{**,} r,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gio helper.
#


@ -9,6 +9,9 @@
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# gnupg sub-process running permissions
abi <abi/3.0>,
# user configurations
owner @{HOME}/.gnupg/options r,
owner @{HOME}/.gnupg/pubring.gpg r,


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via gvfs-open helper.
#


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# abstraction for ibus input methods
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ rw,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/X>


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Rules for changing KDE settings (for KFileDialog and other).
abi <abi/3.0>,
# User files
owner @{HOME}/.config/#[0-9]* rw,


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Rules for writing KDE icon cache
abi <abi/3.0>,
# User files
owner @{HOME}/.cache/icon-cache.kcache rw, # for KIconLoader


@ -1,4 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# Rules for changing per-application language settings on KDE. Some KDE
# applications have "Help -> Switch Application Language..." option, that needs
# write access to language settings file.


@ -1,5 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# This abstraction is designed to be used in a child profile to limit what
# confined application can invoke via kde-open5 helper.
#


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# files required by LDAP clients (e.g. nss_ldap/pam_ldap)
/etc/ldap.conf r,
/etc/ldap.secret r,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
#include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mdnsd
/etc/mdns.allow r,
/etc/nss_mdns.conf r,


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# Rules for Mesa implementation of the OpenGL API
abi <abi/3.0>,
# System files
/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# mir libraries sometimes do not have a lib prefix
# see LP: #1422521
/usr/lib/@{multiarch}/mir/*.so* mr,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
unix (connect, receive, send) type=stream peer=(addr="@tmp/.mozc.*"),
# Include additions to the abstraction


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
/var/lib/mysql{,d}/mysql{,d}.sock rw,
@{run}/mysql{,d}/mysql{,d}.sock rw,
/usr/share/{mysql,mysql-community-server,mariadb}/charsets/ r,


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,


@ -8,6 +8,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports


@ -9,6 +9,8 @@
#
# ------------------------------------------------------------------
abi <abi/3.0>,
# libnss-systemd
#
# https://systemd.io/USER_GROUP_API/


@ -1,6 +1,8 @@
# vim:syntax=apparmor
# nvidia access requirements
abi <abi/3.0>,
# configuration queries
capability ipc_lock,


@ -1,4 +1,7 @@
# vim:syntax=apparmor
abi <abi/3.0>,
# OpenCL access requirements
# TODO: use conditionals to select allowed implementations
