The existing kernel_interface.c file collides with the expected file
name of the implementation of the aa_kernel_interface API.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parser's copy of the two atomic operations will be removed once the
new API's (aa_features, aa_policy_cache, aa_kernel_interface) are moved
from the parser to libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The function names must be prepended with "_aa_" since they're going to
be exported from libapparmor. The code bases using the _aa_autofree(),
_aa_autoclose(), and _aa_autofclose() will need to internally alias
those functions to the previously used autofree, autoclose, and
autofclose names.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds equivalents of the parser's PDEBUG() and PERROR()
functions to libapparmor.
It does not add gettext(3) support to libapparmor since these are
messages that only developers will see (debug builds with
LIBAPPARMOR_DEBUG=1) or messages that go to the syslog.
PDEBUG() does nothing unless libapparmor is built with --enable-debug.
It prints to stderr if libapparmor is built with --enable-debug and the
LIBAPPARMOR_DEBUG environment variable is set.
PERROR() uses syslog(LOG_ERR, ...) by default. The message is sent to
the syslog and to stderr if libapparmor is built with --enable-debug and
the LIBAPPARMOR_DEBUG environment variable is set.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch creates a private API in libapparmor in which upstream
provides no guarantees in regards to ABI stability.
A new header file, <sys/apparmor_private.h>, is created. The "_aa"
prefix will be used for symbols belonging to the private API.
To kick things off, a library friendly version of is_blacklisted() is
moved into libapparmor.
The purpose of a private libapparmor API is to prevent duplicated code
between the parser and libapparmor. This becomes an issue as we prepare
to move chunks of the parser into libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Adjust the libapparmor function prototypes, variable names, and comments
that incorrectly used the name "con" when referring to the label.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adjusts the bison grammer in libapparmor and the parser
to use the %define api.pure directive instead of the deprecated
%pure_parser and %pure-parser keywords. Bison had been warning about
the former:
libraries/libapparmor/src/grammar.y:71.1-12: warning: deprecated directive, use ‘%pure-parser’ [-Wdeprecated]
%pure_parser
^^^^^^^^^^^^
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds support for the mount and pivotroot related keywords,
fstype, flags, and srcname.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When signals and ptrace mediation were added to apparmor, the aalogparse
routines were not adjusted to compensate. This patch adds support for
the signal and peer keywords.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The upstream kernel at some point between the 3.13 and 3.16 kernel
adjusted the output of audit messages to include an additional "audit:"
keyword. e.g. a 3.13 message would look like:
kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
whereas in 3.16, it looks like:
kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
^^^^^^
This patch adjust the libapparmor aalogparse grammar and lexer to
compensate for this change.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes some memory leaks in the libapparmor log parsing
functions, specifically around handling records obtained from syslog
and records containing network addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In the course of developing apparmor dbus mediation, the aa_query_label
symbol was added to libapparmor on trunk, and given the symbol version
(via libapparmor.map) of APPARMOR_3.0. As apparmor upstream, we have
not made a release where this would have been exported.
Unfortunately, in Ubuntu, a version was released in 13.10 that included
the aa_query_label() symbol with a version of APPARMOR_1.1. This
can cause a breakage on that platform with the incorporation of the
impending apparmor 2.9 release.
This patch provides both versions (APPARMOR_1.1 and APPARMOR_2.9)
of the aa_query_label() symbol. It requires the function name in
kernel_interface.c to be renamed (similar to how the deprecated
change_hat() symbol is named in the source as __change_hat()),
otherwise linking fails with duplicated symbols. The default symbol
used will still be the APPARMOR_2.9 version, but binaries linked with
the APPARMOR_1.1 version would still continue to work unchanged.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This commit adjusts the trunk libtool versions in accordance
with the outlined rules. It also adds clarifying text to the
documentation comment to explain how to use the rules and what the
resulting outcome is. Finally, it removes a bogus argument to linker
to forcibly set the SONAME in the library, as libtool will do this
automatically (and override the passed argument).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format string, so an aa_change_hatv()
call followed by an exiting aa_change_hat() call would result in the
latter having a different token, which would cause the process to be
killed by apparmor.
(Hat tip to John Johansen for spotting the actual bug.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch moves the apparmor.h and aalogparse.h headers
from the libapparmor/src/ directory to a new directory
libapparmor/include/. The apparmor.h header is stored in a sys/
directory within libapparmor/include/ to match its usual install
location in /usr/include/sys/, simplifying the #include statements of
source that wishes to include either the in-tree or system installed
version of the header (i.e. #include <sys/apparmor.h> can be used
everywhere).
The patch size is inflated by the movements of the header files, which
are unchanged except for their locations. Otherwise, the rest of the
changes are to modify the include search path or to stop looking in
$CWD for one of the headers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Currently, D-Bus rules are the only type of policy that we expect to be
queried from userspace. Therefore, we do not need to export other
mediation types at this time.
This patch removes all AA_CLASS_* macros, except AA_CLASS_DBUS, from
libapparmor's apparmor.h header. These macros are already defined in the
parser's policydb.h header.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Now that the parser links against libapparmor, it makes sense to move
all public permission types and flags to libapparmor's apparmor.h. This
prevents duplication across header files for the parser and libapparmor.
Additionally, this patch breaks the connection between
AA_DBUS_{SEND,RECEIVE,BIND} and AA_MAY_{WRITE,READ,BIND} by using raw
values when defining the AA_DBUS_{SEND,RECEIVE,BIND} macros. This makes
sense because the two sets of permission flags are from two distinctly
different mediation types (AA_CLASS_DBUS and AA_CLASS_FILE). While it is
nice that they share some of the same values, the macros don't need to
be linked together. In other words, when you're creating a D-Bus rule,
it would be incorrect to use permission flags from the AA_CLASS_FILE
type.
The change mentioned above allows the AA_MAY_{WRITE,READ,BIND} macros
to be removed from public-facing apparmor.h header.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Allows for the policy writer to grant permission to eavesdrop on the
specified bus. Some example rules for granting the eavesdrop permission
are:
# Grant send, receive, bind, and eavesdrop
dbus,
# Grant send, receive, bind, and eavesdrop on the session bus
dbus bus=session,
# Grant send and eavesdrop on the system bus
dbus (send eavesdrop) bus=system,
# Grant eavesdrop on any bus
dbus eavesdrop,
Eavesdropping rules can contain the bus conditional. Any other
conditionals are not compatible with eavesdropping rules and the parser
will return an error.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This typo allowed apparmor.h to be pulled in multiple times.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The aa_getcon man page only implies that the *mode strings returned by
aa_getprocattr(), aa_gettaskcon(), aa_getcon(), and aa_getpeercon()
should not be freed. A developer using the man page to build against
libapparmor may miss that subtlety and end up hitting double free issues.
This patch makes the man page more clear, makes the function comments
more clear, and changes the aa_getprocattr() *buf param to *con. The use
of *buf should reserved for the aa_get*_raw() functions that do not
allocate a buffer for the confinement context and all documents now
clearly mention that *con must be freed.
Additionally, this patch removes the line wrapping of the
aa_getprocattr_raw() prototype in the aa_getcon man page source. The
line wrapping caused incorrect formatting of the function prototype when
viewing the man page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
r2125 caused a regression in aa_getpeercon_raw() when a NULL pointer was
passed into the mode parameter. Instead of unconditionally
NUL-terminating the con string before the mode portion of the security
context, it made it to where the NUL byte was only put into place when
mode was non-NULL.
This resulted in the con string incorrectly containing the label and the
mode.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In aa_query_label(), errors encountered during a write() to the AppArmor
filesystem's .access file results in an unintentional file descriptor
leak outside of aa_query_label(). Callers don't expect aa_query_label()
to return with a newly opened file descriptor so they can't be expected
to close the fd.
This flaw was introduced in r2147, which has not yet been included in an
official release.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
It may be useful to applications that do AppArmor queries to know if the
subject label in the query is unknown to the kernel. For example, the
corresponding profile may have been removed/renamed.
This patch eliminates all potential return locations of aa_query_label()
that may have errno set to ENOENT, except for the write() to
apparmorfs/.access that sets ENOENT when the subject label isn't found
by the kernel.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This requires libaalogparse to become aware of USER_AVC messages.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add an interface for trusted applications to use when they need to query
AppArmor kernel policy to determine if an action should be allowed.
This is a simplified interface that tries to make it as easy as possible
for applications to use. They provide a permissions mask and query
string and they get a pair of booleans back that let them know if the
action should be allowed and/or audited.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parameter names are slightly different in the two functions. Rename
buffer to buf and rename size to len to make the two function prototypes
look similar.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
functions
The functions that return the confinement information of a peer socket
connection should parse and return the mode like the task-based
functions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The getpeercon functions need to parse the mode from the confinement
string. This patch creates a function that aa_getpeercon_raw() and
aa_getprocattr_raw() can both use.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Return the total size of the security context on success
as documented.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Protect against bugs in AppArmor's getsockopt() LSM hook from sending
aa_getpeercon() into an infinite loop.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The libimmunix library is a historical artifact and has generated a
deprecation warning when used to syslog for over 4 years. This patch
removes it entirely from the libapparmor tree.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
time formats.
currently the only supported format is
<Month> ## hh:mm:ss
extend this to
<Month> ## hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-dd hh:mm:ss(.ms)?((+|-)timezone)?
yyyy-mm-ddThh:mm:ss(.ms)?((+|-)timezone)?
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
mediation, file picker, etc.), making it easier for other source bases
to detect the presence of libapparmor would be beneficial. This patch
adds pkg-config support to the build infrastructure for libapparmor.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Kees Cook <kees@ubuntu.com>
$CPPFLAGS. Additionally, do not repeat compiler flags for automake
targets that already include them, and pass more flags to the Perl build.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826https://bugzilla.novell.com/show_bug.cgi?id=755923
This patch modifies the libapparmor log parsing code to add support
for the additional ip address and port keywords that can occur in
network rejection rules. The laddr and faddr keywords stand for local
address and foreign address respectively.
The regex used to match an ip address is not very strict, to hopefully
catch the formats that the kernel emits for ipv6 addresses; however,
because this is in a context triggered by the addr keywords, it should
not over-eagerly consume non-ip addresses. Said addresses are returned
as strings in the struct to be processed by the calling application.
Bug: https://launchpad.net/bugs/800826
aa_getprocattr is returning the size of the buffer not the size of the
data read that it is supposed to return. Also update the man page to
reflect the return value as documented in the functions, and update
the test cases to check the return value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Steve Beattie <sbeattie@ubuntu.com>
While aa_getprocattr does return the documented error code on failure
the **buf and **mode parameters can point into the buffer that was
allocated and then discarded on failure.
Set them to null on failure so that even if the error code is ignored
they do not point to heap data.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
entries where the comm entry has been hex-encoded. This occurs when the
binary being confined contains a space or other problematic character in
its filename. A test case is included.
The define for pid_t is missing in apparmor.h so that if it is included
in programs that don't also include sys/types.h the compile will break.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
