Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1109
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Even if this is very unlikely to happen (because of the previously added
test, and because CapabilityRule only allows to specify known severity
keywords), ensure proper behaviour if an unknown severity gets rated.
- convert a string parameter to a list to avoid duplication of the
validation logic
- add separate check for empty cap_list
- remove check for empty strings - the previous commit already added
such a check to the for loop. Also, move the comment to that check.
... and error out if an unknown capability is given.
This also means recognizing bad capabilities in the parser simple_tests
now works (so remove these from the exception_not_raised list), and that
we can no longer hand over an unknown capability in test-capability.py
to test their severity.
... instead of non-existing ones.
This is a search-and-replace commit:
ptrace -> sys_ptrace
chgrp -> fowner (because fowner wasn't used in the test before)
This also means we can get rid of most cleanprof-specific conditions
without changing the behaviour (because the other functions don't use
'profile' yet).
Also hand over prof_filename to clean_profile() so that it doesn't need
to find it out itsself.
Before, the 'profile' return value was either a profile name or a
profile filename, depending on the active module (cleanprof vs.
everything else).
Separate the return values so that it's clear what we get.
Notes:
- This commit doesn't change functionality, only the number of return
values and some variable names.
- There's no guarantee that all return values are set. They can also be
None. (This might change in the future.)
Also adjust the callers of get_next_to_profile(), and rename 'profile'
to 'prof_filename' in calling functions that actually use the profile
filename.
This needed replacement of "program" with "profile" at various places in
tools.py (of course this description is over-simplified).
The changes in get_next_to_profile() (which is used by several aa-*
minitools) are restricted to cleanprof to avoid side effects in the
other aa-* minitools.
However, the other aa-* minitools possibly also suffer from problems
with named profiles, but checking and fixing that is left for another
commit ;-)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351
... to get the profile name for a given attachment.
Since this is not very different from filename_from_attachment(), move
most of the code into a thing_from_attachment() function, and make
{profile,filename}_from_attachment wrappers for it.
Also adjust the tests to the changed internal data structure, and add
tests for profile_from_attachment().
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds two new profile flags
* `interruptible` which can be used with prompt
* `kill.signal=XXX` which can be used to set the signal used by kill mode or the kill rule prefix
In addition it adds a few cleanups and fixes around profile flag handling
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1096
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Add a flag that allows setting the signal used to kill the process.
This should not be normally used but can be very useful when
debugging applications, interaction with apparmor.
Signed-off-by: John Johansen <john.johansen@canonical.com>
ask_exec() and ask_addhat() set
hashlog[aamode][full_profile]['final_name'].
While this was used to get profile and hat split, it was not used as key
for log_dict. This resulted in entries like
log_dict['PERMITTING']['foo//null-/usr/bin/cat']
which are obviously wrong.
Use final_name as log_dict key so that we end up with (assuming child
exec was selected)
log_dict['PERMITTING']['foo///usr/bin/cat']
This fixes a regression introduced in 3.1. Due to other changes in collapse_log() done in master, picking this into 3.1 isn't that easy. I'll submit a separate patch for 3.1.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1091
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Now that we have `final_name` as shortcut for
`hashlog[aamode][full_profile]['final_name']`, update the code that used
the long version to make it more readable.
ask_exec() and ask_addhat() set
hashlog[aamode][full_profile]['final_name'].
While this was used to get profile and hat split, it was not used as key
for log_dict. This resulted in entries like
log_dict['PERMITTING']['foo//null-/usr/bin/cat']
which are obviously wrong.
Use final_name as log_dict key so that we end up with (assuming child
exec was selected)
log_dict['PERMITTING']['foo///usr/bin/cat']
Ideally we'd update them to the chosen exec target - but until this is
implemented, it doesn't make sense to ask about adding a //null-* peer
to a profile.
On (terribly, but real-world) slow buid hosts, running test-logprof.py
fails with a timeout. Increase the timeout so that even those build
hosts get enough time to finish the aa-logprof tests.
Add support for specifying the path prefix used when attach disconnected
is specified.
TODO: add regression tests
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/661
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add support for specifying the path prefix used when attach disconnected
is specified. The kernel supports prepending a different value than
/ when a path is disconnected. Expose through a profile flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and a simple test for a single (fake) event for ping.
Notes:
- to let aa-logprof work in the CI environment, we need to skip checking
for the AppArmor mountpoint. Introduce --no-check-mountpoint for this.
- PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when
starting aa-logprof via subprocess.Popen()
- if the test runs with coverage enabled, it will also start aa-logprof
with coverage (parameters copied from Makefile).
Speaking about coverage - this test adds 4% overall coverage, and 10%
more coverage for apparmor/aa.py.
Add support for the prompt profile flag. That allows policy to do an upcall to userspace if supported by the kernel and if a userspace daemon is available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1062
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add a json_log option (default: disabled) to logprof.conf that enables
logging of all aa-logprof and aa-genprof input and output to a
/tmp/aa-jsonlog-* file.
This can be useful for debugging, and maybe also to create tests that do
a full aa-logprof run.
This patch introduces a minor behaviour change if aa-logprof errors out
on startup (for example if the config file is broken or the parser can't
be found):
Before:
```
$ aa-logprof --json
{"dialog": "apparmor-json-version","data": "2.12"}
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
After:
```
$ aa-logprof --json
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
Note that the json version line will not be printed if aa-logprof or
aa-genprof error out that early.
If there are no startup errors, the behaviour will not change.
Allowing access to a debug flag can greatly improve policy debugging.
This is different than the debug mode of old, that was removed. It only
will trigger additional messages to the kernel ring buffer, not
the audit log, and it does not change mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like
mount slave /snap/bin/** -> /**,
mount /snap/bin/** -> /**,
would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.
1. If kernel mount flags were present on the rule. The error would
be caught causing an error to be returned, causing profile compilation
to fail.
2. If the rule did not contain explicit flags then rule would generate
change_mount_type permissions based on souly the mount point. And
the implied set of flags. However this is incorrect as it should
not generate change_mount permissions for this type of rule. Not
only does it ignore the source/device type condition but it
generates permissions that were never intended.
When used in combination with a deny prefix this overly broad
rule can result in almost all mount rules being denied, as the
denial takes priority over the allow mount rules.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1014
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
