The post_process() method is misnamed, it fires when the profile is
finished parsing but fires before variable expansion. Rename it
to better reflect what it does and move the trigger code into
profile as a start of cleaning this stage up.
Also document the order the hooks fire in
Signed-off-by: John Johansen <john.johansen@canonical.com>
The previous patch enable the prefix based rules all to use the
same code pattern. Group them together
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cleanup the parse code by making shared prefix and perms classes for
rules and convert rules to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Audit control support is going to be extended to support allowing
policy to which rules should quiet auditing. Update the frontend
internals to prepare for this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This delays the convertion of the audit flag until passing to the
backend. This is a step towards fix the parser front end so that it
doesn't use encoded permission mappings.
Note: the patch embedds the bool conversion into a struct to ensure
the compiler will fail to build unless every use is fixed. The
struct is removed in the following patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make mount permission set consistent with the other rule types. This
is a step towards refactoring.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a step towards restructuring how "audit" is handled so we
can add quiet support and push mapping of audit bits later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Move from using and int for permissions bit mask to a perms_t type.
Also move any perms mask that uses the name mode to perms to avoid
confusing it with other uses of mode.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Recent work on the parser has surfaced missing header dependencies
and other issues. Cleanup up and simplify the dependencies so it
is harder to break them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a partial fix for CVE-2016-1585, it address the frontend rule encoding problems particularly
- Permissions being given that shouldn't happen
- Multiple option conditionals in a single rule resulting in wider permission instead of multiple rules
- optional flags not being handled correctly
- multiple backend rules being created out of one frontend rule when they shouldn't be
it does not address the backend issue of short cut permissions not being correctly updated when deny rules carve out permissions on an allow rule that has a short cut permission in the encoding.
Thanks to the additional work by Alexander Mikhalitsyn for beating this MR into shape so we can land it
Alexander Changelog:
- rebased to an actual tree
- addressed review comments from @wbumiller and @setharnold
- fixed compiler warnings about class_mount_hdr is uninitialized
- infinite loop fix
- MS_MAKE_CMDS bitmask value fixed
- fixed condition in `gen_flag_rules` to cover cases like `mount options in (bind) /d -> /4,` when flags are empty and only opt_flags are present
- marked some tests as a FAIL case behavior was changed after `parser: add conflicting flags check for options= conditionals` commit
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/333
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These tests contains incompatible mount options and broken
after ("parser: add conflicting flags check for options= conditionals")
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
gen_flag_rules has a boolean vs bit and case where parenthesis are
helpful to express the intended order of operations.
It also doesn't handle the case where there are no matches. Fix this
by causing that case to fail.
also improve the debug of option extraction.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Now that flag processing for mount rules with single option
conditionals are fixed e-enable multiple mount conditionals on a
single mount rule. The mount conditionals are equivalent to specifying
multiple rules.
mount options=(a,b,c) options=(c,d),
is the same as
mount options=(a,b,c),
mount options=(c,d),
and
mount options in (a,b,c) options in (c,d),
is the same as
mount options in (a,b,c),
mount options in (c,d),
when multiple options= and options in are combined in a single rule
it is the same as the cross product of the options.
where
mount options=(a,b,c) options in (d,e),
is a single rule.
mount options=(a,b,c) options=(d,e) options in (f),
is equivalent to
mount options=(a,b,c) options in (f),
mount options=(d,e) options in (f),
and while it is not recommended that multiple options= and options in
conditions be used in a single rule.
mount options=(a,b,c) options=(d,e) options in (f) options in (g),
is equivalent to
mount options=(a,b,c) options in (f),
mount options=(a,b,c) options in (g),
mount options=(d,e) options in (f),
mount options=(d,e) options in (g),
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed infinite loop in mnt_rule::gen_policy_re
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- after this commit tests mount/ok_[16-19].sd are failing,
but it's correct
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The combined optional flag and exact match flag processing is problematic
separate out the optional flag processing so it is only combined during
match string generation.
While doing so we fix the flag output so that multiple rules are
not output when they shouldn't be.
In addition we temporarily break multiple options= and 'options in'
conditionals in a single rule, which we will fix in a separate patch.
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- made tests happy by changing condition in gen_policy_re()
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Simplify flag masking and fix the MS_MAKE_CMDS flag set. This is a
step in fixing
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed MS_MAKE_CMDS definition to the correct one.
We shouldn't add (MS_ALL_FLAGS & ~(MNT_FLAGS)) to this bitmask.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
A step in cleaning up mount rule generation, split out the handling
of mount rules that imply multiple rules to make it easier to
see what is going on.
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
Do a minimal code refactoring (ie. no functional changes, just moving
code,adding boiler plate and glue) in preparation to fix
bug https://bugs.launchpad.net/apparmor/+bug/1597017
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed compiler warnings:
<built-in>: In member function ‘int mnt_rule::gen_policy_new_mount(Profile&, int&, unsigned int, unsigned int)’:
<built-in>: note: by argument 1 of type ‘const char*’ to ‘long unsigned int __builtin_strlen(const char*)’ declared here
mount.cc:880:14: note: ‘class_mount_hdr’ declared here
880 | char class_mount_hdr[64];
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The key of SYSV message queues is an integer and the kernel uses an
integer to store the key. In order to improve performance when
travelling the DFA in the kernel, we should use an integer instead of
the string.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.
This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.
Fixes: 16b67ddbd ("add ability to use out of band transitions"
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This reverts commit 1aa474b25c.
This is a debug patch that unconditionally sets a profile debug flag
if mqueue rules are present. It should not be present in merged
code, and instead the user should set a debug flag on the profile if
that is desired.
This was merged with the patch to expedite the MR with the understanding
that this patch would be reverted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The kernel will allow for a couple of debug flags on a profile that
can be used to trigger debug messages for only profiles/labels that
have the flag set. Add basic support for these to the parser.
Signed-off-by: John Johansen <john.johansen@canonical.com>
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
by adding a warning flag that is disabled by default. This will enable
devs to find when and where #include is in use by adding the compile
flag
--warn=pound-include
and can even abort policy compiles by using
--warn=pound-include --Werror=pound-include
The resulting messages look like
Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 5): deprecated use of '#include'
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
