The enforce profile mode is the default but specifying it explicitly
has not been supported. Allow enforce to be specified as a mode. If
no mode is specified the default is still enforce.
The kernel has supported kill and unconfined profile modes for a
long time now. And support to the parser so that profiles can make
use of these modes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/440
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/7
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
IncludeRule: sort files in included directory
... instead of relying on the filesystem(!) ordering, which will look
random to both users and unittests.
Also partially revert the test changes from
c5a7bcd50e /
https://gitlab.com/apparmor/apparmor/-/merge_requests/548 -
sorting the result only in the tests is a bad idea.
See merge request apparmor/apparmor!552
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Tag profiles and abstractions with abi information.
Tagging abstractions is not strictly necessary but allows the parser
to detect when their is a mismatch and that policy will need an
update for abi.
We do not currently tag the tunables because variable declarations
are not currently affected by abi.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
... instead of relying on the filesystem(!) ordering, which will look
random to both users and unittests.
Also partially revert the test changes from
c5a7bcd50e /
https://gitlab.com/apparmor/apparmor/-/merge_requests/548 -
sorting the result only in the tests is a bad idea.
This fixes cases when two aliases with the same left side were
configured - instead of "last one wins" in the dict, AliasRuleset now
keeps both.
ProfileList add_alias() changes its parameters and now expects an
AliasRule object. Adjust all callers to that.
Drop the no longer needed write_alias().
Also adjust the tests to use AliasRule and add a dedup test promised in
an earlier patch series.
Add VariableRule and VariableRuleset and use it for variable handling
Besides the usual advantages of switching to classes, we finally get rid of the `filelist` hasher.
While on it, also fix some bugs around variable handling, including https://bugs.launchpad.net/apparmor/+bug/1331856 and some that maybe nobody noticed before.
As usual, see the individual commits for details.
See merge request apparmor/apparmor!544
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Trailing commas in variable values are not allowed (unless they are
quoted). Fix the regex to avoid "eating" the comma, and add a check to
detect invalid commas.
As usual, add some tests, and remove some testcases from the
exception_not_raised list.
... and add a test to ensure that everything works as expected.
Note that broken variable names like '@{foo' match the (quite
permissive) regex, but are invalid nevertheless.
... by calling active_profiles.get_all_merged_variables()
Also remove vars/vars_bad_add_assignment_1.sd from the
exception_not_raised list again - now it raises an exception as
expected.
Add set_variables() to severity.py to set the variables for severity
rating. It typically gets the data from the get_all_merged_variables()
result.
This replaces the slightly broken load_variables() that parsed profile
files for variables. (For example, parsing "@{foo} = /bar" resulted
in a variable name "@{foo} " with trailing space.)
Also adjust aa.py and the severity tests to use set_variables() (with
get_all_merged_variables()) instead of load_variables().
This also re-adds the checks that were removed in the "Store variables
in active_profiles (ProfileList)" commit earlier, while still fixing
lp:1331856.
With this change, unload_variables() becomes useless (the variables get
overwritten in set_variables() anyway), drop it and its calls.
Note that load_variables() silently ignored non-existing files while the
get_all_merged_variables() call only works for existing files that are
known to active_profiles. Since the input of ask_the_questions() and
ask_exec() comes from log_dict (= audit.log or a profile to merge), add
a check if that profile actually exists in the set of active profiles.
Also adjust the severity tests to use set_variables().
Finally, drop the tests that check for handling non-existing include
files, redefining and adding to non-existing variables - all these
things get now handled in include_list_recursive() and
get_all_merged_variables() and their tests.
Fixes: https://bugs.launchpad.net/apparmor/+bug/1331856
This function returns a dict with all variables and their values for a
given profile file. It also checks for redefined variables, and adding
to non-existing variables, and errors out in both cases. Note that it
does not check the include order and is therefore more forgiving than
apparmor_parser.
Also add some tests for get_all_merged_variables().
Note: the tests are based on reading "real" profiles, therefore we need
to initialize apparmor.aa and call some of its functions.
The alternative would be to construct ProfileList objects for some
profiles and includes manually, but doing that in a way that can replace
the tests with "real" profiles would be quite some work, and I'm not
bored enough for that ;-)
Everything handled in 'filelist' gets handled in active_profiles now.
Note: the 'elif' branch in delete_all_duplicates() was probably never
hit because `if include.get(...)` always matched. The only possible
exception might be non-existing include files, but those cause a 'file
not found' error anyway.
... instead of filelist[file]['lvar'], and also write them from there.
Also fix detection of variable definitions inside a profile, which is
not allowed.
Note that ProfileList has a different write order than the old code -
first includes, then variable definitions. This makes more sense because
typical profiles first include tunables/global, and then define
additonal variables (that might use variables from tunables/global) or
extend variables defined in tunables/global.
This change also fixes some problems with the simple_test test profiles.
The "adding to non-existing variable" check currently doesn't exist,
which "fixes" lp:1331856.
OTOH this also means that such cases are not detected, therefore add
vars_bad_add_assignment_1.sd to the exception_not_raised list.
The check will be re-added in a later commit
in get_all_merged_variables().
With the includes rule class landing, this particular test failed
in a test vm due to the sort ordering being different. It's not
clear that there should be an expectation of ordering returned from
get_full_paths(), so sort the result.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/548
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
This patch series moves include rule handling away from the `filelist` hasher to using IncludeRule and IncludeRuleset. This means that only variable handling is left in `filelist`.
As usual, check the individual commits for details.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/537
Acked-by: John Johansen <john.johansen@canonical.com>
remove_duplicate_rules() composed the 'includes' list from a) the
include rules in the profile and b) the file_includes (preamble
includes), and then checked the profile includes against this
combination of profile and preamble includes.
Checking profile includes against preamble includes is wrong, and the
only reason why this went unnoticed for years is that preamble include
files (like tunables) won't work inside a profile and therefore never
appear there.
In theory this might be a backport candidate, even if this shouldn't
cause a real-world bug.
This function returns a list of all includes in a profile and its
included files.
It's split off from is_known_rule() and get_file_perms() which shared
lots of common code to recursively get the include list. These functions
now use include_list_recursive().
... or calling is_known_rule() on events for non-existing hats.
It's the usual hasher() "fun" again - accessing a non-existing element
will create its parent.
In theory this commit might be worth a backport. In practise, it doesn't cause
any visible problem.
However, starting with the next commit, it will cause lots of test errors.
Also add a missing is_known_rule() call for dbus rules, which might have
caused similar hasher() "fun".
rule_obj.get_full_paths() handles directories and non-existing files
(depending on 'if exists'), so we can simply feed the resulting list
into load_include()
This function returns a list of paths for an include rule. This can be
- a single path if the include file is a file and exists
- a single path if the include file doesn't exist, but doesn't have
'if exists' (this will cause a 'file not found' error when used)
- a list of paths if the include is a directory
- an empty list if the rule has 'if exists' and the file doesn't exist
Also add some tests for get_full_paths()
IncludeRuleset needs to import it (next commit), which is impossible
when it lives in aa.py (would cause recursive import loop because aa.py
imports IncludeRuleset)
... because this is now done via IncludeRule, and keeping the separate
code would mean asking twice.
Note that the user interface changes slightly.
The old workflow was
1 - #include <foo>
2 - #include <bar>
3 - #include <baz>
[select 2 and (A)dd, then get the next question for the remainder]
1 - #include <foo>
2 - #include <baz>
[(A)dd another one, or (I)gnore the remainder]
The new workflow will ask separately for each abstraction, and you can
(A)dd or (I)gnore it. This is probably easier to understand because it's
basically a yes/no question.
... and write them (only) from 'inc_ie' (IncludeRuleset), which can
handle both "include" and "include if exists" rules.
This duplicates storage of include rules because 'include' is still used
and needed at various places that work on/with the include rules.
With this, we get removal of duplicate include lines insinde a profile
in aa-cleanprof "for free" - extend cleanprof_test.in to confirm this.
aa-notify does not need to load the policy includes for its current
features, so drop the unneeded overhead.
Signed-off-by: John Johansen <john.johansen@canonical.com>
