This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
before the af type protocol mappings patch was applied, a single rule could
result in multiple rule entries being created. The af type protocol mappings
patch broke this by apply only the first of the mappings that could be
found.
Restore the previous behavior by search through the entire table until
all matches have been made.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
they only fail because of one (expected) reason and we notice if they
don't fail anymore. Complex profiles have the risk to fail for multiple
reasons, which also means nobody will notice if they fail for one reason
less.
The simplification is done by
- removing #include lines
- in some cases, replace the #include line with "/foo/bar r," to avoid
empty hats
Acked-by: Steve Beattie <steve@nxnw.org>
The change to processing escape sequences in trunk commit r2537 requires
a corresponding change to the unit tests in parser_misc.c.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
escape sequences that result in special character that will be interpreted
by later processing need to be passed through as well.
Eg. previously \\ was fixed to be passed through, but other chars
get interpretted as well.
*?[]{}
and ^, in character classes
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Also for characters that are not recognized as a valid escape seq
make sure that the character is emitted.
previously
\$ resulted in \
where it should have been \$ if $ wasn't recognized
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
r2456 unified escape sequence processing but it results in the \\
sequence being processed multiple times (lexer, regex conversion,
backend pcre parsing).
What used to happen was the lexer would only convert octal sequences
and a few special escapes, \\ would be passed through the lexer and
the regex conversion, thus only being handled in the pcre backend.
r2456 changed that so that \\ is handled by the lexer, converting it
to \, which is handled as an escape sequence in both the regex
conversion and the pcre backend.
This means
\\001 instead of being treated as the literal \001 is treated
as an octal escape sequence which is rejected by the regex conversion
(it only allows for certain special chars).
etc.
Fix this by ensuring the lexer does not processes \\ and passes it
through so it is only handled in the backend as was done in the past.
Also fix front end escape sequence processing of octals etc from resulting
in a later escape sequence. That is \134, \d92, .. would get converted
to \ in the lexer and then treated as an escape sequence in the regex
conversion or pcre processing.
We fix this by converting them to the equivalent \\ sequence in the
lexer and letting the backend processes it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
For some strange reason our caching use ctime instead of mtime.
However this can lead to odd cases of the cache missing even though
neither the profile data nor cache data have changed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Commit r2456 fixes a bug in the parsers compilation that can result
policy failures. Unfortunately this Bug slipped into the wild and
shipped in at least one distro.
Bump the parser abi so that parsers that have the fix will invalid
existing cache files, and recompile policy to ensure the fix is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Jamie Strandboge <jamie@canonical.com>
Description: man page updates for signals, ptrace and new variables
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
v3: fix freeing of filename when undefined
v2: address tyhicks feedback
refactor to have a common write routine
fix issue with set profile load being done even if !kernel_load
Profile loads from cache files that contain multiple profiles can
result in multiple reloads of the same profile or error messages about
failure to load profiles if the --add option is used. eg.
apparmor="STATUS" operation="profile_load"
name="/usr/lib/apache2/mpm-prefork/apache2" pid=8631
comm="apparmor_parser"
<sth0R> [82932.058388] type=1400 audit(1395415826.937:616):
apparmor="STATUS" operation="profile_load" name="DEFAULT_URI" pid=8631
comm="apparmor_parser"
<sth0R> [82932.058391] type=1400 audit(1395415826.937:617):
apparmor="STATUS" operation="profile_load"
name="HANDLING_UNTRUSTED_INPUT" pid=8631 comm="apparmor_parser"
<sth0R> [82932.058394] type=1400 audit(1395415826.937:618):
apparmor="STATUS" operation="profile_load" name="phpsysinfo" pid=8631
comm="apparmor_parser"
<sth0R> [82932.059058] type=1400 audit(1395415826.937:619):
apparmor="STATUS" operation="profile_replace" info="profile can not be
replaced" error=-17
name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=8631
comm="apparmor_parser"
<sth0R> [82932.059574] type=1400 audit(1395415826.937:620):
apparmor="STATUS" operation="profile_replace" info="profile can not be
replaced" error=-17
name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT"
pid=8631 comm="apparmor_parser"
The reason this happens is that the cache file is a container that
can contain multiple profiles in sequential order
profile1
profile2
profile3
The parser loads the entire cache file to memory and the writes the
whole file to the kernel interface. It then skips foward in the file
to the next profile and reloads the file from that profile into
the kernel.
eg. First load
profile1
profile2
profile3
advance to profile2, do second load
profile2
profile3
advance to profile3, do third load
profile3
With older kernels the interface would stop after the first profile and
return that it had processed the whole file, thus while wasting compute
resources copying extra data no errors occurred. However newer kernels
now support atomic loading of multipe profiles, so that all the profiles
passed in to the interface get processed.
This means on newer kernels the current parser load behavior results
in multiple loads/replacements when a cache file contains more than
one profile (note: loads from a compile do not have this problem).
To fix this, detect if the kernel supports atomic set loads, and load
the cache file once. If it doesn't only load one profile section
from a cache file at a time.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Mention, in the apparmor.d man page, that pivot_root arguments must end
with a '/' character since they are directories.
The parser currently allows pivot_root arguments that do not end in '/',
but those rules will always fail to match.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
It may not be obvious that the peer label can be "unconfined". Provide
an example rule, in the apparmor.d man page, demonstrating the
peer=(label=unconfined) conditional.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch extends the coverage of the parser's simple dbus language
tests.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds basic signal tests to the parser's simple language
test suite.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
With the recent addition of features like ptrace and signals that
give warnings and then ignore the subset of rules when the features
directory indicates that the kernel does not support mediating such
features, at least one of the language tests fails in a chroot
environment where the apparmor securityfs tree is not mounted
inside it.
To compensate, a features file containing the current supported features
is included, and the simple.pl test driver is modified to pass it as an
argument to the parser, so that it will act as if the environment
supports all our current features.
A simple python script is included that was used to generate the
features file based on the current feature set.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
table
This patch adds the creation of an implicit set variable
@{profile_name} for use within policy. It expands to:
- a given profile name if specified; e.g. for
'profile flappy_bird /some/pattern/match* { [...] }'
@{profile_name} would expand to 'flappy_bird'
- if no given name, the match pattern; e.g. for
'/usr/bin/doge_bird { [...] }'
@{profile_name} would expand to '/usr/bin/doge_bird'
- hats and child profiles will include the fully qualified name; e.g.
the 'doge' hat in the /usr/bin/flappy_bird profile would cause
@{profile_name} to expand to '/usr/bin/flappy_bird//doge' within the
'doge' hat, and '/usr/bin/flappy_bird' outside of it in the profile.
There are some parsing tests added, but more tests are needed to verify
that expansion occurs properly (I've verified manually using parser
dumps of the added tests, but automated checks are needed).
The @{profile_name} variable is expected to be most useful in the
context of signal and ptrace rules (e.g. for specifying that an app
can send itself signals).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
seenlist bug
This patch:
- refactors the parser_symtab.c unit tests a bit in preparation for
the patch to add an implicit autofilled @{profile_name} variable
- expands coverage of the unit tests such that all code paths that
don't result in an exit() or are due to memory allocation errors are
exercised (this doesn't mean the tests are complete; the
__expand_variable() could use more tests for correctness).
- it fixes a bug where variables were not being removed from the
seenlist when a problem was detected in __expand_variable().
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This patch adds a bunch of language parsing tests for ptrace rules.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds the newer rules class entries (e.g. ptrace, signals)
when dumping profiles (invoking the parser with the -dd argument).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
ptrace rules currently take the form of
ptrace [<ptrace_perms>] [<peer_profile_name>],
ptrace_perm := read|trace|readby|tracedby
ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
After having used the cross check (permission needed in both profiles)
I am not sure it is correct for ptrace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The match
{VARIABLE_NAME}/{WS}*={WS}*\(
is too broad causing mount and dbus rules to fail for sets of values eg.
mount options=(ro bind)
Instead of doing a broad match, for now lets lock it down to just
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The match
{VARIABLE_NAME}/{WS}*={WS}*\(
is too broad causing mount and dbus rules to fail for sets of values eg.
mount options=(ro bind)
Instead of doing a broad match, for now lets lock it down to just
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.
The current format of the signal rule is
[audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>,
signal_perm := 'send'|'receive'|'r'|'w'|'rw'
signal_perms := <signal_perm> | '(' <signal_perm> ([,]<signal_perm>)* ')'
signal := ("hup"|"int"|"quit"|"ill"|"trap"|"abrt"|"bus"|"fpe"|"kill"|
"usr1"|"segv"|"usr2"|"pipe"|"alrm"|"term"|"tkflt"|"chld"|
"cont"|"stop"|"stp"|"ttin"|"ttou"|"urg"|"xcpu"|"xfsz"|"vtalrm"|
"prof"|"winch"|"io"|"pwr"|"sys"|"emt"|"exists")
signal_set := set=<signal> | '(' <signal> ([,]<signal>)* ')'
it does not currently follow the peer=() format, and there is some question
as to whether it should or not. Input welcome.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
For some rules the output of apparmor_parser -p has a double comma
Eg.
ptrace (tracedby),
dbus (send,receive),
is output as
ptrace (tracedby),,
dbus (send,receive),,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
apparmor_parser -p is broken. Outputting garbage charcters after every
include statement.
eg.
##included <tunables/multiarch>
^@^@V><A8>^?^@^@<C8>^NV><A8>^?^@^@<A0>^Pu^@# -----------------------------------
-------------------------------
#
This is happening because includes are handled specially and should not
go through the usual preprocessing output dump.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch makes use of the htoleXX() functions (see endian(3))
defined as part of endian.h (already included in parser_interface.c),
instead of defining a function differently based on the detection of
endian related macros.
This fixes a build failure experienced on powerpc with John's patch
set applied. This patch has been updated with John's feedback to use
letoh16() in the le16_to_cpu() macro.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
