In the following policy, "ptrace" would be dropped during merging:
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
Current behavior:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
With patch:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
The use of xbits can not pass verification so we need to leave them
off this makes the profile a leaf profile.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There is one significant difference in the encoding of the network
rules. Before this change, when the parser was encoding a "network,"
rule, it would generate an entry for every family and every
type/protocol. After this patch the parser should generate an entry
for every family, but the type/protocol is changed to .. in the pcre
syntax. There should be no difference in behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The post_process() method is misnamed, it fires when the profile is
finished parsing but fires before variable expansion. Rename it
to better reflect what it does and move the trigger code into
profile as a start of cleaning this stage up.
Also document the order the hooks fire in
Signed-off-by: John Johansen <john.johansen@canonical.com>
Move from using and int for permissions bit mask to a perms_t type.
Also move any perms mask that uses the name mode to perms to avoid
confusing it with other uses of mode.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The kernel will allow for a couple of debug flags on a profile that
can be used to trigger debug messages for only profiles/labels that
have the flag set. Add basic support for these to the parser.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR625 fixed hats not emitting the rule to access the proc interface
needed for change_hat, but it broke the rule being emitted for the
parent (which used to work).
The proc attr access rule should be emitted for any profile that
is a hat OR any profile that contains hats.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
The enforce profile mode is the default but specifying it explicitly
has not been supported. Allow enforce to be specified as a mode. If
no mode is specified the default is still enforce.
The kernel has supported kill and unconfined profile modes for a
long time now. And support to the parser so that profiles can make
use of these modes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/440
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/7
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
LSM stacking adds the new /proc/<pid>/attr/apparmor directory
dedicated to apparmor so that it won't collide with other LSMs.
The library has already been switched to using this interface by
default, but the parser need to add permissions to access this
location when hats and/or change_profile rules are defined.
Also make sure to update the apache abstraction to support the new
interface as well.
Signed-off-by: John Johansen <john.johansen@canonical.com
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parser was splitting up the namespace and profile name from named
transition targets only to rejoin it later when creating the binary
policy. This complicated the changes needed to support the stacking
identifier '&' in named transition targets.
To keep the stacking support simple, this patch keeps the entire named
transition target string intact from initial profile parsing to writing
out the binary.
All of these changes are straightforward except the hunk that removes
the namespace string addition to the vector in the process_dfa_entry()
function. After speaking with John, kernels with stacking have support
for consuming the namespace with the profile name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The add_named_transition function was written in a way that is difficult
to understand while attempting to read the function. This patch attempts
to clean it up.
First, this patch removes this confusing code flow issue:
if (!entry->ns) { ... }
if (entry->ns) { ... } else { ... }
It then unifies the way that the ns and nt_name strings of the cod_entry
struct are handled prior to calling add_entry_to_x_table() and/or
returning. ns and nt_name are now guaranteed to be NULL before
performing either of those actions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Create new, ref, and unref functions for aa_kernel_interface. The "new"
function allows for the caller to pass in an aa_features object that is
then used to check if the kernel supports set load operations.
Additionally, the "new" function allows for the apparmorfs path to be
discovered once instead of during every policy load.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Fixed build failures]
[tyhicks: Fixed bug where a warning was being printed when it shouldn't]
[tyhicks: Forward ported to trunk]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
This will simplify add new features as most of the code can reside in
its own class. There are still things to improve but its a start.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Convert the codomain to a class, and the policy lists that store
codomains to stl containers instead of glibc twalk.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Merge with dbus changes and process_file_entries() cleanup]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
change_hat 1.4 was an experiement is more directly controlling change_hat
by adding hat rulles to the profile. It has not been used since the
original experiment (4 years). So remove it
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
remove old dead code that used to fail compilation if regular expressions
where detected in the rules and the apparmor kernel module did not support
regular expression matching.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This conversion is nothing more than what is required to get it to
compile. Further improvements will come as the code is refactored.
Unfortunately due to C++ not supporting designated initializers, the auto
generation of af names needed to be reworked, and "netlink" and "unix"
domain socket keywords leaked in. Since these where going to be added in
separate patches I have not bothered to do the extra work to replace them
with a temporary place holder.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: merged with dbus changes and memory leak fixes]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Remove use of AARE_DFA as the alternate pcre matching engine was removed
years ago.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch implements the parsing of DBus rules.
It attempts to catch all corner cases, such as specifying a bind
permission with an interface conditional or specifying a subject name
conditional and a peer name conditional in the same rule.
It introduces the concept of conditional lists to the lexer and parser
in order to handle 'peer=(label=/usr/bin/foo name=com.foo.bar)', since
the existing list support in the lexer only supports a list of values.
The DBus rules are encoded as follows:
bus,name<bind_perm>,peer_label,path,interface,member<rw_perms>
Bind rules stop matching at name<bind_perm>. Note that name is used for
the subject name in bind rules and the peer name in rw rules. The
function new_dbus_entry() is what does the proper sanitization to make
sure that if a name conditional is specified, that it is the subject
name in the case of a bind rule or that it is the peer name in the case
of a rw rule.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
http://bugs.launchpad.net/bugs/979135
Currently a change_profile rule does not grant access to the
/proc/<pid>/attr/{current,exec} interfaces that are needed to perform
a change_profile or change_onexec, requiring that an explicit rule allowing
access to the interface be granted.
Make it so change_profile implies the necessary
/proc/@{PID}/attr/{current,exec} w,
rule just like the presence of hats does for change_hat
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
policydb is the new matching format, that combines the matching portions
of different rules into a single dfa/hfa. This patch only lays some ground
work it does not add encoding of any rules into the policydb
Signed-off-by: John Johansen <john.johansen@canonical.com>
The ability to set capabilities from a profile has been removed from the
kernel for several releases. Remove it from the parser as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Add the ability to specify the name and attachment of the profile
separately. It does not allow for the attachment specification to
begin with a variable however since variables in profile names is not
currently support this shouldn't be and issue.
Signed-off-by: John Johansen <john.johansen@canonical.com>
thing again. Fix to use the kernel's definition of AF_MAX in
linux/socket.h if it's larger than glibc's AF_MAX definition in
sys/socket.h and add a wrapper function so that we don't have include
af_names.h everywhere.
Also, fix memory leaks around the handling of network entries of
policies.
- rc.apparmor.functions were not correctly removing profiles on replace and
reload, also convert to using the module interface directly bypassing the
parser.
- fix cx -> named transitions
- fix apparmor_parser -N so that it emits hats as profiles under new kernel
modules. This is the correct behavior as hats are promoted to profiles.
