This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make it so the output options that count profiles and processes can
be output to a file.
This does not add a user option to do so
Signed-off-by: John Johansen <john.johansen@canonical.com>
For detailed output split up where output is going from whether json
is being produced.
This also allows none json output to go to a file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The chfa equivalence class shouldn't be a reference. Its needs to
actually exist and be part of the class during later method calls.
As a reference it leads to bad references when used later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1015
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
When the replacement regex for multiple qualifiers matches, the
capture group variables ($1, $2, etc) are overwritten to match the
most recent regex. Since there are no capture groups in the 's/,/ /g'
regex, then $2 was empty, causing an error on policy generation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The chfa equivalence class shouldn't be a reference. Its needs to
actually exist and be part of the class during later method calls.
As a reference it leads to bad references when used later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1014
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When a user choooses to execute to a named profile (not: named child),
make sure to get the profile filename in the correct way to avoid a crash.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314
I propose this patch for 2.13..master. (Note: I verified that the bug already exists in 2.13, and that this patch fixes it.)
Closes#314
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1013
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... by allowing to read all files below ~/.icons instead of only the
directory listing.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1008
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The parser front end is inconsistent about how it handles permissions and rules. This makes extending the permission set and fixing inconsistencies between say file and af_unix rules difficult and prone to failures.
This is a set of work to cleanup the frontend parse handling, and middle semantic checks, dedup, and processing of rules and their permissions. It also is starting to lay the ground work for the parser retaining more information to output better error, and debug messages.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/802
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
When a user choooses to execute to a named profile (not: named child),
make sure to get the profile filename in the correct way to avoid a
crash.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314
Noticed that this externally-visible service was not confined, so I put together a profile for it.
Please backport to `apparmor-3.[01]` if it looks good!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1011
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1007
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
The description of @{etc_ro} and @{etc_rw} were not good enough in
explaining which directories they should contain, and when to use which
of the variables in a profile.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1000
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Probably thanks to O_MAYEXEC, denials for file access can now contain a
mix of x (exec) and other file permissions.
The actual exec should appear in a separate "exec" log event, therefore
ignore 'x' in file events for now if it's mixed with other permissions.
Note that file events ("open", "link" etc.) that contain denied_mask="x"
without another permission will still cause an error. (So far, this
hasn't been seen in the wild.)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303
Also add the log line from the bugreport and the (for now) expected
result as test_multi testcase.
I propose this patch for all branches.
Closes#303
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1001
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The code for add_local_entry is actually currently unused and will
have to change anyways by the time it is. Some drop it and the
associated variables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Another step towards having a block rule and retaining parsed rule
structure. Setup the parse to use a common block pattern, that when
we are ready will become an actual rule.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for file rules and rule duplication removal add
flags to rule_t with the first flag indicating if the rule is
deleted.
We do this instead of actually deleting the rule so we can hold
on to the rule for debug and printing output in the future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
in preparation for file rules switching to rule_t add a method to
indicate whether a particular rule is mergeable/dedupable.
Whether a rule merges or dedups will be up to the rules comparison
and merge methods.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for rule comparison and elemination have each rule
carry a type that can be used as the base of comparison. The
rule class is folded into this type.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of having each rule individually handle the class info
introduce a class_rule_t into the hierarchy and consolidate.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The post_process() method is misnamed, it fires when the profile is
finished parsing but fires before variable expansion. Rename it
to better reflect what it does and move the trigger code into
profile as a start of cleaning this stage up.
Also document the order the hooks fire in
Signed-off-by: John Johansen <john.johansen@canonical.com>
The previous patch enable the prefix based rules all to use the
same code pattern. Group them together
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cleanup the parse code by making shared prefix and perms classes for
rules and convert rules to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Audit control support is going to be extended to support allowing
policy to which rules should quiet auditing. Update the frontend
internals to prepare for this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
