Expr tree simplification makes multiple passes at simplifying the
expression tree trying to use fatoring rules and heuristics to achieve
the minimum tree, so that dfa construction has fewer nodes to deal
with.
Unfortunately expr tree simplification can slow some policy compiles,
dependent on the type of expressions generated, down, and even worse
is currently subject to never terminating on some expressions as the
left and right passes keep undoing each others work.
Limiting the number of passes that expr tree simplification does can
provide most of its benefits (later passes generally have diminishing
returns), reduces the overhead it has on simple policy where it is of
little benefit, and insures that simplifications can not get stuck in
an infinite loop due to the left and right passes ping-ponging on each
others factoring.
Note: This also results in a performance improvement in evince
compiles, and general policy compiles because it achieves a better
balance between time spent on simplifying the tree to remove nodes and
time the dfa build requires to build with extra nodes and then
eliminate with minimization.
$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real 0m2.744s
user 0m2.714s
sys 0m0.028s
vs.
$ time apparmor_parser -QT /etc/apparmor.d/usr.bin.evince
real 0m2.992s
user 0m2.979s
sys 0m0.012s
and
$ time apparmor_parser -QT /etc/apparmor.d/
real 0m3.568s
user 0m14.529s
sys 0m0.152s
vs.
$ time apparmor_parser -QT /etc/apparmor.d/
real 0m3.741s
user 0m15.400s
sys 0m0.179s
PR: https://gitlab.com/apparmor/apparmor/merge_requests/246
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Remove traces of aa-eventd
aa-eventd and its initscripts have been moved to deprecated/ in 2014 and didn't get any serious updates for several more years, so it's most probably useless and/or broken nowadays.
This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE variables in rc.apparmor.functions anymore.
(In theory I could move these variables to deprecated/rc.aaeventd.* - but in practise that sounds more than superfluous ;-)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/263
Acked-by: John Johansen <john.johansen@canonical.com>
aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.
This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.
The apparmor kernel "module" has not been a loadable module for more
than a decade, it must be built into the kernel and due configuration
requirements it will never go back to being a loadable module.
Remove the long unfunctioning load_module support from the init script.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: seth.arnold@canonical.com
Use @{sys} tunable in profiles and abstractions
Commit aa065287 made @{sys} tunable available by default.
Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
PR: https://gitlab.com/apparmor/apparmor/merge_requests/262
Acked-by: John Johansen <john.johansen@canonical.com>
Commit aa06528790 made @{sys} tunable
available by default.
Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
Merge branch 'regex-dragon-book' into 'master'
PR: https://gitlab.com/apparmor/apparmor/merge_requests/261
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Elaborate in class comment of firstpos, lastpos, followpos, and nullable
fields beyond just referencing the Dragon book. Also add the section of
the book these are explained in.
If a test is marked as TODO, but matches its EXRESULT, this means the
TODO is superfluous and (probably) a change fixed what the TODO was for.
Instead of more or less ignoring such superfluous TODOs, error out to
make the change visible instantly.
Both result in "superfluous TODO" (for unknown reason), but fail after
removing the TODO.
Disable the tests until we find out why they have this strange
behaviour, to unblock merging the "error out on superfluous TODO" patch.
Remove TODO notes from no-longer-failing tests
See merge request apparmor/apparmor!180
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: intrigeri <intrigeri@debian.org>
replace -1 return codes with 255
Technically "return -1" returns 255, so we should write it that way.
(found by shellcheck)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/256
Acked-by: John Johansen <john.johansen@canonical.com>
This "will break with non-glibc libcs on Debian and with glibc headers moved to
multiarch locations" (https://bugs.debian.org/798955). Patch based on the one
proposed by Helmut Grohne <helmut@subdivi.de>, amended to replace hard coded
"gcc" with "$(CC)".
Bug-Debian: https://bugs.debian.org/909966
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!237
Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk and 2.13.
Pre-acked for 2.10..2.12 after removing the --config-file option which is not supported in these branches.
aa-notify man page: update user's configuration file path
See merge request apparmor/apparmor!239
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)
This fixes the regression introduced by !149 / commit
4200932d8f
Add most abi/bad_*.sd tests to "exception not raised" list
Interestingly, abi/bad_6.sd is detected as invalid, and therefore not
added to the list.
I propose this for all branches that g[eo]t support for abi rules and the abi testcases.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/238
Acked-by: John Johansen <john.johansen@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The handling for quotedid checked for the first quote but failed
to ensure the trailing quote was present.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
We can reduce the INCLUDE/INCLUDE_EXISTS code dup by using a
variable for whether the name was enclosed by '<' and using
processid() to handle the whether the id is quoted or not.
In addition using processid allows include names to contain
escaoe sequences like \n and have them handled correctly.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
We can reduce code duplication by checking the current state to
determine the single parameter difference between include and
include if exists
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently if stdin is used the warning
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
is always displayed but if caching has been disabled there is no need for
this message.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Fix aa-mergeprof crash caused by accidentially initialzed hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
Hasher causes some fun in aa-mergeprof: If the profile in
/etc/apparmor.d/ has a hat or subprofile that doesn't exist in the
to-be-merged profile, aa-mergeprof crashes. This is caused by reading
self.other.aa[program][hat]['include'] which accidently "creates" that
profile inside the aa hasher as empty hasher (instead of ProfileStorage).
Later, the code loops over self.other.aa[profile].keys(), expects
everything to be ProfileStorage, and explodes [1] when for example
trying to run .delete_duplicates on the hasher (which obviously doesn't
provide this method).
This patch adds checks to all self.other.aa accesses in
CleanProf.remove_duplicate_rules() to avoid accidently creating new keys
in the hasher.
Interestingly this bug survived unnoticed for years (at least since
2.11).
[1] last lines of the backtrace:
File ".../utils/apparmor/cleanprofile.py", line 42, in compare_profiles
deleted += self.remove_duplicate_rules(profile)
File ".../utils/apparmor/cleanprofile.py", line 65, in remove_duplicate_rules
deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
File ".../utils/apparmor/aa.py", line 1680, in delete_duplicates
deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
AttributeError: 'collections.defaultdict' object has no attribute 'delete_duplicates'
.gitignore profiles/apparmor.d/local/* except README
The old patter . doesn't match lsb_release and nvidia_modprobe, and
the only file we ship in local is a README. This patch adjusts the
pattern to ignore everything except README.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/227
Acked-by: John Johansen <john.johansen@canonical.com>
The old patter *.* doesn't match lsb_release and nvidia_modprobe, and
the only file we ship in local is a README. This patch adjusts the
pattern to ignore everything except README.
commit 94dfe15b28 attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
