Currently the parser is bailing when it fails to load a profile,
not processing any potential subsequent profiles in the dir or passed
in list. This results in all policy after the first error failing
to load, instead of just the profile(s) with the error.
This is a different behavior than what has been done by initscripts
that have driven it with xargs -n1, passing it a single profile
at a time.
Fix this so that the parser only exits on first error if specifically
told to do so.
Note: this does not fix the various failure points in the parser
that call exit, instead of returning an error.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>, thanks.
With the move to C++-ification of the parser, the parser's makefile was
not updated to take into account .cc files when deriving object files.
This would result in the final linking compilation of the parser binary
including all of the .cc files in its command line, rather than the ,o
files. This patch fixes the issue as well as an additional typo in the
dependency list for af_unix.o that was not triggered because af_unix.o
was not being built independently.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update unix_socket and unix_socket_client to use setsockopt() in order
to set send and receive timeouts for socket IO operations. This takes
the place of poll(). Poll() was not being used for all potentially
blocking socket operations which could have resulted in test cases
blocking infinitely.
This also has the nice side effect of using getsockopt() and
setsockopt(). These are AppArmor mediation points in kernel ABI v7 so it
is worthwhile to test the calls while under confinement.
This patch updates the existing v7 policy generation to allow the getopt
and setopt accesses.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
It is too complicated, due to the number of corner cases, to write a
script that generates the rules for each AF_UNIX address type (pathname,
abstract, and unnamed) and socket type (stream, dgram, and seqpacket).
This patch moves the AF_UNIX pathname tests into their own file with the
intent of having each address type be tested in their own file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Instead of using the entire sun_path buffer for abstract socket names,
only use the exact length of the string that is specified on the command
line. The nul-terminator is not included for abstract sockets.
The size of sun_path is modified to include the nul-terminator for
pathname address types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
out common parts (like audit and deny flags or the typical end of the
line (comma and comment).
The patch also introduces the named match groups <audit>, <allow> and
<comment> which we can start to use whenever we want. The group
numbering is kept unchanged, so we can migrate one regex / rule type
after the other to named groups (not only audit, allow and comments, but
changing all regexes will be another patch ;-)
As a side effect, fix RE_PROFILE_CHANGE_PROFILE, RE_PROFILE_ALIAS and
RE_PROFILE_RLIMIT which did not allow ", #" (comma, space, comment) at
the end of the line.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.
The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
while it is not possible to specify a rule with local conditionals with
peer conditionals
eg.
unix listen peer=(addr=@foo),
a rule such as
unix peer=(addr=@foo),
is possible, and was setting all permissions for local as well as the peer
condition permissions.
Currently this means the create permission must be specified in a separate
rule from a rule with a peer= condition, if create is to be allowed. This
isn't too much of an issue but it does mean rule such as
unix connect peer=(addr=@foo),
Can not imply the ability to create a socket. Which may indeed be the
behavior if we wish to enforce that the socket was created in another
process and passed in. Is this what we want to do?
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.
The following patch adjusts the failing tests to include the neccessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Based on a patch from Felix Geyer who wrote in April:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.
This patch is a simplified version of his patch that allows
/etc/php5/**.ini r and /etc/php5/**/ r
Acked-by: Seth Arnold <seth.arnold@canonical.com> on IRC
(after menacing an Acked-by: <timeout>)
both real [0] and hypothetical (e.g. gui prototypes), as part of
the python utils merge, some namespace packaging bits were added
to apparmor/__init__.py, based on the (not very clear) advice given
in python's pep 0420 [1]. However, a side effect of this is that it
causes system installed versions of python modules to be used over
paths specified via PYTHONPATH [2], which breaks our in-tree tests
when the system versions of the python modules are out of date with
respect to the in-tree version.
It seems based on testing, however, that carrying this code snippet
is no longer necessary to have external modules be found. Thus,
the following patch drops it.
[0] e.g. https://launchpad.net/click-apparmor
[1] http://www.python.org/dev/peps/pep-0420/
[2] a python upstream discussion about this occurred at
https://mail.python.org/pipermail/distutils-sig/2014-March/024049.html
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This patch adds a 'check_pod_files' make target to the common make
rules, and then fixes the errors it highlighted as well as most of
the warnings. It will cause 'make check' in most of the directories to
fail if there are errors in a pod file (but not if there are warnings).
Common issues were:
- using an '=over/=back' pair for code-like snippets that did not
contain any =items therein; the =over keyword is intended for
indenting lists of =item entries, and generates a warning if
there isn't any.
- not escaping '<' or '>'
- blank lines that contained spaces or tabs
The second -warnings flag passed to podchecker is to add additional
warnings, un-escaped '<' and '>' being of them.
I did not fix all of the warnings in apparmor.d.pod, as I have not come
up with a good warning-free way to express the BNF of the language
similar in format to what is currently generated. The existing
libapparmor warnings (complaints about duplicate =item definition
names) are actually a result of passing the second -warnings flag.
The integration into libapparmor is suboptimal due to automake's
expectation that there will be a test driver program(s) for make check
targets; that's why I added the podchecker call to the manpage
generation point.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
---
changehat/mod_apparmor/Makefile | 3
changehat/mod_apparmor/mod_apparmor.pod | 28 ++-
common/Make.rules | 4
libraries/libapparmor/doc/Makefile.am | 7
parser/Makefile | 2
parser/apparmor.d.pod | 275
+++++++++++++-------------------
utils/Makefile | 3
utils/aa-cleanprof.pod | 2
utils/aa-complain.pod | 2
utils/aa-decode.pod | 2
utils/aa-easyprof.pod | 69 +++-----
utils/aa-enforce.pod | 2
utils/aa-genprof.pod | 2
utils/aa-logprof.pod | 6
utils/aa-sandbox.pod | 64 ++-----
utils/logprof.conf.pod | 2
utils/vim/Makefile | 2
17 files changed, 212 insertions(+), 263 deletions(-)
This patch:
- replaces unnamed arguments with named arguments wherever more than 1
one arguments ware present in a message
- minor fix in aa-unconfined for pname argument in 2 strings
- updated pot files (as a side-effect of testing with make)
Acked-by: Christian Boltz <apparmor@cboltz.de>
In profile.h, flagvals is declared to be class, but then in the
Profile class, the flags field declares it as a struct. This patch
makes the field declaration type consistent.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
In trunk commit 2615, make targets for af_rule.o and af_unix.o were
added. Unfortunately, the af_rule.o target's dependency on rule.h was
missing the .h suffix. This patch fixes the issue and adds some other
headers that the source file are dependent on.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Put a bare unix rule in the core gendbusprofile() function that all
dbus_*.sh use. We aren't interested in testing AF_UNIX mediation in the
dbus tests, since that's already done elsewhere, so we'll
unconditionally allow full AF_UNIX access to prevent test breakage
caused by any future changes in libdbus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
A side effect of not including utils/apparmor/*.py in the .pot file was
that some translations were lost. This patch includes backported (or
forward-ported?) translations from r2186. It's not a simple merge, I
reviewed everything I merged and changed it if necessary.
I also removed the outdated
"Language-Team: Novell Language <language@novell.com>\n"
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In the conversion from perl to python, it got overlooked to add the
python-apparmor modules to the set of things to search for translatable
strings in. This patch addresses the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
missing <sys/sysctl.h> header. This header is included by accident, a
vestige of earlier days, and wasn't removed when the sysctls were removed.
(Think Linux 2.0 or Linux 2.2 days.)
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760378
Thanks to Thorsten Glaser for the discovery and initial fix.
