Some capabilities like perfmon and bpf have been split out from
another capability, likely cap sys_admin. Add this backmapping
infomation so that the parser can take advantage of it to support
policy on older kernels that don't support the new capabilities.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Mikhail Morfikov has discovered [0] that some font packages in Debian
ships font files in /usr/bin/fonts-foo-bar (like
/usr/share/fonts-font-awesome/ for example). This produces denials for
GUI applications.
Update fonts abstraction to allow reading /usr/bin/fonts-* directories.
Also, refactor abstraction to aggregate two old rules into one.
Closes#94
[0] https://gitlab.com/apparmor/apparmor/-/issues/94
When aa-autodep or aa-genprof create a new profile, always add an abi rule. (Hardcoded to <abi/3.0> for now to keep things simple.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/571
Acked-by: John Johansen <john.johansen@canonical.com>
This fixes a regression introduced by the abi patches for policy that
is not tagged with an abi rule.
Specifically if the current apparmor (apparmor 3) is used with a
kernel that supports unix rules, and policy has network rules but has
not been updated to use abi rules, without this patch the policy unix
rules will stop working and unix mediation will not be enforced.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/568
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The lexer is broken and passing echo input to stdout that it doesn't match in some states ignoring the error.
First add `%option nodefault` to guarantee the lexer won't ever echo the unknown input to stdout, this will cause the parser to error out with
```
flex scanner jammed
```
and $?=2 if a profile contains unknown/invalid parts. That's not really a helpful error message, but still better than ignoring errors.
Next improve the error message output,
```
AppArmor parser error for tst/simple_tests//vars/vars_simple_assignment_14.sd line 8: Lexer found unexpected character: '
' (0xa) in state: SUB_ID_WS
```
using flex's error output only if there is an mistake made when introducing new states.
Finally fix bugs that are found.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Acked-by: Steve Beattie <steve.beattie@canonical.com>
* allow reading my.cnf in dovecot-dict profile (seen with the mail users in a mysql database)
* allow /proc/\*/attr/current in dovecot imap and lmtp (needed when using the "apparmor" plugin which means dovecot switches to user-specific hats)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/566
Acked-by: John Johansen <john.johansen@canonical.com>
Newlines should generally be treated as whitespace. Expand the list
of states using the newline rule to include almost all rules that
eat WS.
There are two exceptions assign and comment which have special handling
of newlines.
this fixes the failures
not ok 71543 - ./simple_tests//vars/vars_simple_assignment_13.sd: quoted commas should not trigger an error
not ok 71544 - ./simple_tests//vars/vars_simple_assignment_14.sd: quoted commas should not trigger an error
found by introducing nodefault
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Split the newline processing into a separate rule block so that it can
be shared with states that need to process newlines without processing
end of rule conditions.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
There were several states missing from the default rule which catches
unexpected input in a state.
Update the default rule to catch all input including newlines and
update its error message to include information about which state the
failure occured in. Also update the comment about what to do when
adding new states.
While the lexer now has the "nodefault" option set, it doesn't provide
as much information as the default rule does, so we prefer states
to use our provided default rule.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
With %option nodefault, the parser now errors out as expected, even if
the error message isn't too helpful.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de> Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
... (using `%option nodefault`) instead of echoing the unknown parts to
stdout, and ignoring the error.
This will cause the parser to error out with
flex scanner jammed
and $?=2 if a profile contains unknown/invalid parts. That's not really
a helpful error message, but still better than ignoring errors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Merge branch 'antnesterov/apparmor-fix-dhclient-profile'
@smb: converted read permission to /etc/openssl.cnf to use the openssl
abstraction instead.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/570
This fixes a regression due on older policy due to the abi patches.
Specifically if the current apparmor is used with a kernel that
supports v7 networking, and policy has network rules but has not been
updated to use abi rules, without this patch the policy network rules
will stop working and network mediation will be unenforced.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/564
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Add profile flags enforce, kill and unconfined.
enforce - is the default mode and is not required but this allows the mode reported by introspection to be used in the profile.
kill - a modified enforce mode that kills tasks instead of returning a denial.
unconfined - allow a named profile to behave as if it is unconfined.
Eg.
profile example flags=(enforce) { ... }
profile example flags=(kill) { ... }
profile example flags=(unconfined) { ... }
Closes#7
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/440
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The enforce profile mode is the default but specifying it explicitly
has not been supported. Allow enforce to be specified as a mode. If
no mode is specified the default is still enforce.
The kernel has supported kill and unconfined profile modes for a
long time now. And support to the parser so that profiles can make
use of these modes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/440
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/7
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
This is not a real change - since some commits, include_dir_filelist()
gets only called with absolute paths.
Add a check to ensure this, drop the now superfluous get_include_path()
call, and replace usage of include_name_abs with include_name (which are
the same now).
Also drop the superfluous profile_dir parameter, and adjust the only
caller accordingly.
With the check that incfile starts with a '/', incfile and incfile_abs
(as returned by get_include_path()) are always the same.
Drop the get_include_path() call and setting incfile_abs, and replace
usage of incfile_abs with incfile.
This is just a cleanup, no behaviour change.
... so that the include rules proposed by aa-logprof continue to be
relative to the profile directory.
This fixes the behaviour change introduced in the previous commit.
This removes the need to remove profile_dir from include paths at
various places.
A side effect is that aa-logprof / match_includes() now propose more
include rules, for example matching local/ files.
Another side effect is that proposals for include rules
(match_includes() again) now come with the full path.
Both side effects will be fixed in the next commits.
This is needed for running the tests, because test/logprof.conf contains
a relative path, and tests only "manually" set the profile_dir if they
need/have a modified copy of the profiles.
chfa.cc:348:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 16));
^~
chfa.cc:349:3: note: here
case 2:
^~~~
chfa.cc:350:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 8));
^~
chfa.cc:351:3: note: here
case 1:
^~~~
chfa.cc: In function ‘void write_flex_table(std::ostream&, int, Iter, Iter) [with Iter = __gnu_cxx::__normal_iterator<unsigned int*, std::vector<unsigned int> >]’:
chfa.cc:348:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 16));
^~
chfa.cc:349:3: note: here
case 2:
^~~~
chfa.cc:350:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 8));
^~
chfa.cc:351:3: note: here
case 1:
^~~~
chfa.cc: In function ‘void write_flex_table(std::ostream&, int, Iter, Iter) [with Iter = __gnu_cxx::__normal_iterator<short unsigned int*, std::vector<short unsigned int> >]’:
chfa.cc:348:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 16));
^~
chfa.cc:349:3: note: here
case 2:
^~~~
chfa.cc:350:4: warning: this statement may fall through [-Wimplicit-fallthrough=]
os.put((char)(*pos >> 8));
^~
chfa.cc:351:3: note: here
case 1:
^~~~
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
-Wimplicit-fallthrough only recognizes specic comment patterns
switch to a comment it recognizes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
aa_status.c: In function ‘get_processes’:
aa_status.c:236:10: warning: unused variable ‘len’ [-Wunused-variable]
size_t len = 0;
^~~
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Cleanup unused var warning
aa_enabled.c: In function ‘exit_with_error’:
aa_enabled.c:34:6: warning: unused variable ‘err’ [-Wunused-variable]
int err;
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Tag unused parameters so the -Wunused-parameter won't complain about
them.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
