These classes are meant to handle 'include' and 'include if exists'
rules.
Due to restrictions in re_match_include_parse(), some cases in
is_covered_localvars() and is_equal_localvars() can't be reached in the
unittests.
Also, IncludeRule isn't used in aa-logprof (yet?), which means
logprof_header_localvars() result format isn't decided yet, and
therefore not tested.
This means test coverage for the new classes isn't 100% this time ;-)
- extend RE_INCLUDE to also match "include if exists"
- rename re_match_include() to re_match_include_parse() and extend it to
also support "include if exists" rules. The return value also includes
"ismagic" now to avoid another future change, but that's not used yet.
- add re_match_include() which is now a wrapper around
re_match_include_parse() and behaves exactly as the old
re_match_include()
$ make check
will fail unless PYFLAKES=pyflakes3 is passed as an environment
variable. Fix it so make check will work by default.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This function was introduced as a temporary (ahem...) solution in 95404bb2f3 but was never really correct. It checked against other_value.regex (as a string!) and, while this was somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules than having a wrong match in is_covered() and miss to add/keep a rule that would be needed.
The perfect solution would be to really compare one AARE against the other as the parser does. I'm not too keen to implement this in python, and will wait until someone provides this function (which the parser already has) via libapparmor ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/478
Acked-by: John Johansen <john.johansen@canonical.com>
Only bool and str keys may be overwritten.
Other key types (list, dict, *Ruleset) can have their content modified
(not __setitem__()s job), but replacing the whole collection should
never happen.
This function was introduced as a temporary (ahem...) solution in
95404bb2f3 but was never really correct.
It checked against other_value.regex (as a string!) and, while this was
somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules
than having a wrong match in is_covered() and miss to add/keep a rule
that would be needed.
The perfect solution would be to really compare one AARE against the
other as the parser does. I'm not too keen to implement this in python,
and will wait until someone provides this function (which the parser
already has) via libapparmor ;-)
If create-apparmor.vim.py fails, an empty apparmor.vim gets created. The
next "make" run will assume that apparmor.vim was already created (the
file exists and has a new-enough timestamp) and will therefore skip the
create-apparmor.vim.py run, keeping the broken apparmor.vim forever.
Adjust the Makefile to delete apparmor.vim if the script fails. This
ensures that make tries again in the next run.
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
Support profiles that choose to match the presence of an extended
attribute without validating its value. This lets AppArmor target xattrs
with binary data, such as security.ima and security.evm values. For
example, it's now possible to write a profile such as:
profile signed_binaries /** xattrs=(security.ima) {
# ...
}
Both presence and value matches can be used in the same profile. To
match a signed xattr, target both the xattr and the security.ima value:
profile python_script /** xattrs=(
security.evm
security.apparmor="python"
) {
# ...
}
Updated to work using out of band matching instead of separate data
array.
Signed-off-by: Eric Chiang <ericchiang@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
'localinclude' is/was meant to have 'local/*' includes separate, but
it's write-only and never used, which makes it useless.
Additionally, it causes a crash in the aa-* tools which gets fixed by
removing all the 'localinclude'-related code (what a big word for two
lines ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1848227
aa-status crashed if a profile name contains an opening parenthesis
because the regex enforces (simplified) '^[^(]* \(.*\)' when reading
/sys/kernel/security/apparmor/profiles
This obviously doesn't match if a profile name contains '(' which is
rare and strange, but still allowed, and the match result "None" then
crashes aa-status.
Adjust the regex to allow all chars instead of all except '(' to handle
these corner cases.
Note that '(enforce)' and '(complain)' still get read correctly because
the regex ends with '\((\w+)\)$' and therefore enforces matching
"something inside parenthesis at the end of the line".
This bug exists since aa-status was rewritten into python, and even
existed in the perl version before. However, in the perl version, the
regex matching was protected with an if so profile names with '(' were
skipped and hidden from the aa-status output.
Fixes: https://gitlab.com/apparmor/apparmor/issues/51
As discussed in https://gitlab.com/apparmor/apparmor/merge_requests/395
RE_LOG_ALL should be more broad so that it doesn't accidently
overlook/ignore valid log events.
Instead of adding more and more known log formats to logparser.py,
simplify the regex to do only a basic check.
If we really hand over a line to libapparmor that isn't an AppArmor log
event, worst thing that can happen is that we waste a few milliseconds
for handing over that line to libapparmor, and get AA_RECORD_INVALID as a
result.
commit 7297e2f6a8 assumed that exec events
always have a "target=...", but this is only true for events in complain
mode. In enforce mode, the log line doesn't include "target=...".
This commits sets an empty target instead of erroring out on every exec
event in enforce mode.
Also adjust ask_exec() in aa.py to only update
hashlog[aamode][target_profile]['final_name'] if target_profile is set
(hashlog[aamode][''] doesn't exist and trying to write to it would error
out)
convert_regexp() needs to escape '(' and ')' in filenames taken from a
logfile to get rid of their special meaning, and to avoid a crash on
unbalanced parenthesis (which makes the regex invalid if they are not
escaped).
Note: The added tests include an example log line, but the tests itsself
don't/didn't trigger the crash because they don't call convert_regexp().
Fixes: https://bugs.launchpad.net/bugs/1835311
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
