... which is used by aa-remove-unknown.
apparmor_parser can read a whole directory, therefore we don't need to
do the directory listing, excluding *.rpmnew etc. ourself.
Related to https://gitlab.com/apparmor/apparmor/-/issues/148
The AppArmor systemd scripts correctly detect the Windows Subsystem for Linux as a container, since all Linux distros executing under WSL 2 are containerized; however, unlike the majority of containers (since there is no accessible host distribution above them trying to set AppArmor policies that might interfere), AppArmor itself functions without problems in the WSL environment.
This patch adds WSL detection to the is_container_with_internal_policy function, allowing AppArmor to be started and operate normally in a WSL-plus-systemd environment.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/812
Acked-by: John Johansen <john@jjmx.net>
LP:1377338 <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377338>
has been fixed for quite awhile and we don't need to call xargs as
a fallback when loading policy fails.
In addition we really don't want to be doing this because we want to
be moving to atomic profile loads where if one profile fails the
whole load fails. This is a step in that direction.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
busybox xargs does not have -d nor long --max-procs options,
instead use -0 (and separate arguments with printf "%s\0")
and -P which are more portable.
While we are here, also add -r (--no-run-if-empty, which also has
no long equivalent for busybox) as we likely don't want to run
anything if no profile were found
This is useful for alpine systems where findutils is not installed by
default, but busybox xargs is available.
The parser is broken on RLIMIT parsing when receiving unexpected input
because the shared state for this specifies RLIMIT_MODEINCLUDE which
is an unknown start condition resulting in the following warning
parser_lex.l:745: undeclared start condition RLIMIT_MODEINCLUDE
and also means RLIMIT and INCLUDE are not properly handled
Signed-off-by: John Johansen <john.johansen@canonical.com>
This resolves an issue in the parser's job handling when running on a machine with >8 CPU cores. The test library was updated to resolve failures in the caching tests caused by the features directory entries being unsorted in the tests.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/775
Acked-by: John Johansen [john@jjmx.net](mailto:john@jjmx.net)
Currently for directory includes the directory timestamp is ignored.
This is wrong as operations like removing a file from the dir won't
be considered in the timestamp check.
Fix this by updating the timestamp check to include the included
directories timestamp.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/760
Signed-off-by: John Johansen <john@jjmx.net>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
The parser was not compiling on older versions of Ubuntu
(trusty) because the capability CAP_AUDIT_READ that was
defined on base_cap_names.h was not available until
kernel version 3.16.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/767
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Unfortunately the parser was doing ifdef checks for capabilities
in two places. Move all the capability ifdefs into capability.h
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/768
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
The name var is being improperly used in a warning. Not only is
it being used after it is freed, it also never had the correct value
as the "name" variable contained the value being used as the base
attachment.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: time out
Profile includes can be setup to loop and expand in a pathalogical
manner that causes build failures. Fix this by caching which includes
have already been seen in a given profile context.
In addition this can speed up some profile compiles, that end up
re-including common abstractions. By not only deduping the files
being included but skipping the need to reprocess and dedup the
rules within the include.
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1184779
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/743
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
When building the parser with DEBUG=1 enabled the build fails with
the following error and warnings
In file included from parser_main.c:47:0:
parser_main.c: In function ‘void auto_tune_parameters()’:
parser_main.c:1421:35: error: ‘estimate_jobs’ was not declared in this scope
PDEBUG("Auto tune: --jobs=%d", estimate_jobs);
^
parser.h:201:37: note: in definition of macro ‘PDEBUG’
fprintf(stderr, "parser: " fmt, ## args); \
^~~~
parser_main.c:1421:35: note: suggested alternative: ‘estimated_jobs’
PDEBUG("Auto tune: --jobs=%d", estimate_jobs);
^
parser.h:201:37: note: in definition of macro ‘PDEBUG’
fprintf(stderr, "parser: " fmt, ## args); \
^~~~
parser.h:201:41: warning: format ‘%d’ expects argument of type ‘int’, but argument 3 has type ‘long int’ [-Wformat=]
fprintf(stderr, "parser: " fmt, ## args); \
^
parser_main.c:1428:5: note: in expansion of macro ‘PDEBUG’
PDEBUG("Auto tune: --jobs=%d", jobs);
^~~~~~
Makefile:234: recipe for target 'parser_main.o' failed
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/745
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add additional info about complain mode, its behavior, how to enable
it and add warnings about its use.
In addition add info on how to set kernel parameters on boot for
the various options that are covered.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/722
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.
Eg. On a kernel that doesn't support fine grained af_unix mediation
but does support network mediation.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
network unix type=stream,
Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.
Eg.
deny unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
deny network unix type=stream,
and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.
To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <john.johansen@canonical.com>
The dynamic_cast operator is slow as it needs to look at RTTI information and even does some string comparisons, especially in deep hierarchies. Profiling with callgrind showed that dynamic_cast can eat a huge portion of the running time, as it takes most of the time that is spent in the simplify_tree() function. For some complex profiles, the number of calls to dynamic_cast can be in the range of millions.
This commit replaces the use of dynamic_cast in the Node hierarchy with a method called is_type(), which returns true if the pointer can be casted to the specified type. It works by looking at an Node object field that is an integer with bits set for each type up in the hierarchy. Therefore, dynamic_cast is replaced by a simple bits operation.
In my tests, for complex profiles the improvement in speed even made running apparmor_parser with "-O no-expr-simplify" slower that when simplifying, apparently because the smaller trees obtained after the expression simplification require less calls to DFA::update_state_transitions(), and that compensates the now significantly slower time spent in simplify_tree(). This opens the door to maybe avoid "-O no-expr-simplify" in the snapd daemon, thus allowing faster run-time checks in the kernel.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/711
Acked-by: John Johansen <john.johansen@canonical.com>
On some systems the build of the parser is spitting out
cc: fatal error: no input files
compilation terminated.
This is being caused by the REALLOCARRAY checkfailing due to cpp trying
to check for both input and output files and not correctly falling
back to stdin/stdout if infile and outfile aren't specified.
Fix this by being explicit that infile and outfile are supposed to
use stdin and stdout.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/712
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The dynamic_cast operator is slow as it needs to look at RTTI
information and even does some string comparisons, especially in deep
hierarchies like the one for Node. Profiling with callgrind showed
that dynamic_cast can eat a huge portion of the running time, as it
takes most of the time that is spent in the simplify_tree()
function. For some complex profiles, the number of calls to
dynamic_cast can be in the range of millions.
This commit replaces the use of dynamic_cast in the Node hierarchy
with a method called is_type(), which returns true if the pointer can
be casted to the specified type. It works by looking at a Node object
field that is an integer with bits set for each type up in the
hierarchy. Therefore, dynamic_cast is replaced by a simple bits
operation.
This change can reduce the compilation times for some profiles more
that 50%, especially in arm/arm64 arch. This opens the door to maybe
avoid "-O no-expr-simplify" in the snapd daemon, as now that option
would make the compilation slower in almost all cases.
This is the example profile used in some of my tests, with this change
the run-time is around 1/3 of what it was before on an x86 laptop:
profile "test" (attach_disconnected,mediate_deleted) {
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{Close,Destroy,Enable}IC"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member=Reset
peer=(label=unconfined),
dbus receive
bus=fcitx
peer=(label=unconfined),
dbus receive
bus=session
interface=org.fcitx.Fcitx.*
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="Focus{In,Out}"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{CommitPreedit,Set*}"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.fcitx.Fcitx.InputContext
member="{MouseEvent,ProcessKeyEvent}"
peer=(label=unconfined),
dbus send
bus={fcitx,session}
path=/inputcontext_[0-9]*
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(label=unconfined),
dbus (send)
bus=session
path=/org/a11y/bus
interface=org.freedesktop.DBus.Properties
member=Get{,All}
peer=(label=unconfined),
dbus (receive, send)
bus=accessibility
path=/org/a11y/atspi/**
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/Accounts
interface=org.freedesktop.Accounts
member=FindUserById
peer=(label=unconfined),
dbus (receive, send)
bus=system
path=/org/freedesktop/Accounts/User[0-9]*
interface=org.freedesktop.DBus.Properties
member={Get,PropertiesChanged}
peer=(label=unconfined),
dbus (send)
bus=session
interface=org.gtk.Actions
member=Changed
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (receive)
bus=session
interface=org.gtk.Actions
member={Activate,DescribeAll,SetState}
peer=(label=unconfined),
dbus (receive)
bus=session
interface=org.gtk.Menus
member={Start,End}
peer=(label=unconfined),
dbus (send)
bus=session
interface=org.gtk.Menus
member=Changed
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=session
path="/com/ubuntu/MenuRegistrar"
interface="com.ubuntu.MenuRegistrar"
member="{Register,Unregister}{App,Surface}Menu"
peer=(label=unconfined),
}
65ba20b955 provides a fix for job
scaling but during a merge conflict part of the patch got dropped.
This is the missing portion of the patch that was approved as part
of MR703
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <john.johansen@canonical.com>
job scaling allows the parser to resample the number of cpus available
and increase the number of jobs that can be launched if cpu available
increases.
Unfortunately job scaling was being applied even when a fixed number
of jobs was specified. So
--jobs=2
doesn't actually clamp the compile at 2 jobs.
Instead job scaling should only be applied when --jobs=auto or when
jobs are set to a multiple of the cpus.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
The parsers default settings can OOM smaller special use systems
when building or loading policy. Use basic memory info and cpus to
tune the parser for lower resource environments.
Currently this just sets the jobs parameters if the default values
haven't been modified by user config or parameters. But in the
future this could add cache control and compile parameters.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/702
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
If af_unix rules are not supported but network rules are and
--warn=rule-downgraded is not set then the parser will incorrectly
output warning when the rule is actually being downgraded.
Warning from profile test-profile (./prof): extended network unix socket rules not enforced
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/699
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/144
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
3.0 added the ability to extract and use the kernels cap mask
to augment its internal capability list as a stop gap measure to
support new capabilities.
Unfortunately not all kernel export the cap/mask and this is causing
the policy compile to fail. If the kernel doesn't export a cp/mask
just use the internal list.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/140
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/691
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adjust function and variable names to spell separator correctly. Kept
as a distinct change in case someone wants to cherrypick other fixes.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
Fix spelling errors in code strings. Some strings are translatable.
This fixes are potentially user visible.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
The generated files are exactly the same, but the code is a bit more
readable.
Additional differences:
- added test_gen_list() to verify the result of gen_list()
- null_target has a non-empty value to avoid that it gets skipped in
loops as empty value
- invert_save has an additional entry for ''
- copyright header added (based on git log of gen-xtrans.pl)
Linux 5.9 added CAP_CHECKPOINT_RESTORE add it to the set of supported
capabilities.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/654
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
