pwarn() prints "Warning" itsself, therefore it doesn't make sense to include/repeat that word in the actual warning text.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/650
Acked-by: John Johansen <john.johansen@canonical.com>
when a profile is being forced to complain a variation of the
following message is displayed
Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd
This is incorrect in that the parser doesn't even try to create the
cache, it just can't cache force complain profiles.
Output a warning message for this case that is correct.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/649
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The comments describing the example rules to pin the abi are wrong.
The comments of the two example rules are swapped resulting in confusion.
While we are at it. Add a reference to the wiki doc on abi, and
how to disable abi warnings without pinning.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/648
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
add limits.h
aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? | 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/647
Signed-off-by: Armin Kuster [akuster808@gmail.com](mailto:akuster808@gmail.com)
Acked-by: John Johansen <john.johansen@canonical.com>
In cross build environments, using the hosts cpp gives incorrect
detection of reallocarray. Change cpp to a variable.
fixes:
parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
Signed-off-by: Armin Kuster <akuster808@gmail.com>
By using assertIn, we test if a given message is contained in the parser
error message. This can (and actually does) hide errors if the error
message changes outside the checked part.
Change the test to assertEqual to test the full error message, and add
'\n' to all expected error messages to make them still match.
Depending on the kernel version and patches, there can be an additional
message
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
which will be ignored by the check.
bison change the default text past to yerror in bison 3.6, this
breaks make check as some tests are comparing against the error
output
======================================================================
FAIL: test_modefail (__main__.AAErrorTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/jj/apparmor.git/parser/tst/testlib.py", line 50, in new_unittest_func
return unittest_func(self)
File "./errors.py", line 58, in test_modefail
self._run_test(
File "./errors.py", line 40, in _run_test
self.assertIn(message, outerr, report)
AssertionError: 'AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error, unexpected TOK_ID, expecting TOK_MODE' not found in 'AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error\n' :
Command: ../apparmor_parser --config-file=./parser.conf -S -I errors errors/modefail.sd
Exit value:1
STDERR
AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error
To fix this we need to add
define parse.error=verbose
to bison. Unfortunately define parse.error was only added in bison 3.0
and and older versions of bison will break if that is defined in
parser_yacc.y
Instead test for the version of bison available and set define parse.error
as a build flag if supported by the version of bison being called.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/640
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Currently mount options type= and options= do not expand variables
but they should. Fix it.
Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Attempt to get clarity on what is valid syntax for mount options and
fstype options.
Note that simple_tests/mount/bad_opt_27.sd is marked TODO, as the
parser accepts it but should not.
Also mark the tests as expecting to fail to raise an exception by the
python utils.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
Test to ensure that slash filtering occurs properly in mount path
components.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
Test to ensure that slash filtering occurs properly in dbus path
components.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
af_unix allows for sockets to be bound to a name that is autogenerated.
Currently this type of binding is only supported by a very generic
rule.
unix (bind) type=dgram,
but this allows both sockets with specified names and anonymous
sockets. Extend unix rule syntax to support specifying just an
auto bind socket by specifying addr=auto
eg.
unix (bind) addr=auto,
It is important to note that addr=auto only works for the bind
permission as once the socket is bound to an autogenerated address,
the addr with have a valid unique value that can be matched against
with a regular
addr=@name
expression
Fixes: https://bugs.launchpad.net/apparmor/+bug/1867216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
v8 network permissions extend into the range used by exec mapping
so it is important to not blindly do execmapping on both the
file dfa and policydb dfa any more.
Track what type of dfa and its permissions we are building so
we can properly apply exec mapping only when building the
file dfa.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
Snapd now loads its own policy via its own systemd unit
https://github.com/snapcore/snapd/pull/8467
If A distro is not using snapd systemd unit then dropping snapd policy
from the apparmor unit is a breaking change, distros will either need
to use the snapd systemd unit or revert
0164fd05 init: stop loading snap policy
Signed-off-by: John Johansen <john.johansen@canonical.com>
snapd now loads its snap policy via its own systemd unit, so stop
loading the snap policy in /var/lib/snapd/apparmor/profiles
Fixs: https://launchpad.net/bugs/1871148
Signed-off-by: John Johansen <john.johansen@canonical.com>
This add a test to ensure that the parser is inserting rules to allow
access to the proc interface for change_hat.
Unfortunately the rule the parser inserts is a bare owner write that
we can't replicate in policy as policy write perm maps to create,
append and write.
So to test equality compare profiles using rules granting access to
the proc attr interface except one uses the append permission and
the other uses write. They will differ in permissions unless the
parser inserts the proc attr write rule for change_hat in which
case the permissions will get merged and we have equivalence.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR625 fixed hats not emitting the rule to access the proc interface
needed for change_hat, but it broke the rule being emitted for the
parent (which used to work).
The proc attr access rule should be emitted for any profile that
is a hat OR any profile that contains hats.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
Convert the two commented-out fprintf() lines in is_merged_x_consistent() to useful debug logging using PDEBUG macro.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/616
Acked-by: John Johansen <john.johansen@canonical.com>
A debug message in reset_parser() gives developers more data about how
the parser is behaving. In addition, it provides much needed context to
the relatively vague debug message in clear_cap_flag().
Another solution might be to pass the profile name into
clear_cap_flag(), however, clear_cap_flag() does not need the profile
name, except potentially for debugging purposes.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
A copy/paste error leads to a build failure due to an undefined variable
"name" in parser_misc.c:clear_cap_flag().
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
yyerror is outputting the file name twice when not in a profile or
the profilename global is not defined. Drop the second output of
the file name as it just clutters up the error message.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/610
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
yyno_top_state was set as part of getting rid of the need to link against
libfl.
However we actually need to ability when the scanner is built with
debugging. Fix it so the option and libfl linking are conditionally
used based on whether DEBUG is defined.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/609
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Mike Salvatore <mike.salvatore@canonical.com>
--config-file is processed early in a separate argument processing
pass. Adjust --warn and --Werror processing so they are done in
both the early and late arg processing pass.
--warn and --Werror must be run in both argument processing passes
so that
1. They can be used with --config-file as long as they are specified
before --config-file (early pass)
2. They are not overriden by any flags set in the config file, as
command line options take priority over what is in the config
file (hence the need for reprocessing in the second pass)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make it so --Werror=show can display which flags have been set.
In addition update its --help=Werror flag table to display
./apparmor_parser --Werror=[Option]
instead of --Warn
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to show which warnings are enabled by specifying "show"
as an to the --dump, --warn, and --Optimize options
Eg.
--warn=show
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some warning flags are enabled by default, allow a warning to
be disbaled by specifying no- infront of the warning.
Eg.
--warn=no-deprecated
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add basic ability to treat a warning as an error and abort the compile
by specifying the new option --Werror.
--Werror
will turn all warnings into errors. Where if an warning type is
specified only that type of warning will be turned into an error.
--Werror=deprecated.
The full list of supported warning types can be found by using
apparmor_parser --help=warn
or
apparmor_parser --help=Werror
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make all warnings that go through pwarn() controllable by warning
flags. This adds several new warning control flags, documented in
--help=warn
Convert --debug-cache to be unified with warning flags. So it can be
set by either
--debug-cache
or
--warn=debug-cache
Also add an "all" option to be able to turn on all warnings.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the flag
--warn=dev
to be able to toggle several developer warnings with a single flag.
Note: --warn=all is being reserved for a larger patch to warnings
when all warnings are setup with control flags.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/600
Signed-off-by: John Johansen <john.johansen@canonical.com>
Provide example rules in parser.conf to pin pre 3.0 policy and
appropriate abi files.
abis for vanilla upstream kernels and outoftree network patched
kernels are provided. With both ABIs dropping v8 support from
advertised by the kernel as 2.x policy/userspace did not support it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/598
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The autogenerated capabilities comparison needs to be updated if the
capability_table structure changes. Add a note by the structure to
make sure the Makefile will get updated if the structure is changed.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/597
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The sed command to manipulate the known cap list (base_cap_names.h) into
a format to match the generated_cap_names.h was buggy because the
trailing '}' would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.
Fix this by removing the trailing '}" match and instead match the third
comma-delimited field that matches a capability name, and replace that.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
The warn_once() function is duplicated in 6 different places. A common, reusable version has been added to parser_common.c.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/590
Acked-by: John Johansen <john.johansen@canonical.com>
