Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1109
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
man apparmor_parser gives examples for the --warn command line option as
apparmor_parser --warn=rules-not-enforced ...
and
apparmor_parser --warn=no-rules-not-enforced ...
but the actual --warn options are rule-not-enforced / no-rule-not-enforced
(without s)
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453
Given the following profile:
profile foo {
profile bar {
profile baz {
}
}
}
The parser would correctly serialize the "foo" profile and the
"foo//bar" profile, but it would incorrectly name "bar//baz" when it
should be "foo//bar//baz". This would cause issues loading the profile
in certain kernels causing a "parent does not exist" error.
Partially addresses #346.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Add support for a default_allow mode that facillitates writing profiles
in that allow everything by default. This is not normally recomended
but fascilitates creating basic profiles while working to transition
policy away from unconfined.
This mode is being added specifically to replace the use of the
unconfined flag in these transitional profiles as the use of unconfined
in policy is confusing and does not reflect the semantics of what is
being done.
Generally the goal for policy should be to remove all default_allow
profiles once the policy is fully developed.
Note: this patch only adds parsing of default_allow mode. Currently
it sets the unconfined flag to achieve default allow but this
prevents deny rules from being applied. Once dominance is fixed a
subsequent patch will transition default_allow away from using
the unconfined flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When the regex parser failed, the Chars objects created/used in rules
charset and cset_chars would not be cleaned up properly and would
leak.
Closes#361
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Extend the policy syntax to have a rule that allows specifying all
permissions for all rule types.
allow all,
This is useful for making blacklist based policy, but can also be
useful when combined with other rule prefixes, eg. to add audit
to all rules.
audit access all,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Since network rules don't use the "perms" attribute, it is using the
dedup class in which duplicate rules are removed.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
There is one significant difference in the encoding of the network
rules. Before this change, when the parser was encoding a "network,"
rule, it would generate an entry for every family and every
type/protocol. After this patch the parser should generate an entry
for every family, but the type/protocol is changed to .. in the pcre
syntax. There should be no difference in behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
coverity is reporting an overrun of the profile_mode_table
217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
>>> CID 322989: (OVERRUN)
>>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6).
this is because it is being indexed by the profile_mode enum which can
go up to a 6th entry. The code tests for MODE_CONFLICT before using
the table so it shouldn't trigger a bug today, but play it safe for
the future and also get rid of the coverity scan error by adding a
"conflict" entry to the mode_table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1098
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
SIGNAL makes more sense because it's about a single signal.
Besides that, a9494f5523 introduced a (at
that point broken) usage of SIGNAL which becomes valid with this commit.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1100
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
SIGNAL makes more sense because it's about a single signal.
Besides that, a9494f5523 introduced a (at
that point broken) usage of SIGNAL which becomes valid with this commit.
Documentation for io_uring and userns rules is missing from the
apparmor.d man page. Provide some basic documentation for them.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/349
Signed-off-by: John Johansen <john.johansen@canonical.com>
coverity is reporting an overrun of the profile_mode_table
217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
>>> CID 322989: (OVERRUN)
>>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6).
this is because it is being indexed by the profile_mode enum which can
go up to a 6th entry. The code tests for MODE_CONFLICT before using
the table so it shouldn't trigger a bug today, but play it safe for
the future and also get rid of the coverity scan error by adding a
"conflict" entry to the mode_table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add a flag that allows setting the signal used to kill the process.
This should not be normally used but can be very useful when
debugging applications, interaction with apparmor.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When merging flags with a disconnected_path specified, there is no
check for a conflict and we can just throw away (and leak) one of
the paths.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We have a basic flagvals class it makes sense to move the parser
code into it, to help make management easier going forward.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently you need to use attach_disconnected with
attach_disconnected.path=XXX to be able to attach to a different
location than / whic is ugly and redundant.
Make it so attach_disconnected.path implies attach_disconnected.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1084
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Currently you need to use attach_disconnected with
attach_disconnected.path=XXX to be able to attach to a different
location than / whic is ugly and redundant.
Make it so attach_disconnected.path implies attach_disconnected.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add support for specifying the path prefix used when attach disconnected
is specified. The kernel supports prepending a different value than
/ when a path is disconnected. Expose through a profile flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The permissions for AA_NET_OPT need to be bounded by mask so we can
make sure it matches when a policy specified only setopt or only
getopt. This was causing failures on the regression tests
unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and
unix_socket_autobind
Fixes: 44f3be091 ("parser: convert the stored audit from a bit mask to a bool")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Add support for the prompt profile flag. That allows policy to do an upcall to userspace if supported by the kernel and if a userspace daemon is available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1062
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This reverts commit 460c3d5b59.
The 4.0 ABI was pinned for the development cycle but it can cause
in-tree uses of parser/parser.conf to fail if it cannot find the 4.0
file in /etc/apparmor.d/abi/.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Do this to simplify test identification, and also support the different
invocation mechanisms of unittest, like running individual tests.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Add tests for passing the parser a file that doesn't exist, a symlink
to a file that doesn't exist, and a directory that contains that
latter. Also include tests for different levels of -j passed as an
argument. These tests are based on the fixing commit 1259319508
("parser: Fix parser failing to handle errors when setting up work")
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Instead of pushing the cmp logic for rule merging into each rule
class make it the default behavior for the perms_rule_t parent class.
Also save off the original perms for the merged rule.
For classes that don't want perms merging add an alternate
dedup_perms_rule_t clase.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1069
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Instead of pushing the cmp logic for rule merging into each rule
class make it the default behavior for the perms_rule_t parent class.
Also save off the original perms for the merged rule.
For classes that don't want perms merging add an alternate
dedup_perms_rule_t clase.
Signed-off-by: John Johansen <john.johansen@canonical.com>
speedup and reduce memory usage of dfa generation
A variety of changes to improve dfa generation
- By switching to Nodevec instead of Node sets we can reduce memory usage slightly and reduce code
- By using charsets for chars we reduce code and increase chances of node merging/reduction which reduces memory usage slightly
- By merging charsets we reduce the number of nodes
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1066
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
By changing the compare function from each rule to use class_rule_t,
instead of perms_rule_t, we temporarily ignore if permissions are
different. If every rule attribute is the same, then the permissions
can be merged. This is done at the perms_rule_t's level.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Currently File rules are the only rules that have rule dedup/merging performed. Extend support for rule merging to all other rule types.
This can result in a small performance regression when rules can not be merged/deduped but can result in a large performance increase when lots of rules can be eliminated.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1065
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Instead of having multiple tables, since we have room post split
of optimization and dump flags just move all the optimization and
dump flags into a common table.
We can if needed switch the flag entry size to a long in the future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to control whether rule merging is done.
TODO: in the furture cleanup display of flags split accross two tables
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for more flags (not all of the backend dfa based),
rework the optimization and dump flag handling which has been exclusively
around the dfa up to this point.
- split dfa control and dump flags into separate fields. This gives more
room for new flags in the existing DFA set
- rename DFA_DUMP, and DFA_CONTROL to CONTROL_DFA and DUMP_DFA as
this will provide more uniform naming for none dfa flags
- group dump and control flags into a structure so they can be passed
together.
Signed-off-by: John Johansen <john.johansen@canonical.com>
this is reuired because af_rule merging does not take into account
the potential af_unix addresses and could incorrectly merge af_unix
rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
