Merge branch 'parser-fix_cap_list_check' into 'master'
The sed command to manipulate the known cap list (`base_cap_names.h`) into
a format to match the generated_cap_names.h was buggy because the
trailing `}` would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not raplcing the base capabilities
correctly.
Fix this by removing the trailing `}` match and instead match the third
comma-delimited field that matches a capability name, and replace that.
See merge request apparmor/apparmor!596
The sed command to manipulate the known cap list (base_cap_names.h) into
a format to match the generated_cap_names.h was buggy because the
trailing '}' would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.
Fix this by removing the trailing '}" match and instead match the third
comma-delimited field that matches a capability name, and replace that.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
fix bug that some rules will be added to the profile repeatedly
The ask_exec() function may cause some rules to be added to the profile repeatedly.
See merge request apparmor/apparmor!593
Acked-by: Christian Boltz <apparmor@cboltz.de>
The warn_once() function is duplicated in 6 different places. A common, reusable version has been added to parser_common.c.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/590
Acked-by: John Johansen <john.johansen@canonical.com>
In AppArmor 2 distros could pin the feature file being used by setting
the feature-file option in the config file.
With AppArmor 3 policy is now explicitly tagged with an abi rule.
The problem is the interaction on systems that have a mixture of
AppArmor 2 and AppArmor 3 policy and use feature pinning.
The feature pinning is required to make the apparmor 2 policy behave
as expected but it also overrides the abi rules that are explicitly
set as part of the policy. This means we either have the apparmor 2
pinned policy working as desired or the apparmor 3 policy, but not
both.
To fix this make setting the flag in the config file have lower
priority than the feature abi rule. But still allow the config option
specified on the command line to override the config file and the
feature abi rule.
The Priority ordering to determine the policy abi to use is
1. Use abi rules if present
2. if no abi rule use command line option
3. if no abi rule or command line option use config setting
4. if none of the above use the default abi
v2:
add priority ordering to documentation
reorder priority so existing config/command line options behave as expected, make ABI rules highest priority
add new option --override-policy-ABI to allow overriding of abi rules
move arg processing from numbers to defines
v3
update patch description around how the abi pinning problem is being fixed
add MR: tags to patches
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
I screwed up adding the last option, yet again because
EARLY_ARG_CONFIG_FILE was define out of order, and adding the new
option seems to skip a number, ...
Switch to defines to make it easier to update, and keep all these
define numbers together in order.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add an option to allow setting/pinning the feature ABI and overriding
of ABI rules if they exist.
--override-policy-abi
This option is primarily for profile development and testing without
allowing adjusting feature abis temporarily without modifying the
profile.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
In AppArmor 2 distros could pin the feature file being used by setting
the feature-file option in the config file.
With AppArmor 3 policy is now explicitly tagged with an abi rule.
The problem is the interaction on systems that have a mixture of
AppArmor 2 and AppArmor 3 policy and use feature pinning.
The feature pinning is required to make the apparmor 2 policy behave
as expected but it also overrides the abi rules that are explicitly
set as part of the policy. This means we either have the apparmor 2
pinned policy working as desired or the apparmor 3 policy, but not
both.
To fix this make setting the flag on command line or in config file
lower priority than an abi rule specified in policy. The ability
to override abi rules will be added in a separate patch.
The Priority ordering to determine the policy abi to use is
1. Use abi rules if present
2. if no abi rule use command line option
3. if no abi rule or command line option use config setting
4. if none of the above use the default abi
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adapted from https://nordisch.org/posts/php-fpm-apparmor/, port the
nextcloud-independent portion of the php-fpm worker abstractions and
php-fpm isolation for more general usage.
Signed-off-by: Antonio Russo <antonio.e.russo@gmail.com>
utils `make check_severity_db` will fail the build if a (probably new)
capability in not listed in severity.db. This also means it should print
out an ERROR, not a warning.
This is a follow-up of lp#1890547 and
https://gitlab.com/apparmor/apparmor/-/merge_requests/589
The warn_once() function is duplicated in 6 different places. A common,
reusable version has been added to parser_common.c.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Nobody told the tools that log events with operation="symlink" exist. Add this keyword to the list of file or network operations (I don't expect network symlinks ;-) but keeping everything in that list makes things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/107
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/587
Acked-by: John Johansen <john.johansen@canonical.com>
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
The fixes that landed for #98 are incomplete: they only added a check to
ensure that the parser is built, and not libapparmor as well, and also
didn't adjust the invocation of aa-logprof to actually make use of the
built libapparmor or its swig python library.
Furthermore, neither it nor the tests in utils/ add the location of the
swig libapparmor C library to the library search path, meaning that if
the system one does not exist, it will not be found and the test will
fail.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.
v2:
- actually use the LIBAPPARMOR_PATH variable when defining
LD_LIBRARY_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The authentication, base and nameservice abstraction used /{usr/,}etc/
in several rules. Switch that to the more readable (and tunable)
@{etc_ro} variable.
Add a couple of bitmap renderings of the logo for convenience
128x128 pixel rendering of the logo
700x700 pixel rendering of the logo
Signed-off-by: John Johansen <john.johansen@canonical.com>
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The hashing of the featue set is wrong because it is hashing the
whole feature structure instead of just the feature string.
This results in the refcount and hash field becoming part of the
hash and the feature string not being completely hashed as the
bytes of the refcount and hash field are being counted in the
as part of the string length when the hash is taken.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/583
Reported-by: Samuele Pedroni <samuele.pedroni@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
This adds support for the new PERFMON, and BPF capabilities.
In addition this updates AppArmor's handling in several ways.
* Move to a static capability list that is compared to the automatically generated capability list, and fail the build if new capabilities are detected. This is required to ensure backwards mapping of capabilities is properly handled.
* allow an already built apparmor to dynamically detect any new additions of capabilities so a release patch doesn't need to be made to support new capabilities. This however will be missing support for backwards mapping of capabilities
* support backwards mapping of new capabilities that have been split of existing capabilities for older kernels (eg. CAP_PERFMON was split off of CAP_SYS_ADMIN)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/578
Acked-by: Seth Arnold <seth.arnold@canonical.com>
If a capability is known in policy but not by the kernel, check to see if it has
a backwards mapping to a different capability and use that instead.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The kernel and policy abis can be used to detect and support new
capabilities without having to update base_cap_names.h and and
rebuilding the compiler.
This is not perfect however in that the does not provide any backwards
compatibility mappings, so we still need to keep the internal
capability table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently features doesn't provide a way to query a features
value. So add an api to extract the value string of a feature.
The value string returned is a raw text value and may contain
leading spaces, etc that the caller may need to be aware of.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need to be able to dynamically add capabilities to the capability
list so switch to using a dynamically allocated table that we can
extend.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need a set of flags to track where a capability can from so we know
how to processes it for policy compatibility purposes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some capabilities like perfmon and bpf have been split out from
another capability, likely cap sys_admin. Add this backmapping
infomation so that the parser can take advantage of it to support
policy on older kernels that don't support the new capabilities.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
