If a capability is known in policy but not by the kernel, check to see if it has
a backwards mapping to a different capability and use that instead.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The kernel and policy abis can be used to detect and support new
capabilities without having to update base_cap_names.h and and
rebuilding the compiler.
This is not perfect however in that the does not provide any backwards
compatibility mappings, so we still need to keep the internal
capability table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need to be able to dynamically add capabilities to the capability
list so switch to using a dynamically allocated table that we can
extend.
Signed-off-by: John Johansen <john.johansen@canonical.com>
We need a set of flags to track where a capability can from so we know
how to processes it for policy compatibility purposes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some capabilities like perfmon and bpf have been split out from
another capability, likely cap sys_admin. Add this backmapping
infomation so that the parser can take advantage of it to support
policy on older kernels that don't support the new capabilities.
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The handling for quotedid checked for the first quote but failed
to ensure the trailing quote was present.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The define `RLIMIT_OFILE` is a historic macro originating from
the BSDs, which is nowadays an alias for `RLIMIT_NOFILE`. On some
implementations, it has thus been dropped in favor of the new
define, but we still assume it will always be defined in our
rlimit keywords table. Wrap it in an `ifdef` to fix compilation
on systems where it does not exist.
For the second macro `RLIMIT_RTTIME`, we do check for its
existence in our keywords table, but then forgot to do so in the
YACC rules. Wrap it into an `ifdef`, as well.
Both patches serve the goal to fix compilation on musl libc.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The debugging code for profile entries contains a check to ensure that
it's not NULL, but the list iterator macro already ensures that the
iteration will stop if the item is NULL, making the check redundant.
Coverity CID #55983
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Check if the current kernel supports stacking. If not, ensure that named
transitions (exec, change_profile, etc.) do not attempt to stack their
targets.
Also, set up the change_profile vector according to whether or not the
kernel supports stacking. Earlier kernels expect the policy namespace to
be in its own NUL-terminated vector element rather than passing the
entire label (namespace and profile name) as a single string to the
kernel.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Allow for a leading '&' character to be present in the named transition
target strings to indicate that the transition should stack the current
profile with the specified profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The parser was splitting up the namespace and profile name from named
transition targets only to rejoin it later when creating the binary
policy. This complicated the changes needed to support the stacking
identifier '&' in named transition targets.
To keep the stacking support simple, this patch keeps the entire named
transition target string intact from initial profile parsing to writing
out the binary.
All of these changes are straightforward except the hunk that removes
the namespace string addition to the vector in the process_dfa_entry()
function. After speaking with John, kernels with stacking have support
for consuming the namespace with the profile name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch separates the label parsing functionality from the program
termination and memory allocation duties of parse_label(). This will
ultimately help in creating simple helper functions that simply need to
check if a label contains a namespace.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The copy_cod_entry() function was not copying the nt_name field of the
cod_entry struct.
This was discovered during code review and I'm not certain if it causes
any real world bugs.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://launchpad.net/bugs/1540666
Reuse the new parse_label() function to initialize named_transition
structs so that transition targets, when used with change_profile, are
properly seperated into a profile namespace and profile name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1379874
https://launchpad.net/bugs/1544387
Don't split namespaces from profile names using YACC grammar. Instead,
treat the entire string as a label in the grammer. The label can then be
split into a namespace and a profile name using the new parse_label()
function.
This fixes a bug that caused the profile keyword to not be used with a
label containing a namespace in the profile declaration.
Fixing this bug uncovered a bad parser test case at
simple_tests/profile/profile_ns_ok1.sd. The test case mistakenly
included two definitions of the :foo:unattached profile despite being
marked as expected to pass. I've adjusted the name of one of the
profiles to :foo:unattached2.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch fixes the unit test memory leaks found
by intrigeri using AddressSanitizer in the following email thread:
https://lists.ubuntu.com/archives/apparmor/2015-August/008491.html
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The capnames list missed a comma, which lead to the funny
"mac_overridesyslog" capability name.
__debug_capabilities() seems to be the only user of capnames, which
might explain why this bug wasn't noticed earlier.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
currently the parser supports ambiguous units like m for time,
which could mean minutes or milliseconds. Fix this and refactor the
time parsing into a single routine.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
When is_blacklisted() was internal to the parser, it would print an
error message when encountering some file names. If the path parameter
was non-null, the error message would include the file path instead of
the file name.
Now that the function has been moved to libapparmor, callers are
expected to print the appropriate error message if _aa_is_blacklisted()
returns -1. Since the error message printing no longer occurs inside of
_aa_is_blacklisted(), the path parameter can be removed.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The parser currently is still using the old permission layout, the kernel
uses a newer layout that allows for more permission bits. The newer
newer permission layout is needed by the library to query the kernel,
however that causes some of the permission bits to be redefined.
Rename the permission bits that cause redefination warnings to use
AA_OLD_MAY_XXX
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch creates a private API in libapparmor in which upstream
provides no guarantees in regards to ABI stability.
A new header file, <sys/apparmor_private.h>, is created. The "_aa"
prefix will be used for symbols belonging to the private API.
To kick things off, a library friendly version of is_blacklisted() is
moved into libapparmor.
The purpose of a private libapparmor API is to prevent duplicated code
between the parser and libapparmor. This becomes an issue as we prepare
to move chunks of the parser into libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Only present when building with DEBUG=1.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Abstract af_unix socket names can contain a null character, however the
aare to pcre conversion explicitly disallows null characters because they
are not valid characters for pathnames. Fix this so that they type of
globbing is selectable.
this is a partial fix for
Bug: http://bugs.launchpad.net/bugs/1413410
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugzilla.novell.com/show_bug.cgi?id=895495
We define the __unused macro as a shortcut for __attribute__((unused))
to quiet compiler warnings for functions where an argument is unused,
for whatever reason. However, on 64 bit architectures, older glibc's
bits/stat.h header defines an array variable with the name __unused
that collides with our macro and causes the parser to fail to build,
because the resulting macro expansion generates invalid C code.
This commit fixes the issue by removing the __unused macro where it's
not needed (mod_apparmor) and renaming it to 'unused' elsewhere. It also
in some instances reorders the arguments so that the unused macro
appears last consistently.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The change to processing escape sequences in trunk commit r2537 requires
a corresponding change to the unit tests in parser_misc.c.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
escape sequences that result in special character that will be interpreted
by later processing need to be passed through as well.
Eg. previously \\ was fixed to be passed through, but other chars
get interpretted as well.
*?[]{}
and ^, in character classes
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
r2456 unified escape sequence processing but it results in the \\
sequence being processed multiple times (lexer, regex conversion,
backend pcre parsing).
What used to happen was the lexer would only convert octal sequences
and a few special escapes, \\ would be passed through the lexer and
the regex conversion, thus only being handled in the pcre backend.
r2456 changed that so that \\ is handled by the lexer, converting it
to \, which is handled as an escape sequence in both the regex
conversion and the pcre backend.
This means
\\001 instead of being treated as the literal \001 is treated
as an octal escape sequence which is rejected by the regex conversion
(it only allows for certain special chars).
etc.
Fix this by ensuring the lexer does not processes \\ and passes it
through so it is only handled in the backend as was done in the past.
Also fix front end escape sequence processing of octals etc from resulting
in a later escape sequence. That is \134, \d92, .. would get converted
to \ in the lexer and then treated as an escape sequence in the regex
conversion or pcre processing.
We fix this by converting them to the equivalent \\ sequence in the
lexer and letting the backend processes it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
ptrace rules currently take the form of
ptrace [<ptrace_perms>] [<peer_profile_name>],
ptrace_perm := read|trace|readby|tracedby
ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
After having used the cross check (permission needed in both profiles)
I am not sure it is correct for ptrace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The match
{VARIABLE_NAME}/{WS}*={WS}*\(
is too broad causing mount and dbus rules to fail for sets of values eg.
mount options=(ro bind)
Instead of doing a broad match, for now lets lock it down to just
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.
The current format of the signal rule is
[audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>,
signal_perm := 'send'|'receive'|'r'|'w'|'rw'
signal_perms := <signal_perm> | '(' <signal_perm> ([,]<signal_perm>)* ')'
signal := ("hup"|"int"|"quit"|"ill"|"trap"|"abrt"|"bus"|"fpe"|"kill"|
"usr1"|"segv"|"usr2"|"pipe"|"alrm"|"term"|"tkflt"|"chld"|
"cont"|"stop"|"stp"|"ttin"|"ttou"|"urg"|"xcpu"|"xfsz"|"vtalrm"|
"prof"|"winch"|"io"|"pwr"|"sys"|"emt"|"exists")
signal_set := set=<signal> | '(' <signal> ([,]<signal>)* ')'
it does not currently follow the peer=() format, and there is some question
as to whether it should or not. Input welcome.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Fix the octal escape sequence that was broken, so that short escapes \0,
\00 \xa, didn't work and actually resulted in some encoding bugs.
Also we were missing support for the decimal # conversion \d123
Incorporate and update Steve Beattie's unit tests of escape sequences
patch
v2
- unify escape sequence processing, creating lib fns.
- address Steve Beattie's feedback
- incorporate Steve Beattie's feedback
v3
- address Seth's feedback
- add missing strn_escseq tests
- expand strn_escseq to take a 3rd parameter to allow specifying chars to
convert straight across. . eg "+" will cause it to convert \+ as +
- fix libapparmor/parse.y failed escape pass through to match processunqoted
Unit tests by Steve Beattie
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Make it more generic so that it can be shared with signals.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This will simplify add new features as most of the code can reside in
its own class. There are still things to improve but its a start.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds support for the rttime rlimit (aka RLIMIT_RTTIME),
available since the 2.6.25 kernel, according to the getrlimit(2)
man page; see that man page for more details on this rlimit.
An acceptance test is also added, as well as an update to the
apparmor.vim input template.
While reviewing to see what made sense in apparmor.vim for the rttime
rlimit, I discovered that RLIMIT_RTTIME's units are microseconds, not
seconds like RLIMIT_CPU (according to the setrlimit(2) manpage). This
necessitated not sharing the case switch with RLIMIT_CPU. I didn't add
a keyword for microseconds, but I did for milliseconds. I also don't
accept any unit larger than minutes, as it didn't seem appropriate
(and even minutes felt... gratuitous). I would appreciate feedback
on what keywords would be useful here.
Patch History:
v1: initial submission
v2: - add apparmor.vim support for rttime keyword
- adjust RLIMIT_TIME value assignment due to its units being
microseconds, not seconds, and add milliseconds keyword.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
By default, statically link against the in-tree libapparmor. If the
in-tree libapparmor is not yet built, print a helpful error message. To
build against the system libapparmor, the USE_SYSTEM make
variable can be set on the command line like so:
$ make USE_SYSTEM=1
This patch also fixes issues around the inclusion of the apparmor.h
header. Previously, the in-tree apparmor.h was always being included
even if the parser was being linked against the system libapparmor.
It modifies the apparmor.h include path based on the previous patch
separating them out in the libapparmor source. This was needed because
header file name collisions were already occurring.
For source files needing to include apparmor.h, the make targets were
also updated to depend on the local apparmor.h when building against
the in-tree libapparmor. When building against the system libapparmor,
the variable used in the dependency list is empty. Likewise, a
libapparmor.a dependency is added to the apparmor_parser target when
building against the in-tree apparmor.
Patch history:
v1: from Tyler Hicks <tyhicks@canonical.com>
- initial version
v2: revert to altering the include search path rather than including
the apparmor.h header directly via cpp arguments, alter the
include statements to <sys/apparmor.h> which will work against
either in-tree or (default) system paths.
v3: convert controlling variable to USE_SYSTEM from SYSTEM_LIBAPPARMOR
to unify between the parser and the regression tests.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
The parser was not checking for an error when reading from
/proc/sys/kernel/osrelease. Additionally, valgrind was complaining
because of the uninitialized space in the buffer in between where
the read(2) had deposited its data and where the parser was writing
a trailing NUL to close the string. This patch fixes the above by
writing the NUL byte at the position at the end of the read characters
and checks for a negative result from the read() call.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Now that the parser links against libapparmor, it makes sense to move
all public permission types and flags to libapparmor's apparmor.h. This
prevents duplication across header files for the parser and libapparmor.
Additionally, this patch breaks the connection between
AA_DBUS_{SEND,RECEIVE,BIND} and AA_MAY_{WRITE,READ,BIND} by using raw
values when defining the AA_DBUS_{SEND,RECEIVE,BIND} macros. This makes
sense because the two sets of permission flags are from two distinctly
different mediation types (AA_CLASS_DBUS and AA_CLASS_FILE). While it is
nice that they share some of the same values, the macros don't need to
be linked together. In other words, when you're creating a D-Bus rule,
it would be incorrect to use permission flags from the AA_CLASS_FILE
type.
The change mentioned above allows the AA_MAY_{WRITE,READ,BIND} macros
to be removed from public-facing apparmor.h header.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Allows for the policy writer to grant permission to eavesdrop on the
specified bus. Some example rules for granting the eavesdrop permission
are:
# Grant send, receive, bind, and eavesdrop
dbus,
# Grant send, receive, bind, and eavesdrop on the session bus
dbus bus=session,
# Grant send and eavesdrop on the system bus
dbus (send eavesdrop) bus=system,
# Grant eavesdrop on any bus
dbus eavesdrop,
Eavesdropping rules can contain the bus conditional. Any other
conditionals are not compatible with eavesdropping rules and the parser
will return an error.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Allow directories to be passed directly to the parser and handled instead
of needing an initscript to find the files in the directory.
eg. load all profiles in profiles dir
apparmor_parser -r /etc/apparmor.d/
eg. load all binary files in the cache dir
apparmor_parser -Br /etc/apparmor.d/cache/
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch fixes a few more parser memory leaks as identified by the
simple valgrind test script. These mostly occur during cleanup of
structs and classes and as such, don't represent very serious leaks
for common usages of the parser.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
