- Update matching regex for reordered kernel audit messages (when they
come through syslog). Ideally, rather than use a regex, the utils would
just use the log parsing library to determine whether it's a log even
of interest.
- fix debugging code write a logfile in /var/log/apparmor and not a
predictable location in /tmp; File::Temp would be the right solution
except that the log file is created in a BEGIN clause, and
File::Temp.new() ends up returning an unopened filehandle in that
situation, so logging fails. Someone with more perl-fu may know how to
fix that.
- fix "Namespcae" tyop
- get rid of sub_name and default_deny from the main profile struct as
they haven't been used for a long time; also eliminates their output
from the debugging output.
- emit dumped parsing structure with only one -d, users were confuzzled
and it was not documented that you needed to use -dd to get it to
output anything if DEBUG wasn't set when compiling.
doesn't work. Making the parser match the documentation, though either
form should still work.
(Based on a secondary element of https://bugs.launchpad.net/bugs/341205)
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
- disable charter, charset merging. This can actually hamper optimization
in some cases and needs special cases added to the factoring code.
The charset code is merged off into its own routines that can be
reenabled at a later time.
- fix a couple bugs in tree simplifications that would cause earlier
exit before the tree had even reached a local minima
I particular the t != c portion of the simplify_tree, would cause
the loop to exit early if it didn't change but other modifications
had been made.
- remove the extra epsnode that was getting added to the created tree
- optimize the forward factor alt loop so that it will find all left
factor matches down the alt subtree without having to loop and recompare
against nodes that were already checked
These changes result in small improvements in most cases, but in some
policies the changes result in very large wins. The early bailout of
optimizations was causing 2.5* as many dfa states in one particular
stress test policy.
- fix-complain.diff
Fixes deny rules in complain mode so that they don't reject events
- mount-capability.diff
Allow confined applications to mount and unmount as long as they
have capability sys_admin
- fix-config.diff
Add the missing SECURITY_NETWORK dependency
- fix-security-param.diff
Make apparmor respect the security= parameter
- securit_default.diff
Add a new kernel config option to allow setting the default LSM,
When multiple LSMs are compiled into the kernel this is often
more desirable than taking the first LSM to register
- fork-tracking.diff
Newer kernels have changed the allocation of child pid until after
the security_clone hook. This breaks AppArmor's fork tracking
for processes that enter the null-complain-profile.
To fix this the parent pid is output with every message. A corresponding
update in the tools also must be done.
- fix-d_namespace_path.diff
It is possible that the root.mnt->mnt_ns has been unmounted, resulting
in an oops. In this case just test for it, and if it happens the
ns_root.mnt passed to __d_path will be NULL resulting in a disconnected
path.
- AppArmor-misc-cleanups.diff
Some miscelleanous cleanups from Miklos Szeredi, covering some
kernel coding style and defaults cleanups
- AppArmor-checkpatch.diff
patch from Miklos Szeredi, to cleanup sparse warnings, and other misc
coding style errors.
Needs love in the form of enhancements to support regexs, all the added
features in upcoming 2.3 release, etc.
Could also stand a bit of refactoring to make the ruby program not suck
up so much ram by writing out profiles as things go along rather than
generating a bunch of large objects and keeping them around.
Fork tracking is broken by the kernel message for clone no longer supplying
the child pid correctly. Instead the parent pid will be output with each
message and the tools will fake a fork when they detect a previously
unknow parent child relationship.
/usr/bin/rsyncd) bnc#408869
The unconfined tool shows:
[...]
29799 /usr/bin/rsync not confined
29799 /usr/bin/rsync not confined
This is because unconfined is grabbing the post symlink resolved exe filename
which for /usr/sbin/rsyncd is /usr/bin/rsync.
To fix this provide both the cmdline and exec name in parenthesis when the
exe name and the cmdline name differ.
For the above example you would see
29799 /usr/bin/rsync (/usr/sbin/rsyncd) not confined
been made but only from the top level. This allows us to get the
optimizations that were missed, while not causing the massive recursive call
explosion we had before.
