Removes an unnecessary variable, simplifies and unifies some of the loop
logic, and removes commented out code.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
When merging file entries in process_file_entries(), an error condition
can leave the entries list in a bad state which can cause invalid reads
and/or double frees when freeing the codomain and entries list memory.
The problem comes from the need to sort the entries linked list. An
array of pointers is created to represent the linked list, then the
array is sorted, then the linked list and the array coexist while the
entries are merged, then the linked list is reconstructed and the array
is freed. While the entries are being merged, an error condition can
occur and the function can return while the linked list is partially
modified.
The solution is to complete the sorting, reconstruct the linked list,
and free the array immediately. Once the linked list is in a good state,
the entries can be merged. Care is taken to adjust the linked list
pointers as entries are merged. An error condition can occur but the
linked list is always in a good state and proper cleanup can be
performed without any memory access issues.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
If a parser test case causes the parser to produce a core dump, the
simple.pl test runner incorrectly treats the test as a success.
This patch treats tests that cause core dumps as failures, even when the
tests are marked as #=TODO. The only way to ignore tests that fail in
this manner is with #=DISABLED.
Note that this patch changes the meaning of the $result variable.
Previously, it held a true or false status returned when closing the
apparmor_parser pipe. Now, it holds the exit status of apparmor_parser.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch fixes a few memory leaks found by valgrind. Most of these
occur in error cases and as such, are not a big deal. The dbus TOK_MODE
and flags TOK_CONDID leaks in parser_yacc.y are legitimate leaks,
if of very small amounts of memory.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch adds tests for the swig generated python library bindings
that reuse the C language tests.
Fitting it into autotools was a bit of a trick, and is likely pretty
brittle, as before the test script runs, it needs to know the location
of the built libapparmor.so library, the built _LibAppArmor.so library
and the python wrapper bits (thankfully, the latter two are the same
directory). It's also unclear how to get autotools to emit the output of
the test_python.py script when building, rather than just summarizing it
as one test run.
Also note that test_python.py is doing a bit of magic to automatically
generate test case methods based on the contents of the test_multi/
directory. This has the disadvantage of breaking tools like nosetests
and other external tools that try to automatically detect testcases.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch gives a more pythonish whitespace cleanup to the swig python
setup.py.in configuration file. It also updates the wiki url.
(That said, pep8 will still probably barf all over it.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch converts the C test program to only emit the basename(3) of
the test input file under consideration, rather than the entire path as
passed on the command line, and fixes up all the expected outputs to
match.
The reason to do this is to make it easier for other tools located
in other directories (e.g. under libapparmor/swig) to use these same
test cases with reduced special casing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch wraps the event record output cases in a macro, for
consistent generation.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch converts most of the fields to using the existing macros for
output, to make consistent and simplify the code a bit.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The test program didn't make use of the existing print_long() macro for
printing long values, which meant that they were always emitted for
every testcase. This patch makes them consistent with all the other
emitted fields and fixes up the expected output where they shouldn't be
emitted.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The oldstyle name configure.in has been deprecated by autotools. This
patch renames configure.in to the new standard name configure.ac.
The AC_INIT() entry was adjusted as well to point to configure.ac
instead of configure.in.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch makes the binding check messages a little more understandable
and coherent. The original messages looked like (for a perl binding only
build):
checking Checking for Python... no
checking Checking for perl... yes
checking for perl... /usr/bin/perl
Note the duplicated 'checking Checking' and '[cC]hecking for perl'
statements. With the patch applied, the output looks like thus:
checking whether python bindings are enabled... no
checking whether perl bindings are enabled... yes
checking for perl... /usr/bin/perl
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch causes libapparmor's configure script to exit with an error
if a language binding is asked for and the relevant interpreter is not
found. The previous behavior was to *silently* disable the binding.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch causes libapparmor's configure script to exit with an error
if any of the language bindings are requested but swig has not been
found earlier in the configure script. Without this script, configure
would bury the inability to find swig in its output, without informing
the user that building any of the language bindings would fail.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The function new_dbus_entry() free()s the conds argument but not the
peer_conds argument.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch moves the DUP_STRING macro to parser.h and modifies
it to accept a goto error target, that will be jumped to if the
call to strdup(3) fails. It also uses it in additional locations
where copying structures occurs, as well as detecting additional
cases where a structure duplication might have failed but not been
propagated outward.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The aa_getcon man page only implies that the *mode strings returned by
aa_getprocattr(), aa_gettaskcon(), aa_getcon(), and aa_getpeercon()
should not be freed. A developer using the man page to build against
libapparmor may miss that subtlety and end up hitting double free issues.
This patch makes the man page more clear, makes the function comments
more clear, and changes the aa_getprocattr() *buf param to *con. The use
of *buf should reserved for the aa_get*_raw() functions that do not
allocate a buffer for the confinement context and all documents now
clearly mention that *con must be freed.
Additionally, this patch removes the line wrapping of the
aa_getprocattr_raw() prototype in the aa_getcon man page source. The
line wrapping caused incorrect formatting of the function prototype when
viewing the man page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
r2125 caused a regression in aa_getpeercon_raw() when a NULL pointer was
passed into the mode parameter. Instead of unconditionally
NUL-terminating the con string before the mode portion of the security
context, it made it to where the NUL byte was only put into place when
mode was non-NULL.
This resulted in the con string incorrectly containing the label and the
mode.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1218099
This patch adds support for expanding variables with dbus rules.
Specifically, they can expanded within the bus, name, path, member,
interface, and peer label fields.
Parser test cases and regression test cases are added as well.
Patch history:
v1: initial version of patch
v2: add equality.sh tests to verify that the results of using
variable expansion is the same as what should be equivalent rules
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In aa_query_label(), errors encountered during a write() to the AppArmor
filesystem's .access file results in an unintentional file descriptor
leak outside of aa_query_label(). Callers don't expect aa_query_label()
to return with a newly opened file descriptor so they can't be expected
to close the fd.
This flaw was introduced in r2147, which has not yet been included in an
official release.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The profile parsing in the Immunix::AppArmor perl module has fallen
behind when it comes to some of the newer rule types and syntax
supported by apparmor_parser.
When an unsupported rule is found, it causes aa-logprof and aa-genprof
to error out. This patch creates a list of valid, but unsupported rule
types that should be ignored by the perl module when parsing policy.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Patch by Kshitij Gupta <kgupta8592@gmail.com>
A previous bugreport [1] was fixed using the smartmatch operator,
which raised the minimum Perl version requirement to >=5.10.1 .
However in Perl5.18 the smartmatch operator has again become
"experimental" [2] so the following patch replace smartmatch operator
with grep and thereby avoiding the requirement hike and avoiding
warnings.
[1] https://bugs.launchpad.net/apparmor/+bug/1180230
[2] http://blogs.perl.org/users/mike_b/2013/06/a-little-nicer-way-to-use-smartmatch-on-perl-518.html
ACKed-by: Christian Boltz <apparmor@cboltz.de>
When dnsmasq is started with the --enable-dbus option, it uses the
system bus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Integrate dbus tests into the regression testing framework.
This started out as dbus-send.c, from the dbus source, and then grew
from there.
dbus_message is an example "client" program that only sends out
messages. dbus_service binds to a well-known name and then listens and
responds to incoming messages. They share some code in dbus_common.c.
The test scripts, dbus_message.sh and dbus_service.sh, share some
functionality in dbus.inc.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
It may be useful to applications that do AppArmor queries to know if the
subject label in the query is unknown to the kernel. For example, the
corresponding profile may have been removed/renamed.
This patch eliminates all potential return locations of aa_query_label()
that may have errno set to ENOENT, except for the write() to
apparmorfs/.access that sets ENOENT when the subject label isn't found
by the kernel.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Test a set of send, bind, and receive denials routed through syslog,
as well as a set routed through auditd.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-By: Seth Arnold <seth.arnold@canonical.com>
This requires libaalogparse to become aware of USER_AVC messages.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add a new set of tests that tests delegation of file descriptors when
inherited across combinations of confined and unconfined processes.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch broadens the testing of file descriptor passing over Unix
domain sockets, but the real focus is on passing a file descriptor from
an unconfined server to a confined client. The confined client should
have full access to the file descriptor, despite not having a
corresponding file rule in its profile, due to delegation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
required for a test to run. This will help keep the regression suite
from reporting a lot of failures when it hits a kernel that doesn't
support the feature being tested.
its current iteration is pretty brain dead, only testing for the
existance of feature files/dirs (and not contents) but I think it is
probably sufficient for now.
To use it, just call the required_features fn right after sourcing
prologue.inc in the bash test script that is called by the make file.
If any of the requested features don't exist the bash script will exit
reporting the first feature that was missing
Eg.
. $bin/prologue.inc
required_features dbus
required_features dbus dbus/mask network domain/change_hatv
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Allows for the test script to specify a final check to be performed
after checking the output of the test binary. This may be useful, for
example, if the test script wants to compare logging output of the test
binary to known-good logging output.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Add an interface for trusted applications to use when they need to query
AppArmor kernel policy to determine if an action should be allowed.
This is a simplified interface that tries to make it as easy as possible
for applications to use. They provide a permissions mask and query
string and they get a pair of booleans back that let them know if the
action should be allowed and/or audited.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This test is to verify that a list of profiles compile down into the
same binary representation. This is useful, for example, when testing a
rule syntax that includes permission aliases, as well as implied and
explicit accesses.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This is a test in the style of gen-xtrans.pl that attempts to run
through the most commonly constructed DBus rules. It also attempts to
run through some common mistakes to ensure that the parser fails
appropriately.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch implements the parsing of DBus rules.
It attempts to catch all corner cases, such as specifying a bind
permission with an interface conditional or specifying a subject name
conditional and a peer name conditional in the same rule.
It introduces the concept of conditional lists to the lexer and parser
in order to handle 'peer=(label=/usr/bin/foo name=com.foo.bar)', since
the existing list support in the lexer only supports a list of values.
The DBus rules are encoded as follows:
bus,name<bind_perm>,peer_label,path,interface,member<rw_perms>
Bind rules stop matching at name<bind_perm>. Note that name is used for
the subject name in bind rules and the peer name in rw rules. The
function new_dbus_entry() is what does the proper sanitization to make
sure that if a name conditional is specified, that it is the subject
name in the case of a bind rule or that it is the peer name in the case
of a rw rule.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Document the DBus rule syntax and provide several examples.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes problems in the handling of both the final cache
name location and the temporary cache file when an alternate location
is specified.
The first issue is that if the alternate cache directory location was
specified, the alternate directory name would be used as the final location for
the cache file, rather than the alternate directory + the basename of
the profile.
The second issue is that it would generate the temporary file that it
stores the cache file in [basedir]/cache even if an alternate cache
location was specified on the command line. This causes a problem
if [basedir]/cache is on a separate device than the alternate cache
location, because the rename() of the tempfile into the final location
would fail (which the parser would not check the return code of).
This patch fixes the above by incorporating the basename into the cache
file name if the alternate cache location has been specified, bases the
temporary cache file name on the destination cache name (such that they
end up in the same directory), and finally detects if the rename fails
and unlinks the temporary file if that happens (rather than leave it
around). It also has been updated to add a couple of testcases to verify
that writing and reading from an alternate cache location work.
Patch history:
v1: first draft of patch
v2: add testcases, convert PERROR() to pwarn() if rename() fails for
placing cachefile into place.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Debian sid's fonts-mathjax ships fonts in
/usr/share/javascript/mathjax/fonts, that are now used by default by
fontconfig-enabled software.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
At least on Debian, with recent versions of fontconfig-config
(>= 2.10), files in /etc/fonts/conf.d/ are symlinks pointing to
/usr/share/fontconfig/.
This was reported by Jakub Wilk <jwilk@debian.org> on Debian bug #714843.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
abstractions/ubuntu-browsers.d/ubuntu-integration.
Patch by Felix Geyer <debfx@ubuntu.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
