The libapparmor library is built with gcc, while the parser is built
with g++. The parser code needs to cast pointers returned from the
malloc(3) family of calls. However, code removed from the parser to
libapparmor can drop the casts.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Creates a libapparmor function, _aa_asprintf(), which sets the *strp to
NULL on error. This is needed for all of the users of the _aa_autofree
cleanup attribute because the value of *strp is undefined when
asprintf() fails and that could result in _aa_autofree() being passed a
pointer value that it should not free.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
As code is moved from the parser to libapparmor, the libapparmor code
base will need to have the "unused" macro defined. This macro will need
to be duplicated in the parser and libapparmor due to it being a
compiler-specific macro that shouldn't be exported from libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The existing kernel_interface.c file collides with the expected file
name of the implementation of the aa_kernel_interface API.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The parser's copy of the two atomic operations will be removed once the
new API's (aa_features, aa_policy_cache, aa_kernel_interface) are moved
from the parser to libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The function names must be prepended with "_aa_" since they're going to
be exported from libapparmor. The code bases using the _aa_autofree(),
_aa_autoclose(), and _aa_autofclose() will need to internally alias
those functions to the previously used autofree, autoclose, and
autofclose names.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch adds equivalents of the parser's PDEBUG() and PERROR()
functions to libapparmor.
It does not add gettext(3) support to libapparmor since these are
messages that only developers will see (debug builds with
LIBAPPARMOR_DEBUG=1) or messages that go to the syslog.
PDEBUG() does nothing unless libapparmor is built with --enable-debug.
It prints to stderr if libapparmor is built with --enable-debug and the
LIBAPPARMOR_DEBUG environment variable is set.
PERROR() uses syslog(LOG_ERR, ...) by default. The message is sent to
the syslog and to stderr if libapparmor is built with --enable-debug and
the LIBAPPARMOR_DEBUG environment variable is set.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This is needed for some of the parser functionality that will be moved
to libapparmor. In the short term, only the 'bool' type is needed but it
makes sense to simply require a C99 compliant compiler for libapparmor
since the parser is being rewritten in C++. The use of C99 will reduce
future headaches when moving code between the two code bases.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch creates a private API in libapparmor in which upstream
provides no guarantees in regards to ABI stability.
A new header file, <sys/apparmor_private.h>, is created. The "_aa"
prefix will be used for symbols belonging to the private API.
To kick things off, a library friendly version of is_blacklisted() is
moved into libapparmor.
The purpose of a private libapparmor API is to prevent duplicated code
between the parser and libapparmor. This becomes an issue as we prepare
to move chunks of the parser into libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Adjust the libapparmor function prototypes, variable names, and comments
that incorrectly used the name "con" when referring to the label.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The correct usage of the terms context and label is not clear in the
aa_getcon(2) man page. The aa_getcon(2) family of functions are also
prototyped incorrectly since the *con parameter represents a label and
not a context.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Get rid of the relics in libapparmor's Makefile.am for generating
tarballs from svn, which is no longer relevant. Also clean generated
manpages during make clean rather than just make maintainer-clean.
Those *.spec{,.in} files were not updated for years (last change
2006/2007) and don't fit the current "one tarball for everything" model.
Acked-by: Steve Beattie <steve@nxnw.org>
This patch adds the --enable-man-pages option, defaulting to "yes", to
libapparmor's configure stage so that libapparmor can be built on
systems lacking Perl.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Fail the configure stage if podchecker is not available since man page
generation always happens.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Point to the site for Perl the language and not Perl news.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
There's no need to date ourselves.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The configure script fails if pod2man isn't available since PROG_POD2MAN
is called unconditionally so it is safe to split man page generation out
of the --with-perl configure option.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds a 'check_pod_files' make target to the common make
rules, and then fixes the errors it highlighted as well as most of
the warnings. It will cause 'make check' in most of the directories to
fail if there are errors in a pod file (but not if there are warnings).
Common issues were:
- using an '=over/=back' pair for code-like snippets that did not
contain any =items therein; the =over keyword is intended for
indenting lists of =item entries, and generates a warning if
there isn't any.
- not escaping '<' or '>'
- blank lines that contained spaces or tabs
The second -warnings flag passed to podchecker is to add additional
warnings, un-escaped '<' and '>' being of them.
I did not fix all of the warnings in apparmor.d.pod, as I have not come
up with a good warning-free way to express the BNF of the language
similar in format to what is currently generated. The existing
libapparmor warnings (complaints about duplicate =item definition
names) are actually a result of passing the second -warnings flag.
The integration into libapparmor is suboptimal due to automake's
expectation that there will be a test driver program(s) for make check
targets; that's why I added the podchecker call to the manpage
generation point.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
---
changehat/mod_apparmor/Makefile | 3
changehat/mod_apparmor/mod_apparmor.pod | 28 ++-
common/Make.rules | 4
libraries/libapparmor/doc/Makefile.am | 7
parser/Makefile | 2
parser/apparmor.d.pod | 275
+++++++++++++-------------------
utils/Makefile | 3
utils/aa-cleanprof.pod | 2
utils/aa-complain.pod | 2
utils/aa-decode.pod | 2
utils/aa-easyprof.pod | 69 +++-----
utils/aa-enforce.pod | 2
utils/aa-genprof.pod | 2
utils/aa-logprof.pod | 6
utils/aa-sandbox.pod | 64 ++-----
utils/logprof.conf.pod | 2
utils/vim/Makefile | 2
17 files changed, 212 insertions(+), 263 deletions(-)
This patch adjusts the bison grammer in libapparmor and the parser
to use the %define api.pure directive instead of the deprecated
%pure_parser and %pure-parser keywords. Bison had been warning about
the former:
libraries/libapparmor/src/grammar.y:71.1-12: warning: deprecated directive, use ‘%pure-parser’ [-Wdeprecated]
%pure_parser
^^^^^^^^^^^^
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds support for the mount and pivotroot related keywords,
fstype, flags, and srcname.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When signals and ptrace mediation were added to apparmor, the aalogparse
routines were not adjusted to compensate. This patch adds support for
the signal and peer keywords.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The upstream kernel at some point between the 3.13 and 3.16 kernel
adjusted the output of audit messages to include an additional "audit:"
keyword. e.g. a 3.13 message would look like:
kernel: [182243.243324] type=1400 audit(1409684003.960:273342): [SNIP]
whereas in 3.16, it looks like:
kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): [SNIP]
^^^^^^
This patch adjust the libapparmor aalogparse grammar and lexer to
compensate for this change.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch fixes some memory leaks in the libapparmor log parsing
functions, specifically around handling records obtained from syslog
and records containing network addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Current libapparmor python bindings are very "unpythonic". Also lack
ability to access "why" information in case of failure.
In python when something fail the normal behaviour is exception
to occur. In case of apparmor functions die silently and require
user to verify returned value.
And here comes second problem. In C api when return value is -1
(and the same value is returned in python API) we can access errno
to get information why this occured. Unfortunately in python there
is no way to access the same information. Pythonic way of accessing
errno is via exception (which is never raised in python bindings
currently).
So the patch adds exceptions on failures. First %exception creates
a wrapper that swig adds to each function listed below. Empty %exception
causes that the rest of code (beside listed functions) won't be wrapped.
How this works? Example on apparmor disabled system:
Before:
>>> LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
-1
After:
>>> LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
so pythonic way of accessing "why":
>>> try:
... LibAppArmor.aa_change_hat(hat, random.randint(1, sys.maxint))
... except OSError, e:
... print e.errno
...
22
Signed-off-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Acked-by: Steve Beattie <steve@nxnw.org>
In the course of developing apparmor dbus mediation, the aa_query_label
symbol was added to libapparmor on trunk, and given the symbol version
(via libapparmor.map) of APPARMOR_3.0. As apparmor upstream, we have
not made a release where this would have been exported.
Unfortunately, in Ubuntu, a version was released in 13.10 that included
the aa_query_label() symbol with a version of APPARMOR_1.1. This
can cause a breakage on that platform with the incorporation of the
impending apparmor 2.9 release.
This patch provides both versions (APPARMOR_1.1 and APPARMOR_2.9)
of the aa_query_label() symbol. It requires the function name in
kernel_interface.c to be renamed (similar to how the deprecated
change_hat() symbol is named in the source as __change_hat()),
otherwise linking fails with duplicated symbols. The default symbol
used will still be the APPARMOR_2.9 version, but binaries linked with
the APPARMOR_1.1 version would still continue to work unchanged.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This commit adjusts the trunk libtool versions in accordance
with the outlined rules. It also adds clarifying text to the
documentation comment to explain how to use the rules and what the
resulting outcome is. Finally, it removes a bogus argument to linker
to forcibly set the SONAME in the library, as libtool will do this
automatically (and override the passed argument).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format string, so an aa_change_hatv()
call followed by an exiting aa_change_hat() call would result in the
latter having a different token, which would cause the process to be
killed by apparmor.
(Hat tip to John Johansen for spotting the actual bug.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch moves the apparmor.h and aalogparse.h headers
from the libapparmor/src/ directory to a new directory
libapparmor/include/. The apparmor.h header is stored in a sys/
directory within libapparmor/include/ to match its usual install
location in /usr/include/sys/, simplifying the #include statements of
source that wishes to include either the in-tree or system installed
version of the header (i.e. #include <sys/apparmor.h> can be used
everywhere).
The patch size is inflated by the movements of the header files, which
are unchanged except for their locations. Otherwise, the rest of the
changes are to modify the include search path or to stop looking in
$CWD for one of the headers.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
libtoolize is the standard mechanism for incorporating libtool support
into a library; however, libapparmor's autogen.sh script specifically
looks for the existence of the libtool binary rather than libtoolize.
The libtoolize tool automatically generates a libtool script and does
not require the existence of the libtool binary, so we no longer need
to check for it.
The autogen.sh script aborting because it can't find the libtool
binary causes a spurious build failure in Ubuntu 14.04, due to the
libtool binary being separated out into its own package, and which
is not a strict dependency for libtool.
(I also added setting the package variable so that the error message
emitted will indicate that the failure is in building libapparmor.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Currently, D-Bus rules are the only type of policy that we expect to be
queried from userspace. Therefore, we do not need to export other
mediation types at this time.
This patch removes all AA_CLASS_* macros, except AA_CLASS_DBUS, from
libapparmor's apparmor.h header. These macros are already defined in the
parser's policydb.h header.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Now that the parser links against libapparmor, it makes sense to move
all public permission types and flags to libapparmor's apparmor.h. This
prevents duplication across header files for the parser and libapparmor.
Additionally, this patch breaks the connection between
AA_DBUS_{SEND,RECEIVE,BIND} and AA_MAY_{WRITE,READ,BIND} by using raw
values when defining the AA_DBUS_{SEND,RECEIVE,BIND} macros. This makes
sense because the two sets of permission flags are from two distinctly
different mediation types (AA_CLASS_DBUS and AA_CLASS_FILE). While it is
nice that they share some of the same values, the macros don't need to
be linked together. In other words, when you're creating a D-Bus rule,
it would be incorrect to use permission flags from the AA_CLASS_FILE
type.
The change mentioned above allows the AA_MAY_{WRITE,READ,BIND} macros
to be removed from public-facing apparmor.h header.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Allows for the policy writer to grant permission to eavesdrop on the
specified bus. Some example rules for granting the eavesdrop permission
are:
# Grant send, receive, bind, and eavesdrop
dbus,
# Grant send, receive, bind, and eavesdrop on the session bus
dbus bus=session,
# Grant send and eavesdrop on the system bus
dbus (send eavesdrop) bus=system,
# Grant eavesdrop on any bus
dbus eavesdrop,
Eavesdropping rules can contain the bus conditional. Any other
conditionals are not compatible with eavesdropping rules and the parser
will return an error.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
useful for people without the tools installed, and is against Debian
packaging policy (symlink pointing outside the source tree).
Signed-off-by: Kees Cook <kees@ubuntu.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This typo allowed apparmor.h to be pulled in multiple times.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The libapparmor_wrap.c target generates libapparmor_wrap.c and
LibAppArmor.pm. The Perl module must exist before `perl Makefile.PL`
under the Makefile.perl target, otherwise the generated Makefile.perl
ends up with an empty $(TO_INST_PM) variable and the pm_to_blib target's
dependencies are incomplete. That results in the Perl module not getting
copied to the blib directory and a build that is missing LibAppArmor.pm.
A build missing LibAppArmor.pm only occurred while building with
multiple threads.
Thanks to Seth Arnold for the suggestion on how to best fix the
dependencies.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
The python bindings were using the wrong data type cast (long long
instead of just long) on the value '-1' that is used to indicate no
value for the 'fsuid' and 'ouid' fields in the returned data structure.
Thus a bunch of the tests were failing in 32bit environments.
This patch corrects the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds tests for the swig generated python library bindings
that reuse the C language tests.
Fitting it into autotools was a bit of a trick, and is likely pretty
brittle, as before the test script runs, it needs to know the location
of the built libapparmor.so library, the built _LibAppArmor.so library
and the python wrapper bits (thankfully, the latter two are the same
directory). It's also unclear how to get autotools to emit the output of
the test_python.py script when building, rather than just summarizing it
as one test run.
Also note that test_python.py is doing a bit of magic to automatically
generate test case methods based on the contents of the test_multi/
directory. This has the disadvantage of breaking tools like nosetests
and other external tools that try to automatically detect testcases.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch gives a more pythonish whitespace cleanup to the swig python
setup.py.in configuration file. It also updates the wiki url.
(That said, pep8 will still probably barf all over it.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
