This patch removes the string length limit in convert_aaregex_to_pcre()
usage. One of the benefits to moving to C++ is the ability to use
std::strings, which dynamically resize themselves. While it's a large
patch, a non-trivial amount is due to needing to get a char * string
back out via the c_str() method.
The unit tests are modified to include checks to ensure that
convert_aaregex_to_pcre only appends to the passed pcre string,
it never resets it.
As the test case with overlong alternations added in the previous
patch now passes, the TODO status is removed from it.
(Note: there's a couple of FIXME comments related to converting typebuf
to std::string that are added by this patch that are addressed in the
next patch. I kept that conversion separate to try to reduce the size
of this patch a little.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds a test case with an extremely large set of alternations.
It is marked TODO, because it fails with the current parser due to
strings used in convert_aaregex_to_pcre() being limited to (roughly)
PATH_MAX.
While contrived, it is possible to have alternations that are longer
than PATH_MAX that always match paths that are shorter than PATH_MAX.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch adds more testcases around variables used in dbus rules.
In particular, it
- attempts to verify that variable expansion and alternation
expansion results in identical DFA blobs,
- tests that variables can be expanded within alternations,
- tests that alternations can occur in variable definitions, and
- that having alternations inside variable declarations that are
used inside alternations results in parsing success
Note that vars/vars_dbus_9.sd veers into stress test land, as the
combinatoric expansion results in over 1000 dbus rule entries being
generated, which means that DFA reduction on all the fields takes
noticeable amounts of time (around 1s on my i5 ivy-core laptop).
Patch history:
v1: initial version
v2: based on feedback:
- add more alternation tests for cases where only part of the
alternation is defined within a variable
- mark test with nested alternations as being successful now that
the patch that implements it was accepted
v3: based on feedback from cboltz:
- tst/simple_tests/vars/vars_dbus_9.sd: reference all variables
declared, including a variable that references another variable
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
equivalents. (v2)
This patch verifies basic alternation usage.
Patch history:
v1: initial revision
v2: mark nested alternation tests as passing, as it was deemed a bug
that the parser didn't support them.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-By: Christian Boltz <apparmor@cboltz.de>
This patch adds a test that verifies the parser considers an emty
character class regex as a parse arror.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-By: Christian Boltz <apparmor@cboltz.de>
Our simple language tests did not include any file deny rule tests. This
patch adds a few simple ones.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This conversion is nothing more than what is required to get it to
compile. Further improvements will come as the code is refactored.
Unfortunately due to C++ not supporting designated initializers, the auto
generation of af names needed to be reworked, and "netlink" and "unix"
domain socket keywords leaked in. Since these where going to be added in
separate patches I have not bothered to do the extra work to replace them
with a temporary place holder.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: merged with dbus changes and memory leak fixes]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
From: John Johansen <john.johansen@canonical.com>
let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed but some user keep tripping over
it, and it makes the language more symmetric
eg.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to
reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1218099
This patch adds support for expanding variables with dbus rules.
Specifically, they can expanded within the bus, name, path, member,
interface, and peer label fields.
Parser test cases and regression test cases are added as well.
Patch history:
v1: initial version of patch
v2: add equality.sh tests to verify that the results of using
variable expansion is the same as what should be equivalent rules
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
was addressed (however temporarily) in commit 2085.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Minimization was failing because it was too agressive. It was minimizing
as if there was only 1 accept condition. This allowed it to remove more
states but at the cost of loosing unique permission sets, they where
being combined into single commulative perms. This means that audit,
deny, xtrans, ... info on one path would be applied to all other paths
that it was combined with during minimization.
This means that we need to retain the unique accept states, not allowing
them to be combined into a single state. To do this we put each unique
permission set into its own partition at the start of minimization.
The states within a partition have the same permissions and can be combined
within the other states in the partition as the loss of unique path
information is will not result in a conflict.
This is similar to what perm hashing used to do but deny information is
still being correctly applied and carried.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The in x intersection consistency test for minimization was failing because
it was screening off the AA_MAY_EXEC permission before passing the exec
information to the consistency test fn. This resulted in the consistency
test fn not testing the consistency because it treated the permission set
as not having x permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the optional 'file' keyword to the language/grammer. The main reason
for doing this is to support false token injection. Which is needed
to move towards the parser being broken out into an api that can be
used to parse individual rule types, separate from parsing the whole file.
Since we are adding the token to the grammar expose it to userspace with
the 'file' keyword. While not needed it helps bring consistency, as all
the other rule types start with a keyword (capability, network, rlimit, ...).
Also allow the bare keyword to be used to represent allowing all file
operations, just as with network and capability. Domain transitions are
defaulted to ix. Thus
file,
is equivalent to
/** rwlkmix,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
The ability to set capabilities from a profile has been removed from the
kernel for several releases. Remove it from the parser as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Allow the capability rule to be bare to represent all capabilities similar
to how network, and other rule types work.
capability,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
'[[:alpha:]][[:alnum:]_]*' (i.e. a single alpha followed by any number
of alphanumerics or underscores). Unfortunately, the code that expends
variables inside a profile does not match this, it incorrectly matched
'([[:alpha:]]|_)+' (one or more alphas or underscores). This patch
corrects the behavior there as well as synchronizing the expected
variable names in the apparmor.d manpage and apparmor.vim syntax file.
It also adds unit tests and testcases to verify the behavior.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
x Permissions when specified as a the start of the rule had a differnt
meaning than when they appeared at the tail of a rule.
Specifically px,cx,ux were not treated as unsafe when they appeared at
the start of the rule.
px /foo,
instead of at the tail of the rule
/foo px,
the keyword unsafe had to be used to force the rule to cause the x transitio
to be its unsafe variant.
Fix leading permissions so that they are consistent with file rules that
use trailing permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Several of the x-trans tests where failing because of the include file was
bad. This kept the test from testing what it was supposed as the test
was expected to fail. Thus hidding a bug :(
Signed-off-by: John Johansen <john.johansen@canonical.com>
clean up profile parsing by merging profile and :namespace:profile parsing
into a single rule.
This also fixes a bug where the profile keyword was not allowed to proceed
profiles with a namespace declaration.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Change_profile was broken so that it couldn't parse expressions that
weren't path based or started with a variable. Furthermore if the name
held any expressions it was not hanlded correctly, as it was being passed
directly to dfa conversion without going through glob -> pcre conversion.
