This patch makes use of the htoleXX() functions (see endian(3))
defined as part of endian.h (already included in parser_interface.c),
instead of defining a function differently based on the detection of
endian related macros.
This fixes a build failure experienced on powerpc with John's patch
set applied. This patch has been updated with John's feedback to use
letoh16() in the le16_to_cpu() macro.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
alone when the labeling is not path dependent.
Some rules will not generate label entries, some will generate only
label entries and some will generate both label and path entries.
This is left to the particular rule encoding.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Using the parser timestamp was a work around to force recompilation of
policy that was built with a buggy parser. There are better ways to
handle this so remove checking of the parser timestamp.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This will allow for the parser to invalidate its caches separate of whether
the kernel policy version has changed. This can be desirable if a parser
bug is discovered, a new version the parser is shipped and we need to
force cache files to be regenerated.
Policy current stores a 32 bit version number in the header binary policy.
For newer policy (> v5 kernel abi) split this number into 3 separate
fields policy_version, parser_abi, kernel_abi.
If binary policy with a split version number is loaded to an older
kernel it will be correctly rejected as unsupported as those kernels
will see it as a none v5 version. For kernels that only support v5
policy on the kernel abi version is written.
The rules for policy versioning should be
policy_version:
Set by text policy language version. Parsers that don't understand
a specified version may fail, or drop rules they are unaware of.
parser_abi_version:
gets bumped when a userspace bug is discovered that requires policy be
recompiled. The policy version could be reset for each new kernel version
but since the parser needs to support multiple kernel versions tracking
this is extra work and should be avoided.
kernel_abi_version:
gets bumped when semantic changes need to be applied. Eg unix domain
sockets being mediated at connect.
the kernel abi version does not encapsulate all supported features.
As kernels could have different sets of patches supplied. Basic feature
support is determined by the policy_mediates() encoding in the policydb.
As such comparing cache features to kernel features is still needed
to determine if cached policy is best matched to the kernel.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Tag start of entries in the policydb as being mediated. This makes
the start state for any class being mediated be none 0. The kernel
can detect this to determine whether the parser expected mediation
for the class.
This is just a way of encoding what features expect mediation within
the policydb it self so that a separate table isn't needed.
This is also used to indicate the new unix semantics for mediation of
unix domain sockets on connect should be applied.
Note: this does cause a fail open on situation on Ubuntu Saucy, which
did not properly indicate support. That is if a kernel using this patch
is installed on an Ubuntu Saucy system, unix domain socket mediation
on connect won't happen, instead the older behavior will be applied.
This won't cause policy failures as it is less strict than what
Ubuntu Saucy applies.
This is necessary so that AppArmor can properly function on older
userspaces without a compile time configuration on the kernel to determine
behavior. A kernel expecting this behavior will function correctly
with all old userspaces expect it will not enforce connect time mediation
on Ubuntu Saucy. However Ubuntu does not support Trusty (or newer)
kernels as backports to Saucy, so this does not break them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This cleans things up a bit and fixes a bug where not all rules are
getting properly counted so that the addition of policy_mediation
rules fails to generate the policy dfa in some cases.
Because the policy dfa is being generated correctly now we need to
fix some tests to use the new -M flag to specify the expected features
set of the test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The features file patch broke detection of network support.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This is not the cleanup this code needs, but a quick hack to add the
-M flag so we can specify a feature file (or directory) to use for
the compile.
It mostly just moves around existing code and adds the -M option,
though it does introduce a few changes.
While I didn't do it in this patch I propose we drop support for
the match file without create support. This is several years old
now and would clean things up a lot.
Note: that the manually input -m or -M drop support for it already
I just can't see a good way to support a single input stream indicating
the result/existance of two separate files.
This needs more work but is needed to support tests and the policy_mediates
frame work depends on the policydb getting generated with the special
stub rules to indicate whether policy was compiled expecting a certain
feature. But this can break the current tests, at least once a bug
in the policy rule counting is fixed in a follow on patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- allow rw access to /var/cache/krb5rcache/*
- treat passdb.tdb.tmp as passdb.tdb
Patch from Lars Müller <lmuelle@suse.com>
References: https://bugzilla.novell.com/show_bug.cgi?id=870607
Acked-by: Steve Beattie <steve@nxnw.org>
Another issue with commit 2456 is that with older versions of glibc and
g++, a definition for SIZE_MAX was not being found; e.g. on Ubuntu 12.04
LTS and 12.10, the parser fails to compile with the following error:
g++ -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter -std=gnu++0x -D_GNU_SOURCE -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -DSUBDOMAIN_CONFDIR=\"/etc/apparmor\" -I../libraries/libapparmor//include -c -o lib.o lib.c
lib.c: In function 'int str_escseq(const char**, const char*)':
lib.c:292:32: error: 'SIZE_MAX' was not declared in this scope
The following patch addresses the issue by explicitly including the C stdint
header which contains the definition for SIZE_MAX.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Trunk commit 2456 broke the builds on i386 with the following compiler
error:
g++ -g -O2 -pipe -Wall -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter -std=gnu++0x -D_GNU_SOURCE -DPACKAGE=\"apparmor-parser\" -DLOCALEDIR=\"/usr/share/locale\" -DSUBDOMAIN_CONFDIR=\"/etc/apparmor\" -I../libraries/libapparmor//include -c -o lib.o lib.c
lib.c: In function 'int strn_escseq(const char**, const char*, size_t)':
lib.c:236:47: error: no matching function for call to 'min(long unsigned int, size_t&)'
tmp = strntol(*pos, &end, 8, 255, min(3ul, n));
^
This is due to size_t differing in size on i386 and amd64. The
following patch addresses the issue by casting the constant values
to size_t (and removing the ul suffix since the constant values are
getting cast anyway), satisfying C++'s types (and the patch removes
the unnecessary min macro).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Policy enforcement needs to be able to support older userspaces and
compilers that don't know about new features. The absence of a feature
in the policydb indicates that feature mediation is not present for
it.
We add stub rules, that provide a none 0 start state for features that
are supported at compile time. This can be used by the kernel to
indicate that it should enforce a given feature. This does not indicate
the feature is allowed, in an abscence of other rules for the feature
the feature will be denied.
Note: this will break the minimize tests when run with kernels that
support mount or dbus rules. A patch to specify these features to
the parser is needed to fix this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Fix the octal escape sequence that was broken, so that short escapes \0,
\00 \xa, didn't work and actually resulted in some encoding bugs.
Also we were missing support for the decimal # conversion \d123
Incorporate and update Steve Beattie's unit tests of escape sequences
patch
v2
- unify escape sequence processing, creating lib fns.
- address Steve Beattie's feedback
- incorporate Steve Beattie's feedback
v3
- address Seth's feedback
- add missing strn_escseq tests
- expand strn_escseq to take a 3rd parameter to allow specifying chars to
convert straight across. . eg "+" will cause it to convert \+ as +
- fix libapparmor/parse.y failed escape pass through to match processunqoted
Unit tests by Steve Beattie
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch separates pivot_root rules from mount rules, since the syntax
of the two types of rules is very different. It also documents the
missing "oldroot=" prefix required for the conditional corresponding to
the put_old parameter. Finally, it briefly describes pivot_root rules
and provides some examples.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This test attempts to clone itself in a new mount namespace, pivot root
into a new filesystem (ext2 disk image mounted over loopback), and then
verify that a profile transition, if one was specified in the pivot_root
rule, has properly occurred.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Make it more generic so that it can be shared with signals.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Yes its seems pointless because these will eventually get replaced by
stl. But until then
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Valgrind is offering complaints like the following when dealing with
profiles with mount rules:
==27919== Conditional jump or move depends on uninitialised value(s)
==27919== at 0x805CDC1: mnt_rule::mnt_rule(cond_entry*, char*, cond_entry*
==27919== by 0x805674E: do_mnt_rule(cond_entry*, char*, cond_entry*, char*
==27919== by 0x8057937: yyparse() (parser_yacc.y:1133)
==27919== by 0x8053916: process_profile(int, char const*) (parser_main.c:1
==27919== by 0x804B20E: main (parser_main.c:1340)
Doing this consistently with the other initializers for the mount
class instead:
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This will simplify add new features as most of the code can reside in
its own class. There are still things to improve but its a start.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/bugs/1295346
Add the ability to read and write path rules containing the file prefix.
This also includes bare "file," rules.
The ALL global is updated to include a preceding NUL char to eliminate
possibilities of a real file path colliding with the ALL global.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The mount.sh regression test script was not testing with actual AppArmor
mount rules. This patch improves mkprofile.pl by adding the ability to
generate mount rules and adds tests to mount.sh that verify mount
mediation is working properly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Fixed a couple typos and added fstype tests]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This updates the regression tests for v6 policy. It refactors the
required_features test into a have_features fn, and a new
requires_features fn (renamed to catch all instances make sure they
where right)
The have_features fn is then applied to several test to make them
conditionally apply based off of availability of the feature
and policy version.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
With the conversion of the python utils, aa-easyprof got added to the
list of tools to be installed (in /usr/sbin/), but is already installed
(in /usr/bin) by the python-tools-setup.py distutils script, leaving two
copies of the tool in place. This patch filters out aa-easyprof from the
list of tools for the makefile to install itself, leaving it to
(continue to) be installed by the distutils script.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The valgrind test script would happily chug along even if if valgrind
was not installed, not doing anything of use. This patch fixes that, and
offers up the ability to specify an alternate location for valgrind if
it does not exist in the usual /usr/bin location.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
\s is a new feature of GNU grep 2.6 (released on 2010-03-23) and
it does not work in older versions. By using [[:space:]] instead,
AppArmor can compile on systems with older versions of grep.
Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Acked-by: Steve Beattie <steve@nxnw.org>
This branch removes the deprecated/management subdirectory as the code
there has languished there for four years without interest. It then
drops excluding the deprecated/ tree from the toplevel tarball creation,
while adding a mechanism for adding back in exclusions to tar.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
After removing the tools that had lingered in the deprecated directory
for too long, don't exclude the deprecated/ subdirectory from tarball
creation, as SUSE needs access to the deprecated perl modules for YaST.
Add a make variable for adding back in exclusions if needed.
profile editor. They've been under the deprecated tree since Feb 2010,
and were placed there because they were already problematic to support.
No one has taken the mantle to resurrect support after 4 years, so
remove them from the tree entirely. (They will live on in the history,
if anyone does decide to resurrect them.)
This patch adds some simple tests of the capability regex in
apparmor/aa.py.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1294819
This patch as minimal support for bare capability rules ("capability,").
It prevents aa.py from emitting a traceback when encountering such a
rule.
It only adds the ability to parse and write the bare rule. It doesn't
attempt to be clever when deleting duplicate rules, such as realizing
that "capability audit_control," can be deleted if "capability," is also
present.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Bug: https://bugs.launchpad.net/bugs/1294825
This patch is inspired by sbeattie's patch to add limited dbus rule
support. It adds does very dumb parsing of mount rules. Basically, it
stores mount, remount, and umount rules as raw strings wrapped in a
class.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
On ppc64el platforms, the minimum swapfile size is 640KiB. Our swap
test aborts there because it creates a swapfile of size 512KiB. This
patch adjusts the size to 768KiB, to satisfy ppc64el and to try
to keep the size down for embedded and otherwise limited platforms
(e.g. phones).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Some kernels have CONFIG_SYSCALL_SYSCTL disabled, which is something to
be encouraged. This patch separates out the two different kind of sysctl
tests (syscall based and /proc/sys based) into separate shell functions,
and then checks to see that the test environment supports each before
invoking each shell function, issuing a warning (but not failing the
tests) if not available.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1294848
This patch fixes the testsuite for aa-easyprof when the easyprof
utilities and configuration files are not installed in the system.
What was happening was that verify_manifest was calling parse_args()
without the synthetic arguments created by the test case and passing
the result to AppArmorEasyProfile(). Because parse_args() didn't
have the synthetic arguments, it would parse the actual command line
arguments passed to the testscript, which of course didn't specify the
alternate configuration file location. This would work when easyprof
had been installed in the system, because the fallback configuration
file in /etc/apparmor/easyprof.conf would exist and specify template
and policy group locations. Without that, though, the tests would abort
due to not knowing the location of the templates and policy groups.
This patch fixes the issue by passing the synthetic argument list
to verify_manifest, which uses that when calling parse_args(). A
debugging statement that states which conffile is being used when
AppArmorEasyProfile is being instantiated.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
last_audit_entry_time() was waiting forever because
subprocess.check_output() started tail without any parameters.
Fixed by removing shell=True (default is shell=False).
Also fix the regex ("^.*", the dot was missing)
Acked-by: Steve Beattie <steve@nxnw.org>
The regression swap test attempts to activate a swap file in a
directory under where tmpdir is set in uservars.inc; if this is a
tmpfs filesystem, this will fail (it's kind of silly to create a
swap file on a tmpfs, a memory-backed filesystem). This patch adds a
check to the swap test script and skips the tests if it detects it's
on tmpfs and marks the test as a failure if the check fails.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
- added beginning of utils translations for Polish and Swedish
- Some rejiggering of existing utils translations; I don't think any
existing translations got lost, but there are new missing entries
- A whole bunch of comment updating for the parser translations
Acked-by: Steve Beattie <steve@nxnw.org>
It was never used, never supported, and we are doing it differently now.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
