aa-eventd and its initscripts have been moved to deprecated/ in 2014 and
didn't get any serious updates for several more years, so it's most
probably useless and/or broken nowadays.
This also means we don't need to keep the AA_EV_BIN and AA_EV_PIDFILE
variables in rc.apparmor.functions anymore.
The apparmor kernel "module" has not been a loadable module for more
than a decade, it must be built into the kernel and due configuration
requirements it will never go back to being a loadable module.
Remove the long unfunctioning load_module support from the init script.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/257
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: seth.arnold@canonical.com
Elaborate in class comment of firstpos, lastpos, followpos, and nullable
fields beyond just referencing the Dragon book. Also add the section of
the book these are explained in.
If a test is marked as TODO, but matches its EXRESULT, this means the
TODO is superfluous and (probably) a change fixed what the TODO was for.
Instead of more or less ignoring such superfluous TODOs, error out to
make the change visible instantly.
Both result in "superfluous TODO" (for unknown reason), but fail after
removing the TODO.
Disable the tests until we find out why they have this strange
behaviour, to unblock merging the "error out on superfluous TODO" patch.
Remove TODO notes from no-longer-failing tests
See merge request apparmor/apparmor!180
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: intrigeri <intrigeri@debian.org>
Imported from the Debian/Ubuntu packaging. We need this function so that
Debian/Ubuntu can switch to using this shell library instead of their own code.
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The handling for quotedid checked for the first quote but failed
to ensure the trailing quote was present.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
We can reduce the INCLUDE/INCLUDE_EXISTS code dup by using a
variable for whether the name was enclosed by '<' and using
processid() to handle the whether the id is quoted or not.
In addition using processid allows include names to contain
escaoe sequences like \n and have them handled correctly.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
We can reduce code duplication by checking the current state to
determine the single parameter difference between include and
include if exists
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently if stdin is used the warning
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
is always displayed but if caching has been disabled there is no need for
this message.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The hardcoded paths for flex and python can break builds on systems
where those tools are stored in an alternate location. Use which
to lookup where flex and bison are available.
This fixes issue #4
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of printing the (useless) numbers of no-longer-failing tests
marked as TODO, let `prove` print out the actual test names.
A side effect is that really unfixed TODOs and disabled tests get
printed (lists about 10 tests), but that's much better than having to
hunt down the no-longer-failing TODOs.
This change will print out lines like (the first one is still a TODO,
the second one got fixed at some time)
```
not ok 71447 - TODO: ./simple_tests//vars/vars_profile_name_13.sd: reference variables that are the profile name and attachment # TODO Unfixed testcase.
ok 71448 - TODO: ./simple_tests//vars/vars_profile_name_14.sd: reference variables in rules that also have alternations # TODO Unfixed testcase.
```
before printing the test summary.
Without this, the system-wide parser.conf gets used, which causes test
failures if for example caching is enabled and the cache dir isn't
writeable for the user running the tests.
Using stdin with --write-cache set results in
# apparmor_parser --show-cache --write-cache
Cache: added primary location '/var/cache/apparmor'
Warnung aus stdin (Zeile 1): Cache: added readonly location '/usr/share/apparmor/cache'
Warnung aus stdin (Zeile 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Cache miss: stdin
Wrote cache: /var/cache/apparmor/9b2cd0d0.0/(null)
The "Wrote cache:" message is referencing a null value and should not
be displayed.
BugLink: http://bugs.launchpad.net/bugs/1787717
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Timeout
The caching tests will fail if a warning is thrown. Some setups may
not have a parser config file in the default location which results
in the warning
config file '/etc/apparmor/parser.conf' not found
which causes the tests to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/175
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Requiring --config-file to be first in the option list is not user
friendly fix the option parsing so that --config-file can be specified
anywhere in the option list.
This also fixes a bug where even when the --config-file option is
first the option parsing fails because the detection logic is broken
for some option cases.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/175
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
To help avoid the duplicate option problem in the future sort and group
the config options using numbers at the end of the option table.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/173
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Unfortunately both --config-file and --compile-features are using
139 to indicate the feature which breaks one or the other depending
on how the switch state that processes the options is compiled.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/173
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
After the config file patch was committed to 2.13 a couple of
improvements were suggested by intrigeri and cboltz. These have
been done as a separate patch so they can be applied to both
dev and 2.13.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/170
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The compiler is spitting out the warning
parser_main.c:1291:16: warning: ISO C++ forbids converting a string constant to 'char*' [-Wwrite-strings]
char *tmp = "/var/cache/apparmor";
fix this by constifying the cacheloc array.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser config file can affect the parsers behavior during tests.
Allow overriding the default location with the option
--config-file=
the option must be the first option in the commands argument list.
Also provile a
--print-config-file
option to display what the parser is using for a config file.
BugLink: http://bugs.launchpad.net/bugs/1277711
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Let's not store a bunch of automatically generated binary files in /etc.
AppArmor 3.0 will store the cache in /var/cache and most distros
(openSUSE, Debian, and soon Ubuntu) moved it there already.
Bug-Debian: https://bugs.debian.org/904637
'case OPTION_OFILE' missed the 'break', which means if did fallthrough
to the default case.
Adding the 'break' means no longer executing another PERROR, and no
longer executing the 'exit(1)' in the default branch.
References: coverity #55994
The initial apparmor.service assumed the profile cache is in
/var/lib/apparmor/ which was an openSUSE-specific path that was chosen
for historical reasons, but was far from perfect.
In the meantime, the profile cache moved to /var/cache/apparmor/ and the
read-only/packaged version was added in /usr/share/apparmor/cache/
This commit adjusts apparmor.service to use these paths.
The POSIX standard never defines the typedefs `comparison_fn_t` and
`__free_fn_t`, but they are provided by glibc and user in the parsing
code. Provide the typedefs ourselves to fix compiling on musl based
systems.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
Split the features file into compile features and kernel features
which is needed for policy versioning and the new caching scheme.
A new flag --kernel-features was added to set the kernel features but
unfortunately -M, --features-file was setup to only specify the
compile features, when it used to effectively specify both the
compile and kernel features.
This broke existing uses of -M.
Fix this by having -M specify both the compile and kernel features,
and a new flag --compile-features that can be used to specify the
compile fature set separate from the kernel feature set.
sbeattie> fixed up error message to refer to compile features when
--compile-features argument fails.
Fixes: 9e48a5da5e ("parser: split kernel features from compile features.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/104
The parser currently uses a fork model to do job processing. For
consistency even when the number of jobs is set to 1 a single
work process is forked. However this makes using gdb more difficult
and can be even worse for other debugging tools.
Make -j 0 disable all job spawning so all processing happens in the
main process.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/105
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
