Instead of updating the profile name, allow a profile to have multiple
alternate names. Aliases are now added as alternate names and matched
through the xmatch dfa.
This will allow turning on and off various debug dumps as needed.
Multiple dump options can be specified as needed by using multiple
options.
eg. apparmor_parser -D variables
apparmor_parser -D dfa-tree -D dfa-simple-tree
The help option has also been updated to take an optional argument
to display help about give parameters, currently only dump is supported.
eg. apparmor_parser -h # standard help
apparmor_parser -h=dump # dump info about --dump options
Also Enable the dfa expression tree dumps
Change_profile was broken so that it couldn't parse expressions that
weren't path based or started with a variable. Furthermore if the name
held any expressions it was not hanlded correctly, as it was being passed
directly to dfa conversion without going through glob -> pcre conversion.
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
This causes the dfa engine to not strip trailing /
and to handle /*/ /**/ and /* and /** cases specially so that directories
don't get matched unintentionally
aare pcre
/foo/* -> /foo/[^/][^/]* so the dir /foo/ will not match the rule
/foo/** -> /foo/[^/].*
/*/foo -> /[^/][^/]*/foo so the rule won't match //foo
/**/foo -> /[^/].*/foo
rules that contain more than a * or ** between dir / elements do not
get converted, ie.
/foo*
/foo**
/foo*/
/foo**/
/*foo
/**foo
/*foo/
/**foo/
there is a known case where this patch is incomplete. When there
exists an alternation that can be empty and * or ** ie.
/{foo,}*
/{foo,*}
