apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
For now, only 'include if exists' rules will be handled by IncludeRule.
Using it also for 'include' rules needs some more code changes so that
included files still get checked etc.
Also remove some testcases from test-parser-simple-tests.py unknown_line
which no longer fail.
These classes are meant to handle 'include' and 'include if exists'
rules.
Due to restrictions in re_match_include_parse(), some cases in
is_covered_localvars() and is_equal_localvars() can't be reached in the
unittests.
Also, IncludeRule isn't used in aa-logprof (yet?), which means
logprof_header_localvars() result format isn't decided yet, and
therefore not tested.
This means test coverage for the new classes isn't 100% this time ;-)
LSM stacking adds the new /proc/<pid>/attr/apparmor directory
dedicated to apparmor so that it won't collide with other LSMs.
The library has already been switched to using this interface by
default, but the parser need to add permissions to access this
location when hats and/or change_profile rules are defined.
Also make sure to update the apache abstraction to support the new
interface as well.
Signed-off-by: John Johansen <john.johansen@canonical.com
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- extend RE_INCLUDE to also match "include if exists"
- rename re_match_include() to re_match_include_parse() and extend it to
also support "include if exists" rules. The return value also includes
"ismagic" now to avoid another future change, but that's not used yet.
- add re_match_include() which is now a wrapper around
re_match_include_parse() and behaves exactly as the old
re_match_include()
AppArmor 3 exposes kernel support for the kill and unconfined profile
modes. Make sure aa-status has basic support for these modes.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Processes that are confined by multiple profiles in a stack can have
more than one profile mode applied. Allow aa-status to report
processes that are in a mixed profile confinement mode.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Switch aa-status over to using the libapparmor proc accessor. This
will ensure that aa-status works correctly under LSM stacking kernels,
and if other new interfaces are added in the future.
Also at the same time switch over the splitting of context's to
the library provided aa_splitcon() fn.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Make aa-enabled able to distinguish being enabled and enabled without
access to the shared LSM iterfaces.
Signed-off-by: John Johansen <john.johansen@canonical.com>
With LSM stacking apparmor may be available even if it is not
enabled. If apparmor is available but not enabled it does not own
the /proc/<pid>/attr/* interface and should not use it as they
will not provide apparmor context.
Note: this also applies to the SO_PEERSEC interface, currently we
only fail is apparmor does not own the interface. Once the new interface
command is finalized supprt to use that will be added.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
LSM stacking makes the old /proc/<pid>/attr/* interfaces potentially
be shared such that the values returned might be for a different LSM
than apparmor.
Use the new apparmor dedicated interface at /proc/<pid>/attr/apparmor/*
if it is present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
libapparmor and the pyton tools now require python3 but on systems
where python2 is the default the build will fail unless the PYTHON=
env var is set to the systems python3.
Instead just force autoconf to search for python3 as the python
version to use.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This series adds a couple of patches to make the software more crosscompilation friendly. They are based on the work I'm doing to fix the package on buildroot
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485
Acked-by: John Johansen <john.johansen@canonical.com>
When libintl is available on the system, we need to link against the
libintl library too.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
In order to have all the prerequisite folders before actually installing
os dependent configuration files, we need to guarantee the correct
install sequence.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
If Swig builds the library against python 2 and the utils/tests
run using python3, parts of the library are in accesible with
failures like
Traceback (most recent call last):
File "test-pivot_root_parse.py", line 12, in <module>
import apparmor.aa as aa
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/aa.py", line 28, in <module>
import apparmor.logparser
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/logparser.py", line 19, in <module>
import LibAppArmor
ImportError: No module named LibAppArmor
Signed-off-by: John Johansen <john.johansen@canonical.com>
$ make check
will fail unless PYFLAKES=pyflakes3 is passed as an environment
variable. Fix it so make check will work by default.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The apparmor python tools are written assuming python3. But the tests
are still using python2. This can result in failures of the test suite
on some systems, depending on how libapparmor is built.
Eg. on Ubuntu 18.04
apparmor.git/utils$ PYTHON=/usr/bin/python3 make check PYFLAKES=/usr/bin/pyflakes3
LANG=C podchecker -warning -warning *.pod
aa-audit.pod pod syntax OK.
aa-autodep.pod pod syntax OK.
aa-cleanprof.pod pod syntax OK.
aa-complain.pod pod syntax OK.
aa-decode.pod pod syntax OK.
aa-disable.pod pod syntax OK.
aa-easyprof.pod pod syntax OK.
aa-enforce.pod pod syntax OK.
aa-genprof.pod pod syntax OK.
aa-logprof.pod pod syntax OK.
aa-mergeprof.pod pod syntax OK.
aa-notify.pod pod syntax OK.
aa-remove-unknown.pod pod syntax OK.
aa-sandbox.pod pod syntax OK.
aa-status.pod pod syntax OK.
aa-unconfined.pod pod syntax OK.
logprof.conf.pod pod syntax OK.
aa-notify syntax OK
Checking aa-easyprof
Checking aa-genprof
Checking aa-logprof
Checking aa-cleanprof
Checking aa-mergeprof
Checking aa-autodep
Checking aa-audit
Checking aa-complain
Checking aa-enforce
Checking aa-disable
Checking aa-status
Checking aa-unconfined
Checking apparmor
Checking test/common_test.py
Checking test/minitools_test.py
Checking test/test-aa-decode.py
Checking test/test-aa-easyprof.py
Checking test/test-aa.py
Checking test/test-aamode.py
Checking test/test-aare.py
Checking test/test-baserule.py
Checking test/test-capability.py
Checking test/test-change_profile.py
Checking test/test-common.py
Checking test/test-config.py
Checking test/test-dbus.py
Checking test/test-example.py
Checking test/test-file.py
Checking test/test-libapparmor-test_multi.py
Checking test/test-logparser.py
Checking test/test-mount_parse.py
Checking test/test-network.py
Checking test/test-parser-simple-tests.py
Checking test/test-pivot_root_parse.py
Checking test/test-profile-list.py
Checking test/test-profile-storage.py
Checking test/test-ptrace.py
Checking test/test-regex_matches.py
Checking test/test-rlimit.py
Checking test/test-severity.py
Checking test/test-signal.py
Checking test/test-translations.py
Checking test/test-unix_parse.py
make[1]: Entering directory '/home/jj/apparmor/apparmor-jjohansen.git/utils/test'
=== test-example.py ===
.......
----------------------------------------------------------------------
Ran 7 tests in 0.000s
OK
.......
----------------------------------------------------------------------
Ran 7 tests in 0.000s
OK
=== test-pivot_root_parse.py ===
Traceback (most recent call last):
File "test-pivot_root_parse.py", line 12, in <module>
import apparmor.aa as aa
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/aa.py", line 28, in <module>
import apparmor.logparser
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/logparser.py", line 19, in <module>
import LibAppArmor
ImportError: No module named LibAppArmor
Makefile:81: recipe for target 'check' failed
make[1]: *** [check] Error 1
make[1]: Leaving directory '/home/jj/apparmor/apparmor-jjohansen.git/utils/test'
Makefile:95: recipe for target 'check' failed
make: *** [check] Error 2
Signed-off-by: John Johansen <john.johansen@canonical.com>
This function was introduced as a temporary (ahem...) solution in 95404bb2f3 but was never really correct. It checked against other_value.regex (as a string!) and, while this was somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules than having a wrong match in is_covered() and miss to add/keep a rule that would be needed.
The perfect solution would be to really compare one AARE against the other as the parser does. I'm not too keen to implement this in python, and will wait until someone provides this function (which the parser already has) via libapparmor ;-)
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/478
Acked-by: John Johansen <john.johansen@canonical.com>
Only bool and str keys may be overwritten.
Other key types (list, dict, \*Ruleset) can have their content modified (not **setitem**()s job), but replacing the whole collection should never happen.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/476
Acked-by: John Johansen <john.johansen@canonical.com>
Only bool and str keys may be overwritten.
Other key types (list, dict, *Ruleset) can have their content modified
(not __setitem__()s job), but replacing the whole collection should
never happen.
This function was introduced as a temporary (ahem...) solution in
95404bb2f3 but was never really correct.
It checked against other_value.regex (as a string!) and, while this was
somewhat generous in the results, could have unintended side effects.
Better error out on the safe side and add/keep a few superfluous rules
than having a wrong match in is_covered() and miss to add/keep a rule
that would be needed.
The perfect solution would be to really compare one AARE against the
other as the parser does. I'm not too keen to implement this in python,
and will wait until someone provides this function (which the parser
already has) via libapparmor ;-)
