On (terribly, but real-world) slow buid hosts, running test-logprof.py
fails with a timeout. Increase the timeout so that even those build
hosts get enough time to finish the aa-logprof tests.
Add support for specifying the path prefix used when attach disconnected
is specified.
TODO: add regression tests
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/661
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add support for specifying the path prefix used when attach disconnected
is specified. The kernel supports prepending a different value than
/ when a path is disconnected. Expose through a profile flag.
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and a simple test for a single (fake) event for ping.
Notes:
- to let aa-logprof work in the CI environment, we need to skip checking
for the AppArmor mountpoint. Introduce --no-check-mountpoint for this.
- PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when
starting aa-logprof via subprocess.Popen()
- if the test runs with coverage enabled, it will also start aa-logprof
with coverage (parameters copied from Makefile).
Speaking about coverage - this test adds 4% overall coverage, and 10%
more coverage for apparmor/aa.py.
Add support for the prompt profile flag. That allows policy to do an upcall to userspace if supported by the kernel and if a userspace daemon is available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1062
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add a json_log option (default: disabled) to logprof.conf that enables
logging of all aa-logprof and aa-genprof input and output to a
/tmp/aa-jsonlog-* file.
This can be useful for debugging, and maybe also to create tests that do
a full aa-logprof run.
This patch introduces a minor behaviour change if aa-logprof errors out
on startup (for example if the config file is broken or the parser can't
be found):
Before:
```
$ aa-logprof --json
{"dialog": "apparmor-json-version","data": "2.12"}
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
After:
```
$ aa-logprof --json
ERROR: Can't find apparmor_parser at /sbin/apparmor_parser
```
Note that the json version line will not be printed if aa-logprof or
aa-genprof error out that early.
If there are no startup errors, the behaviour will not change.
Allowing access to a debug flag can greatly improve policy debugging.
This is different than the debug mode of old, that was removed. It only
will trigger additional messages to the kernel ring buffer, not
the audit log, and it does not change mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like
mount slave /snap/bin/** -> /**,
mount /snap/bin/** -> /**,
would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.
1. If kernel mount flags were present on the rule. The error would
be caught causing an error to be returned, causing profile compilation
to fail.
2. If the rule did not contain explicit flags then rule would generate
change_mount_type permissions based on souly the mount point. And
the implied set of flags. However this is incorrect as it should
not generate change_mount permissions for this type of rule. Not
only does it ignore the source/device type condition but it
generates permissions that were never intended.
When used in combination with a deny prefix this overly broad
rule can result in almost all mount rules being denied, as the
denial takes priority over the allow mount rules.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1014
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
When a user choooses to execute to a named profile (not: named child),
make sure to get the profile filename in the correct way to avoid a
crash.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314
Update (most of the) code and inline comments/docstrings to follow
https://peps.python.org/pep-0008/ so that future maintenance is slightly
easier.
Continue to keep long lines as splitting them does not always improve
the code readability.
Probably thanks to O_MAYEXEC, denials for file access can now contain a
mix of x (exec) and other file permissions.
The actual exec should appear in a separate "exec" log event, therefore
ignore 'x' in file events for now if it's mixed with other permissions.
Note that file events ("open", "link" etc.) that contain denied_mask="x"
without another permission will still cause an error. (So far, this
hasn't been seen in the wild.)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303
Also add the log line from the bugreport and the (for now) expected
result as test_multi testcase.
These tests contains incompatible mount options and broken
after ("parser: add conflicting flags check for options= conditionals")
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
If the "operation" field is not present, we get the following error:
AttributeError: 'NoneType' object has no attribute 'startswith'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... by returning early if there's nothing to do.
The main improvement is more readable code, but there should also be a
minor performance improvement.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/955
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Based on what was done in the parser, replicate the logic
so it can be used in the python tools.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This MR closes#286.
Strings with only invalid escape sequences were prefixed with an `r`. Strings containing both valid and invalid escape sequences were handled on a case-by-case basis, as simply changing to a raw string breaks valid escape sequences.
Closes#286
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/951
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This closes#277 by introducing the following changes:
1. `BaseRule` was made a "proper" abstract base class in that it now enforces that subclasses implement all abstract methods.
2. As a consequence of this change, `BaseRule` can no longer be directly instantiated; tests were changed accordingly.
3. These test changes led to test failures, the reason being that many rule methods hardcoded class names, breaking inheritance. I made a commit to address this.
4. Once tests were passing, code coverage regressed due to the fact that there was now effectively-unreachable code in abstract instance methods. This code, which was only raising `NotImplementedError`s, was removed. I say "effectively-unreachable" here because it could be reached by calling `super()` via a subclass.
5. There are three "bonus" commits as well; one bug fix, one typo fix, and one cleanup.
Closes#277
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/930
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
