Steve Beattie
c0275d06eb
Fix up some dependencies in parser_misc.c's unit test build.
2008-04-16 16:27:23 +00:00
Steve Beattie
e41a326ef5
Add a flag so that 'make check V=1' will turn on verbose output.
2008-04-16 16:09:36 +00:00
John Johansen
ee03760c1d
disable named transition conversion to cx. Needs to be reworked
2008-04-16 08:48:06 +00:00
John Johansen
11f925abba
fix named transition, enable cx to imply transition to local profile, without having to specify name
2008-04-16 06:54:51 +00:00
John Johansen
015df061e3
Named transition - but disabled due to a bug
2008-04-16 04:45:02 +00:00
John Johansen
db34aac811
Basis for named transitions
2008-04-16 04:44:21 +00:00
John Johansen
051a3f8c01
add missing parser_alias.c + fix parameter bug in parser.h
2008-04-11 17:43:22 +00:00
Steve Beattie
666a8ec51b
Fix up prototype error.
2008-04-10 22:24:35 +00:00
John Johansen
16b5a26306
update for ptrace rules
2008-04-09 23:56:31 +00:00
John Johansen
4dd0e8ead8
allow for ptrace rules
2008-04-09 09:04:08 +00:00
John Johansen
78590d1823
allow for simple alias rules
2008-04-09 09:03:17 +00:00
John Johansen
b742da7751
allow <= to be used instead of subset in link rules
2008-04-09 09:02:51 +00:00
John Johansen
add2b93657
update interface version
2008-04-08 20:30:06 +00:00
John Johansen
aba82ff427
reject rlimit cpu in the parser
2008-04-07 04:26:02 +00:00
John Johansen
831f2e252c
add missing tests
2008-04-06 18:57:05 +00:00
John Johansen
ecf6b55baf
let a profile control a task's rlimits
2008-04-06 18:55:46 +00:00
John Johansen
34f2c96700
let a profile set a task's caps, similar to fscaps
2008-04-06 18:55:27 +00:00
John Johansen
13e04a9f02
update of unattached profile to require profile keyword
2008-04-06 18:54:52 +00:00
John Johansen
d4c9f0ad0c
recommit namespace update to use :namespace:
2008-04-06 18:53:59 +00:00
John Johansen
c460dcc52f
update change_hats rules to generate rules for all hats
2008-04-06 18:52:47 +00:00
John Johansen
5f5aeee472
Allow for profiles without attachment, i.e. they don't begin with /

currently profile names cannot collide with file modes nor with
keywords
2008-04-05 05:47:49 +00:00
John Johansen
bbd31c70a1
change namespaces to use the :namespace: format
2008-04-05 05:46:06 +00:00
John Johansen
74152bbd9d
Add the implicit change_hat rules for hats in the profile.

Allow external hats by declaring them in the profile via
^hatname,
e.g.
  /foo {
    ^local_hat {
    }
    ^external_hat,
  }
  /foo//external_hat {
  }
2008-04-05 05:44:44 +00:00
John Johansen
ec08477129
fix typo on typename in cast bug
2008-04-05 04:57:51 +00:00
John Johansen
a3c0753b89
Add Audit control to AppArmor through the use of audit and deny
keywords. Deny is also used to subtract permissions from the
profile's permission set.

The audit keyword can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
e.g.
  audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
  audit /etc/shadow w,
  /etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not force an audit message.

audit can also be used in block form instead of prepending audit
to every rule.
  audit {
    /bin/foo rw,
    /etc/shadow w,
  }
  /etc/shadow r, # don't audit r access to /etc/shadow

The deny keyword can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things:
- it gives AppArmor the ability to remember what has been denied
  so that the tools don't prompt for what has been denied in
  previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
  accumulate in the deny set just as allow permissions accumulate;
  then the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
  is to quiet known rejects so that audit logs are not flooded
  with already known rejects. To have known rejects logged, prepend
  the audit keyword to the deny rule. Deny rules do not have a
  block form.
e.g.
  deny /foo/bar rw,
  audit deny /etc/shadow w,
  audit {
    deny owner /blah w,
    deny other /foo w,
    deny /etc/shadow w,
  }
2008-03-13 17:39:03 +00:00
John Johansen
36ad7de2c5
Add the ability to specify link subset test on a link pair, and
fix a bug where link pairs could get improperly merged.
2008-03-13 16:49:10 +00:00
John Johansen
d2eeef8291
extend the flags in preparation for audit control
2008-03-13 16:46:53 +00:00
John Johansen
814773b2e1
Update the parser to emit a 0 to separate pairs in the dfa.

This was always the intended behavior and fixes a bug where
the dfa will match change profile rules using // separator.
2008-03-13 16:46:19 +00:00
John Johansen
486bb79ef7
merge over r1088 - Add description of append, lock and network rules to the man page
2008-02-19 10:19:28 +00:00
John Johansen
92977daf75
merge over change from 1082 - update parser .spec change log
2008-02-19 10:18:12 +00:00
John Johansen
482b8741b7
fix init script so that it doesn't result in a regex with a null alternation, i.e. |apparmor
2008-01-03 23:21:07 +00:00
John Johansen
e9fd1d8fc1
update init functions to work with the apparmor module being builtin to the kernel
2008-01-03 22:27:20 +00:00
John Johansen
5b758f9dad
fix bug where parser wasn't properly merging link rules, when a link pair was specified
2007-12-20 12:58:59 +00:00
John Johansen
edda8c2604
add owner parser tests
2007-12-20 12:58:16 +00:00
John Johansen
ace86e6d01
fix overlapping x modifiers perm computation
2007-12-20 12:56:50 +00:00
John Johansen
65e2c09be1
remove dead code
2007-12-20 12:55:27 +00:00
John Johansen
97dbaa02cb
change from U:G:O syntax to owner syntax and remove group permission
2007-11-29 18:06:53 +00:00
John Johansen
4ce25448af
allow specifying link permissions as a pair
2007-11-16 09:37:31 +00:00
John Johansen
398102afa8
old style link compatibility
2007-11-16 09:36:42 +00:00
John Johansen
0e5484ce77
fix change profile
2007-11-16 09:36:19 +00:00
John Johansen
638535d650
exec modes per U:G:O
2007-11-16 09:35:57 +00:00
John Johansen
ec639bc82c
user:group:any permissions
2007-11-16 09:35:31 +00:00
John Johansen
e601767e03
simple cleanup
2007-11-16 09:34:53 +00:00
John Johansen
40c3686041
remove old netdomain syntax
2007-11-16 09:34:01 +00:00
John Johansen
50284e8aad
autogenerate the capability names file
2007-11-16 09:32:38 +00:00
John Johansen
c841a140b3
make the use of flags= optional
2007-11-16 09:31:33 +00:00
John Johansen
999e291acc
factor use of id and varid into single token
2007-11-16 09:30:08 +00:00
John Johansen
20d5d20855
tests for pix exec mode
2007-11-16 09:28:30 +00:00
John Johansen
230b04231c
add pix transition mode
2007-11-16 09:27:34 +00:00
John Johansen
92a569fdb3
profile namespace tests
2007-11-16 09:22:49 +00:00