There are two distinct declarations of perms_t.
rule.h: typedef uint32_t perms_t
hfa.h: class perms_t
these definitions clash when the front end and backend share more info.
To avoid this rename rule.h to perm32_t, and move the definition into
perms.h and use it in struct aa_perms.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adds the corresponding `MS_NOSYMFOLLOW` flag to parser/mount.h as well,
defined as (1 << 8) just as in the util-linux and the kernel.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The post_process() method is misnamed, it fires when the profile is
finished parsing but fires before variable expansion. Rename it
to better reflect what it does and move the trigger code into
profile as a start of cleaning this stage up.
Also document the order the hooks fire in
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cleanup the parse code by making shared prefix and perms classes for
rules and convert rules to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Audit control support is going to be extended to support allowing
policy to which rules should quiet auditing. Update the frontend
internals to prepare for this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This delays the convertion of the audit flag until passing to the
backend. This is a step towards fix the parser front end so that it
doesn't use encoded permission mappings.
Note: the patch embedds the bool conversion into a struct to ensure
the compiler will fail to build unless every use is fixed. The
struct is removed in the following patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make mount permission set consistent with the other rule types. This
is a step towards refactoring.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Now that flag processing for mount rules with single option
conditionals are fixed e-enable multiple mount conditionals on a
single mount rule. The mount conditionals are equivalent to specifying
multiple rules.
mount options=(a,b,c) options=(c,d),
is the same as
mount options=(a,b,c),
mount options=(c,d),
and
mount options in (a,b,c) options in (c,d),
is the same as
mount options in (a,b,c),
mount options in (c,d),
when multiple options= and options in are combined in a single rule
it is the same as the cross product of the options.
where
mount options=(a,b,c) options in (d,e),
is a single rule.
mount options=(a,b,c) options=(d,e) options in (f),
is equivalent to
mount options=(a,b,c) options in (f),
mount options=(d,e) options in (f),
and while it is not recommended that multiple options= and options in
conditions be used in a single rule.
mount options=(a,b,c) options=(d,e) options in (f) options in (g),
is equivalent to
mount options=(a,b,c) options in (f),
mount options=(a,b,c) options in (g),
mount options=(d,e) options in (f),
mount options=(d,e) options in (g),
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed infinite loop in mnt_rule::gen_policy_re
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The combined optional flag and exact match flag processing is problematic
separate out the optional flag processing so it is only combined during
match string generation.
While doing so we fix the flag output so that multiple rules are
not output when they shouldn't be.
In addition we temporarily break multiple options= and 'options in'
conditionals in a single rule, which we will fix in a separate patch.
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- made tests happy by changing condition in gen_policy_re()
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Simplify flag masking and fix the MS_MAKE_CMDS flag set. This is a
step in fixing
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed MS_MAKE_CMDS definition to the correct one.
We shouldn't add (MS_ALL_FLAGS & ~(MNT_FLAGS)) to this bitmask.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Do a minimal code refactoring (ie. no functional changes, just moving
code,adding boiler plate and glue) in preparation to fix
bug https://bugs.launchpad.net/apparmor/+bug/1597017
Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017
Signed-off-by: John Johansen <john.johansen@canonical.com>
- rebased to bba1a023bf
- fixed compiler warnings:
<built-in>: In member function ‘int mnt_rule::gen_policy_new_mount(Profile&, int&, unsigned int, unsigned int)’:
<built-in>: note: by argument 1 of type ‘const char*’ to ‘long unsigned int __builtin_strlen(const char*)’ declared here
mount.cc:880:14: note: ‘class_mount_hdr’ declared here
880 | char class_mount_hdr[64];
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The warn_once() function is duplicated in 6 different places. A common,
reusable version has been added to parser_common.c.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
The parser is incorrectly screening off the bind flags on remount. The
following patch by Ash Wilson fixes this issue
BugLink: http://bugs.launchpad.net/bugs/1272028
Signed-off-by: Ash Wilson <smashwilson@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch restricts MS_REC to only be used while defining the MS_RBIND,
MS_RUNBINDABLE, MS_RPRIVATE, MS_RSLAVE, and MS_RSHARED macros.
The MS_R* macros are simply an OR of the corresponding non-recursive
macro and MS_REC:
#define MS_RBIND (MS_BIND | MS_REC)
Previously, a shortcut was taken when needing to specify the
non-recursive and recursive macros:
(MS_BIND | MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED | MS_REC)
By using MS_REC above, it is not immediately clear that
MS_R{BIND,UNBINDABLE,PRIVATE,SLAVE,SHARED} are also included.
By restricting the use of MS_REC, this patch improves readability by
forcing the use of the MS_R{BIND,UNBINDABLE,PRIVATE,SLAVE,SHARED} macros
instead of relying on the MS_REC shortcut.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The parser correctly rejects mount make-* options (make-shared,
make-slave, make-private, make-unbindable) when a device is specified
(the source argument of mount(2)). However, it was not rejecting the
recursive make-* options (make-rshared, make-rslave, make-rprivate,
make-runbindable) when a device was specified.
This patch adds the MS_REC bit, which is used to indicate a recursive
option, to the MS_CMDS macro. Without this change, the recursive options
are treated as normal mount options.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://bugzilla.novell.com/show_bug.cgi?id=895495
We define the __unused macro as a shortcut for __attribute__((unused))
to quiet compiler warnings for functions where an argument is unused,
for whatever reason. However, on 64 bit architectures, older glibc's
bits/stat.h header defines an array variable with the name __unused
that collides with our macro and causes the parser to fail to build,
because the resulting macro expansion generates invalid C code.
This commit fixes the issue by removing the __unused macro where it's
not needed (mod_apparmor) and renaming it to 'unused' elsewhere. It also
in some instances reorders the arguments so that the unused macro
appears last consistently.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This will simplify add new features as most of the code can reside in
its own class. There are still things to improve but its a start.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Remount should not be screening off the set of flags it is. They are
the set of flags that the kernel is masking out for make_type and
should not be used on remount. Instead just screen off the other cmds
that can have their own rules generated.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The changes are around how user data is handled.
1. permissions are mapped before data is matched
2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions
which allows data matching to continue.
3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
This allows better control over matching and auditing of data which can
be binary and should not be matched or audited
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
