With trunk commit 2205 "use libapparmor's find mountpoint fn",
the parser now builds against and uses libapparmor at runtime. However,
it currently builds against the system installed libapparmor library and
header files, which fails if either aren't installed, and is thus
painful for bootstrapping in a new environment.
Instead, the parser, like pam_apparmor and mod_apparmor, should build
against the in-tree libapparmor header and library. This patch does
that and adjusts the tests to point LD_LIBRARY_PATH at the location
of the built library as well.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
$HOME/.config/fontconfig/conf.d/* and
$HOME/.config/fontconfig/fonts.conf
/etc/fonts/conf.d/50-user.conf:
<!--
Load per-user customization files where stored on XDG Base Directory
specification compliant places. it should be usually:
$HOME/.config/fontconfig/conf.d
$HOME/.config/fontconfig/fonts.conf
-->
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
abstractions/fonts should allow read access to those files:
From: Felix Geyer debfx@ubuntu.com
Acked-by: John Johansen <john.johansen@canonical.com>
cache files will be written out even if the '--skip-bad-cache' option
is given and the cached features file differs from the features of
the currently running kernel. The patch below fixes the regression.
From: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Fix Makefile to rebuild dbus object when yacc definitions change.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
With the conversion to c++, the use of void* pointers for the parser
interface buffers generates several warnings. This patch converts the
types from void* to u8* for the buffer pointers, to clean up those
warnings.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch is a very minor optimization to the search to determine
whether a given rule is an exact match or not. If a wildcard rule
(i.e. an inexact match) is discovered, exact_match is set to 0,
so we don't need to continue the tree traversal.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch fixes a few more parser memory leaks as identified by the
simple valgrind test script. These mostly occur during cleanup of
structs and classes and as such, don't represent very serious leaks
for common usages of the parser.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Our simple language tests did not include any file deny rule tests. This
patch adds a few simple ones.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The README in the parser directory was woefully out of date; this patch
updates the information to contain the current mail list, wiki, and bug
tracking locations.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes:-
2 rules covered by abstractions in smbd profile:
- /var/log/samba/cores/smbd/ rw and /var/log/samba/cores/smbd/** rw
are in abstractions/samba covered by /var/log/samba/cores/** rw
1 superfluous rule:
- /var/lib/samba/printers/** rw is covered by /var/lib/samba/** rwk
Acked-by: Steve Beattie <steve@nxnw.org>
An abstraction to grant the ability to query dconf settings. It does
not grant the ability to update or add settings, due to our current
inability to restrict where within the dconf hierarchy updates
can occur.
From: intrigeri <intrigeri@boum.org>
Acked-by: Steve Beattie <steve@nxnw.org>
From: Kshitij Gupta <kgupta8592@gmail.com>
This patch removes rules covered by abstractions in nscd profile:
- the network rules are in abstractions/nameservice
- @{PROC}/filesystems is in abstractions/base
- /{,var/}run/avahi-daemon/socket is in abstractions/nameservice
- /tmp/.winbindd/pipe and /var/lib/samba/winbindd_privileged/pipe are
in abstractions/winbind via abstractions/nameservice
Acked-by: Steve Beattie <steve@nxnw.org>
covered by abstractions:
- the network rules are in abstractions/nameservice
- /etc/gai.conf is also in abstractions/nameservice
- @{PROC}/sys/kernel/ngroups_max is in abstractions/base
Acked-by: Steve Beattie <steve@nxnw.org>
This patch addresses a bunch of the compiler string conversion warnings
that were introduced with the C++-ification patch.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Drop support for the old subdomainfs mountpoint and use the fn exported
by libapparmor.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
we are writing a new cache .features file the cache dir should be cleared
out.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Fix this and unify creation and use of cacheloc so that we can hopefully
avoid these bugs.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
--cache-loc= is specified. This results in using the .features file from
/etc/apparmor.d/cache or always recompiling policy.
The former case is particularly bad as the .features file in
/etc/apparmor.d/cache/ may not correspond to the file in the specified
cache location.
bug: launchpad.net/bugs/1229393
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This is a regression test to load a profile, query it from userspace
using aa_query_label(), and then verify the results.
The query interface is tested by the dbus mediation regression tests,
but this test helps in finding bugs specific to AppArmor, which may
possibly be caused by the parser, kernel, and/or libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
AppArmor dbus rules are split into two classes. The first is
(send receive) rules and the second in bind rules. When the parser was
creating its internal representation of dbus rules, it wasn't separating
the overlapping bitmasks for (send receive) perms and bind perms.
(send receive) perms are 0x06 and bind perms are 0x40. Here's the old
parser output for an audit dbus rule that has accept states for
(send receive) and for bind:
$ dbus="/t { audit dbus, }"
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 40/0/40/0)
{7} (0x 46/0/46/0)
The {3} state is the accept state for the bind perms. The {7} state is
the accept state for the (send receive) perms. Note that the bind perm
mask bled over into the (send receive) accept state's mask.
With this patch, the masks for the two accept states do not overlap:
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 40/0/40/0)
{7} (0x 6/0/6/0)
Additionally, this patch makes the rule creation for (send receive)
perms more strict to keep any future perm bits from unintentionally
slipping into the (send receive) accept states.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Rules that have the audit and deny modifiers are to be explicitly denied
and audited. However, accept states were incorrectly being generated
with the deny and quiet masks set. This resulted in actions being denied
but not audited.
Here's the old parser output for audit deny dbus and mount rules:
$ dbus="/t { audit deny dbus, }"
$ mount="/t { audit deny mount, }"
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 0/40/0/40)
{7} (0x 0/46/0/46)
$ $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{5} (0x 0/2/0/2)
With this patch, no accept states are generated which means that actions
will be denied and audited:
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
$ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
When using the deny rule modifier, accept states were not being
generated for dbus and mount rules. This means that the actions were
being denied, but it was not possible to quiet the auditing of the
actions.
The problem is that the deny and audit members of the dbus_entry and
mnt_entry structs were being used incorrectly. The deny member is a
boolean, not a bitmask. When the deny modifier is exclusively used in a
rule, the deny boolean should be true and the audit mask should be equal
to the perm mask.
Here's the old parser output for denied dbus and mount rules:
$ dbus="/t { deny dbus, }"
$ mount="/t { deny mount, }"
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
$ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
With this patch, the accept states are generated correctly with deny and
quiet masks:
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 0/40/0/40)
{7} (0x 0/46/0/46)
$ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{5} (0x 0/2/0/2)
https://launchpad.net/bugs/1226356
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Convert the codomain to a class, and the policy lists that store
codomains to stl containers instead of glibc twalk.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Merge with dbus changes and process_file_entries() cleanup]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
change_hat 1.4 was an experiement is more directly controlling change_hat
by adding hat rulles to the profile. It has not been used since the
original experiment (4 years). So remove it
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
remove old dead code that used to fail compilation if regular expressions
where detected in the rules and the apparmor kernel module did not support
regular expression matching.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This conversion is nothing more than what is required to get it to
compile. Further improvements will come as the code is refactored.
Unfortunately due to C++ not supporting designated initializers, the auto
generation of af names needed to be reworked, and "netlink" and "unix"
domain socket keywords leaked in. Since these where going to be added in
separate patches I have not bothered to do the extra work to replace them
with a temporary place holder.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: merged with dbus changes and memory leak fixes]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Remove use of AARE_DFA as the alternate pcre matching engine was removed
years ago.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
From: John Johansen <john.johansen@canonical.com>
let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed but some user keep tripping over
it, and it makes the language more symmetric
eg.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to
reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
example with LANG=pt_BR) because a regex relies on netstat output.
Enforce LANG=C to make sure aa-unconfined always sees the expected output.
Acked-by: Steve Beattie <steve@nxnw.org>
(The broken URLs were introduced in r1582.)
for utils/*.pod:
Acked-by: Steve Beattie <steve@nxnw.org>
for the other directories:
Patch by Steve Beattie
Acked-by: Christian Boltz <apparmor@cboltz.de>
Patch-Author: Stefan Seyfried <seife+obs@b1-systems.com>
After this change in ntp:
* Mo Aug 19 2013 crrodriguez@opensuse.org
- Build with -DOPENSSL_LOAD_CONF , ntp must respect and use
the system's openssl configuration.
we need to read openssl.cnf or starting of ntpd will fail silently(!)
Patch v2 by Christian Boltz: use abstractions/openssl instead of
allowing /etc/ssl/openssl.cnf directly
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The python bindings were using the wrong data type cast (long long
instead of just long) on the value '-1' that is used to indicate no
value for the 'fsuid' and 'ouid' fields in the returned data structure.
Thus a bunch of the tests were failing in 32bit environments.
This patch corrects the issue.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- Make indenting consistent
- Move common match + fn patterns into a single shared entry with mulitstate
headers
- add names table to convert lexer state #s to state names used in the code
- Create/use macros for common patterns of DUMP, DEBUG, return ...
this fixes a few places where preprocess or DEBUG output was not
available
- update RE patterns for bugs eg. {WS} inside a character class [] does
not match whitespace
all told despite adding code to provide better support to debug and
preprocessing, the code is about 150 lines shorter, and has few corner
cases cleaned up.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Added small fix for D-Bus parsing bug]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Removes an unnecessary variable, simplifies and unifies some of the loop
logic, and removes commented out code.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
When merging file entries in process_file_entries(), an error condition
can leave the entries list in a bad state which can cause invalid reads
and/or double frees when freeing the codomain and entries list memory.
The problem comes from the need to sort the entries linked list. An
array of pointers is created to represent the linked list, then the
array is sorted, then the linked list and the array coexist while the
entries are merged, then the linked list is reconstructed and the array
is freed. While the entries are being merged, an error condition can
occur and the function can return while the linked list is partially
modified.
The solution is to complete the sorting, reconstruct the linked list,
and free the array immediately. Once the linked list is in a good state,
the entries can be merged. Care is taken to adjust the linked list
pointers as entries are merged. An error condition can occur but the
linked list is always in a good state and proper cleanup can be
performed without any memory access issues.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
If a parser test case causes the parser to produce a core dump, the
simple.pl test runner incorrectly treats the test as a success.
This patch treats tests that cause core dumps as failures, even when the
tests are marked as #=TODO. The only way to ignore tests that fail in
this manner is with #=DISABLED.
Note that this patch changes the meaning of the $result variable.
Previously, it held a true or false status returned when closing the
apparmor_parser pipe. Now, it holds the exit status of apparmor_parser.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch fixes a few memory leaks found by valgrind. Most of these
occur in error cases and as such, are not a big deal. The dbus TOK_MODE
and flags TOK_CONDID leaks in parser_yacc.y are legitimate leaks,
if of very small amounts of memory.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch adds tests for the swig generated python library bindings
that reuse the C language tests.
Fitting it into autotools was a bit of a trick, and is likely pretty
brittle, as before the test script runs, it needs to know the location
of the built libapparmor.so library, the built _LibAppArmor.so library
and the python wrapper bits (thankfully, the latter two are the same
directory). It's also unclear how to get autotools to emit the output of
the test_python.py script when building, rather than just summarizing it
as one test run.
Also note that test_python.py is doing a bit of magic to automatically
generate test case methods based on the contents of the test_multi/
directory. This has the disadvantage of breaking tools like nosetests
and other external tools that try to automatically detect testcases.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch gives a more pythonish whitespace cleanup to the swig python
setup.py.in configuration file. It also updates the wiki url.
(That said, pep8 will still probably barf all over it.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch converts the C test program to only emit the basename(3) of
the test input file under consideration, rather than the entire path as
passed on the command line, and fixes up all the expected outputs to
match.
The reason to do this is to make it easier for other tools located
in other directories (e.g. under libapparmor/swig) to use these same
test cases with reduced special casing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch wraps the event record output cases in a macro, for
consistent generation.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This patch converts most of the fields to using the existing macros for
output, to make consistent and simplify the code a bit.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The test program didn't make use of the existing print_long() macro for
printing long values, which meant that they were always emitted for
every testcase. This patch makes them consistent with all the other
emitted fields and fixes up the expected output where they shouldn't be
emitted.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
