While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't include the `<sys/socket.h>` header to make its declaration available. While this works on systems using glibc via transitive includes, it breaks compilation on musl libc.
Fix the issue by including the header.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/642
Acked-by: John Johansen <john.johansen@canonical.com>
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
With AppArmor release 3.0, a new function `aa_features_new_from_file`
was added, but not added to the list of public symbols. As a result,
it's not possible to make use of this function when linking against
libapparmor.so.
Fix the issue by adding it to the symbol map.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Add a basic tool for manipulating the apparmor features abi via
libapparmor. This serves as a basic tool and as an example of using
the library api.
Currently its function is limited to extracting the kernel feature
abi and loading a feature abi from a file and then outputting it.
In the future it will pick up the ability to verify the feature
abi, and merge feature abis.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/613
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Note that the log doesn't include enough information for EXEC MODE and
EXEC COND, therefore aa-logprof will always propose ALL as EXEC COND
(comm= might give a hint about EXEC COND, but isn't good enough).
With the added support in aa-logprof, remove the changeprofile tests
from the known-failing list in test-libapparmor-test_multi.py.
Also add another test log (from darix) / expected profile to the
libapparmor testsuite.
Nobody told the tools that log events with operation="symlink" exist. Add this keyword to the list of file or network operations (I don't expect network symlinks ;-) but keeping everything in that list makes things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/107
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/587
Acked-by: John Johansen <john.johansen@canonical.com>
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
The hashing of the feature set is wrong because it is hashing the
whole feature structure instead of just the feature string.
This results in the refcount and hash field becoming part of the
hash and the feature string not being completely hashed as the
bytes of the refcount and hash field are being counted
as part of the string length when the hash is taken.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/583
Reported-by: Samuele Pedroni <samuele.pedroni@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
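The failure mode described in the commit above, reproduced as an added example (not libapparmor's code). The struct layout, the function names, the FNV-1a hash and the feature strings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: bookkeeping fields, then the feature string. */
struct features { unsigned int refcount; uint32_t hash; char string[64]; };

/* FNV-1a, a stand-in; the hash libapparmor uses is not shown on the page. */
static uint32_t fnv1a(const void *data, size_t len)
{
	const unsigned char *p = data;
	uint32_t h = 2166136261u;
	for (size_t i = 0; i < len; i++)
		h = (h ^ p[i]) * 16777619u;
	return h;
}

/* Bug: hashing starts at the struct, so refcount and hash are mixed in
 * and the last bytes of the string are never reached. */
static uint32_t hash_buggy(const struct features *f)
{
	return fnv1a(f, strlen(f->string));
}

/* Fix: hash exactly the bytes of the feature string. */
static uint32_t hash_fixed(const struct features *f)
{
	return fnv1a(f->string, strlen(f->string));
}

/* Build a zeroed record holding string s (constructed sample data). */
static struct features make(const char *s, unsigned int refcount)
{
	struct features f;
	memset(&f, 0, sizeof(f));
	f.refcount = refcount;
	snprintf(f.string, sizeof(f.string), "%s", s);
	return f;
}

int main(void)
{
	struct features a = make("policy {versions {v7}}", 1);
	struct features b = make("policy {versions {v7}}", 2); /* extra reference */
	struct features c = make("policy {versions {v8}}", 1); /* different set */
	printf("buggy: a=%08x b=%08x c=%08x\n", hash_buggy(&a), hash_buggy(&b), hash_buggy(&c));
	printf("fixed: a=%08x b=%08x c=%08x\n", hash_fixed(&a), hash_fixed(&b), hash_fixed(&c));
	return 0;
}
```

With the buggy variant, taking a reference changes the hash of an unchanged feature set, while two feature sets that differ only near the end of the string collide.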
Currently features doesn't provide a way to query a features
value. So add an api to extract the value string of a feature.
The value string returned is a raw text value and may contain
leading spaces, etc that the caller may need to be aware of.
Signed-off-by: John Johansen <john.johansen@canonical.com>
PDEBUG is defined away when debug isn't configured in the build, this
hides the bad format string and argument.
Fix this and make sure we can still have the debug output that was
supposed to be printed.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
```
private.c: In function ‘_aa_is_blacklisted’:
private.c:140:35: warning: comparison of integer expressions of different signedness: ‘long int’ and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
140 | found - name + suffix->len == name_len ) {
| ^~
private.c: In function ‘readdirfd’:
private.c:352:16: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ssize_t’ {aka ‘long int’} [-Wsign-compare]
352 | for (i = 0; i < n; ) {
| ^
private.c:378:17: warning: comparison of integer expressions of different signedness: ‘size_t’ {aka ‘long unsigned int’} and ‘ssize_t’ {aka ‘long int’} [-Wsign-compare]
378 | for (i = 0; i < n; i++)
| ^
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The len parameter returns a value that correlates to a getsockopt
parameter which is typed to socklen_t which is an unsigned int.
This technically changes the fn() api but old code using this is
already broken if the getsockopt parameter is large enough to overflow
the value.
In reality what is returned shouldn't ever be negative and the value
should never be large enough to trip the overflow. This is just
cleaning up a corner case.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
```
kernel.c: In function ‘aa_getpeercon_raw’:
kernel.c:823:14: warning: comparison of integer expressions of different signedness: ‘socklen_t’ {aka ‘unsigned int’} and ‘int’ [-Wsign-compare]
823 | if (optlen < *len) {
| ^
kernel.c: In function ‘query_label’:
kernel.c:966:10: warning: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Wsign-compare]
966 | if (ret != size) {
| ^~
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/561
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
```
libaalogparse.c: In function 'hex_to_string':
libaalogparse.c:144:16: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
144 | for (i = 0; i < len; i++) {
| ^
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/558
Acked-by: John Johansen <john.johansen@canonical.com>
Following up on !549, this patchset unifies most of the compiler warnings settings to use EXTRA_WARNINGS as newly defined in `common/Make.rules` and then adds the `-Wimplicit-fallthrough` compiler warning to the default set.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/551
Acked-by: John Johansen <john.johansen@canonical.com>
```
libaalogparse.c: In function 'hex_to_string':
libaalogparse.c:144:16: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
144 | for (i = 0; i < len; i++) {
| ^
```
`i` gets used/changed as counter variable in the for loop and only gets
increased (starting at 0), so making it an (unsigned) size_t should be
safe.
Add basic support for policy to specify a feature abi. Under the
current implementation the first feature abi specified will be
used as the policy abi for the entire profile.
If no feature abi is defined before rules are processed then the
default policy abi will be used.
If multiple feature abi rules are encountered and the specified
abi is different then a warning will be issued, and the initial abi
will continue to be used. The ability to support multiple policy
feature abis during a compile will be added in a future patch.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Define EXTRA_WARNINGS in the common/Make.rules helper so that adding
additional warnings can be done in one(-ish) location, and replace
locally defined C compiler warning flags with EXTRA_WARNINGS in most
locations in the build tree.
v2: issue a warning for any compiler option that the compiler does not
support
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
asprintf(3) returns a signed int, so storing the result in a size_t
and then comparing that stored value against -1 is not such a good idea.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/549
Move suggested bug reporting from launchpad to gitlab
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
With LSM stacking apparmor may be available even if it is not
enabled. If apparmor is available but not enabled it does not own
the /proc/<pid>/attr/* interface and should not use it as they
will not provide apparmor context.
Note: this also applies to the SO_PEERSEC interface, currently we
only fail if apparmor does not own the interface. Once the new interface
command is finalized support to use that will be added.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
LSM stacking makes the old /proc/<pid>/attr/* interfaces potentially
be shared such that the values returned might be for a different LSM
than apparmor.
Use the new apparmor dedicated interface at /proc/<pid>/attr/apparmor/*
if it is present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
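The interface selection described in the two LSM stacking commits above, sketched as an added example (not libapparmor's code). The helper name `pick_attr_path` and its `procroot` parameter are hypothetical; `procroot` exists so the logic can be run against a constructed directory tree.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper: write the path of <attr> for <pid> into buf.
 * Returns 1 for the AppArmor-only interface, 0 for the shared legacy
 * interface, -1 if neither exists or buf is too small.
 */
static int pick_attr_path(const char *procroot, pid_t pid, const char *attr,
			  char *buf, size_t len)
{
	struct stat st;
	int n;

	/* Dedicated interface: values here always belong to AppArmor. */
	n = snprintf(buf, len, "%s/%ld/attr/apparmor/%s", procroot, (long)pid, attr);
	if (n < 0 || (size_t)n >= len)
		return -1;
	if (stat(buf, &st) == 0 && S_ISREG(st.st_mode))
		return 1;

	/* Legacy interface: under stacking it may belong to another LSM,
	 * so the caller must first confirm that AppArmor is enabled. */
	n = snprintf(buf, len, "%s/%ld/attr/%s", procroot, (long)pid, attr);
	if (n < 0 || (size_t)n >= len)
		return -1;
	if (stat(buf, &st) == 0 && S_ISREG(st.st_mode))
		return 0;
	return -1;
}

int main(void)
{
	char path[256];
	int which = pick_attr_path("/proc", getpid(), "current", path, sizeof(path));

	if (which < 0) {
		puts("no attr interface found");
		return 1;
	}
	printf("%s (%s)\n", path, which ? "apparmor-only" : "shared legacy");
	return 0;
}
```

A return value of 0 is the case the first commit warns about: the value read from the shared path is only an AppArmor context if AppArmor is enabled and owns that interface.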
libapparmor and the python tools now require python3 but on systems
where python2 is the default the build will fail unless the PYTHON=
env var is set to the system's python3.
Instead just force autoconf to search for python3 as the python
version to use.
Signed-off-by: John Johansen <john.johansen@canonical.com>
If Swig builds the library against python 2 and the utils/tests
run using python3, parts of the library are inaccessible with
failures like
```
Traceback (most recent call last):
File "test-pivot_root_parse.py", line 12, in <module>
import apparmor.aa as aa
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/aa.py", line 28, in <module>
import apparmor.logparser
File "/home/jj/apparmor/apparmor-jjohansen.git/utils/apparmor/logparser.py", line 19, in <module>
import LibAppArmor
ImportError: No module named LibAppArmor
```
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch fixes a couple of nitpicks that I encountered packaging apparmor for buildroot:
1. In a cross-compiling environment, python executable cannot be trusted for getting the python settings because it is generally compiled for the host. For this reason, we should rely on target python-config.
2. Setup.py for libapparmor swig bindings is always called without taking into account the discovered settings from ac_python_devel.m4
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/462
When crosscompiling, setup.py should be called passing the settings
discovered by ac_python_devel.m4 and not using the default system
settings.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
In a crosscompiling environment it's common to have a python executable
running for the host system with a python-config reporting the host
configuration and a second python-config reporting the target configuration.
In such cases, relying on the default python-config is wrong and breaks
the cross compilation.
This patch adds a PYTHON_CONFIG variable that can be pointed to the second
python-config and fixes the rest of the m4 accordingly.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
The library version must be consistent across releases. Since 2.13.4
and master use the same library version it needs to be updated.
Signed-off-by: John Johansen <john.johansen@canonical.com>
logparser.py: don't error out on exec events without target
See merge request apparmor/apparmor!405
Acked-by: John Johansen <john.johansen@canonical.com>
Improve readability by being explicit about the value to use when the
conditional evaluates to true.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: John Johansen <john.johansen@canonical.com>
- in complain mode, exec events include target=...
- in enforce mode, the log message doesn't include target=...
Note that the utils tests skip exec events (they'd be interactive),
therefore exec*.profile doesn't contain an exec rule.
convert_regexp() needs to escape '(' and ')' in filenames taken from a
logfile to get rid of their special meaning, and to avoid a crash on
unbalanced parenthesis (which makes the regex invalid if they are not
escaped).
Note: The added tests include an example log line, but the tests themselves
don't/didn't trigger the crash because they don't call convert_regexp().
Fixes: https://bugs.launchpad.net/bugs/1835311
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcase_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
```
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
```
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
When building with swig 4 we are seeing the error
AttributeError: 'aa_log_record' object has no attribute '__getattr__'
Which forces swig to use modern classes which do not generate __getattr__
methods.
issue: https://gitlab.com/apparmor/apparmor/issues/33
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
In logparser.py parse_event_for_tree, convert path handling to hashlog.
While on it, include 'owner' as part of hashlog so that aa.py doesn't
need to guess.
Also switch to a simple for loop instead of using log_str_to_mode() from
aamode.py to convert denied_mask to hasher keys (which would have been
needed to allow merging of several log events for the same path anyway).
Note that the check for 'mrawlk' (intentionally without 'x') is more
strict than the validate_log_mode(), but it should still cover all file
permissions. (validate_log_mode() also allows things like 'Px', which
we'll never hit in a logfile.)
In aa.py collapse_log() update the handling of path events to match the
additional [owner] key in hashlog/prelog. This makes the owner detection
in collapse_log() superfluous.
In aa.py handle_children(), remove 'path' handling from the 'path' or
'exec' section, and add an 'if True:' to avoid lots of whitespace
changes.
In aamode.py, drop the now unused split_mode() function, and
AA_OTHER_REMOVE() that was only used by split_mode().
Finally, remove sample log events with null-* hats from the list of
known failures in test-libapparmor-test_multi.py (we no longer filter
out null-* hats), and fix whitespace in two expected profiles.
- Code layout based on aa-genprof example
- Extend Python dependencies to cover new need by aa-notify
- Update documentation after aa-notify is no longer in Perl
Add some tests with the complex profile name (including alternations and
wildcards) to ensure we don't break such cases in the future.
These tests are based on the log from the (invalid) bugreport
https://gitlab.com/apparmor/apparmor/issues/26