This patch reverts commit 2131 which added support for the newer apache
2.4 ap_hook_check_access_ex() api, based on a report from Christian that
it broke apache's simple authentication.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
With the two recent unix socket test patches to mark dgram tests as
failing but expected to pass, I realized that there's no indication
in the output that there are current expected failures (except for
the single corefile test expected failure)[0]. This patch attempts to
remedy that by emitting the x-type plus the test description for each
test that is marked as such. I've set it to always emit these results.
[0] The test infrastructure does give an alert if there is a test that
has been marked xpass or xfail but has started behaving correctly.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
It's not been tracked down in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373172 why
this is happening, but the current unnamed unix socket dgram tests
are failing when only the server is confined, and the peer label is
given as only the confining profile (the stream and seqpacket dgram
tests/permissions don't seem to trigger this revalidation rejection).
Until this bug is diagnosed and addressed, mark these tests as failing
but expected to pass (i.e. 'xpass').
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
With the addition of the unix socket mediation and
corresponding tests, there are currently two tests that fail
in unix_socket_pathname.sh. These have been recorded as bugs
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373174 and
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176 but John
has not had time to investigate if these are legitimate bugs. The
following patch marks the tests as expecting to pass but currently
failing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently the apparmor parser warns about rules that are not enforced or
downgraded. This is a problem for distros that are not carrying the out of
tree kernel patches, as most profile loads result in warnings.
Change the behavior to not output a message unless a warn flag is passed.
This patch adds 2 different warn flags
--warn rule-downgraded # warn if a rule is downgraded
--warn rule-not-enforced # warn if a rule is not enforced at all
If the warnings are desired by default the flags can be set in the
parser.conf file.
v2 of patch
- update man page
- add --warn to usage statement
- make --quiet clear warn flags
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch:
- allows the unsupported rules to be stored when parsing profiles
- writes all the unsupported rules back to profile
Acked-by: Christian Boltz <apparmor@cboltz.de>
match groups.
Also split out RE_OWNER that matches the "owner" keyword.
To make the code easier to understand, I dropped the existing audit
variable and instead directly query the "new" audit variable while
filling path_rule['audit'].
Acked-by: Steve Beattie <steve@nxnw.org>
YaST still uses AppArmor.pm, and now errors out when starting the
profile editor because it doesn't know about signal, unix, ptrace and
dbus rules.
This patch adds basic support for those rules to AppArmor.pm by adding
them to the "ignore those rules" regex.
Note: Rules covered by this regex are lost when writing the profile
therefore the patch adds a comment to at least make this a "known bug".
References:https://bugzilla.novell.com/show_bug.cgi?id=900013
Acked-by: Steve Beattie <steve@nxnw.org>
BugLink: http://bugs.launchpad.net/bugs/1378091
The audit flags are not being set correctly by the parser so that
audit capability XXX,
will not result in an audit message being logged when the capability
is used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The following patch:
- creates a class for prompt questions moving away from Perl hash hack
for the purpose.
- moves some functions to the methods for that class
- fix options being incorrectly passed to questionPrompt in aa-mergeprof
Acked-by: Christian Boltz <apparmor@cboltz.de>
socket. Note, DBus mediation is still in effect so rules still need to be added
for accessing the DBus API (LP: #1375067)
Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
utils/test/runtests-py*.sh always exits with $? = 1 even if there is no
error. This is caused by the last executed command, test -n
This patch changes it to test -z so that we'll get $? = 0 if all tests
succeed.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugzilla.novell.com/show_bug.cgi?id=895495
We define the __unused macro as a shortcut for __attribute__((unused))
to quiet compiler warnings for functions where an argument is unused,
for whatever reason. However, on 64 bit architectures, older glibc's
bits/stat.h header defines an array variable with the name __unused
that collides with our macro and causes the parser to fail to build,
because the resulting macro expansion generates invalid C code.
This commit fixes the issue by removing the __unused macro where it's
not needed (mod_apparmor) and renaming it to 'unused' elsewhere. It also
in some instances reorders the arguments so that the unused macro
appears last consistently.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1339727
LightDM keeps moving the location where it stores xauthority files for
users, when configured to store them in a system directory (e.g. with
[LightDM]
user-authority-in-system-dir=true
set in a lightdm configuration file).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
BugLink: http://bugs.launchpad.net/bugs/1373085
The parser fails to accept certain characters, even when escaped
or quoted as part of the profile or label name in ipc rules. This
is due to the lexer not accepting those characters as part of the
input pattern.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(capability is one of the easiest rule types, so it's good as a start.)
The patch also adds basic support for rules containing more than one
capability, like
capability chown dac_override,
Note that this is just a pass-through mode (instead of complaining about
an invalid line). aa-logprof will happily add another "capability chown"
if it hits a log entry for it. (But: we never got a bugreport about not
supporting multi-capability lines, so I guess they are rarely used ;-)
I also added a parse_audit_allow() function to handle the audit and
allow/deny keywords. They are used in most rule types, which means we
can get rid of some duplicated code with this function.
Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now
has 5 instead of 4 match groups because of the added multi-capability
support.
While on it, I also improved the error message in setup_regex_tests()
to also show the rule that causes a problem.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/bugs/1375516
The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path. The getopt
permission is one of those socket operations.
To account for this lack of mediation, the getopt permission should be
removed from the server permissions list.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Iterate through the individual client and server AF_UNIX pathname
permissions and remove them, one-by-one, to verify that the test fails.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
The new file unix_socket.inc includes a generic set of tests that can be
reused by another test script in order to test unnamed AF_UNIX socket
mediation. The do_test() function is conditionalized in a way that it
can test confined servers and confined clients depending on the
arguments passed in.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket operations for testing getopt and setopt permissions
were occurring back to back. This patch breaks them up into "pre-bind"
and "post-bind" operations. The setopt operation now occurs pre-bind
while the getopt operation happens post-bind. This allows for the test
policy to test setopt without an addr= conditional and to test getopt
with an addr= conditional.
Additionally, the wrapper functions that call setsockopt()/getsockopt()
are moved into a new file that both unix_socket.c and
unix_socket_client.c can reuse.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client will now do a getsockname() on its socket in order to test
the AppArmor 'getattr' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The server will now do a shutdown() on its socket in order to test the
AppArmor 'shutdown' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Use the sendto()/recvfrom() functions when dealing with dgram sockets in
unix_socket_client.
This allows us to test different interfaces besides the typical
write()/read() and will allow for a smaller permissions set for
unix_socket_client.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket_client test program was using an abstract socket, which
was set up using the autobind feature, when testing any socket address
types.
To more accurately test a specific address type, this patch changes the
client code to use whatever address type that the server is using. The
string ".client" will be added to the end of the server's address.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Two weeks ago, I fixed various tests in minitools_test.py which also
included disabling the test if aa-complain deletes the force-complain
symlink because nothing (especially aa-complain) creates those symlinks.
Seth didn't like the removal of that test too much. Therefore this patch
"manually" creates the force-complain symlink and tests that it's removed
by aa-enforce.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently the parser is bailing when it fails to load a profile,
not processing any potential subsequent profiles in the dir or passed
in list. This results in all policy after the first error failing
to load, instead of just the profile(s) with the error.
This is a different behavior than what has been done by initscripts
that have driven it with xargs -n1, passing it a single profile
at a time.
Fix this so that the parser only exits on first error if specifically
told to do so.
Note: this does not fix the various failure points in the parser
that call exit, instead of returning an error.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>, thanks.
With the move to C++-ification of the parser, the parser's makefile was
not updated to take into account .cc files when deriving object files.
This would result in the final linking compilation of the parser binary
including all of the .cc files in its command line, rather than the ,o
files. This patch fixes the issue as well as an additional typo in the
dependency list for af_unix.o that was not triggered because af_unix.o
was not being built independently.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update unix_socket and unix_socket_client to use setsockopt() in order
to set send and receive timeouts for socket IO operations. This takes
the place of poll(). Poll() was not being used for all potentially
blocking socket operations which could have resulted in test cases
blocking infinitely.
This also has the nice side effect of using getsockopt() and
setsockopt(). These are AppArmor mediation points in kernel ABI v7 so it
is worthwhile to test the calls while under confinement.
This patch updates the existing v7 policy generation to allow the getopt
and setopt accesses.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
It is too complicated, due to the number of corner cases, to write a
script that generates the rules for each AF_UNIX address type (pathname,
abstract, and unnamed) and socket type (stream, dgram, and seqpacket).
This patch moves the AF_UNIX pathname tests into their own file with the
intent of having each address type be tested in their own file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Instead of using the entire sun_path buffer for abstract socket names,
only use the exact length of the string that is specified on the command
line. The nul-terminator is not included for abstract sockets.
The size of sun_path is modified to include the nul-terminator for
pathname address types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
