Commit graph

3021 commits

Author SHA1 Message Date
Christian Boltz
f1c86e2486 Convert RE_PROFILE_BARE_FILE_ENTRY and the code using it to named
match groups. 

Also split out RE_OWNER that matches the "owner" keyword.

To make the code easier to understand, I dropped the existing audit
variable and instead directly query the "new" audit variable while 
filling path_rule['audit'].


Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-08 12:31:56 +02:00
Christian Boltz
3b5bede154 AppArmor.pm: add basic support for signal, unix, ptrace and dbus rules
YaST still uses AppArmor.pm, and now errors out when starting the 
profile editor because it doesn't know about signal, unix, ptrace and 
dbus rules.

This patch adds basic support for those rules to AppArmor.pm by adding 
them to the "ignore those rules" regex.

Note: Rules covered by this regex are lost when writing the profile;
therefore the patch adds a comment to at least make this a "known bug".

References: https://bugzilla.novell.com/show_bug.cgi?id=900013


Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-07 22:27:58 +02:00
John Johansen
44d2e9dacf fix: auditing of capabilities
BugLink: http://bugs.launchpad.net/bugs/1378091

The audit flags are not being set correctly by the parser so that

  audit capability XXX,

will not result in an audit message being logged when the capability
is used.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-07 12:50:23 -07:00
Kshitij Gupta
52cd4835e2 Refactor prompts in utils.
The following patch:
- creates a class for prompt questions moving away from Perl hash hack
for the purpose.
- moves some functions to the methods for that class
- fix options being incorrectly passed to questionPrompt in aa-mergeprof

Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-07 18:36:01 +05:30
Jamie Strandboge
6c5efcc5ea Update gnome abstraction to allow unix connections to dbus-vfs-daemon abstract
socket. Note, DBus mediation is still in effect so rules still need to be added
for accessing the DBus API (LP: #1375067)


Acked-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-10-06 14:06:23 -05:00
Christian Boltz
d00f01d0a8 ntpd on openSUSE Factory needs another location for the pid file.
References: https://bugzilla.novell.com/show_bug.cgi?id=899746


Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-10-06 19:57:46 +02:00
Christian Boltz
ed1e2f3321 fix utils/test/runtests-py*.sh exitcode
utils/test/runtests-py*.sh always exits with $? = 1 even if there is no 
error. This is caused by the last executed command, test -n

This patch changes it to test -z so that we'll get $? = 0 if all tests 
succeed.


Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-10-03 11:48:21 +02:00
Steve Beattie
a44b6ce0a2 C tools: rename __unused macro to unused
Bug: https://bugzilla.novell.com/show_bug.cgi?id=895495

We define the __unused macro as a shortcut for __attribute__((unused))
to quiet compiler warnings for functions where an argument is unused,
for whatever reason. However, on 64 bit architectures, older glibc's
bits/stat.h header defines an array variable with the name __unused
that collides with our macro and causes the parser to fail to build,
because the resulting macro expansion generates invalid C code.

This commit fixes the issue by removing the __unused macro where it's
not needed (mod_apparmor) and renaming it to 'unused' elsewhere. It also
in some instances reorders the arguments so that the unused macro
appears last consistently.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2014-10-02 12:58:54 -07:00
Steve Beattie
ce70c84f5c X abstraction: adjust for LightDM xauthority location
Bug: https://bugs.launchpad.net/bugs/1339727

LightDM keeps moving the location where it stores xauthority files for
users, when configured to store them in a system directory (e.g. with

  [LightDM]
  user-authority-in-system-dir=true

set in a lightdm configuration file).

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-10-02 11:06:05 -07:00
John Johansen
655b1534e7 Parser: fix error when using regex profile names in IPC rules
BugLink: http://bugs.launchpad.net/bugs/1373085

The parser fails to accept certain characters, even when escaped
or quoted as part of the profile or label name in ipc rules. This
is due to the lexer not accepting those characters as part of the
input pattern.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-01 15:54:30 -07:00
Christian Boltz
95994ed64a convert RE_PROFILE_CAP in aa.py and the code using it to named match groups
(capability is one of the easiest rule types, so it's good as a start.)

The patch also adds basic support for rules containing more than one 
capability, like
    capability chown dac_override,
Note that this is just a pass-through mode (instead of complaining about 
an invalid line). aa-logprof will happily add another "capability chown" 
if it hits a log entry for it. (But: we never got a bugreport about not 
supporting multi-capability lines, so I guess they are rarely used ;-)

I also added a parse_audit_allow() function to handle the audit and 
allow/deny keywords. They are used in most rule types, which means we 
can get rid of some duplicated code with this function.


Finally, update utils/test/test-regex_matches.py - RE_PROFILE_CAP now 
has 5 instead of 4 match groups because of the added multi-capability 
support.

While on it, I also improved the error message in setup_regex_tests()
to also show the rule that causes a problem.


Acked-by: Steve Beattie <steve@nxnw.org>
2014-10-01 21:45:22 +02:00
Tyler Hicks
bcb1cd750e tests: getopt is not required for bound AF_UNIX pathname sockets
Bug: https://bugs.launchpad.net/bugs/1375516

The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path. The getopt
permission is one of those socket operations.

To account for this lack of mediation, the getopt permission should be
removed from the server permissions list.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-30 19:00:32 -05:00
Tyler Hicks
7bf0c15ef8 tests: Add unnamed socket tests
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-30 12:00:10 -05:00
Tyler Hicks
85db44b586 tests: Add negative tests for missing individual AF_UNIX pathname perms
Iterate through the individual client and server AF_UNIX pathname
permissions and remove them, one-by-one, to verify that the test fails.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-30 11:34:42 -05:00
Tyler Hicks
84b6f98007 tests: Separate client and server AF_UNIX pathname permissions
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-30 11:34:32 -05:00
Tyler Hicks
0262f44eb7 tests: Add abstract socket tests
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.

The new file unix_socket.inc includes a generic set of tests that can be
reused by another test script in order to test unnamed AF_UNIX socket
mediation. The do_test() function is conditionalized in a way that it
can test confined servers and confined clients depending on the
arguments passed in.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:49:13 -05:00
Tyler Hicks
2b22c70e74 tests: Break up unix_socket getopt and setopt operations
The unix_socket operations for testing getopt and setopt permissions
were occurring back to back. This patch breaks them up into "pre-bind"
and "post-bind" operations. The setopt operation now occurs pre-bind
while the getopt operation happens post-bind. This allows for the test
policy to test setopt without an addr= conditional and to test getopt
with an addr= conditional.

Additionally, the wrapper functions that call setsockopt()/getsockopt()
are moved into a new file that both unix_socket.c and
unix_socket_client.c can reuse.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:48:27 -05:00
Tyler Hicks
3368c9bc40 tests: Test the getattr permission in unix_socket_client
The client will now do a getsockname() on its socket in order to test
the AppArmor 'getattr' unix rule permission.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:47:53 -05:00
Tyler Hicks
48a755d471 tests: Test the shutdown permission in unix_socket
The server will now do a shutdown() on its socket in order to test the
AppArmor 'shutdown' unix rule permission.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:47:42 -05:00
Tyler Hicks
12b09ecd9e tests: Don't call connect() for connectionless sockets
Use the sendto()/recvfrom() functions when dealing with dgram sockets in
unix_socket_client.

This allows us to test different interfaces besides the typical
write()/read() and will allow for a smaller permissions set for
unix_socket_client.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:47:36 -05:00
Tyler Hicks
f31b44ff2d tests: Don't use autobinding in unix_socket_client
The unix_socket_client test program was using an abstract socket, which
was set up using the autobind feature, when testing any socket address
types.

To more accurately test a specific address type, this patch changes the
client code to use whatever address type that the server is using. The
string ".client" will be added to the end of the server's address.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-29 18:47:14 -05:00
Christian Boltz
deaa692aa2 test if aa-enforce removes force-complain symlinks
Two weeks ago, I fixed various tests in minitools_test.py which also 
included disabling the test if aa-complain deletes the force-complain 
symlink because nothing (especially aa-complain) creates those symlinks.

Seth didn't like the removal of that test too much. Therefore this patch
"manually" creates the force-complain symlink and tests that it's removed
by aa-enforce.


Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-26 22:03:14 +02:00
Seth Arnold
ce2abf01d5 Simon Deziel 2014-09-25 abstractions/freedesktop.org: Allow reading /usr/share/applications/defaults.list
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-25 17:47:18 -07:00
Simon Deziel
1d867ae7ba abstractions/freedesktop.org: Allow reading /usr/share/applications/defaults.list
This is required at least by Pidgin's profile and it seems harmless
to allow looking at its content.
2014-09-25 19:45:11 -04:00
Christian Boltz
3d902d57fc dovecot profile improvements:
- usr.lib.dovecot.auth needs /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- usr.lib.dovecot.imap requests block_suspend, which I propose to deny as usual

Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-26 00:37:14 +02:00
Jamie Strandboge
1842767cf3 add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881) 2014-09-24 15:26:38 -05:00
John Johansen
9e93e6eaf5 fix: if the apparmor parser fails to load the cache try rebuilding
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-23 14:33:54 -07:00
John Johansen
8fb91c8e9d fix: Make the parser behave the same as when driven with xargs -n1
Currently the parser is bailing when it fails to load a profile,
not processing any potential subsequent profiles in the dir or passed
in list. This results in all policy after the first error failing
to load, instead of just the profile(s) with the error.

This is a different behavior than what has been done by initscripts
that have driven it with xargs -n1, passing it a single profile
at a time.

Fix this so that the parser only exits on first error if specifically
told to do so.

Note: this does not fix the various failure points in the parser
that call exit, instead of returning an error.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>, thanks.
2014-09-23 14:24:40 -07:00
Steve Beattie
8b030e8877 Merge launchpad translations:
- updated utils templates for named string parameters
- parser Malay strings update
2014-09-23 09:18:21 -07:00
Steve Beattie
297716d7e7 parser: fix partial compilation of C++ files
With the move to C++-ification of the parser, the parser's makefile was
not updated to take into account .cc files when deriving object files.
This would result in the final linking compilation of the parser binary
including all of the .cc files in its command line, rather than the .o
files. This patch fixes the issue as well as an additional typo in the
dependency list for af_unix.o that was not triggered because af_unix.o
was not being built independently.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-23 07:54:04 -07:00
Tyler Hicks
862bbb91eb tests: Migrate unix_socket tests from poll to sock IO timeouts
Update unix_socket and unix_socket_client to use setsockopt() in order
to set send and receive timeouts for socket IO operations. This takes
the place of poll(). Poll() was not being used for all potentially
blocking socket operations which could have resulted in test cases
blocking infinitely.

This also has the nice side effect of using getsockopt() and
setsockopt(). These are AppArmor mediation points in kernel ABI v7 so it
is worthwhile to test the calls while under confinement.

This patch updates the existing v7 policy generation to allow the getopt
and setopt accesses.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 18:17:09 -05:00
Tyler Hicks
9e385d86c9 tests: Update unix_socket_pathname.sh socket tests for v7
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 18:16:52 -05:00
Tyler Hicks
5153701317 tests: Revert to grouping AF_UNIX tests into addr type specific scripts
It is too complicated, due to the number of corner cases, to write a
script that generates the rules for each AF_UNIX address type (pathname,
abstract, and unnamed) and socket type (stream, dgram, and seqpacket).

This patch moves the AF_UNIX pathname tests into their own file with the
intent of having each address type be tested in their own file.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 18:16:15 -05:00
Tyler Hicks
3fb09b20f2 tests: Fix socket addr lengths in unix_socket/unix_socket_client
Instead of using the entire sun_path buffer for abstract socket names,
only use the exact length of the string that is specified on the command
line. The nul-terminator is not included for abstract sockets.

The size of sun_path is modified to include the nul-terminator for
pathname address types.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 18:15:01 -05:00
Tyler Hicks
eea15ce54b tests: Exit with error from unix_client if execl() fails
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 18:14:38 -05:00
Christian Boltz
0daaaca946 Make the profile parsing regexes in aa.py easier to read by splitting
out common parts (like audit and deny flags or the typical end of the
line (comma and comment)).

The patch also introduces the named match groups <audit>, <allow> and
<comment> which we can start to use whenever we want. The group
numbering is kept unchanged, so we can migrate one regex / rule type
after the other to named groups (not only audit, allow and comments, but
changing all regexes will be another patch ;-)

As a side effect, fix RE_PROFILE_CHANGE_PROFILE, RE_PROFILE_ALIAS and
RE_PROFILE_RLIMIT which did not allow ",   #" (comma, space, comment) at
the end of the line.


Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
2014-09-22 23:41:54 +02:00
Steve Beattie
bd681b8977 parser: tests: exercise local and peer addr perms
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-22 11:36:14 -05:00
Tyler Hicks
a154d14f5a parser: Sync parser and man page regarding local and peer perms
This patch updates the parser code to reject rules that contain local
socket permissions and peer conditional elements. The error message for
that condition is also corrected to resolve a copy and paste mistake
from the D-Bus rule parsing code.

The patch also updates the man page to correctly describe the two sets
of socket permissions and fixes an example rule that resulted in a
parser error after the change described above.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-22 11:34:32 -05:00
John Johansen
ffa2f682ea Do not output local permissions for rules that have peer_conditionals
while it is not possible to specify a rule with local conditionals with
peer conditionals
eg.
   unix listen peer=(addr=@foo),

a rule such as
   unix peer=(addr=@foo),

is possible, and was setting all permissions for local as well as the peer
condition permissions.

Currently this means the create permission must be specified in a separate
rule from a rule with a peer= condition, if create is to be allowed. This
isn't too much of an issue but it does mean a rule such as
  unix connect peer=(addr=@foo),

Can not imply the ability to create a socket. Which may indeed be the
behavior if we wish to enforce that the socket was created in another
process and passed in. Is this what we want to do?

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2014-09-22 11:33:49 -05:00
Launchpad Translations on behalf of apparmor-dev
0a01abf370 Launchpad automatic translations update. 2014-09-22 05:56:12 +00:00
Launchpad Translations on behalf of apparmor-dev
c32681a236 Launchpad automatic translations update. 2014-09-21 05:45:25 +00:00
Seth Arnold
01b754b24d Support subuids for useradd, patch from Fabian Grünbichler
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761994
2014-09-18 15:03:49 -07:00
Steve Beattie
1519d46325 tests: fix socketpair tests for added af_unix crosscheck
The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.

The following patch adjusts the failing tests to include the necessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2014-09-18 12:04:29 -07:00
Christian Boltz
f22496cdac abstractions/php: allow access to /etc/php5/**.ini
Based on a patch from Felix Geyer who wrote in April:
> On Ubuntu trusty the php package creates config symlinks in
> /etc/php5/cli/conf.d/, /etc/php5/cgi/conf.d/ and
> /etc/php5/fpm/conf.d/ to /etc/php5/mods-available/.

This patch is a simplified version of his patch that allows 
/etc/php5/**.ini r and /etc/php5/**/ r

Acked-by: Seth Arnold <seth.arnold@canonical.com> on IRC
(after menacing an Acked-by: <timeout>)
2014-09-16 21:44:48 +02:00
Jamie Strandboge
5def2f5693 update Ubuntu-specific abstractions/ubuntu-helpers for unix mediation
Acked-By: Jamie Strandboge <jamie@canonical.com>
2014-09-15 16:18:51 -05:00
Steve Beattie
08bc0441d4 Due to wanting to support additional external apparmor python modules,
both real [0] and hypothetical (e.g. gui prototypes), as part of
the python utils merge, some namespace packaging bits were added
to apparmor/__init__.py, based on the (not very clear) advice given
in python's pep 0420 [1]. However, a side effect of this is that it
causes system installed versions of python modules to be used over
paths specified via PYTHONPATH [2], which breaks our in-tree tests
when the system versions of the python modules are out of date with
respect to the in-tree version.

It seems based on testing, however, that carrying this code snippet
is no longer necessary to have external modules be found. Thus,
the following patch drops it.

[0] e.g. https://launchpad.net/click-apparmor
[1] http://www.python.org/dev/peps/pep-0420/
[2] a python upstream discussion about this occurred at
    https://mail.python.org/pipermail/distutils-sig/2014-March/024049.html

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-09-15 12:18:16 -07:00
Steve Beattie
c48d7dc71f manpages: incorporate podchecker; fix errors and (most) warnings
This patch adds a 'check_pod_files' make target to the common make
rules, and then fixes the errors it highlighted as well as most of
the warnings. It will cause 'make check' in most of the directories to
fail if there are errors in a pod file (but not if there are warnings).

Common issues were:

  - using an '=over/=back' pair for code-like snippets that did not
    contain any =items therein; the =over keyword is intended for
    indenting lists of =item entries, and generates a warning if
    there isn't any.

  - not escaping '<' or '>'

  - blank lines that contained spaces or tabs

The second -warnings flag passed to podchecker is to add additional
warnings, un-escaped '<' and '>' being one of them.

I did not fix all of the warnings in apparmor.d.pod, as I have not come
up with a good warning-free way to express the BNF of the language
similar in format to what is currently generated. The existing
libapparmor warnings (complaints about duplicate =item definition
names) are actually a result of passing the second -warnings flag.
The integration into libapparmor is suboptimal due to automake's
expectation that there will be a test driver program(s) for make check
targets; that's why I added the podchecker call to the manpage
generation point.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
---
 changehat/mod_apparmor/Makefile         |    3 
 changehat/mod_apparmor/mod_apparmor.pod |   28 ++-
 common/Make.rules                       |    4 
 libraries/libapparmor/doc/Makefile.am   |    7 
 parser/Makefile                         |    2 
 parser/apparmor.d.pod                   |  275 +++++++++++++-------------------
 utils/Makefile                          |    3 
 utils/aa-cleanprof.pod                  |    2 
 utils/aa-complain.pod                   |    2 
 utils/aa-decode.pod                     |    2 
 utils/aa-easyprof.pod                   |   69 +++-----
 utils/aa-enforce.pod                    |    2 
 utils/aa-genprof.pod                    |    2 
 utils/aa-logprof.pod                    |    6 
 utils/aa-sandbox.pod                    |   64 ++-----
 utils/logprof.conf.pod                  |    2 
 utils/vim/Makefile                      |    2 
 17 files changed, 212 insertions(+), 263 deletions(-)
2014-09-15 11:30:47 -07:00
Launchpad Translations on behalf of apparmor-dev
f4b5811109 Launchpad automatic translations update. 2014-09-15 06:03:21 +00:00
Kshitij Gupta
b7ff639d73 Fix warnings generated due to unnamed arguments in translatable strings.
This patch:
- replaces unnamed arguments with named arguments wherever more than
one argument was present in a message
- minor fix in aa-unconfined for pname argument in 2 strings
- updated pot files (as a side-effect of testing with make)

Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-09-14 23:47:00 +05:30
Christian Boltz
bc06f9f23a various fixes for utils/test/minitools_test.py:
- test_audit: fix error message
- test_complain: replace "aa-complain -r" with aa-enforce (we removed 
  the -r flag from aa-complain)
- test_complain: disable checks for force-complain symlinks, 
  aa-complain doesn't create them

Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
2014-09-14 17:27:01 +02:00