mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser
History
Tyler Hicks 8901b3e835 parser: Preserve unknown profiles when restarting apparmor init/job/unit 
CVE-2017-6507

https://launchpad.net/bugs/1668892

The common AppArmor 'restart' code used by some init scripts, upstart
jobs, and/or systemd units contained functionality that is no longer
appropriate to retain. Any profiles not found /etc/apparmor.d/ were
assumed to be obsolete and were unloaded. That behavior became
problematic now that there's a growing number of projects that maintain
their own internal set of AppArmor profiles outside of /etc/apparmor.d/.
It resulted in the AppArmor 'restart' code leaving some important
processes running unconfined. A couple examples are profiles managed by
LXD and Docker.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2017-03-24 05:06:07 +00:00
..
libapparmor_re parser: Fix delete after new[] -- patch from Oleg Strikov <oleg.strikov@gmail.com> 2017-03-21 12:09:59 -07:00
po translations: fix up msgfmt warnings 2016-05-24 13:08:06 -07:00
tst Fix: make sure overlapping safe and unsafe exec rules conflict 2016-06-02 22:24:22 -07:00
af_rule.cc parser: fix more gcc 5 compilation problems 2015-02-26 14:55:13 -08:00
af_rule.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
af_unix.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
af_unix.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
apparmor.d.pod Fix 'alias' rule description in apparmor.d manpage 2016-11-16 20:38:54 +01:00
apparmor.pod can ?not fix apparmor.pod 2013-12-12 03:07:37 +01:00
apparmor_parser.pod Fix typo: s/resonable/reasonable/. 2016-10-15 11:33:50 -05:00
common_optarg.c Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
common_optarg.h Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser/dbus.cc: fix "accesss" typo. 2015-05-01 10:25:57 +02:00
dbus.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Rename AA_MAY_XXX permission bits that conflict with new layout 2015-06-06 01:25:49 -07:00
lib.c libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile pass LDFLAGS fully into build 2017-01-19 23:04:34 +00:00
mount.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
mount.h Fix remount with bind 2015-09-21 12:20:19 -07:00
network.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
network.h Remove unused net_find_af_val function, and network_families array 2015-02-27 16:20:31 +00:00
parser.conf parser: adjust parser.conf example Include statements 2015-03-09 10:43:13 -07:00
parser.h parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_alias.c C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
parser_common.c parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_include.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c libapparmor: Move the aa_kernel_interface API 2015-03-25 17:09:27 -05:00
parser_lex.l parser: combine SUB_ID and SUB_ID_WS to reduce code duplication 2016-05-31 15:38:36 -05:00
parser_main.c Enable dynamically scaling max jobs if new resources are brought online 2016-04-11 16:22:12 -07:00
parser_merge.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_misc.c parser: eliminate redundant/dead code 2016-03-19 01:52:45 -07:00
parser_policy.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_regex.c parser: Allow change_profile rules to accept an exec mode modifier 2016-05-31 15:32:08 -05:00
parser_symtab.c C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
parser_variable.c parser: fix memory leaks in unit tests 2016-01-25 12:05:50 -08:00
parser_yacc.y Fix: make sure overlapping safe and unsafe exec rules conflict 2016-06-02 22:24:22 -07:00
policy_cache.c parser: Fix cache file mtime regression 2015-08-12 12:22:41 -05:00
policy_cache.h Set cache file tstamp to the mtime of most recent policy file tstamp 2015-06-06 01:22:53 -07:00
policydb.h Add the ability to mediate signals. 2014-04-23 11:35:29 -07:00
profile.cc parser: first step implementing fine grained mediation for unix domain sockets 2014-09-03 13:22:26 -07:00
profile.h Fix: parser: incorrect output of child profile names 2016-04-18 13:26:53 -07:00
ptrace.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
ptrace.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions parser: Preserve unknown profiles when restarting apparmor init/job/unit 2017-03-24 05:06:07 +00:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.suse Fix aa_log_end_msg() in rc.apparmor.suse 2015-07-24 00:06:57 +02:00
README parser - update README information 2013-10-11 22:14:28 -07:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc Move C++ files from .c suffix to .cc suffix 2014-05-09 15:34:34 -07:00
rule.h Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
signal.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
signal.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at http://wiki.apparmor.net

Please send all complaints, feature requests, rants about the software,
and questions to the apparmor@lists.ubuntu.com mailing list. Bug
reports can be filed against the AppArmor project on launchpad.net at
https://launchpad.net/apparmor or reported to the mailing list directly
for those who wish not to register for an account on launchpad.

Security issues can be filed as security bugs on launchpad
or directed to security@ubuntu.com. We will attempt to
conform to the RFP vulnerability disclosure protocol:
http://www.wiretrip.net/rfp/policy.html

Thanks.

-- The AppArmor development team