apparmor/parser
John Johansen 51d33c1a23 parser: fix rule flag generation change_mount type rules
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like

  mount slave /snap/bin/** -> /**,

  mount /snap/bin/** -> /**,

would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.

1. If kernel mount flags were present on the rule, the error would
   be caught, causing an error to be returned and profile compilation
   to fail.

2. If the rule did not contain explicit flags, then the rule would generate
   change_mount_type permissions based solely on the mount point and
   the implied set of flags. However, this is incorrect as it should
   not generate change_mount permissions for this type of rule. Not
   only does it ignore the source/device type condition, but it
   generates permissions that were never intended.

   When used in combination with a deny prefix this overly broad
   rule can result in almost all mount rules being denied, as the
   denial takes priority over the allow mount rules.

Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-06-21 01:31:31 -07:00
libapparmor_re parser: allow overriding which ar(1) is invoked 2019-07-08 12:32:21 -07:00
po translations: update generated pot files 2020-10-14 03:50:46 -07:00
tst parser: fix rule flag generation change_mount type rules 2023-06-21 01:31:31 -07:00
aa-teardown Add apparmor.service and aa-teardown 2018-03-24 19:28:24 +00:00
aa-teardown.pod all: Use HTTPS links for apparmor.net 2018-09-13 11:45:59 -07:00
af_rule.cc parser: fix more gcc 5 compilation problems 2015-02-26 14:55:13 -08:00
af_rule.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
af_unix.cc Merge Fix mode not being printed when debugging AF_UNIX socket rules. 2023-02-01 19:52:15 -08:00
af_unix.h Merge Fix mode not being printed when debugging AF_UNIX socket rules. 2023-02-01 19:52:15 -08:00
apparmor.d.pod docs apparmor.d: add missing mount options to man page 2023-05-18 11:24:49 -05:00
apparmor.pod apparmor(7): Document various debugging options. 2018-11-04 12:03:41 +00:00
apparmor.service Add apparmor.service and aa-teardown 2018-03-24 19:28:24 +00:00
apparmor.systemd Merge branch 'EmersonBernier/shellcheck' into 'master' 2019-01-03 17:42:06 +00:00
apparmor_parser.pod parser: fix --jobs so job scaling is applied correctly 2021-02-10 19:20:27 -08:00
base_cap_names.h parser: Add support for CAP_CHECKPOINT_RESTORE 2020-10-13 21:44:47 -07:00
common_optarg.c Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
common_optarg.h Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser: call filter slashes for the dbus path conditional 2020-10-09 02:44:50 -07:00
dbus.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Rename AA_MAY_XXX permission bits that conflict with new layout 2015-06-06 01:25:49 -07:00
lib.c libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile parser/Makefile: fix generated cap comparison against known list 2020-10-13 03:00:53 -07:00
mount.cc parser: fix rule flag generation change_mount type rules 2023-06-21 01:31:31 -07:00
mount.h parser: added nosymfollow mount option 2023-05-18 11:24:36 -05:00
network.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
network.h Remove unused net_find_af_val function, and network_families array 2015-02-27 16:20:31 +00:00
parser.conf Revert "parser: allow specifying the parser config file" 2018-09-17 02:35:44 -07:00
parser.h parser: support multiple mount conditionals in a single rule 2023-05-04 13:07:48 +00:00
parser_alias.c parser: provide typedefs for comparison_fn_t and __free_fn_t 2018-05-09 13:28:47 -07:00
parser_common.c parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_include.c parser: include <limits.h> for PATH_MAX macro 2017-09-27 11:38:35 +02:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c libapparmor: Move the aa_kernel_interface API 2015-03-25 17:09:27 -05:00
parser_lex.l Merge branch 'fix-lexer' into 'master' 2021-09-24 11:26:55 +00:00
parser_main.c parser: fix --jobs so job scaling is applied correctly 2021-02-10 19:20:27 -08:00
parser_merge.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_misc.c parser: Make sure apparmor can build on old kernels 2020-10-14 15:05:04 -07:00
parser_policy.c parser: Fix automatic adding of rule for change_hat interface 2020-09-17 15:04:24 -07:00
parser_regex.c parser: fix filter slashes for link targets 2021-03-15 00:53:06 -07:00
parser_symtab.c parser: provide typedefs for comparison_fn_t and __free_fn_t 2018-05-09 13:28:47 -07:00
parser_variable.c parser: fix memory leaks in unit tests 2016-01-25 12:05:50 -08:00
parser_yacc.y parser: ignore feature abi rules 2018-10-12 22:22:29 -07:00
policy_cache.c libapparmor: Add support for overlaycache directories 2018-04-14 15:51:23 -07:00
policy_cache.h libapparmor: Add support for overlaycache directories 2018-04-14 15:51:23 -07:00
policydb.h Add the ability to mediate signals. 2014-04-23 11:35:29 -07:00
profile.cc parser: first step implementing fine grained mediation for unix domain sockets 2014-09-03 13:22:26 -07:00
profile.h Fix: parser: incorrect output of child profile names 2016-04-18 13:26:53 -07:00
ptrace.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
ptrace.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions fix fails to load profiles in busybox with: 2020-04-20 16:51:40 -07:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
README README: Move project contact info into the main README 2018-09-13 11:45:59 -07:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc Move C++ files from .c suffix to .cc suffix 2014-05-09 15:34:34 -07:00
rule.h Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
signal.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
signal.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod all: Use HTTPS links for apparmor.net 2018-09-13 11:45:59 -07:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team