mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser
History
John Johansen 40e193e623 Fix: make sure overlapping safe and unsafe exec rules conflict 
BugLink: https://launchpad.net/bugs/1588069

Currently

  change_profile /** -> A,
  change_profile unsafe /** -> A,

do not conflict because the safe rules only set the change_profile
permission where the unsafe set unsafe exec. To fix this we have the
safe version set exec bits as well with out setting unsafe exec.
This allows the exec conflict logic to detect any conflicts.

This is safe to do even for older kernels as the exec bits off of the
2nd term encoding in the change_onexec rules are unused.

Test files
  tst/simple_tests/change_profile/onx_no_conflict_safe1.sd
  tst/simple_tests/change_profile/onx_no_conflict_safe2.sd
by Christian Boltz <apparmor@cboltz.de>

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2016-06-02 22:24:22 -07:00
..
libapparmor_re Fix Coverity issue 56025 -- Uninitialized scalar field 2016-01-19 15:07:04 -08:00
po translations: fix up msgfmt warnings 2016-05-24 13:08:06 -07:00
tst Fix: make sure overlapping safe and unsafe exec rules conflict 2016-06-02 22:24:22 -07:00
af_rule.cc parser: fix more gcc 5 compilation problems 2015-02-26 14:55:13 -08:00
af_rule.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
af_unix.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
af_unix.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
apparmor.d.pod Document aliases for dbus send and receive in apparmor.d 2016-06-01 22:55:14 +02:00
apparmor.pod can ?not fix apparmor.pod 2013-12-12 03:07:37 +01:00
apparmor_parser.pod parser: add basic support for parallel compiles and loads 2016-01-13 17:10:57 -08:00
common_optarg.c Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
common_optarg.h Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser/dbus.cc: fix "accesss" typo. 2015-05-01 10:25:57 +02:00
dbus.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Rename AA_MAY_XXX permission bits that conflict with new layout 2015-06-06 01:25:49 -07:00
lib.c libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile parser: Fix dependency in Makefile 2016-04-06 12:23:48 -05:00
mount.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
mount.h Fix remount with bind 2015-09-21 12:20:19 -07:00
network.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
network.h Remove unused net_find_af_val function, and network_families array 2015-02-27 16:20:31 +00:00
parser.conf parser: adjust parser.conf example Include statements 2015-03-09 10:43:13 -07:00
parser.h parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_alias.c C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
parser_common.c parser: Check kernel stacking support when handling stacked transitions 2016-03-18 17:28:51 -05:00
parser_include.c Use the gcc cleanup extension attribute to handle closing temp files 2015-03-25 17:09:26 -05:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c libapparmor: Move the aa_kernel_interface API 2015-03-25 17:09:27 -05:00
parser_lex.l parser: combine SUB_ID and SUB_ID_WS to reduce code duplication 2016-05-31 15:38:36 -05:00
parser_main.c Enable dynamically scaling max jobs if new resources are brought online 2016-04-11 16:22:12 -07:00
parser_merge.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_misc.c parser: eliminate redundant/dead code 2016-03-19 01:52:45 -07:00
parser_policy.c parser: Stop splitting the namespace from the named transition targets 2016-03-18 17:28:51 -05:00
parser_regex.c parser: Allow change_profile rules to accept an exec mode modifier 2016-05-31 15:32:08 -05:00
parser_symtab.c C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
parser_variable.c parser: fix memory leaks in unit tests 2016-01-25 12:05:50 -08:00
parser_yacc.y Fix: make sure overlapping safe and unsafe exec rules conflict 2016-06-02 22:24:22 -07:00
policy_cache.c parser: Fix cache file mtime regression 2015-08-12 12:22:41 -05:00
policy_cache.h Set cache file tstamp to the mtime of most recent policy file tstamp 2015-06-06 01:22:53 -07:00
policydb.h Add the ability to mediate signals. 2014-04-23 11:35:29 -07:00
profile.cc parser: first step implementing fine grained mediation for unix domain sockets 2014-09-03 13:22:26 -07:00
profile.h Fix: parser: incorrect output of child profile names 2016-04-18 13:26:53 -07:00
ptrace.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
ptrace.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.suse Fix aa_log_end_msg() in rc.apparmor.suse 2015-07-24 00:06:57 +02:00
README parser - update README information 2013-10-11 22:14:28 -07:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc Move C++ files from .c suffix to .cc suffix 2014-05-09 15:34:34 -07:00
rule.h Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
signal.cc And the related patch to fix globbing for af_unix abstract names 2015-02-12 10:19:16 -08:00
signal.h C tools: rename __unused macro to unused 2014-10-02 12:58:54 -07:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at http://wiki.apparmor.net

Please send all complaints, feature requests, rants about the software,
and questions to the apparmor@lists.ubuntu.com mailing list. Bug
reports can be filed against the AppArmor project on launchpad.net at
https://launchpad.net/apparmor or reported to the mailing list directly
for those who wish not to register for an account on launchpad.

Security issues can be filed as security bugs on launchpad
or directed to security@ubuntu.com. We will attempt to
conform to the RFP vulnerability disclosure protocol:
http://www.wiretrip.net/rfp/policy.html

Thanks.

-- The AppArmor development team