mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser
History
John Johansen a6691ca53e Merge parser: fix Normalizatin infinite loop 
Expression simplification can get into an infinite loop due to eps
pairs hiding behind and alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).

The loop in question happens in AltNode::normalize when a subtree has
the following structure.

1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                   alt
                   /\
                  /  \
                 /    \
               eps    alt
                      /\
                     /  \
                    /    \
                  alt    eps
                  /\
                 /  \
                /    \
               eps   eps

2. if (normalize_eps(dir)) results in

                   alt
                   /\
                  /  \
                 /    \
               alt    eps
               /\
              /  \
             /    \
           alt    eps
           /\
          /  \
         /    \
       eps   eps

3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                   alt
                   /\
                  /  \
                 /    \
               alt    alt
              /\        /\
             /  \      /  \
            /    \    /    \
          eps    eps eps   eps

4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                   alt
                   /\
                  /  \
                 /    \
               eps    alt
                      /\
                     /  \
                    /    \
                  eps    alt
                         /\
                        /  \
                       /    \
                     eps   eps

5. if (normalize_eps(dir)) results in

                  alt
                   /\
                  /  \
                 /    \
                alt   eps
                /\
               /  \
              /    \
            eps    alt
                    /\
                   /  \
                  /    \
                 eps   eps

6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                  alt
                   /\
                  /  \
                 /    \
                eps   alt
                       /\
                      /  \
                     /    \
                    alt  eps
                    /\
                   /  \
                  /    \
                eps   eps

back to beginning of cycle

Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.

In the above cycle the pair creation is caught at step 3 resulting
in

3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                   alt
                   /\
                  /  \
                 /    \
               alt    eps
               /\
              /  \
             /    \
           eps    eps

4.  elseif (child[dir]->is_type(ALT_NODE)) rotate_node too

                   alt
                   /\
                  /  \
                 /    \
               eps   alt
                      /\
                     /  \
                    /    \
                  eps    eps

which gets reduced to

                   alt
                   /\
                  /  \
                 /    \
               eps   eps

breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.

This needs to be backported to all releases

Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #398
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1252
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2024-06-14 19:39:21 +00:00
..
libapparmor_re parser: fix Normalizatin infinite loop 2024-06-14 07:00:47 -07:00
po translations: update generated pot files 2020-10-14 03:56:38 -07:00
tst Merge parser: fix Normalizatin infinite loop 2024-06-14 19:39:21 +00:00
aa-teardown aa-teardown: Replace /bin/bash with /bin/sh 2018-05-05 17:46:19 -07:00
aa-teardown.pod docs: update documentation to point bug reporting to gitlab 2020-05-05 00:10:53 -07:00
af_rule.cc parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
af_rule.h parser: rework perms rule merging 2023-07-10 20:04:53 -07:00
af_unix.cc parser: add ability to specify permission in network rules 2024-02-28 21:42:18 -03:00
af_unix.h parser: refactor network to use rule class as its base. 2023-09-07 00:12:51 -07:00
all_rule.cc parser: add fine grained conditionals to network rule 2024-02-29 16:25:59 -03:00
all_rule.h parser: fix issues appointed by coverity 2024-03-18 10:36:56 -03:00
apparmor.d.pod parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
apparmor.pod fix typo: globally 2024-03-29 10:57:33 +01:00
apparmor.service Add Documentation=... to apparmor.service 2023-10-29 10:49:33 +01:00
apparmor.systemd apparmor.systemd: fix shellcheck false positive 2024-04-30 18:30:01 -03:00
apparmor_parser.pod fix typo: aggressive 2024-03-29 10:52:25 +01:00
apparmor_xattrs.pod apparmor_xattrs.7: fix whatis entry 2020-10-25 11:54:47 +00:00
base_af_names.h Add 'mctp' network domain keyword 2022-02-08 19:09:24 +01:00
base_cap_names.h parser: Add support for CAP_CHECKPOINT_RESTORE 2020-10-13 21:30:19 -07:00
bignum.h parser: fix coverity issues found in snapshot 70858 2024-02-28 10:24:08 -03:00
capability.h parser/capability.h: add missing <cstdint> include 2022-05-23 23:13:14 +01:00
common_flags.h parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
common_optarg.c parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
common_optarg.h parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser: cleanup and rework optimization and dump flag handling 2023-07-07 17:47:41 -07:00
dbus.h parser: rework perms rule merging 2023-07-10 20:04:53 -07:00
default_features.c parser: Move to a pre-generated cap_names.h 2020-07-07 09:43:48 -07:00
file_cache.h Fix comment wording in file_cache.h 2021-05-02 11:29:41 +02:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h parser: int mode to perms 2023-03-29 10:45:44 -07:00
io_uring.cc parser: add support for a generic all rule type 2023-09-07 01:30:15 -07:00
io_uring.h parser: add support for a generic all rule type 2023-09-07 01:30:15 -07:00
lib.c Fix comment typo in parser/lib.c 2021-12-05 18:16:53 +01:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
mount.cc MountRule: sync flags_keywords with parser code 2024-03-03 15:37:59 +01:00
mount.h parser: add rule dedup of mount rules 2023-07-07 17:38:47 -07:00
mqueue.cc parser: fix getattr and setattr perm mapping on mqueue rules 2024-03-27 18:33:23 -03:00
mqueue.h parser: fix getattr and setattr perm mapping on mqueue rules 2024-03-27 18:33:23 -03:00
network.cc Merge parser: add network inet mediation documentation to apparmor.d 2024-04-12 03:46:23 +00:00
network.h switch inet mediation from using anon to none 2024-04-11 19:03:43 -07:00
parser.conf Revert "policy: pin policy to 4.0 abi for dev" 2023-07-19 17:37:24 -03:00
parser.h parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
parser_alias.c parser: make alias_ignore a bool 2023-03-31 02:17:28 -07:00
parser_common.c parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
parser_include.c parser: fix definitely and possibly lost memory leaks 2023-03-16 18:03:57 -03:00
parser_include.h parser: add include dedup cache to handle include loops 2021-04-27 20:26:57 -07:00
parser_interface.c parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
parser_lex.l parser: make lead # in assignment value indicate a comment 2024-06-08 01:32:22 -07:00
parser_main.c parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
parser_merge.c parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
parser_misc.c parser: add support for a generic all rule type 2023-09-07 01:30:15 -07:00
parser_policy.c parser: refactor network to use rule class as its base. 2023-09-07 00:12:51 -07:00
parser_regex.c parser: fix coverity issues found in snapshot 70858 2024-02-28 10:24:08 -03:00
parser_symtab.c treewide: spelling/typo fixes in code strings 2020-12-01 12:47:18 -08:00
parser_variable.c parser: add support for attach_disconnected.path 2023-08-14 01:42:28 -07:00
parser_yacc.y parser: add fine grained conditionals to network rule 2024-02-29 16:25:59 -03:00
policy_cache.c Fix wording of some warnings 2020-10-11 12:22:23 +02:00
policy_cache.h drop unused extern int debug_cache 2021-02-07 16:02:20 +01:00
policydb.h parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
profile-load profile-load: use less ambiguous if/then construct 2022-02-15 07:34:17 +00:00
profile.cc parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
profile.h parser: add error=EXX flag support 2024-04-15 16:32:16 -03:00
ptrace.cc parser: cleanup and rework optimization and dump flag handling 2023-07-07 17:47:41 -07:00
ptrace.h parser: rework perms rule merging 2023-07-10 20:04:53 -07:00
rc.apparmor.functions aa-teardown: print out which profile removal failed 2024-06-08 23:35:02 +02:00
rc.apparmor.slackware added missing functions to slackware init script 2019-11-08 13:49:48 +01:00
README README: Move project contact info into the main README 2018-09-13 16:54:09 +00:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
rule.h parser: add support for a generic all rule type 2023-09-07 01:30:15 -07:00
signal.cc parser: add kill.signal=XXX flag support 2023-08-25 10:16:51 -07:00
signal.h parser: add kill.signal=XXX flag support 2023-08-25 10:16:51 -07:00
techdoc.tex treewide: spelling/typo fixes in comments and docs 2020-12-01 12:47:11 -08:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00
userns.cc parser: cleanup and rework optimization and dump flag handling 2023-07-07 17:47:41 -07:00
userns.h parser: add permission merging 2023-07-10 18:01:32 -03:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team