mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser
History
John Johansen 409e8703cf Fix profile loads from cache files that contain multiple profiles 
backport of dev commit 2510

v3: fix freeing of filename when undefined
v2: address tyhicks feedback
    refactor to have a common write routine
    fix issue with set profile load being done even if !kernel_load

Profile loads from cache files that contain multiple profiles can
result in multiple reloads of the same profile or error messages about
failure to load profiles if the --add option is used. eg.

  apparmor="STATUS" operation="profile_load"
  name="/usr/lib/apache2/mpm-prefork/apache2" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.058388] type=1400 audit(1395415826.937:616):
  apparmor="STATUS" operation="profile_load" name="DEFAULT_URI" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.058391] type=1400 audit(1395415826.937:617):
  apparmor="STATUS" operation="profile_load"
  name="HANDLING_UNTRUSTED_INPUT" pid=8631 comm="apparmor_parser"
  <sth0R> [82932.058394] type=1400 audit(1395415826.937:618):
  apparmor="STATUS" operation="profile_load" name="phpsysinfo" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.059058] type=1400 audit(1395415826.937:619):
  apparmor="STATUS" operation="profile_replace" info="profile can not be
  replaced" error=-17
  name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.059574] type=1400 audit(1395415826.937:620):
  apparmor="STATUS" operation="profile_replace" info="profile can not be
  replaced" error=-17
  name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT"
  pid=8631 comm="apparmor_parser"


The reason this happens is that the cache file is a container that
can contain multiple profiles in sequential order
  profile1
  profile2
  profile3

The parser loads the entire cache file to memory and the writes the
whole file to the kernel interface. It then skips foward in the file
to the next profile and reloads the file from that profile into
the kernel.
  eg. First load
    profile1
    profile2
    profile3

  advance to profile2, do second load
    profile2
    profile3

  advance to profile3, do third load
    profile3


With older kernels the interface would stop after the first profile and
return that it had processed the whole file, thus while wasting compute
resources copying extra data no errors occurred. However newer kernels
now support atomic loading of multipe profiles, so that all the profiles
passed in to the interface get processed.

This means on newer kernels the current parser load behavior results
in multiple loads/replacements when a cache file contains more than
one profile (note: loads from a compile do not have this problem).

To fix this, detect if the kernel supports atomic set loads, and load
the cache file once. If it doesn't only load one profile section
from a cache file at a time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-05-08 09:37:01 -07:00
..
libapparmor_re parser: fix compilation failure on 32 bit systems 2014-01-10 11:08:38 -08:00
po Fix list email typo 2011-02-23 15:57:36 -08:00
tst Subject: [patch] fix apparmor cache tempfile location to use passed arg v2 2013-07-29 09:52:18 -07:00
apparmor-parser.spec.in Add an example parser.conf file 2011-10-07 14:43:54 -07:00
apparmor.d.pod clarifications for mount rules 2012-04-11 16:34:22 -05:00
apparmor.pod as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
apparmor.vim.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:21:43 +02:00
apparmor_parser.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:21:43 +02:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Fix permission mapping for change_profile onexec 2012-03-26 06:11:16 -07:00
Makefile various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
mount.c Make mount operations aware of 'in' keyword so they can affect the flags build list 2012-03-26 06:19:21 -07:00
mount.h Fix mnt_flags passed for remount 2012-03-22 07:55:58 -07:00
parser.conf Commit the example parser.conf file that was supposed to be part of 2011-10-09 20:15:03 -07:00
parser.h Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:37:01 -07:00
parser_alias.c as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
parser_common.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:37:01 -07:00
parser_include.c Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
parser_include.h Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
parser_interface.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:37:01 -07:00
parser_lex.l Update the parser to support the 'in' keyword for value lists 2012-03-26 06:17:40 -07:00
parser_main.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:37:01 -07:00
parser_merge.c Fix compilation errors that slipped in. Yes, I realize this breaks the 2011-02-23 14:40:07 -08:00
parser_misc.c Merge from trunk commit 2050: 2013-01-03 14:38:38 -08:00
parser_policy.c Fix change_profile to grant access to api 2012-04-11 16:04:33 -07:00
parser_regex.c Fix change_onexec for profiles without attachment specification 2012-04-11 16:02:13 -07:00
parser_symtab.c [v2: added clean-ups, backed off on some of the build silencing] 2011-05-13 02:12:49 -07:00
parser_variable.c Add mount rules 2012-02-24 04:19:38 -08:00
parser_yacc.y Fix change_profile to grant access to api 2012-04-11 16:04:33 -07:00
policydb.h Add Basic infrastructure support for the policydb 2012-02-16 08:14:46 -08:00
rc.aaeventd.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.aaeventd.suse openSUSE patch to remove the "-f" parameter from startproc in rc.aaeventd.suse / 2011-08-13 14:22:35 +02:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.suse It looks like rc.apparmor.functions renamed "aa_log_action_begin()" to 2011-09-15 20:20:23 +02:00
README Remove pcre and update tests where necessary 2010-07-31 16:00:52 -07:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:21:43 +02:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at
<http://forge.novell.com/modules/xfmod/project/?apparmor>.

Please send all complaints, bug reports, feature requests, rants about the
software, and questions to apparmor-general@forge.novell.com. Security
issues should be directed to security@suse.de or secure@novell.com,
where we will attempt to conform to the RFP vulnerability disclosure
protocol: http://www.wiretrip.net/rfp/policy.html

Thanks.

-- The AppArmor development team