apparmor/utils
John Johansen cfe20d2b63 Add support for profiles with xattrs matching
Add userland support for matching based on extended file attributes. This
leverages DFA-based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

    /usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
        # ...
    }

xattr values are appended to the existing xmatch via a null transition.

    $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
        ./parser/apparmor_parser -QT -D expr-tree
    DFA: Expression Tree
    /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1>
    DFA: Expression Tree
    (\a|(\n|(\0002|\t)))< 0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:

  * ~~Add regression tests~~ (EDIT: done)
  * ~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:

  * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
  * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

PR: https://gitlab.com/apparmor/apparmor/merge_requests/270
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-21 08:12:07 +00:00

| Name | Last commit | Date |
|---|---|---|
| apparmor | Add support for profiles with xattrs matching | 2019-03-21 08:12:07 +00:00 |
| easyprof | Add aa-easyprof and easyprof.py and related pieces from the Ubuntu | 2014-02-13 17:53:40 -08:00 |
| po | translations: sync from launchpad translations | 2018-04-15 06:54:44 -07:00 |
| test | update network keyword list in utils and add test | 2019-03-16 12:52:37 +01:00 |
| vim | *: ensure make apparmor_parser is cached | 2019-01-22 15:30:51 -08:00 |
| aa-audit | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-audit.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-autodep | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-autodep.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-cleanprof | drop dead code from tools.py | 2017-06-26 21:27:06 +02:00 |
| aa-cleanprof.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-complain | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-complain.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-decode | Rewrite aa-decode to use inline Python instead of to-be-deprecated Perl | 2019-02-05 00:20:47 +02:00 |
| aa-decode.pod | manpages: incorporate podchecker; fix errors and (most) warnings | 2014-09-15 11:30:47 -07:00 |
| aa-disable | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-disable.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-easyprof | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-easyprof.pod | utils: Add option to aa-easyprof to specify the apparmor_parser path | 2017-03-02 21:24:05 +00:00 |
| aa-enforce | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-enforce.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-genprof | split get_profile_filename into .._from_profile_name and .._from_attachment | 2018-10-23 00:28:37 +02:00 |
| aa-genprof.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-logprof | json support for logprof and genprof | 2017-06-15 18:22:43 +02:00 |
| aa-logprof.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-mergeprof | Replace existing_profiles & fix minitools for named profiles | 2018-10-23 00:28:37 +02:00 |
| aa-mergeprof.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-notify | aa-notify: Read user's configuration file from XDG_CONFIG_HOME | 2018-10-03 12:38:28 +03:00 |
| aa-notify.pod | aa-notify man page: update user's configuration file path | 2018-10-15 16:44:00 +03:00 |
| aa-remove-unknown | Don't print a literal '\n' in aa-remove-unknown help | 2017-12-01 00:26:56 +01:00 |
| aa-remove-unknown.pod | utils: Add aa-remove-unknown utility to unload unknown profiles | 2017-03-24 05:08:01 +00:00 |
| aa-sandbox | Switch utils to python3 | 2016-10-01 20:57:09 +02:00 |
| aa-sandbox.pod | manpages: incorporate podchecker; fix errors and (most) warnings | 2014-09-15 11:30:47 -07:00 |
| aa-status | aa-status: split profile from exec name | 2018-03-01 14:17:57 -08:00 |
| aa-status.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| aa-unconfined | utils: Require apparmor.aa users to call init_aa() | 2017-03-02 21:21:53 +00:00 |
| aa-unconfined.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| check_po.pl | Ignore untranslated texts in check_po.pl | 2017-11-27 23:47:52 +01:00 |
| logprof.conf | add zsh to logprof.conf | 2018-09-24 16:51:11 +00:00 |
| logprof.conf.pod | all: Use HTTPS links for apparmor.net | 2018-09-13 16:41:32 +00:00 |
| Makefile | utils: Add aa-remove-unknown utility to unload unknown profiles | 2017-03-24 05:08:01 +00:00 |
| notify.conf | comment out use_group to remove group restrictions | 2018-03-18 19:56:29 +01:00 |
| python-tools-setup.py | utils: stop rewriting shbang lines in setup script | 2017-10-26 00:52:31 -07:00 |
| README.md | Merge in Kshitij Gupta <kgupta8592@gmail.com>'s rewrite of the | 2014-02-12 15:54:00 -08:00 |
| severity.db | Update perl abstraction, logprof.conf, severity.db and tests for Debian/Ubuntu | 2014-08-20 19:14:24 -05:00 |

Known Bugs: Will allow multiple letters in the () due to translation/unicode issues with regexing the key. User input will probably bug out in a different locale.