apparmor/parser
John Johansen e08eaa39e2 Fix profile loads from cache files that contain multiple profiles
v3: fix freeing of filename when undefined
v2: address tyhicks feedback
    refactor to have a common write routine
    fix issue with set profile load being done even if !kernel_load

Profile loads from cache files that contain multiple profiles can
result in multiple reloads of the same profile or error messages about
failure to load profiles if the --add option is used. eg.

  apparmor="STATUS" operation="profile_load"
  name="/usr/lib/apache2/mpm-prefork/apache2" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.058388] type=1400 audit(1395415826.937:616):
  apparmor="STATUS" operation="profile_load" name="DEFAULT_URI" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.058391] type=1400 audit(1395415826.937:617):
  apparmor="STATUS" operation="profile_load"
  name="HANDLING_UNTRUSTED_INPUT" pid=8631 comm="apparmor_parser"
  <sth0R> [82932.058394] type=1400 audit(1395415826.937:618):
  apparmor="STATUS" operation="profile_load" name="phpsysinfo" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.059058] type=1400 audit(1395415826.937:619):
  apparmor="STATUS" operation="profile_replace" info="profile can not be
  replaced" error=-17
  name="/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI" pid=8631
  comm="apparmor_parser"
  <sth0R> [82932.059574] type=1400 audit(1395415826.937:620):
  apparmor="STATUS" operation="profile_replace" info="profile can not be
  replaced" error=-17
  name="/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT"
  pid=8631 comm="apparmor_parser"


The reason this happens is that the cache file is a container that
can contain multiple profiles in sequential order
  profile1
  profile2
  profile3

The parser loads the entire cache file to memory and then writes the
whole file to the kernel interface. It then skips forward in the file
to the next profile and reloads the file from that profile into
the kernel.
  eg. First load
    profile1
    profile2
    profile3

  advance to profile2, do second load
    profile2
    profile3

  advance to profile3, do third load
    profile3


With older kernels the interface would stop after the first profile and
return that it had processed the whole file, thus while wasting compute
resources copying extra data no errors occurred. However newer kernels
now support atomic loading of multiple profiles, so that all the profiles
passed in to the interface get processed.

This means on newer kernels the current parser load behavior results
in multiple loads/replacements when a cache file contains more than
one profile (note: loads from a compile do not have this problem).

To fix this, detect if the kernel supports atomic set loads, and load
the cache file once. If it doesn't, only load one profile section
from a cache file at a time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-05-08 09:03:13 -07:00
libapparmor_re Convert aare_rules into a class 2014-04-23 10:57:16 -07:00
po Launchpad automatic translations update. 2014-05-01 05:27:43 +00:00
tst parser: extend dbus language tests 2014-04-25 21:48:25 -07:00
apparmor-parser.spec.in Add an example parser.conf file 2011-10-07 14:43:54 -07:00
apparmor.d.pod parser: Document that pivot_root arguments must end in '/' 2014-05-05 11:36:00 -05:00
apparmor.pod can ?not fix apparmor.pod 2013-12-12 03:07:37 +01:00
apparmor_parser.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
common_optarg.c Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
common_optarg.h Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs 2014-04-23 11:10:41 -07:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.c fix: the what names can treated as a condlistid 2014-04-23 11:36:26 -07:00
dbus.h Convert mount and dbus to be subclasses of a generic rule class 2014-04-07 03:16:50 -07:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h Remove the old unused ptrace code that snuck in years ago. 2014-03-12 05:02:32 -07:00
lib.c parser: find SIZE_MAX on older versions of glibc and g++ 2014-04-17 11:10:41 -07:00
lib.h parser: fix i386 breakage on min() argument mismatches 2014-04-17 09:20:40 -07:00
Makefile Add the ability to specify ptrace rules 2014-04-23 11:38:04 -07:00
mount.c Convert aare_rules into a class 2014-04-23 10:57:16 -07:00
mount.h Convert mount and dbus to be subclasses of a generic rule class 2014-04-07 03:16:50 -07:00
parser.conf Commit the example parser.conf file that was supposed to be part of 2011-10-09 20:15:03 -07:00
parser.h Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:03:13 -07:00
parser_alias.c Remove the old unused ptrace code that snuck in years ago. 2014-03-12 05:02:32 -07:00
parser_common.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:03:13 -07:00
parser_include.c parser: Quiet search dir valgrind warning and remove suppression 2014-02-05 15:17:32 -05:00
parser_include.h allow directories to be passed to the parser 2013-10-26 00:15:13 -07:00
parser_interface.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:03:13 -07:00
parser_lex.l Add the ability to specify ptrace rules 2014-04-23 11:38:04 -07:00
parser_main.c Fix profile loads from cache files that contain multiple profiles 2014-05-08 09:03:13 -07:00
parser_merge.c Remove the old unused ptrace code that snuck in years ago. 2014-03-12 05:02:32 -07:00
parser_misc.c Add the ability to specify ptrace rules 2014-04-23 11:38:04 -07:00
parser_policy.c Move buffer management for the interface to C++ ostringstream class 2014-04-23 11:07:01 -07:00
parser_regex.c Add the ability to specify ptrace rules 2014-04-23 11:38:04 -07:00
parser_symtab.c parser: add implicit set variable @{profile_name} to profile symbol 2014-04-23 16:38:29 -07:00
parser_variable.c parser: add implicit set variable @{profile_name} to profile symbol 2014-04-23 16:38:29 -07:00
parser_yacc.y change syntax of ptrace target 2014-04-23 11:39:59 -07:00
policydb.h Add the ability to mediate signals. 2014-04-23 11:35:29 -07:00
profile.cc Convert aare_rules into a class 2014-04-23 10:57:16 -07:00
profile.h parser: add implicit set variable @{profile_name} to profile symbol 2014-04-23 16:38:29 -07:00
ptrace.c change syntax of ptrace target 2014-04-23 11:39:59 -07:00
ptrace.h change syntax of ptrace target 2014-04-23 11:39:59 -07:00
rc.aaeventd.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.aaeventd.suse openSUSE patch to remove the "-f" parameter from startproc in rc.aaeventd.suse / 2011-08-13 14:22:35 +02:00
rc.apparmor.debian as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.functions Update the copyright dates for the apparmor_parser 2012-02-24 04:21:59 -08:00
rc.apparmor.redhat as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.slackware as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
rc.apparmor.suse It looks like rc.apparmor.functions renamed "aa_log_action_begin()" to 2011-09-15 20:20:23 +02:00
README parser - update README information 2013-10-11 22:14:28 -07:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.c Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
rule.h Add missing rule.[hc] files that should have been part of commit 2449 2014-04-07 11:41:25 -07:00
signal.c fix: the what names can treated as a condlistid 2014-04-23 11:36:26 -07:00
signal.h fix: the what names can treated as a condlistid 2014-04-23 11:36:26 -07:00
subdomain.conf Here's an update to rename another chunk of things that still used 2011-01-13 13:58:26 -08:00
subdomain.conf.pod fix broken URLs in various utils/*.pod files. 2013-09-19 21:17:39 +02:00
techdoc.tex various changes in building techdoc.tex: 2012-05-09 00:41:06 +02:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at http://wiki.apparmor.net

Please send all complaints, feature requests, rants about the software,
and questions to the apparmor@lists.ubuntu.com mailing list. Bug
reports can be filed against the AppArmor project on launchpad.net at
https://launchpad.net/apparmor, or reported to the mailing list directly
by those who do not wish to register for an account on launchpad.

Security issues can be filed as security bugs on launchpad
or directed to security@ubuntu.com. We will attempt to
conform to the RFP vulnerability disclosure protocol:
http://www.wiretrip.net/rfp/policy.html

Thanks.

-- The AppArmor development team