apparmor/parser
John Johansen 2ab1941d9d parser: change priority so that it accumulates based on permissions
The current behavior of priority rules can be non-intuitive, with
higher priority rules completely overriding lower priority rules even in
permissions not held in common. This behavior does have use cases, but
it can be very confusing and is not normal policy behavior.

Eg.
  priority=0 allow r /**,
  priority=1 deny  w /**,

will result in no allowed permissions even though the deny rule is
only removing the w permission, because the higher priority rule
completely overrides lower priority permission sets (including
non-shared permissions).

Instead move to tracking the priority at a per permission level. This
allows the w permission to still override at priority 1, while the
read permission is allowed at priority 0.

The final constructed state will still drop priority for the final
permission set on the state.

Note: this patch updates the equality tests for the cases where
the complete override behavior was being tested for.

The complete override behavior will be reintroduced in a future
patch with a keyword extension, enabling that behavior to be used
for ordered blocks etc.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 1ebd991155)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-02-11 15:19:32 -08:00
libapparmor_re parser: change priority so that it accumulates based on permissions 2025-02-11 15:19:32 -08:00
po translations: update generated pot files 2020-10-14 03:56:38 -07:00
tst parser: change priority so that it accumulates based on permissions 2025-02-11 15:19:32 -08:00
aa-teardown aa-teardown: Replace /bin/bash with /bin/sh 2018-05-05 17:46:19 -07:00
aa-teardown.pod docs: update documentation to point bug reporting to gitlab 2020-05-05 00:10:53 -07:00
af_rule.cc parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
af_rule.h parser: rework perms rule merging 2023-07-10 20:04:53 -07:00
af_unix.cc parser: add the ability to specify a priority prefix to rules 2024-08-14 17:15:24 -07:00
af_unix.h parser: add the ability to specify a priority prefix to rules 2024-08-14 17:15:24 -07:00
all_rule.cc parser: make ix of file, rule have lower priority so it can be overridden 2024-08-14 18:21:26 -07:00
all_rule.h parser: add the ability to specify a priority prefix to rules 2024-08-14 17:15:24 -07:00
apparmor.d.pod parser: misc fixes on apparmor.d man page 2025-02-11 15:15:46 -08:00
apparmor.pod fix typo: globally 2024-03-29 10:57:33 +01:00
apparmor.service Add Documentation=... to apparmor.service 2023-10-29 10:49:33 +01:00
apparmor.systemd apparmor.systemd: fix shellcheck false positive 2024-04-30 18:30:01 -03:00
apparmor_parser.pod fix typo: aggressive 2024-03-29 10:52:25 +01:00
apparmor_xattrs.pod apparmor_xattrs.7: fix whatis entry 2020-10-25 11:54:47 +00:00
base_af_names.h Add 'mctp' network domain keyword 2022-02-08 19:09:24 +01:00
base_cap_names.h parser: Add support for CAP_CHECKPOINT_RESTORE 2020-10-13 21:30:19 -07:00
bignum.h parser: fix coverity issues found in snapshot 70858 2024-02-28 10:24:08 -03:00
capability.h parser/capability.h: add missing <cstdint> include 2022-05-23 23:13:14 +01:00
common_flags.h parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
common_optarg.c parser: change priority so that it accumulates based on permissions 2025-02-11 15:19:32 -08:00
common_optarg.h parser: Cleanup parser control flags, so they display as expected to user 2023-07-08 19:58:59 -07:00
cond_expr.cc parser: refactor conditional logic into its own class 2024-08-14 17:22:48 -03:00
cond_expr.h parser: refactor conditional logic into its own class 2024-08-14 17:22:48 -03:00
COPYING.GPL rpmlint complains about an outdated FSF address in parser/COPYING.GPL. 2011-11-27 13:52:06 +01:00
dbus.cc parser: minimization - remove unnecessary second minimization pass 2024-08-14 17:15:24 -07:00
dbus.h convert owner to an enum 2024-08-14 15:47:13 -07:00
default_features.c parser: Move to a pre-generated cap_names.h 2020-07-07 09:43:48 -07:00
file_cache.h Fix comment wording in file_cache.h 2021-05-02 11:29:41 +02:00
frob_slack_rc as ACKed on IRC, drop the unused $Id$ tags everywhere 2010-12-20 12:29:10 -08:00
immunix.h parser: change priority so that it accumulates based on permissions 2025-02-11 15:19:32 -08:00
io_uring.cc Merge parser: fix rule priority destroying rule permissions for some classes 2024-10-28 04:51:48 -07:00
io_uring.h parser: rename rules.h perms_t to perm32_t 2024-08-14 14:39:18 -07:00
lib.c Fix comment typo in parser/lib.c 2021-12-05 18:16:53 +01:00
lib.h libapparmor: Use directory file descriptor in _aa_dirat_for_each() 2015-06-15 15:11:51 -05:00
Makefile Add a tst_binaries target to the parser to build tst binaries 2025-02-11 14:41:45 -08:00
mount.cc Add separator between mount flags in dump_flags 2025-01-09 01:40:41 -08:00
mount.h Allow make-* flags with remount operations 2025-01-09 01:41:22 -08:00
mqueue.cc parser: minimization - remove unnecessary second minimization pass 2024-08-14 17:15:24 -07:00
mqueue.h parser: rename rules.h perms_t to perm32_t 2024-08-14 14:39:18 -07:00
network.cc Merge parser: fix mapping of AA_CONT_MATCH for policydb compat entries 2025-01-08 11:44:22 -08:00
network.h Merge parser: add port range support on network policy 2024-10-28 04:53:20 -07:00
parser.conf Revert "policy: pin policy to 4.0 abi for dev" 2023-07-19 17:37:24 -03:00
parser.h Merge parser: fix integer overflow bug in rule priority comparisons 2024-10-28 04:58:35 -07:00
parser_alias.c parser: make alias_ignore a bool 2023-03-31 02:17:28 -07:00
parser_common.c Merge parser: fix minimization check for filtering deny 2024-10-28 04:58:49 -07:00
parser_include.c parser: fix definitely and possibly lost memory leaks 2023-03-16 18:03:57 -03:00
parser_include.h parser: add include dedup cache to handle include loops 2021-04-27 20:26:57 -07:00
parser_interface.c parser: fix protocol error on older kernels caused by additional xtable 2024-08-14 15:47:13 -07:00
parser_lex.l parser: add the ability to specify a priority prefix to rules 2024-08-14 17:15:24 -07:00
parser_main.c parser: enable extended perms if supported by the kernel 2024-08-14 17:15:24 -07:00
parser_merge.c parser: fix priority for file rules. 2025-01-09 01:44:18 -08:00
parser_misc.c parser: fix priority for file rules. 2025-01-09 01:44:18 -08:00
parser_policy.c parser: don't set xbits when using permstable32_v1 2024-08-14 15:47:13 -07:00
parser_regex.c Merge parser: fix integer overflow bug in rule priority comparisons 2024-10-28 04:58:35 -07:00
parser_symtab.c treewide: spelling/typo fixes in code strings 2020-12-01 12:47:18 -08:00
parser_variable.c parser: add support for attach_disconnected.path 2023-08-14 01:42:28 -07:00
parser_yacc.y Merge parser: fix integer overflow bug in rule priority comparisons 2024-10-28 04:58:35 -07:00
perms.h parser: add the abilitiy to dump the permissions table 2025-01-08 12:22:58 -08:00
policy_cache.c Fix wording of some warnings 2020-10-11 12:22:23 +02:00
policy_cache.h drop unused extern int debug_cache 2021-02-07 16:02:20 +01:00
policydb.h parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
profile-load profile-load: use less ambiguous if/then construct 2022-02-15 07:34:17 +00:00
profile.cc parser: frontend carry use of prompt rules flag on profile 2024-08-14 15:45:58 -07:00
profile.h parser: Add prompt dev compat support 2024-08-14 15:47:13 -07:00
ptrace.cc parser: minimization - remove unnecessary second minimization pass 2024-08-14 17:15:24 -07:00
ptrace.h convert owner to an enum 2024-08-14 15:47:13 -07:00
rc.apparmor.functions Merge Support unloading profiles in kill and prompt mode 2025-01-14 18:24:57 +00:00
rc.apparmor.slackware added missing functions to slackware init script 2019-11-08 13:49:48 +01:00
README README: Move project contact info into the main README 2018-09-13 16:54:09 +00:00
README.devel parser: add some developer documentation 2013-12-10 14:15:02 -08:00
rule.cc parser: consolidate rule class handling into aa_class 2023-03-31 02:21:19 -07:00
rule.h parser: fix prefix dump to include priority 2025-02-11 15:19:32 -08:00
signal.cc parser: minimization - remove unnecessary second minimization pass 2024-08-14 17:15:24 -07:00
signal.h convert owner to an enum 2024-08-14 15:47:13 -07:00
techdoc.tex treewide: spelling/typo fixes in comments and docs 2020-12-01 12:47:11 -08:00
unit_test.h Convert codomain to a class 2013-09-27 16:16:37 -07:00
userns.cc Merge parser: fix rule priority destroying rule permissions for some classes 2024-10-28 04:51:48 -07:00
userns.h parser: rename rules.h perms_t to perm32_t 2024-08-14 14:39:18 -07:00

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team