parser: ignore feature abi rules

AppArmor 3.0 requires policy to use a feature abi rule for access to new features. However some policy may start using abi rules even if they don't have rules that require new features. This is especially true for out of tree policy being shipped in other packages. Add enough support to older releases that the parser will ignore the abi rule and warn that it is falling back to the apparmor 2.x technique of using the system abi. If the profile contains rules that the older parser does not understand it will fail policy compilation at the unknown rule instead of the abi rule. PR: https://gitlab.com/apparmor/apparmor/merge_requests/196 (backported form commit 83df7c4747a7f730ab59db014cbd15e469b16395) Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-22 10:07:12 +00:00 · 2018-09-19 01:15:49 -07:00 · 2018-09-19 01:15:49 -07:00 · 4633658232
commit 4633658232
parent e48533b156
33 changed files with 302 additions and 0 deletions
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@ -261,6 +261,7 @@ LT_EQUAL	<=
 %x CHANGE_PROFILE_MODE
 %x INCLUDE
 %x INCLUDE_EXISTS
+%x ABI_MODE

 %%

@ -315,6 +316,19 @@ LT_EQUAL	<=
 	}
 }

+<ABI_MODE>{
+	(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS})	{ /* <filename> | <"filename"> | "filename" | filename */
+		int lt = *yytext == '<'  ? 1 : 0;
+		char *filename = processid(yytext + lt, yyleng - lt*2);
+		bool exists = YYSTATE == INCLUDE_EXISTS;
+
+		if (!filename)
+			yyerror(_("Failed to process filename\n"));
+		yylval.id = filename;
+		POP_AND_RETURN(TOK_ID);
+	}
+}
+
 <<EOF>> {
 	fclose(yyin);
 	pop_include_stack();
@ -666,6 +680,9 @@ include/{WS}	{
 	case TOK_UNIX:
 		state = UNIX_MODE;
 		break;
+	case TOK_ABI:
+		state = ABI_MODE;
+		break;
 	default: /* nothing */
 		break;
 	}
@ -719,4 +736,5 @@ unordered_map<int, string> state_names = {
 	STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
 	STATE_TABLE_ENT(INCLUDE),
 	STATE_TABLE_ENT(INCLUDE_EXISTS),
+	STATE_TABLE_ENT(ABI_MODE),
 };
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@ -111,6 +111,7 @@ static struct keyword_table keyword_table[] = {
 	{"trace",		TOK_TRACE},
 	{"tracedby",		TOK_TRACEDBY},
 	{"readby",		TOK_READBY},
+	{"abi",			TOK_ABI},

 	/* terminate */
 	{NULL, 0}
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -152,6 +152,7 @@ void add_local_entry(Profile *prof);
 %token TOK_TRACE
 %token TOK_TRACEDBY
 %token TOK_READBY
+%token TOK_ABI

 /* rlimits */
 %token TOK_RLIMIT
@ -400,6 +401,7 @@ hat: hat_start profile_base
 preamble: { /* nothing */ }
 	| preamble alias { /* nothing */ };
 	| preamble varassign { /* nothing */ };
+	| preamble abi_rule { /* nothing */ };

 alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
@ -615,6 +617,8 @@ rules:	{ /* nothing */
 		$$ = prof;
 	};

+rules: rules abi_rule { /* nothing */ }
+
 rules:  rules opt_prefix rule
 	{
 		PDEBUG("matched: rules rule\n");
@ -1065,6 +1069,12 @@ opt_named_transition: { /* nothing */ $$ = NULL; }
 rule: file_rule { $$ = $1; }
 	| link_rule { $$ = $1; }

+abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE
+	{
+		pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname);
+		free($2);
+	};
+
 opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
 	| TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
 	| TOK_SAFE { $$ = EXEC_MODE_SAFE; };
--- a/parser/tst/simple_tests/abi/bad_1.sd
+++ b/parser/tst/simple_tests/abi/bad_1.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT FAIL
+#=TODO
+
+abi "abi/4.19,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_10.sd
+++ b/parser/tst/simple_tests/abi/bad_10.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_11.sd
+++ b/parser/tst/simple_tests/abi/bad_11.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_12.sd
+++ b/parser/tst/simple_tests/abi/bad_12.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT FAIL
+#
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_2.sd
+++ b/parser/tst/simple_tests/abi/bad_2.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT FAIL
+#
+
+abi abi/4.19",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_3.sd
+++ b/parser/tst/simple_tests/abi/bad_3.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19"
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_4.sd
+++ b/parser/tst/simple_tests/abi/bad_4.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT FAIL
+#
+
+abi "/abi/4.19 ubuntu,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_5.sd
+++ b/parser/tst/simple_tests/abi/bad_5.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes missing ,
+#=EXRESULT FAIL
+#
+
+abi abi/4.19
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/bad_6.sd
+++ b/parser/tst/simple_tests/abi/bad_6.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT FAIL
+#=TODO
+
+abi <abi/4.19,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_1.sd
+++ b/parser/tst/simple_tests/abi/ok_1.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes
+#=EXRESULT PASS
+#
+
+abi "abi/4.19",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_10.sd
+++ b/parser/tst/simple_tests/abi/ok_10.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+
+abi < "abi/4.19">,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_11.sd
+++ b/parser/tst/simple_tests/abi/ok_11.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=DISABLED
+
+abi <"abi/4.19" >,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_12.sd
+++ b/parser/tst/simple_tests/abi/ok_12.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#=TODO
+
+abi < "abi/4.19" >,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_13.sd
+++ b/parser/tst/simple_tests/abi/ok_13.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path quotes in <> with spaces
+#=EXRESULT PASS
+#
+
+abi <"abi/4.19 ubuntu">,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_14.sd
+++ b/parser/tst/simple_tests/abi/ok_14.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi <abi/4.19> ,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_15.sd
+++ b/parser/tst/simple_tests/abi/ok_15.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi "abi/4.19" ,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_16.sd
+++ b/parser/tst/simple_tests/abi/ok_16.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path with space between path and ,
+#=EXRESULT PASS
+#
+
+abi abi/4.19 ,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_17.sd
+++ b/parser/tst/simple_tests/abi/ok_17.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi<abi/4.19>,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_18.sd
+++ b/parser/tst/simple_tests/abi/ok_18.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path no space between and and path
+#=EXRESULT PASS
+#
+
+abi"abi/4.19",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_2.sd
+++ b/parser/tst/simple_tests/abi/ok_2.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path in quotes with spaces
+#=EXRESULT PASS
+#
+
+abi "abi/4.19 ubuntu",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_20.sd
+++ b/parser/tst/simple_tests/abi/ok_20.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi <abi/4.19>,
+
+}
--- a/parser/tst/simple_tests/abi/ok_21.sd
+++ b/parser/tst/simple_tests/abi/ok_21.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi "abi/4.19",
+
+}
--- a/parser/tst/simple_tests/abi/ok_22.sd
+++ b/parser/tst/simple_tests/abi/ok_22.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi path in profile
+#=EXRESULT PASS
+#
+
+
+/does/not/exist {
+  abi abi/4.19,
+
+}
--- a/parser/tst/simple_tests/abi/ok_3.sd
+++ b/parser/tst/simple_tests/abi/ok_3.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_4.sd
+++ b/parser/tst/simple_tests/abi/ok_4.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi abs path in quotes with space
+#=EXRESULT PASS
+#
+
+abi "/abi/4.19 ubuntu",
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_5.sd
+++ b/parser/tst/simple_tests/abi/ok_5.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi relative path no quotes
+#=EXRESULT PASS
+#
+
+abi abi/4.19,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_6.sd
+++ b/parser/tst/simple_tests/abi/ok_6.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path
+#=EXRESULT PASS
+#
+
+abi <abi/4.19>,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_7.sd
+++ b/parser/tst/simple_tests/abi/ok_7.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19>,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_8.sd
+++ b/parser/tst/simple_tests/abi/ok_8.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi <abi/4.19 >,
+
+/does/not/exist {
+}
--- a/parser/tst/simple_tests/abi/ok_9.sd
+++ b/parser/tst/simple_tests/abi/ok_9.sd
@ -0,0 +1,9 @@
+#
+#=DESCRIPTION abi testing - abi path spaces
+#=EXRESULT PASS
+#
+
+abi < abi/4.19 >,
+
+/does/not/exist {
+}