Merge branch 'apparmor-2.10' into 'apparmor-2.10'

2.10: Add basic support for abi rules to the tools Add basic "understand and keep" support for abi rules, where "understand" means to not error out when seeing an abi rule, and "keep" simply means to keep the original abi rule when serializing a profile. On the long term, abi rules should be parsed (similar to include rules), but for now, this patch is the smallest possible changeset and easy to backport. Note that the only added test is via cleanprof_test.* which is used by minitools_test.py - and does not run if you do a 'make check'. Oh, and of course the simple_tests/abi/ files also get parsed by test-parser-simple-tests.py. BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-) This is a backport of 072d3e04 / !202 (merged) to 2.10 (with some adjustments because that commit didn't appy cleanly) PR: https://gitlab.com/apparmor/apparmor/merge_requests/225 Acked-by: John Johansen <john.johansen@canonical.com>
2025-08-31 06:16:03 +00:00 · 2018-10-05 19:49:50 +00:00
parent de6ea8d82b d90afe7313
commit 49bd73172e
4 changed files with 36 additions and 3 deletions
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -41,7 +41,7 @@ from apparmor.aamode import (str_to_mode, mode_to_str, contains, split_mode,
                             flatten_mode, owner_flatten_mode)

 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
-                            RE_PROFILE_ALIAS,
+                            RE_ABI, RE_PROFILE_ALIAS,
                            RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,
                            RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
                            RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
@@ -2849,6 +2849,18 @@ def parse_profile_data(data, file, do_include):
            else:
                profile_data[profile][hat][allow]['path'][path]['audit'] = set()

+        elif RE_ABI.search(line):
+            if profile:
+                if not profile_data[profile][hat].get('abi'):
+                    profile_data[profile][hat]['abi'] = []
+                profile_data[profile][hat]['abi'].append(line)
+            else:
+                if not filelist.get(file):
+                    filelist[file] = hasher()
+                if not filelist[file].get('abi'):
+                    filelist[file]['abi'] = []
+                filelist[file]['abi'].append(line)
+
        elif re_match_include(line):
            # Include files
            include_name = re_match_include(line)
@@ -3256,6 +3268,17 @@ def write_change_profile(prof_data, depth):
        data = prof_data['change_profile'].get_clean(depth)
    return data

+def write_abi(ref, depth):
+    pre = '  ' * depth
+    data = []
+
+    if ref.get('abi'):
+        for line in ref.get('abi'):
+            data.append('%s%s' % (pre, line))
+        data.append('')
+
+    return data
+
 def write_alias(prof_data, depth):
    return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', ',', quote_if_needed)

@@ -3496,7 +3519,8 @@ def write_paths(prof_data, depth):
    return data

 def write_rules(prof_data, depth):
-    data = write_alias(prof_data, depth)
+    data = write_abi(prof_data, depth)
+    data += write_alias(prof_data, depth)
    data += write_list_vars(prof_data, depth)
    data += write_includes(prof_data, depth)
    data += write_rlimits(prof_data, depth)
@@ -3586,6 +3610,7 @@ def serialize_profile(profile_data, name, options):

    prof_filename = get_profile_filename(name)
    if filelist.get(prof_filename, False):
+        data += write_abi(filelist[prof_filename], 0)
        data += write_alias(filelist[prof_filename], 0)
        data += write_list_vars(filelist[prof_filename], 0)
        data += write_includes(filelist[prof_filename], 0)
@@ -3658,7 +3683,8 @@ def serialize_profile_from_old_profile(profile_data, name, options):
    with open_file_read(prof_filename) as f_in:
        profile = None
        hat = None
-        write_methods = {'alias': write_alias,
+        write_methods = {'abi': write_abi,
+                         'alias': write_alias,
                         'lvar': write_list_vars,
                         'include': write_includes,
                         'rlimit': write_rlimits,
--- a/utils/apparmor/regex.py
+++ b/utils/apparmor/regex.py
@@ -113,6 +113,7 @@ def parse_profile_start_line(line, filename):

    return result

+RE_ABI = re.compile('^\s*#?abi\s*(<(?P<magicpath>.*)>|"(?P<quotedpath>.*)"|(?P<unquotedpath>[^<>"]*))' + RE_COMMA_EOL)

 RE_INCLUDE = re.compile('^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)

--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -2,6 +2,7 @@
 #include <tunables/global>

 		alias /foo    ->    /bar	,
+  abi  <abi/4.19>    ,

 /usr/bin/a/simple/cleanprof/test/profile {
 	# Just for the heck of it, this comment wont see the day of light
@@ -9,6 +10,7 @@
 	#Below rule comes from abstractions/base
 	allow /usr/share/X11/locale/**  r,
 	allow /home/*/** r,
+               abi  "abi/4.20"    ,

    unix (receive) type=dgram,

--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -1,3 +1,5 @@
+abi  <abi/4.19>    ,
+
 alias /foo -> /bar,

 #include <tunables/global>
@@ -6,6 +8,8 @@ alias /foo -> /bar,


 /usr/bin/a/simple/cleanprof/test/profile {
+  abi  "abi/4.20"    ,
+
  #include <abstractions/base>

  unix (receive) type=dgram,