
update more documentation, update Debian start-up script for LSB, flip logprof repo

This commit is contained in:
Kees Cook
2009-11-11 10:51:05 -08:00
parent da6c9246f5
commit 6fa3406b0e
4 changed files with 94 additions and 58 deletions


@@ -125,7 +125,7 @@ techdoc/index.html: techdoc.pdf
techdoc.txt: techdoc/index.html techdoc.txt: techdoc/index.html
w3m -dump $< > $@ w3m -dump $< > $@
all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf techdoc/index.html all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
$(Q)make -C po all $(Q)make -C po all
$(Q)make -s tests $(Q)make -s tests


@@ -30,12 +30,12 @@ of resources. AppArmor's unique security model is to bind access control
attributes to programs rather than to users. attributes to programs rather than to users.
AppArmor confinement is provided via I<profiles> loaded into the kernel AppArmor confinement is provided via I<profiles> loaded into the kernel
via apparmor_parser(8), typically through the F</etc/init.d/boot.apparmor> via apparmor_parser(8), typically through the F</etc/init.d/apparmor>
SysV initscript, which is used like this: SysV initscript, which is used like this:
# /etc/init.d/boot.apparmor start # /etc/init.d/apparmor start
# /etc/init.d/boot.apparmor stop # /etc/init.d/apparmor stop
# /etc/init.d/boot.apparmor restart # /etc/init.d/apparmor restart
AppArmor can operate in two modes: I<enforcement>, and I<complain or learning>: AppArmor can operate in two modes: I<enforcement>, and I<complain or learning>:
@@ -135,11 +135,11 @@ depending upon local configuration.
=over 4 =over 4
=item F</etc/init.d/boot.apparmor> =item F</etc/init.d/apparmor>
=item F</etc/apparmor.d/> =item F</etc/apparmor.d/>
=item F</lib/apparmor/> =item F</var/lib/apparmor/>
=item F</var/log/audit/audit.log> =item F</var/log/audit/audit.log>


@@ -23,10 +23,14 @@
# NOTE: rc.apparmor initscripts that source this file need to implement # NOTE: rc.apparmor initscripts that source this file need to implement
# the following set of functions: # the following set of functions:
# aa_action # aa_action
# aa_log_action_start
# aa_log_action_end
# aa_log_success_msg # aa_log_success_msg
# aa_log_warning_msg # aa_log_warning_msg
# aa_log_failure_msg # aa_log_failure_msg
# aa_log_skipped_msg # aa_log_skipped_msg
# aa_log_daemon_msg
# aa_log_end_msg
# Some nice defines that we use # Some nice defines that we use
@@ -58,14 +62,7 @@ if [ -f "${APPARMOR_CONF}" ] ; then
. "${APPARMOR_CONF}" . "${APPARMOR_CONF}"
fi fi
if [ -f /sbin/apparmor_parser ] ; then PARSER=/sbin/apparmor_parser
PARSER=/sbin/apparmor_parser
elif [ -f /sbin/subdomain_parser -o -h /sbin/subdomain_parser ] ; then
PARSER=/sbin/subdomain_parser
else
aa_log_failure_msg "Unable to find apparmor_parser, installation problem?"
exit 1
fi
# SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf # SUBDOMAIN_DIR and APPARMOR_DIR might be defined in subdomain.conf|apparmor.conf
if [ -d "${APPARMOR_DIR}" ] ; then if [ -d "${APPARMOR_DIR}" ] ; then
@@ -113,7 +110,7 @@ is_apparmor_present() {
# check for subdomainfs version of module # check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules grep -qE "^($modules)[[:space:]]" /proc/modules
if [ $? -ne 0 ] ; then if [ $? -ne 0 ] ; then
ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)" ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
fi fi
@@ -123,14 +120,37 @@ is_apparmor_present() {
# This set of patterns to skip needs to be kept in sync with # This set of patterns to skip needs to be kept in sync with
# SubDomain.pm::isSkippableFile() # SubDomain.pm::isSkippableFile()
# returns 0 if profile should NOT be skipped
# returns 1 on verbose skip
# returns 2 on silent skip
skip_profile() { skip_profile() {
local profile=$1 local profile=$1
if [ "${profile%.rpmnew}" != "${profile}" -o \ if [ "${profile%.rpmnew}" != "${profile}" -o \
"${profile%.rpmsave}" != "${profile}" -o \ "${profile%.rpmsave}" != "${profile}" -o \
"${profile%.dpkg-new}" != "${profile}" -o \ -e "${PROFILE_DIR}/disable/`basename ${profile}`" -o \
"${profile%.dpkg-old}" != "${profile}" -o \
"${profile%\~}" != "${profile}" ] ; then "${profile%\~}" != "${profile}" ] ; then
return 0 return 1
fi
# Silently ignore the dpkg files
if [ "${profile%.dpkg-new}" != "${profile}" -o \
"${profile%.dpkg-old}" != "${profile}" -o \
"${profile%.dpkg-dist}" != "${profile}" ] ; then
return 2
fi
return 0
}
force_complain() {
local profile=$1
# if profile not in complain mode
if ! egrep -q "^/.*[ \t]+flags[ \t]*=[ \t]*\([ \t]*complain[ \t]*\)[ \t]+{" $profile ; then
local link="${PROFILE_DIR}/force-complain/`basename ${profile}`"
if [ -e "$link" ] ; then
aa_log_warning_msg "found $link, forcing complain mode"
return 0
fi
fi fi
return 1 return 1
@@ -148,47 +168,58 @@ parse_profiles() {
PARSER_MSG="Reloading AppArmor profiles " PARSER_MSG="Reloading AppArmor profiles "
;; ;;
*) *)
aa_log_failure_msg "required 'load' or 'reload'"
exit 1 exit 1
;; ;;
esac esac
echo -n "$PARSER_MSG" aa_log_action_begin "$PARSER_MSG"
# run the parser on all of the apparmor profiles # run the parser on all of the apparmor profiles
if [ ! -f "$PARSER" ]; then if [ ! -f "$PARSER" ]; then
aa_log_failure_msg "- AppArmor parser not found" aa_log_failure_msg "AppArmor parser not found"
aa_log_action_end 1
exit 1 exit 1
fi fi
if [ ! -d "$PROFILE_DIR" ]; then if [ ! -d "$PROFILE_DIR" ]; then
aa_log_skipped_msg "- Profile directory not found\nNo AppArmor policy loaded." aa_log_failure_msg "Profile directory not found"
return 1 aa_log_action_end 1
exit 1
fi fi
if [ -z "$(ls $PROFILE_DIR/)" ]; then if [ -z "$(ls $PROFILE_DIR/)" ]; then
aa_log_skipped_msg "- No profiles found\nNo AppArmor policy loaded." aa_log_failure_msg "No profiles found"
aa_log_action_end 1
return 1 return 1
fi fi
for profile in $PROFILE_DIR/*; do for profile in $PROFILE_DIR/*; do
if skip_profile "${profile}" ; then skip_profile "${profile}"
echo " Skipping profile $profile" skip=$?
# Ignore skip status == 2 (silent skip)
if [ "$skip" -eq 1 ] ; then
aa_log_skipped_msg "$profile"
logger -t "AppArmor(init)" -p daemon.warn "Skipping profile $profile" logger -t "AppArmor(init)" -p daemon.warn "Skipping profile $profile"
[ "$STATUS" -ne 1 ] && STATUS=2 STATUS=2
elif [ -f "${profile}" ] ; then elif [ "$skip" -ne 0 ]; then
$PARSER $ABSTRACTIONS $PARSER_ARGS "$profile" > /dev/null continue
fi
if [ -f "${profile}" ] ; then
COMPLAIN=""
if force_complain "${profile}" ; then
COMPLAIN="-C"
fi
$PARSER $ABSTRACTIONS $PARSER_ARGS $COMPLAIN "$profile" > /dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo " Profile $profile failed to load" aa_log_failure_msg "$profile failed to load"
STATUS=1 STATUS=1
fi fi
fi fi
done done
if [ $STATUS -eq 0 ]; then if [ $STATUS -eq 2 ]; then
aa_log_success_msg STATUS=0
elif [ $STATUS -eq 2 ]; then
aa_log_warning_msg
else
aa_log_failure_msg
exit $STATUS
fi fi
aa_log_action_end "$STATUS"
return $STATUS
} }
profiles_names_list() { profiles_names_list() {
@@ -205,7 +236,7 @@ profiles_names_list() {
fi fi
for profile in $PROFILE_DIR/*; do for profile in $PROFILE_DIR/*; do
if ! skip_profile "${profile}" && [ -f "${profile}" ] ; then if skip_profile "${profile}" && [ -f "${profile}" ] ; then
LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" | grep -v '\^') LIST_ADD=$($PARSER $ABSTRACTIONS -N "$profile" | grep -v '\^')
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "$LIST_ADD" >>$TMPFILE echo "$LIST_ADD" >>$TMPFILE
@@ -326,19 +357,22 @@ load_module() {
fi fi
return $rc return $rc
} }
apparmor_start() { apparmor_start() {
aa_log_daemon_msg "Starting AppArmor"
if ! is_apparmor_loaded ; then if ! is_apparmor_loaded ; then
load_module load_module
rc=$? rc=$?
if [ $rc -ne 0 ] ; then if [ $rc -ne 0 ] ; then
aa_log_end_msg $rc
return $rc return $rc
fi fi
fi fi
if [ ! -w "$SFS_MOUNTPOINT/.load" ] ; then if [ ! -w "$SFS_MOUNTPOINT/.load" ] ; then
aa_log_failure_msg "Loading AppArmor profiles - failed, Do you have the correct privileges?" aa_log_failure_msg "Loading AppArmor profiles - failed, Do you have the correct privileges?"
aa_log_end_msg 1
return 1 return 1
fi fi
@@ -348,8 +382,10 @@ apparmor_start() {
cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
parse_profiles load parse_profiles load
else else
aa_log_skipped_msg "Loading AppArmor profiles - AppArmor already loaded with profiles." aa_log_skipped_msg "AppArmor already loaded with profiles."
fi fi
aa_log_end_msg 0
return 0
} }
remove_profiles() { remove_profiles() {
@@ -359,17 +395,17 @@ remove_profiles() {
# our position. Lets hope there are never enough profiles to # our position. Lets hope there are never enough profiles to
# overflow the variable # overflow the variable
if ! is_apparmor_loaded ; then if ! is_apparmor_loaded ; then
aa_log_failure_msg "- failed, is AppArmor loaded?" aa_log_failure_msg "AppArmor module is not loaded"
return 1 return 1
fi fi
if [ ! -w "$SFS_MOUNTPOINT/.remove" ] ; then if [ ! -w "$SFS_MOUNTPOINT/.remove" ] ; then
aa_log_failure_msg "- failed, Do you have the correct privileges?" aa_log_failure_msg "Root privileges not available"
return 1 return 1
fi fi
if [ ! -x "${PARSER}" ] ; then if [ ! -x "${PARSER}" ] ; then
aa_log_failure_msg "- failed, unable to execute AppArmor parser" aa_log_failure_msg "Unable to execute AppArmor parser"
return 1 return 1
fi fi
@@ -386,23 +422,21 @@ remove_profiles() {
fi fi
done done
rm "$MODULE_PLIST" rm "$MODULE_PLIST"
if [ ${retval} -eq 0 ] ; then
aa_log_success_msg
else
aa_log_failure_msg
fi
return ${retval} return ${retval}
} }
apparmor_stop() { apparmor_stop() {
echo -n "Unloading AppArmor profiles " aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles remove_profiles
return $? rc=$?
log_end_msg $rc
return $rc
} }
apparmor_kill() { apparmor_kill() {
aa_log_daemon_msg "Unloading AppArmor modules "
if ! is_apparmor_loaded ; then if ! is_apparmor_loaded ; then
aa_log_failure_msg "Killing AppArmor module - failed, AppArmor is not loaded." aa_log_failure_msg "AppArmor module is not loaded"
return 1 return 1
fi fi
@@ -412,11 +446,13 @@ apparmor_kill() {
elif is_apparmor_present subdomain ; then elif is_apparmor_present subdomain ; then
MODULE=subdomain MODULE=subdomain
else else
aa_log_failure_msg "Killing AppArmor module - failed, AppArmor is builtin" aa_log_failure_msg "AppArmor is builtin"
return 1 return 1
fi fi
aa_action "Unloading AppArmor modules" /sbin/modprobe -qr $MODULE /sbin/modprobe -qr $MODULE
return $? rc=$?
aa_log_end_msg $rc
return $rc
} }
__apparmor_restart() { __apparmor_restart() {
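Review bot: The exit status of `parse_profiles load` is discarded in apparmor_start, because the call sits inside the `cat "$SFS_MOUNTPOINT/profiles" | if … fi` pipeline subshell and the new lines after the `fi` unconditionally call `aa_log_end_msg 0` and `return 0`, so a profile that fails to load (STATUS=1 in the parse_profiles hunk, which now returns that status instead of exiting) is reported as a successful start. Moving the pipeline into the `if` condition keeps parse_profiles in the current shell so its status can be captured and passed to `aa_log_end_msg`; as far as the hunks show, parse_profiles does not read stdin, so losing the piped input there should be harmless. In the same section, apparmor_stop calls `log_end_msg $rc` rather than `aa_log_end_msg $rc`, which is undefined for initscripts that only implement the aa_* hooks listed in the header comment. apparmor_kill likewise opens with `aa_log_daemon_msg` but its two early `return 1` paths never call `aa_log_end_msg`, unlike apparmor_start. apparmor_start's body begins in the earlier hunk at `@@ -326,19 +357,22 @@`.
```sh
	# … unchanged: module load and .load writability checks …
	if ! cat "$SFS_MOUNTPOINT/profiles" | read line ; then
		parse_profiles load
		rc=$?
	else
		aa_log_skipped_msg "AppArmor already loaded with profiles."
		rc=0
	fi
	aa_log_end_msg $rc
	return $rc
```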

View File

@@ -11,7 +11,7 @@
[settings] [settings]
profiledir = /etc/apparmor.d /etc/subdomain.d profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /etc/apparmor/profiles/extras/ inactive_profiledir = /usr/share/doc/apparmor-profiles/extras
logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog logfiles = /var/log/audit/audit.log /var/log/messages /var/log/syslog
parser = /sbin/apparmor_parser /sbin/subdomain_parser parser = /sbin/apparmor_parser /sbin/subdomain_parser
@@ -37,9 +37,9 @@
[repository] [repository]
distro = opensuse11.0 distro = ubuntu-intrepid
url = http://apparmor.opensuse.org/backend/api url = http://apparmor.test.opensuse.org/backend/api
preferred_user = novell preferred_user = ubuntu
[qualifiers] [qualifiers]
# things will be painfully broken if bash has a profile # things will be painfully broken if bash has a profile
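Review bot: The new `url = http://apparmor.test.opensuse.org/backend/api` points the profile repository at a host named `test` over plain http, so whatever the tools fetch from it has no transport integrity or authenticity protection, and nothing in the file records that this is a test backend. A comment above the `[repository]` block would make that explicit for whoever deploys this config, e.g. `# test backend instance; served over plain http, so fetched profiles are not integrity-protected in transit`, and if the backend offers TLS the URL should use https instead.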