From 73a29ade16f45a6c333a11ce2ac0b3ef0a6662b4 Mon Sep 17 00:00:00 2001
From: John Johansen <john@jjmx.net>
Date: Thu, 18 Jul 2024 12:43:21 +0000
Subject: [PATCH] Merge parser: fix unix for all rule

By specifying 0 in the unix type, all rules were allowing only the "none" type, when it wanted to allow all types, so replace it by 0xffffffff. Also, add this testcase to the unix regression tests.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410

I propose this fix for master and apparmor-4.0

Closes #410
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1273
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 5b44e33d25cbbe5c29a7e86dc1bb0e91053a8ed2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 parser/all_rule.cc                            |  4 +--
 tests/regression/apparmor/aa_exec.sh          | 13 ++++++++
 tests/regression/apparmor/access.sh           |  9 +++++-
 .../apparmor/attach_disconnected.sh           |  9 ++++++
 tests/regression/apparmor/dbus_eavesdrop.sh   |  5 ++++
 tests/regression/apparmor/dbus_message.sh     |  6 ++++
 tests/regression/apparmor/dbus_service.sh     |  8 +++++
 .../apparmor/dbus_unrequested_reply.sh        |  8 +++++
 tests/regression/apparmor/io_uring.sh         |  5 ++++
 tests/regression/apparmor/mount.sh            | 30 +++++++++++++++++++
 tests/regression/apparmor/net_inet.sh         | 23 +++++++++++---
 tests/regression/apparmor/net_raw.sh          |  4 +++
 tests/regression/apparmor/pivot_root.sh       |  5 ++++
 tests/regression/apparmor/posix_mq.sh         |  4 +++
 tests/regression/apparmor/ptrace_v6.inc       |  9 ++++++
 tests/regression/apparmor/tcp.sh              |  6 ++++
 tests/regression/apparmor/unix_socket.inc     |  5 ++++
 tests/regression/apparmor/userns.sh           |  5 ++++
 18 files changed, 151 insertions(+), 7 deletions(-)

diff --git a/parser/all_rule.cc b/parser/all_rule.cc
index 34159349e..4ebc47a8a 100644
--- a/parser/all_rule.cc
+++ b/parser/all_rule.cc
@@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	prefix_rule_t *rule;
 	const prefixes *prefix = this;
 
-	rule = new unix_rule(0, audit, rule_mode);
+	rule = new unix_rule(0xffffffff, audit, rule_mode);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
@@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
-	rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
index daaefee9b..9ef1f5355 100755
--- a/tests/regression/apparmor/aa_exec.sh
+++ b/tests/regression/apparmor/aa_exec.sh
@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
 
 genprofile_aa_exec "$test" 0
 runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile --stdin <<EOF
+$test {
+  all,
+}
+
+:${ns}:${test} {
+  all,
+}
+EOF
+    runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
+fi
diff --git a/tests/regression/apparmor/access.sh b/tests/regression/apparmor/access.sh
index 6b0c9675c..189526ec0 100644
--- a/tests/regression/apparmor/access.sh
+++ b/tests/regression/apparmor/access.sh
@@ -28,7 +28,14 @@ wxperm=wix
 touch $file
 chmod 777 $file	# full perms so discretionary access checks succeed
 
-# PASS TEST 
+# PASS TEST
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile "all"
+    runchecktest "ACCESS allow all r (rwx)" pass $file r
+    runchecktest "ACCESS allow all rx (rwx)" pass $file rx
+    runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
+fi
+
 genprofile $file:$rwxperm
 runchecktest "ACCESS file r (rwx)" pass $file r
 runchecktest "ACCESS file rx (rwx)" pass $file rx
diff --git a/tests/regression/apparmor/attach_disconnected.sh b/tests/regression/apparmor/attach_disconnected.sh
index c63e6611b..bb6dced26 100644
--- a/tests/regression/apparmor/attach_disconnected.sh
+++ b/tests/regression/apparmor/attach_disconnected.sh
@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
 
 # TODO: adding attach_disconnected.path to a replaced unconfined
 
+# ALLOW ALL does not include attach_disconnected
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
+
+	genprofile "all" -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+fi
+
 genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index 32746a9b1..189fc16b9 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -45,6 +45,11 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		gendbusprofile "all,"
+		runchecktest "eavesdrop (allow all)" pass $args
+	fi
+
 	gendbusprofile "dbus,"
 	runchecktest "eavesdrop (dbus allowed)" pass $args
 
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 14bd1e522..882997eb6 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -60,6 +60,12 @@ run_tests()
 
 	# Make sure send is allowed when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		message_gendbusprofile "all,"
+		runtestfg "message (allow all)" pass $confined_args
+		checktestfg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	message_gendbusprofile "dbus,"
 	runtestfg "message (dbus allowed)" pass $confined_args
 	checktestfg "compare_logs $unconfined_log eq $confined_log"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 10b61484a..4daf74dd7 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -92,6 +92,14 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		service_gendbusprofile "all,"
+		service_runtestbg "service (allow all)" pass $unconfined_log
+		sendmethod
+		sendsignal
+		service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	service_gendbusprofile "dbus,"
 	service_runtestbg "service (dbus allowed)" pass $unconfined_log
 	sendmethod
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 626554f3d..6b6d658c3 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -80,6 +80,14 @@ run_tests()
 	sendmethodreturn
 	ur_checktestbg
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		# All perms are granted so the logs should be equal
+		ur_gendbusprofile "all,"
+		ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
+		sendmethodreturn
+		ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	# All dbus perms are granted so the logs should be equal
 	ur_gendbusprofile "dbus,"
 	ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
diff --git a/tests/regression/apparmor/io_uring.sh b/tests/regression/apparmor/io_uring.sh
index 8f0feec9d..92e8002a2 100755
--- a/tests/regression/apparmor/io_uring.sh
+++ b/tests/regression/apparmor/io_uring.sh
@@ -55,6 +55,11 @@ do_tests "no perms" fail fail
 genprofile $required_perms "qual=deny:io_uring"
 do_tests "deny perms" fail fail
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_tests "allow all" pass pass
+fi
+
 genprofile $required_perms "io_uring"
 do_tests "generic perms" pass pass
 
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 37c5f3193..0154d1ac1 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -424,6 +424,34 @@ fsmount_tests() {
 	fsmount_test " fsmount deny att_dis" "qual=deny:" "flag:attach_disconnected" ${should_fail}
 }
 
+all_rule() {
+	if [ "$(parser_supports 'all,')" != "true" ]; then
+		echo "    not supported by parser - skipping allow all,"
+		return
+	fi
+
+	settest mount
+	genprofile "all"
+
+	runchecktest "MOUNT (confined allow all)" pass mount ${loop_device} ${mount_point}
+
+	runchecktest "UMOUNT (confined allow all)" pass umount ${loop_device} ${mount_point}
+
+	runchecktest "MOUNT (confined allow all remount setup)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (confined allow all remount)" pass mount ${loop_device} ${mount_point} -o remount
+	remove_mnt
+
+	settest move_mount
+	genprofile "all"
+
+	runchecktest "MOVE_MOUNT (confined fsmount: allow all)" pass fsmount ${loop_device} ${mount_point} ${fstype}
+	remove_mnt
+
+	mount ${loop_device} ${mnt_source}
+	runchecktest "MOVE_MOUNT (confined open_tree: allow all)" pass open_tree ${mount_point2} ${mount_point} ${fstype}
+	remove_mnt
+}
+
 # TEST 1.  Make sure can mount and umount unconfined
 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
 remove_mnt
@@ -569,6 +597,8 @@ else
 	fsmount_tests tmpfs ${mount_point} tmpfs
 	fsmount_tests ${loop_device} ${mount_point} ${fstype}
 	open_tree_tests ${mount_point2} ${mount_point} ${fstype}
+
+	all_rule
 fi
 
 #need tests for chroot
diff --git a/tests/regression/apparmor/net_inet.sh b/tests/regression/apparmor/net_inet.sh
index f5060740a..c72ad8f52 100644
--- a/tests/regression/apparmor/net_inet.sh
+++ b/tests/regression/apparmor/net_inet.sh
@@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
-rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
@@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
-rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+fi
diff --git a/tests/regression/apparmor/net_raw.sh b/tests/regression/apparmor/net_raw.sh
index ca42e56a4..6b4304ca6 100755
--- a/tests/regression/apparmor/net_raw.sh
+++ b/tests/regression/apparmor/net_raw.sh
@@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
 genprofile cap:net_raw network:
 runchecktest "RAW SOCKET (cap net_raw)" pass
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "RAW SOCKET (allow all)" pass
+fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index dd7104edc..70abec5e7 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -120,6 +120,11 @@ if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "t
 	exit
 fi
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_test "allow all rule" pass "$put_old" "$new_root" "$test"
+fi
+
 # Ensure failure when no pivot_root perms are granted
 genprofile $cur $cap
 do_test "cap only" fail "$put_old" "$new_root" "$test"
diff --git a/tests/regression/apparmor/posix_mq.sh b/tests/regression/apparmor/posix_mq.sh
index 0a049009f..9a2c92edd 100755
--- a/tests/regression/apparmor/posix_mq.sh
+++ b/tests/regression/apparmor/posix_mq.sh
@@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
     genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
     do_tests "confined $username - deny perms" fail fail fail fail $usercmd
 
+    if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" -- image=$sender "all"
+	do_tests "confined $username - allow all" pass pass pass pass $usercmd
+    fi
 
     # generic mqueue
     # 2 Potential failures caused by missing other x permission in path
diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
index b0cf983ad..5065a2e8f 100644
--- a/tests/regression/apparmor/ptrace_v6.inc
+++ b/tests/regression/apparmor/ptrace_v6.inc
@@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
 runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
 runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "test allow all" pass -n 100 ${bin_true}
+	runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
+	runchecktest "test allow all -h" pass -h -n 100 $helper
+	runchecktest "test allow all -hc" pass -h -c -n 100 $helper
+	runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
+	runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
+fi
 
 #ptraced confined app traced by profile can px
 genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
index 4d27b7bb4..7d528cb39 100755
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
 genprofile 
 runchecktest "TCP (accept, connect) no network rules" fail $port
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	# PASS TEST - allow all
+	genprofile "all"
+	runchecktest "TCP (allow all)" pass $port
+fi
+
 # PASS TEST - allow tcp
 genprofile network:tcp
 runchecktest "TCP (accept, connect) allow tcp" pass $port
diff --git a/tests/regression/apparmor/unix_socket.inc b/tests/regression/apparmor/unix_socket.inc
index 905c99c6f..6d6c60fd4 100644
--- a/tests/regression/apparmor/unix_socket.inc
+++ b/tests/regression/apparmor/unix_socket.inc
@@ -71,6 +71,11 @@ do_test()
 
 	desc+=" confined $test_prog"
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		$genprof "all"
+		runchecktest "$desc (allow all)" pass $args
+	fi
+
 	$genprof "unix:ALL"
 	runchecktest "$desc (implicit perms)" pass $args
 
diff --git a/tests/regression/apparmor/userns.sh b/tests/regression/apparmor/userns.sh
index df1260ae3..9df4e7b43 100755
--- a/tests/regression/apparmor/userns.sh
+++ b/tests/regression/apparmor/userns.sh
@@ -101,6 +101,11 @@ fi
 # confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
 run_confined_tests()
 {
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		generate_profile="genprofile all"
+		do_test "confined allow all $1" pass pass pass pass "$generate_profile"
+	fi
+
 	generate_profile="genprofile userns"
 	do_test "confined all perms $1" pass pass fail fail "$generate_profile"