Merge parser: fix unix for all rule

By specifying 0 in the unix type, all rules were allowing only the "none" type, when it wanted to allow all types, so replace it by 0xffffffff. Also, add this testcase to the unix regression tests.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410

I propose this fix for master and apparmor-4.0

Closes #410
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1273
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 5b44e33d25cbbe5c29a7e86dc1bb0e91053a8ed2)
Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/all_rule.cc

@@ -39,7 +39,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	prefix_rule_t *rule;
 	const prefixes *prefix = this;
 
-	rule = new unix_rule(0, audit, rule_mode);
+	rule = new unix_rule(0xffffffff, audit, rule_mode);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
@@ -67,7 +67,7 @@ void all_rule::add_implied_rules(Profile &prof)
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 
-	rule = new mnt_rule(NULL, NULL, NULL, NULL, 0);
+	rule = new mnt_rule(NULL, NULL, NULL, NULL, AA_MAY_MOUNT);
 	(void) rule->add_prefix(*prefix);
 	prof.rule_ents.push_back(rule);
 

tests/regression/apparmor/aa_exec.sh

@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
 
 genprofile_aa_exec "$test" 0
 runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile --stdin <<EOF
+$test {
+  all,
+}
+
+:${ns}:${test} {
+  all,
+}
+EOF
+    runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
+fi

tests/regression/apparmor/access.sh

@@ -29,6 +29,13 @@ touch $file
 chmod 777 $file	# full perms so discretionary access checks succeed
 
 # PASS TEST
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile "all"
+    runchecktest "ACCESS allow all r (rwx)" pass $file r
+    runchecktest "ACCESS allow all rx (rwx)" pass $file rx
+    runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
+fi
+
 genprofile $file:$rwxperm
 runchecktest "ACCESS file r (rwx)" pass $file r
 runchecktest "ACCESS file rx (rwx)" pass $file rx

tests/regression/apparmor/attach_disconnected.sh

@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
 
 # TODO: adding attach_disconnected.path to a replaced unconfined
 
+# ALLOW ALL does not include attach_disconnected
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
+
+	genprofile "all" -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+fi
+
 genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old

tests/regression/apparmor/dbus_eavesdrop.sh

@@ -45,6 +45,11 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		gendbusprofile "all,"
+		runchecktest "eavesdrop (allow all)" pass $args
+	fi
+
 	gendbusprofile "dbus,"
 	runchecktest "eavesdrop (dbus allowed)" pass $args
 

tests/regression/apparmor/dbus_message.sh

@@ -60,6 +60,12 @@ run_tests()
 
 	# Make sure send is allowed when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		message_gendbusprofile "all,"
+		runtestfg "message (allow all)" pass $confined_args
+		checktestfg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	message_gendbusprofile "dbus,"
 	runtestfg "message (dbus allowed)" pass $confined_args
 	checktestfg "compare_logs $unconfined_log eq $confined_log"

tests/regression/apparmor/dbus_service.sh

@@ -92,6 +92,14 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		service_gendbusprofile "all,"
+		service_runtestbg "service (allow all)" pass $unconfined_log
+		sendmethod
+		sendsignal
+		service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	service_gendbusprofile "dbus,"
 	service_runtestbg "service (dbus allowed)" pass $unconfined_log
 	sendmethod

tests/regression/apparmor/dbus_unrequested_reply.sh

@@ -80,6 +80,14 @@ run_tests()
 	sendmethodreturn
 	ur_checktestbg
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		# All perms are granted so the logs should be equal
+		ur_gendbusprofile "all,"
+		ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
+		sendmethodreturn
+		ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	# All dbus perms are granted so the logs should be equal
 	ur_gendbusprofile "dbus,"
 	ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log

tests/regression/apparmor/io_uring.sh

@@ -55,6 +55,11 @@ do_tests "no perms" fail fail
 genprofile $required_perms "qual=deny:io_uring"
 do_tests "deny perms" fail fail
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_tests "allow all" pass pass
+fi
+
 genprofile $required_perms "io_uring"
 do_tests "generic perms" pass pass
 

tests/regression/apparmor/mount.sh

@@ -424,6 +424,34 @@ fsmount_tests() {
 	fsmount_test " fsmount deny att_dis" "qual=deny:" "flag:attach_disconnected" ${should_fail}
 }
 
+all_rule() {
+	if [ "$(parser_supports 'all,')" != "true" ]; then
+		echo "    not supported by parser - skipping allow all,"
+		return
+	fi
+
+	settest mount
+	genprofile "all"
+
+	runchecktest "MOUNT (confined allow all)" pass mount ${loop_device} ${mount_point}
+
+	runchecktest "UMOUNT (confined allow all)" pass umount ${loop_device} ${mount_point}
+
+	runchecktest "MOUNT (confined allow all remount setup)" pass mount ${loop_device} ${mount_point}
+	runchecktest "MOUNT (confined allow all remount)" pass mount ${loop_device} ${mount_point} -o remount
+	remove_mnt
+
+	settest move_mount
+	genprofile "all"
+
+	runchecktest "MOVE_MOUNT (confined fsmount: allow all)" pass fsmount ${loop_device} ${mount_point} ${fstype}
+	remove_mnt
+
+	mount ${loop_device} ${mnt_source}
+	runchecktest "MOVE_MOUNT (confined open_tree: allow all)" pass open_tree ${mount_point2} ${mount_point} ${fstype}
+	remove_mnt
+}
+
 # TEST 1.  Make sure can mount and umount unconfined
 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
 remove_mnt
@@ -569,6 +597,8 @@ else
 	fsmount_tests tmpfs ${mount_point} tmpfs
 	fsmount_tests ${loop_device} ${mount_point} ${fstype}
 	open_tree_tests ${mount_point2} ${mount_point} ${fstype}
+
+	all_rule
 fi
 
 #need tests for chroot

tests/regression/apparmor/net_inet.sh

@@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
-rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
-snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
+snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
@@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
-rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
-snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
+snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+fi

tests/regression/apparmor/net_raw.sh

@@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
 genprofile cap:net_raw network:
 runchecktest "RAW SOCKET (cap net_raw)" pass
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "RAW SOCKET (allow all)" pass
+fi

tests/regression/apparmor/pivot_root.sh

@@ -120,6 +120,11 @@ if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "t
 	exit
 fi
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_test "allow all rule" pass "$put_old" "$new_root" "$test"
+fi
+
 # Ensure failure when no pivot_root perms are granted
 genprofile $cur $cap
 do_test "cap only" fail "$put_old" "$new_root" "$test"

tests/regression/apparmor/posix_mq.sh

@@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
     genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
     do_tests "confined $username - deny perms" fail fail fail fail $usercmd
 
+    if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" -- image=$sender "all"
+	do_tests "confined $username - allow all" pass pass pass pass $usercmd
+    fi
 
     # generic mqueue
     # 2 Potential failures caused by missing other x permission in path

tests/regression/apparmor/ptrace_v6.inc

@@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
 runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
 runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "test allow all" pass -n 100 ${bin_true}
+	runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
+	runchecktest "test allow all -h" pass -h -n 100 $helper
+	runchecktest "test allow all -hc" pass -h -c -n 100 $helper
+	runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
+	runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
+fi
 
 #ptraced confined app traced by profile can px
 genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix

tests/regression/apparmor/tcp.sh

@@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
 genprofile 
 runchecktest "TCP (accept, connect) no network rules" fail $port
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	# PASS TEST - allow all
+	genprofile "all"
+	runchecktest "TCP (allow all)" pass $port
+fi
+
 # PASS TEST - allow tcp
 genprofile network:tcp
 runchecktest "TCP (accept, connect) allow tcp" pass $port

tests/regression/apparmor/unix_socket.inc

@@ -71,6 +71,11 @@ do_test()
 
 	desc+=" confined $test_prog"
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		$genprof "all"
+		runchecktest "$desc (allow all)" pass $args
+	fi
+
 	$genprof "unix:ALL"
 	runchecktest "$desc (implicit perms)" pass $args
 

tests/regression/apparmor/userns.sh

@@ -101,6 +101,11 @@ fi
 # confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
 run_confined_tests()
 {
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		generate_profile="genprofile all"
+		do_test "confined allow all $1" pass pass pass pass "$generate_profile"
+	fi
+
 	generate_profile="genprofile userns"
 	do_test "confined all perms $1" pass pass fail fail "$generate_profile"