From 832bb8f4179d1b45d8ba5b96b85b510bccb3cf4e Mon Sep 17 00:00:00 2001 From: John Johansen Date: Tue, 10 Oct 2023 02:22:29 -0700 Subject: [PATCH] parser: Add support for a default_allow mode Add support for a default_allow mode that facilitates writing profiles that allow everything by default. This is not normally recommended but facilitates creating basic profiles while working to transition policy away from unconfined. This mode is being added specifically to replace the use of the unconfined flag in these transitional profiles as the use of unconfined in policy is confusing and does not reflect the semantics of what is being done. Generally the goal for policy should be to remove all default_allow profiles once the policy is fully developed. Note: this patch only adds parsing of default_allow mode. Currently it sets the unconfined flag to achieve default allow but this prevents deny rules from being applied. Once dominance is fixed a subsequent patch will transition default_allow away from using the unconfined flag. 
Signed-off-by: John Johansen --- parser/apparmor.d.pod | 36 +++++- parser/profile.cc | 1 + parser/profile.h | 8 +- .../simple_tests/profile/flags/flags_bad70.sd | 9 ++ .../simple_tests/profile/flags/flags_bad71.sd | 9 ++ .../simple_tests/profile/flags/flags_bad72.sd | 9 ++ .../simple_tests/profile/flags/flags_bad73.sd | 9 ++ .../simple_tests/profile/flags/flags_bad74.sd | 9 ++ .../simple_tests/profile/flags/flags_bad75.sd | 9 ++ .../simple_tests/profile/flags/flags_bad76.sd | 9 ++ .../simple_tests/profile/flags/flags_bad77.sd | 9 ++ .../simple_tests/profile/flags/flags_bad78.sd | 9 ++ .../simple_tests/profile/flags/flags_bad79.sd | 9 ++ .../simple_tests/profile/flags/flags_bad80.sd | 9 ++ .../simple_tests/profile/flags/flags_bad81.sd | 9 ++ .../simple_tests/profile/flags/flags_bad82.sd | 9 ++ .../simple_tests/profile/flags/flags_bad83.sd | 9 ++ .../simple_tests/profile/flags/flags_bad84.sd | 9 ++ .../simple_tests/profile/flags/flags_bad85.sd | 9 ++ .../simple_tests/profile/flags/flags_bad86.sd | 9 ++ .../simple_tests/profile/flags/flags_ok51.sd | 74 ++++++++++++ .../simple_tests/profile/flags/flags_ok52.sd | 39 +++++++ .../simple_tests/profile/flags/flags_ok53.sd | 19 +++ .../simple_tests/profile/flags/flags_ok54.sd | 19 +++ .../simple_tests/profile/flags/flags_ok55.sd | 18 +++ .../simple_tests/profile/flags/flags_ok56.sd | 18 +++ .../simple_tests/profile/flags/flags_ok57.sd | 19 +++ .../simple_tests/profile/flags/flags_ok58.sd | 18 +++ .../simple_tests/profile/flags/flags_ok59.sd | 18 +++ .../simple_tests/profile/flags/flags_ok60.sd | 110 ++++++++++++++++++ .../simple_tests/profile/flags/flags_ok61.sd | 25 ++++ utils/apparmor/aa.py | 4 +- utils/test/test-parser-simple-tests.py | 17 +++ 33 files changed, 586 insertions(+), 10 deletions(-) create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad70.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad71.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad72.sd create mode 
100644 parser/tst/simple_tests/profile/flags/flags_bad73.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad74.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad75.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad76.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad77.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad78.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad79.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad80.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad81.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad82.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad83.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad84.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad85.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad86.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok51.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok52.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok53.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok54.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok55.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok56.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok57.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok58.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok59.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok60.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok61.sd diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index b6bb3ef39..96f794695 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod 
@@ -117,7 +117,7 @@ B = I | I | 'mediate_deleted' | 'attach_disconnected' | 'attach_disconneced.path='I | 'chroot_relative' | 'debug' | 'interruptible' | 'kill.signal='I -B = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt' +B = 'enforce' | 'complain' | 'kill' | 'default_allow' | 'unconfined' | 'prompt' B = 'audit' 
@@ -466,12 +466,36 @@ a signal to kill it. permission the action will be allowed, but the violation will be logged with a tag of the access being B. +=item B This mode changes the default behavior of +apparmor from default deny to default allow. When default_allow is +specified the resulting profile will allow operations that the profile +does not have a rule for. This mode is similar to I but +allows for allow and deny rules, specifying audit, and domain +transitions. Profiles in this mode may be be reported as being in +I mode or I mode when introspected from the kernel. + +Note: default_allow is similar and for many profiles will be equivalent +to specifying an I rule in the profile. The default_allow +flag does not provide all the same option that the I rule +provides. + =item B This mode allows a task confined by the profile to -behave as though they are I. This mode allow for an -unconfined behavior that can be later changed to confinement by using -profile replacement. This mode is should not be used under regular -deployment but can be useful during debugging and some system -initialization scenarios. +behave as though it is I. The unconfined behavior can be +later changed to confinement by using profile replacement. This mode +should not be used under regular deployment but can be useful during +debugging and some system initialization scenarios. + +This mode is similar to default_allow and may be emulated by +default_allow in kernels that no longer support a true unconfined +mode. It does not generally allow for specifying deny rules, or allow +rules that override the default behavior, except in a few custom +kernels where unconfined restricts a few operations. It relies on +special customized behavior of the unconfined profile in the kernel +and as such should only be used for debugging. + +Note: true unconfined is being phased out, with unconfined becoming a +replaceable profile. 
As such unconfined mode will be emulated by a +special profile compiled with the default_allow flag in newer kernels. =item B This mode allows task mediation to send an up call to userspace to ask for a decision when there isn't a rule covering the diff --git a/parser/profile.cc b/parser/profile.cc index 95c4e0756..3d60c7052 100644 --- a/parser/profile.cc +++ b/parser/profile.cc @@ -28,6 +28,7 @@ const char *profile_mode_table[] = { "kill", "unconfined", "prompt", + "default_allow", "conflict" /* should not ever be displayed */ }; diff --git a/parser/profile.h b/parser/profile.h index 154ec492a..a0d2ad268 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -64,9 +64,10 @@ enum profile_mode { MODE_KILL = 3, MODE_UNCONFINED = 4, MODE_PROMPT = 5, - MODE_CONFLICT = 6 /* greater than MODE_LAST */ + MODE_DEFAULT_ALLOW = 6, + MODE_CONFLICT = 7 /* greater than MODE_LAST */ }; -#define MODE_LAST MODE_PROMPT +#define MODE_LAST MODE_DEFAULT_ALLOW static inline enum profile_mode operator++(enum profile_mode &mode) { @@ -85,6 +86,9 @@ static inline enum profile_mode merge_profile_mode(enum profile_mode l, enum pro static inline uint32_t profile_mode_packed(enum profile_mode mode) { + /* until dominance is fixed use unconfined mode for default_allow */ + if (mode == MODE_DEFAULT_ALLOW) + mode = MODE_UNCONFINED; /* kernel doesn't have an unspecified mode everything * shifts down by 1 */ diff --git a/parser/tst/simple_tests/profile/flags/flags_bad70.sd b/parser/tst/simple_tests/profile/flags/flags_bad70.sd new file mode 100644 index 000000000..e25add6e4 --- /dev/null +++ b/parser/tst/simple_tests/profile/flags/flags_bad70.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION Ensure conflicting mode flags cause an error +#=EXRESULT FAIL +# vim:syntax=subdomain +# +/does/not/exist flags=(default_allow, complain) { + /usr/X11R6/lib/lib*so* r, + /does/not/exist r, +} 
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad71.sd b/parser/tst/simple_tests/profile/flags/flags_bad71.sd
new file mode 100644
index 000000000..97db286bf
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad71.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad72.sd b/parser/tst/simple_tests/profile/flags/flags_bad72.sd
new file mode 100644
index 000000000..7088458ce
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad72.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad73.sd b/parser/tst/simple_tests/profile/flags/flags_bad73.sd
new file mode 100644
index 000000000..f9d578112
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad73.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad74.sd b/parser/tst/simple_tests/profile/flags/flags_bad74.sd
new file mode 100644
index 000000000..8fbc9643f
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad74.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad75.sd b/parser/tst/simple_tests/profile/flags/flags_bad75.sd
new file mode 100644
index 000000000..d8fc5d3d7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad75.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad76.sd b/parser/tst/simple_tests/profile/flags/flags_bad76.sd
new file mode 100644
index 000000000..93f5a7ec7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad76.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad77.sd b/parser/tst/simple_tests/profile/flags/flags_bad77.sd
new file mode 100644
index 000000000..3e1665db7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad77.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad78.sd b/parser/tst/simple_tests/profile/flags/flags_bad78.sd
new file mode 100644
index 000000000..7c2170113
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad78.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad79.sd b/parser/tst/simple_tests/profile/flags/flags_bad79.sd
new file mode 100644
index 000000000..d2fc86e0c
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad79.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad80.sd b/parser/tst/simple_tests/profile/flags/flags_bad80.sd
new file mode 100644
index 000000000..a708be110
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad80.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad81.sd b/parser/tst/simple_tests/profile/flags/flags_bad81.sd
new file mode 100644
index 000000000..aaf99e787
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad81.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad82.sd b/parser/tst/simple_tests/profile/flags/flags_bad82.sd
new file mode 100644
index 000000000..9dda584ca
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad82.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad83.sd b/parser/tst/simple_tests/profile/flags/flags_bad83.sd
new file mode 100644
index 000000000..584628efc
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad83.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, unconfined, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad84.sd b/parser/tst/simple_tests/profile/flags/flags_bad84.sd
new file mode 100644
index 000000000..8cd732681
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad84.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad85.sd b/parser/tst/simple_tests/profile/flags/flags_bad85.sd
new file mode 100644
index 000000000..c25575331
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad85.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad86.sd b/parser/tst/simple_tests/profile/flags/flags_bad86.sd
new file mode 100644
index 000000000..4744c4666
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad86.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, kill, unconfined, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok51.sd b/parser/tst/simple_tests/profile/flags/flags_ok51.sd
new file mode 100644
index 000000000..f1ed8f9d7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok51.sd
@@ -0,0 +1,74 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist2 r,
+}
+
+/does/not/exist3 flags=(default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist5 r,
+}
+
+/does/not/exist4 flags=(audit,default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist7 r,
+}
+
+/does/not/exist5 flags=(audit,default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist8 r,
+}
+
+/does/not/exist6 (default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist7 (audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist2 r,
+}
+
+/does/not/exist8 (default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist5 r,
+}
+
+/does/not/exist9 (audit,default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist7 r,
+}
+
+/does/not/exist10 (audit,default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist8 r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok52.sd b/parser/tst/simple_tests/profile/flags/flags_ok52.sd
new file mode 100644
index 000000000..bf6078d9a
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok52.sd
@@ -0,0 +1,39 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist1 flags=(audit, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(default_allow, audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist3 flags=(default_allow, chroot_relative) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist4 flags=(chroot_relative, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok53.sd b/parser/tst/simple_tests/profile/flags/flags_ok53.sd
new file mode 100644
index 000000000..66acd4c72
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok53.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, namespace_relative) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(namespace_relative, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok54.sd b/parser/tst/simple_tests/profile/flags/flags_ok54.sd
new file mode 100644
index 000000000..fd86697b3
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok54.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+
+/does/not/exist1 flags=(default_allow, mediate_deleted) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(mediate_deleted, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok55.sd b/parser/tst/simple_tests/profile/flags/flags_ok55.sd
new file mode 100644
index 000000000..a7a460f64
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok55.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, delegate_deleted) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(delegate_deleted, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok56.sd b/parser/tst/simple_tests/profile/flags/flags_ok56.sd
new file mode 100644
index 000000000..6bc5abf89
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok56.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, attach_disconnected) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(attach_disconnected, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok57.sd b/parser/tst/simple_tests/profile/flags/flags_ok57.sd
new file mode 100644
index 000000000..d0f9f3967
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok57.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, no_attach_disconnected) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(no_attach_disconnected, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok58.sd b/parser/tst/simple_tests/profile/flags/flags_ok58.sd
new file mode 100644
index 000000000..317d41b65
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok58.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, chroot_attach) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_attach, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok59.sd b/parser/tst/simple_tests/profile/flags/flags_ok59.sd
new file mode 100644
index 000000000..87cb6872d
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok59.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, chroot_no_attach) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_no_attach, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok60.sd b/parser/tst/simple_tests/profile/flags/flags_ok60.sd
new file mode 100644
index 000000000..a2f48f177
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok60.sd
@@ -0,0 +1,110 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+
+#==============================
+
+/does/not/exist1 flags=(default_allow, chroot_relative, mediate_deleted) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_relative, mediate_deleted, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist12 flags=(default_allow, chroot_relative, delegate_deleted) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist13 flags=(chroot_relative, delegate_deleted, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist22 flags=(default_allow, chroot_relative, attach_disconnected) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist23 flags=(chroot_relative, attach_disconnected, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+/does/not/exist32 flags=(default_allow, chroot_relative, no_attach_disconnected) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist33 flags=(chroot_relative, no_attach_disconnected, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist42 flags=(default_allow, chroot_relative, chroot_attach) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist43 flags=(chroot_relative, chroot_attach, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist52 flags=(default_allow, chroot_relative, chroot_no_attach) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist53 flags=(chroot_relative, chroot_no_attach, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok61.sd b/parser/tst/simple_tests/profile/flags/flags_ok61.sd new file mode 100644 index 000000000..7a12b81e1 --- /dev/null +++ b/parser/tst/simple_tests/profile/flags/flags_ok61.sd @@ -0,0 +1,25 @@ +# +#=DESCRIPTION verify whitespace is allowed in profile flags. +#=EXRESULT PASS +# vim:syntax=subdomain +# +/does/not/exist3 flags=(default_allow, audit) { + #include + + /usr/X11R6/lib/lib*so* r, + /does/not/exist5 r, +} + +/does/not/exist4 flags = (audit , default_allow){ + #include + + /usr/X11R6/lib/lib*so* r, + /does/not/exist7 r, +} + +/does/not/exist5 flags = ( audit , default_allow , audit ) { + #include + + /usr/X11R6/lib/lib*so* r, + /does/not/exist8 r, +} diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py index 6c37c6f67..3d949b479 100644 --- a/utils/apparmor/aa.py +++ b/utils/apparmor/aa.py @@ -281,7 +281,7 @@ def set_complain(filename, program): # a force-complain symlink is more packaging-friendly, but breaks caching # create_symlink('force-complain', filename) delete_symlink('disable', filename) - change_profile_flags(filename, program, ['enforce', 'kill', 'unconfined', 'prompt'], False) # remove conflicting mode flags + change_profile_flags(filename, program, ['enforce', 'kill', 'unconfined', 'prompt', 'default_allow'], False) # remove conflicting mode flags change_profile_flags(filename, program, 'complain', True) @@ -290,7 +290,7 @@ def set_enforce(filename, program): aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program)) delete_symlink('force-complain', filename) delete_symlink('disable', filename) - change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt'], False) # remove conflicting and complain mode flags + change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt','default_allow'], False) # remove conflicting and complain mode flags def delete_symlink(subdir, filename): 
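Review bot: In the set_enforce hunk the new element is written `'prompt','default_allow'` without the space after the comma that the set_complain hunk and the rest of both lists use; `['complain', 'kill', 'unconfined', 'prompt', 'default_allow']` keeps the two conflict lists parallel and makes a later diff of them trivial. Both hunks only add default_allow to the flags stripped when switching mode; whether the utils need to recognise default_allow anywhere else (flag validation, or any other mode-setting helper, if one exists) is not visible in this diff and is worth checking before merge. The bodies of set_complain and set_enforce continue outside their hunks.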
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 33eec798c..343fce2ba 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -170,6 +170,23 @@ exception_not_raised = (
 'profile/flags/flags_bad67.sd',
 'profile/flags/flags_bad68.sd',
 'profile/flags/flags_bad69.sd',
+ 'profile/flags/flags_bad70.sd',
+ 'profile/flags/flags_bad71.sd',
+ 'profile/flags/flags_bad72.sd',
+ 'profile/flags/flags_bad73.sd',
+ 'profile/flags/flags_bad74.sd',
+ 'profile/flags/flags_bad75.sd',
+ 'profile/flags/flags_bad76.sd',
+ 'profile/flags/flags_bad77.sd',
+ 'profile/flags/flags_bad78.sd',
+ 'profile/flags/flags_bad79.sd',
+ 'profile/flags/flags_bad80.sd',
+ 'profile/flags/flags_bad81.sd',
+ 'profile/flags/flags_bad82.sd',
+ 'profile/flags/flags_bad83.sd',
+ 'profile/flags/flags_bad84.sd',
+ 'profile/flags/flags_bad85.sd',
+ 'profile/flags/flags_bad86.sd',
 'profile/flags/flags_bad_disconnected_path1.sd',
 'profile/flags/flags_bad_disconnected_path2.sd',
 'profile/flags/flags_bad_disconnected_path3.sd',
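Review bot: The seventeen new flags_bad7x/8x entries are added to exception_not_raised, which, going by its name and the existing flags_bad6x entries around them, lists test profiles the Python tooling fails to reject even though the C parser does; so combinations such as `flags=(default_allow, complain)` are being recorded as a known gap in the utils rather than tested. A short comment above this run, e.g. `# default_allow conflict cases: the utils do not yet validate mutually exclusive mode flags`, would tell the next reader why these are expected not to raise and when the entries can go. If the utils are meant to mirror the parser, a follow-up adding default_allow to their mutually-exclusive mode handling would let this block be deleted again.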