From a91c1e432969b10f891df3a193df2494651cebae Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 19 Sep 2018 01:15:49 -0700 Subject: [PATCH] parser: ignore feature abi rules AppArmor 3.0 requires policy to use a feature abi rule for access to new features. However some policy may start using abi rules even if they don't have rules that require new features. This is especially true for out of tree policy being shipped in other packages. Add enough support to older releases that the parser will ignore the abi rule and warn that it is falling back to the apparmor 2.x technique of using the system abi. If the profile contains rules that the older parser does not understand it will fail policy compilation at the unknown rule instead of the abi rule. PR: https://gitlab.com/apparmor/apparmor/merge_requests/196 (backported from commit 83df7c4747a7f730ab59db014cbd15e469b16395) 
Signed-off-by: John Johansen Acked-by: Seth Arnold --- parser/parser_lex.l | 18 ++++++++++++++++++ parser/parser_misc.c | 1 + parser/parser_yacc.y | 10 ++++++++++ parser/tst/simple_tests/abi/bad_1.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_10.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_11.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_12.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_2.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_3.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_4.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_5.sd | 9 +++++++++ parser/tst/simple_tests/abi/bad_6.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_1.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_10.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_11.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_12.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_13.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_14.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_15.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_16.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_17.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_18.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_2.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_20.sd | 10 ++++++++++ parser/tst/simple_tests/abi/ok_21.sd | 10 ++++++++++ parser/tst/simple_tests/abi/ok_22.sd | 10 ++++++++++ parser/tst/simple_tests/abi/ok_3.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_4.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_5.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_6.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_7.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_8.sd | 9 +++++++++ parser/tst/simple_tests/abi/ok_9.sd | 9 +++++++++ 33 files changed, 302 insertions(+) create mode 100644 parser/tst/simple_tests/abi/bad_1.sd create mode 100644 parser/tst/simple_tests/abi/bad_10.sd create mode 100644 parser/tst/simple_tests/abi/bad_11.sd create mode 100644 parser/tst/simple_tests/abi/bad_12.sd create mode 100644 
parser/tst/simple_tests/abi/bad_2.sd create mode 100644 parser/tst/simple_tests/abi/bad_3.sd create mode 100644 parser/tst/simple_tests/abi/bad_4.sd create mode 100644 parser/tst/simple_tests/abi/bad_5.sd create mode 100644 parser/tst/simple_tests/abi/bad_6.sd create mode 100644 parser/tst/simple_tests/abi/ok_1.sd create mode 100644 parser/tst/simple_tests/abi/ok_10.sd create mode 100644 parser/tst/simple_tests/abi/ok_11.sd create mode 100644 parser/tst/simple_tests/abi/ok_12.sd create mode 100644 parser/tst/simple_tests/abi/ok_13.sd create mode 100644 parser/tst/simple_tests/abi/ok_14.sd create mode 100644 parser/tst/simple_tests/abi/ok_15.sd create mode 100644 parser/tst/simple_tests/abi/ok_16.sd create mode 100644 parser/tst/simple_tests/abi/ok_17.sd create mode 100644 parser/tst/simple_tests/abi/ok_18.sd create mode 100644 parser/tst/simple_tests/abi/ok_2.sd create mode 100644 parser/tst/simple_tests/abi/ok_20.sd create mode 100644 parser/tst/simple_tests/abi/ok_21.sd create mode 100644 parser/tst/simple_tests/abi/ok_22.sd create mode 100644 parser/tst/simple_tests/abi/ok_3.sd create mode 100644 parser/tst/simple_tests/abi/ok_4.sd create mode 100644 parser/tst/simple_tests/abi/ok_5.sd create mode 100644 parser/tst/simple_tests/abi/ok_6.sd create mode 100644 parser/tst/simple_tests/abi/ok_7.sd create mode 100644 parser/tst/simple_tests/abi/ok_8.sd create mode 100644 parser/tst/simple_tests/abi/ok_9.sd diff --git a/parser/parser_lex.l b/parser/parser_lex.l index 3240d7a10..5e7ad5398 100644 --- a/parser/parser_lex.l +++ b/parser/parser_lex.l @@ -261,6 +261,7 @@ LT_EQUAL <= %x CHANGE_PROFILE_MODE %x INCLUDE %x INCLUDE_EXISTS +%x ABI_MODE %% 
@@ -315,6 +316,19 @@ LT_EQUAL <= } } +{ + (\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS}) { /* | <"filename"> | "filename" | filename */ + int lt = *yytext == '<' ? 1 : 0; + char *filename = processid(yytext + lt, yyleng - lt*2); + bool exists = YYSTATE == INCLUDE_EXISTS; + + if (!filename) + yyerror(_("Failed to process filename\n")); + yylval.id = filename; + POP_AND_RETURN(TOK_ID); + } +} + <> { fclose(yyin); pop_include_stack(); @@ -666,6 +680,9 @@ include/{WS} { case TOK_UNIX: state = UNIX_MODE; break; + case TOK_ABI: + state = ABI_MODE; + break; default: /* nothing */ break; } @@ -719,4 +736,5 @@ unordered_map state_names = { STATE_TABLE_ENT(CHANGE_PROFILE_MODE), STATE_TABLE_ENT(INCLUDE), STATE_TABLE_ENT(INCLUDE_EXISTS), + STATE_TABLE_ENT(ABI_MODE), }; diff --git a/parser/parser_misc.c b/parser/parser_misc.c index f7772e605..0efb5d7f4 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -111,6 +111,7 @@ static struct keyword_table keyword_table[] = { {"trace", TOK_TRACE}, {"tracedby", TOK_TRACEDBY}, {"readby", TOK_READBY}, + {"abi", TOK_ABI}, /* terminate */ {NULL, 0} diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 3e2bcd220..00d5f3ad8 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -152,6 +152,7 @@ void add_local_entry(Profile *prof); %token TOK_TRACE %token TOK_TRACEDBY %token TOK_READBY +%token TOK_ABI /* rlimits */ %token TOK_RLIMIT @@ -400,6 +401,7 @@ hat: hat_start profile_base preamble: { /* nothing */ } | preamble alias { /* nothing */ }; | preamble varassign { /* nothing */ }; + | preamble abi_rule { /* nothing */ }; alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE { @@ -615,6 +617,8 @@ rules: { /* nothing */ $$ = prof; }; +rules: rules abi_rule { /* nothing */ } + rules: rules opt_prefix rule { PDEBUG("matched: rules rule\n"); 
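Review bot: `bool exists = YYSTATE == INCLUDE_EXISTS;` in the new filename rule is assigned and never read — nothing in the action branches on it — so it is dead code that a `-Wunused-variable` build will flag, and it reads like a leftover from the include rule this action was copied from. Drop the line, or, if the start-condition list on the rule's first line (which appears to have been stripped from this page between the `+` and the `{`) really does cover INCLUDE_EXISTS, add a comment saying why the flag is deliberately not acted on here. The filename handed back in `yylval.id` comes from `processid`, so a one-line comment noting that the grammar action receiving this TOK_ID owns and must free the string would save the next reader a trip to the yacc file.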
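Review bot: The new production `rules: rules abi_rule { /* nothing */ }` is the only one in this region that does not end in a semicolon; the neighbouring `preamble` alternative and the existing `rules:` productions all terminate with `};`. Bison tolerates the omission only as a legacy form, so for consistency write `rules: rules abi_rule { /* nothing */ };`. A short comment on the production would also help, since accepting `abi` both in the preamble and inside a profile body is a deliberate choice here (the ok_20–ok_22 tests depend on it) and is not obvious from the grammar alone.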
@@ -1063,6 +1067,12 @@ opt_named_transition: { /* nothing */ $$ = NULL; } rule: file_rule { $$ = $1; } | link_rule { $$ = $1; } +abi_rule: TOK_ABI TOK_ID TOK_END_OF_RULE + { + pwarn(_("%s: Profile abi not supported, falling back to system abi.\n"), progname); + free($2); + }; + opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; } | TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; }; | TOK_SAFE { $$ = EXEC_MODE_SAFE; }; diff --git a/parser/tst/simple_tests/abi/bad_1.sd b/parser/tst/simple_tests/abi/bad_1.sd new file mode 100644 index 000000000..1070ed76d --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_1.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi relative path in quotes +#=EXRESULT FAIL +#=TODO + +abi "abi/4.19, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_10.sd b/parser/tst/simple_tests/abi/bad_10.sd new file mode 100644 index 000000000..9d5cf6b76 --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_10.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT FAIL +# + +abi < "abi/4.19">, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_11.sd b/parser/tst/simple_tests/abi/bad_11.sd new file mode 100644 index 000000000..6acd3d076 --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_11.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT FAIL +# + +abi <"abi/4.19" >, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_12.sd b/parser/tst/simple_tests/abi/bad_12.sd new file mode 100644 index 000000000..25fdfa2ca --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_12.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT FAIL +# + +abi < "abi/4.19" >, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_2.sd b/parser/tst/simple_tests/abi/bad_2.sd new file mode 100644 index 000000000..1da87fc7b --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_2.sd 
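Review bot: The warning in the `abi_rule` action discards the one fact an administrator needs to act on it — the abi path in `$2` is freed on the next line without ever being printed, so a policy set containing several abi rules produces identical, indistinguishable warnings. Print it before freeing: `pwarn(_("%s: Profile abi '%s' not supported, falling back to system abi.\n"), progname, $2);`. A comment above the rule should also state the contract the commit message describes: the rule is parsed and dropped, the running kernel's feature set is used instead, and any rule needing a newer abi still fails at that rule; whether the compiled policy then mediates more or less than the author pinned with the abi depends on the kernel, which this fallback cannot check.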
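Review bot: bad_1.sd expects `abi "abi/4.19,` — a quoted path with no closing quote — to be rejected, yet it carries `#=TODO`, which in this test suite marks an expectation the parser does not currently meet; if that reading is right, the lexer presently accepts an unterminated quoted abi argument. That is worth a sentence in the file's DESCRIPTION line so the TODO is not read as "test unfinished", e.g. `#=DESCRIPTION abi testing - unterminated quote in abi path (parser currently accepts it; should fail)`. Leaving it as a bare TODO hides a known laxness in input validation behind a test that is silently skipped.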
@@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi relative path in quotes with spaces +#=EXRESULT FAIL +# + +abi abi/4.19", + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_3.sd b/parser/tst/simple_tests/abi/bad_3.sd new file mode 100644 index 000000000..2807b1178 --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_3.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi abs path in quotes +#=EXRESULT FAIL +# + +abi "/abi/4.19" + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_4.sd b/parser/tst/simple_tests/abi/bad_4.sd new file mode 100644 index 000000000..de9b24f29 --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_4.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi abs path in quotes with space +#=EXRESULT FAIL +# + +abi "/abi/4.19 ubuntu, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_5.sd b/parser/tst/simple_tests/abi/bad_5.sd new file mode 100644 index 000000000..dcda415c4 --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_5.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi relative path no quotes missing , +#=EXRESULT FAIL +# + +abi abi/4.19 + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/bad_6.sd b/parser/tst/simple_tests/abi/bad_6.sd new file mode 100644 index 000000000..eab0b1bde --- /dev/null +++ b/parser/tst/simple_tests/abi/bad_6.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path +#=EXRESULT FAIL +#=TODO + +abi with spaces +#=EXRESULT PASS +#=TODO + +abi < "abi/4.19">, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_11.sd b/parser/tst/simple_tests/abi/ok_11.sd new file mode 100644 index 000000000..301f26d4e --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_11.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT PASS +#=DISABLED + +abi <"abi/4.19" >, + +/does/not/exist { +} 
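Review bot: ok_11.sd and bad_11.sd contain the identical input `abi <"abi/4.19" >,` with opposite expected results (PASS versus FAIL), and only the `#=DISABLED` marker on ok_11 keeps them from contradicting each other in a run; the same pattern seems to hold for the ok_12/bad_12 pair, where the PASS side is `#=TODO`. Whitespace between a quoted id and the closing `>` therefore has no settled grammar in this test set, and nothing in either file says which expectation is authoritative. Add a comment to the disabled file naming the one that is, e.g. `# disabled: bad_11.sd is the authoritative expectation until the <"..." > form is decided`, so the pair cannot drift apart unnoticed.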
diff --git a/parser/tst/simple_tests/abi/ok_12.sd b/parser/tst/simple_tests/abi/ok_12.sd new file mode 100644 index 000000000..442b62c92 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_12.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT PASS +#=TODO + +abi < "abi/4.19" >, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_13.sd b/parser/tst/simple_tests/abi/ok_13.sd new file mode 100644 index 000000000..80e5d9965 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_13.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path quotes in <> with spaces +#=EXRESULT PASS +# + +abi <"abi/4.19 ubuntu">, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_14.sd b/parser/tst/simple_tests/abi/ok_14.sd new file mode 100644 index 000000000..7af6c0d7b --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_14.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path with space between path and , +#=EXRESULT PASS +# + +abi , + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_15.sd b/parser/tst/simple_tests/abi/ok_15.sd new file mode 100644 index 000000000..7233ae838 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_15.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path with space between path and , +#=EXRESULT PASS +# + +abi "abi/4.19" , + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_16.sd b/parser/tst/simple_tests/abi/ok_16.sd new file mode 100644 index 000000000..72ed19d07 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_16.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path with space between path and , +#=EXRESULT PASS +# + +abi abi/4.19 , + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_17.sd b/parser/tst/simple_tests/abi/ok_17.sd new file mode 100644 index 000000000..f04b55f59 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_17.sd 
@@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path no space between and and path +#=EXRESULT PASS +# + +abi, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_18.sd b/parser/tst/simple_tests/abi/ok_18.sd new file mode 100644 index 000000000..013434ae9 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_18.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path no space between and and path +#=EXRESULT PASS +# + +abi"abi/4.19", + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_2.sd b/parser/tst/simple_tests/abi/ok_2.sd new file mode 100644 index 000000000..29790dea0 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_2.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi relative path in quotes with spaces +#=EXRESULT PASS +# + +abi "abi/4.19 ubuntu", + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_20.sd b/parser/tst/simple_tests/abi/ok_20.sd new file mode 100644 index 000000000..2855bdc9f --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_20.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION abi testing - abi path in profile +#=EXRESULT PASS +# + + +/does/not/exist { + abi , + +} diff --git a/parser/tst/simple_tests/abi/ok_21.sd b/parser/tst/simple_tests/abi/ok_21.sd new file mode 100644 index 000000000..51c906d37 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_21.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION abi testing - abi path in profile +#=EXRESULT PASS +# + + +/does/not/exist { + abi "abi/4.19", + +} diff --git a/parser/tst/simple_tests/abi/ok_22.sd b/parser/tst/simple_tests/abi/ok_22.sd new file mode 100644 index 000000000..9a0767f59 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_22.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION abi testing - abi path in profile +#=EXRESULT PASS +# + + +/does/not/exist { + abi abi/4.19, + +} diff --git a/parser/tst/simple_tests/abi/ok_3.sd b/parser/tst/simple_tests/abi/ok_3.sd new file mode 100644 index 000000000..e72657557 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_3.sd 
@@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi abs path in quotes +#=EXRESULT PASS +# + +abi "/abi/4.19", + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_4.sd b/parser/tst/simple_tests/abi/ok_4.sd new file mode 100644 index 000000000..afde28965 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_4.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi abs path in quotes with space +#=EXRESULT PASS +# + +abi "/abi/4.19 ubuntu", + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_5.sd b/parser/tst/simple_tests/abi/ok_5.sd new file mode 100644 index 000000000..f71a8bbce --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_5.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi relative path no quotes +#=EXRESULT PASS +# + +abi abi/4.19, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_6.sd b/parser/tst/simple_tests/abi/ok_6.sd new file mode 100644 index 000000000..5e4ca2f67 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_6.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path +#=EXRESULT PASS +# + +abi , + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_7.sd b/parser/tst/simple_tests/abi/ok_7.sd new file mode 100644 index 000000000..e3ef9b82c --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_7.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path spaces +#=EXRESULT PASS +# + +abi < abi/4.19>, + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_8.sd b/parser/tst/simple_tests/abi/ok_8.sd new file mode 100644 index 000000000..e5f2d681a --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_8.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path spaces +#=EXRESULT PASS +# + +abi , + +/does/not/exist { +} diff --git a/parser/tst/simple_tests/abi/ok_9.sd b/parser/tst/simple_tests/abi/ok_9.sd new file mode 100644 index 000000000..fb00d0467 --- /dev/null +++ b/parser/tst/simple_tests/abi/ok_9.sd 
@@ -0,0 +1,9 @@ +# +#=DESCRIPTION abi testing - abi path spaces +#=EXRESULT PASS +# + +abi < abi/4.19 >, + +/does/not/exist { +}