Add support for profiles with xattrs matching

Add userland support for matching based on extended file attributes. This leverages DFA based matching already in the kernel: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd Matching is exposed via flags on the profile: /usr/bin/* xattrs=(user.foo=bar user.bar=foo) { # ... } xattr values are appended to the existing xmatch via a null transition. $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \ ./parser/apparmor_parser -QT -D expr-tree DFA: Expression Tree /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1> DFA: Expression Tree (\a|(\n|(\0002|\t)))< 0x4> Tested manually on a 4.19 kernel via QEMU+KVM. TODO: * ~~Add regression tests~~ (EDIT: done) * ~~EDIT: add support in the tools~~ (EDIT: done) Questions for reviewers: * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done) * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done) /cc @mjg59 PR: https://gitlab.com/apparmor/apparmor/merge_requests/270 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-31 14:25:52 +00:00 · 2019-03-21 08:12:07 +00:00
parent 9eb738e5f1 02da244316
commit cfe20d2b63
30 changed files with 643 additions and 13 deletions
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -66,7 +66,7 @@ B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'

 B<TEXT> = any characters

-B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
+B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE XATTR CONDS> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'

 B<PROFILE HEAD> = [ 'profile' ] I<FILEGLOB> | 'profile' I<PROFILE NAME>

@@ -78,6 +78,12 @@ B<UNQUOTED PROFILE NAME> = (must start with alphanumeric character (after variab

 B<ATTACHMENT SPECIFICATION> = I<FILEGLOB>

+B<PROFILE XATTR CONDS> =  [ 'xattrs=' ] '(' comma or white space separated list of I<PROFILE XATTR> ')'
+
+B<PROFILE XATTR> = extended attribute name '=' I<XATTR VALUE FILEGLOB>
+
+B<XATTR VALUE FILEGLOB> = I<FILEGLOB>
+
 B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of I<PROFILE FLAGS> ')'

 B<PROFILE FLAGS> = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'
@@ -1371,6 +1377,18 @@ Directories anywhere underneath F</tmp>.

 =back

+=head2 Extended Attributes
+
+AppArmor profiles have the ability to target files based on their xattr(7)
+values in addition to their path. For example, the following profile matches
+files in /usr/bin with the attribute "security.apparmor" and value "trusted":
+
+  /usr/bin/* xattrs(security.apparmor="trusted") {
+    # ...
+  }
+
+See apparmor_xattrs(7) for further details.
+
 =head2 Rule Qualifiers

 There are several rule qualifiers that can be applied to permission rules.
@@ -1609,7 +1627,7 @@ negative values match when specifying one or the other. Eg, 'rw' matches when

 =head1 SEE ALSO

-apparmor(7), apparmor_parser(8), aa-complain(1),
+apparmor(7), apparmor_parser(8), apprmor_xattrs(7), aa-complain(1),
 aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
 L<https://wiki.apparmor.net>.