parser: add an option to allow overriding feature ABI rules

Add an option to allow setting/pinning the feature ABI and overriding of ABI rules if they exist. --override-policy-abi This option is primarily for profile development and testing without allowing adjusting feature abis temporarily without modifying the profile. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/579 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-09-02 15:25:27 +00:00 · 2020-07-21 05:10:46 -07:00
parent acb45dc4b0
commit dcc2918665
4 changed files with 33 additions and 2 deletions
--- a/parser/apparmor_parser.pod
+++ b/parser/apparmor_parser.pod
@@ -186,7 +186,13 @@ Set the location of the apparmor security filesystem (default is

 =item --policy-features n

-Specify the feature set that the policy was developed under.
+Specify the feature set that the policy was developed under. This does
+not override feature ABI rules.
+
+=item --override-policy-abi n
+
+Specify the feature set that the policy was developed under and
+override any feature ABI rules that the policy may be using.

 =item --kernel-features n

--- a/parser/parser.h
+++ b/parser/parser.h
@@ -297,6 +297,7 @@ extern uint32_t kernel_abi_version;

 extern aa_features *pinned_features;
 extern aa_features *policy_features;
+extern aa_features *override_features;
 extern aa_features *kernel_features;

 extern int force_complain;
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -111,6 +111,7 @@ static bool print_cache_dir = false;

 aa_features *pinned_features = NULL;
 aa_features *policy_features = NULL;
+aa_features *override_features = NULL;
 aa_features *kernel_features = NULL;

 static const char *config_file = "/etc/apparmor/parser.conf";
@@ -166,6 +167,7 @@ struct option long_options[] = {
 	{"policy-features",	1, 0, 139},	/* no short option */
 	{"compile-features",	1, 0, 139},	/* original name of policy-features */
 	{"print-config-file",	0, 0, 140},	/* no short option */
+	{"override-policy-abi",	1, 0, 142},	/* no short option */
 	{"config-file",		1, 0, EARLY_ARG_CONFIG_FILE},	/* early option, no short option */

 	{NULL, 0, 0, 0},
@@ -199,6 +201,7 @@ static void display_usage(const char *command)
 	       "-m n, --match-string n  Use only features n\n"
 	       "-M n, --features-file n Set compile & kernel features to file n\n"
 	       "--policy-features n     Policy features set in file n\n"
+	       "--override-policy-abi n     As policy-features but override ABI rules\n"
 	       "--kernel-features n     Kernel features set in file n\n"
 	       "-n n, --namespace n	Set Namespace for the profile\n"
 	       "-X, --readimpliesX	Map profile read permissions to mr\n"
@@ -584,6 +587,23 @@ static int process_arg(int c, char *optarg)
 		}
 		pinned_features = tmp_features;
 		break;
+	case 142:
+		if (override_features)
+			aa_features_unref(override_features);
+		if (strcmp(optarg, "<kernel>") == 0) {
+			if (aa_features_new_from_kernel(&tmp_features)) {
+				fprintf(stderr,
+					"Failed to load kernel features into the policy-features abi: %m\n");
+				exit(1);
+			}
+		} else if (aa_features_new(&tmp_features, AT_FDCWD, optarg)) {
+			fprintf(stderr,
+				"Failed to load policy-features from '%s': %m\n",
+				optarg);
+			exit(1);
+		}
+		override_features = tmp_features;
+		break;
 	case 'q':
 		conf_verbose = 0;
 		conf_quiet = 1;
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -291,7 +291,11 @@ void add_local_entry(Profile *prof);
 list:	 preamble
 	{
 		/* make sure abi is setup */
-		if (policy_features == NULL) {
+		if (override_features) {
+			if (policy_features)
+				aa_features_unref(policy_features);
+			policy_features = aa_features_ref(override_features);
+		} else if (policy_features == NULL) {
 			if (pinned_features) {
 				policy_features = aa_features_ref(pinned_features);
 			/* use default feature abi */