parser: add support for prompt profile mode

Add support for the prompt profile mode. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 10:07:12 +00:00 · 2019-12-05 14:20:24 -08:00 · 2019-12-05 14:20:24 -08:00 · e5dace9ffd
commit e5dace9ffd
parent a271b2474c
16 changed files with 144 additions and 3 deletions
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@ -115,7 +115,7 @@ B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of

 B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug'

-B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined'
+B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'

 B<AUDIT MODE> = 'audit'

@ -459,6 +459,11 @@ profile replacement. This mode is should not be used under regular
 deployment but can be useful during debugging and some system
 initialization scenarios.

+=item B<prompt> This mode allows task mediation to send an up call to
+userspace to ask for a decision when there isn't a rule covering the
+permission request. If userspace does not respond then the access
+will be denied.
+
 =back

 =head4 Audit Mode
--- a/parser/profile.cc
+++ b/parser/profile.cc
@ -27,6 +27,7 @@ const char *profile_mode_table[] = {
 	"complain",
 	"kill",
 	"unconfined",
+	"prompt"
 };

 bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const
--- a/parser/profile.h
+++ b/parser/profile.h
@ -62,9 +62,10 @@ enum profile_mode {
 	MODE_COMPLAIN = 2,
 	MODE_KILL = 3,
 	MODE_UNCONFINED = 4,
-	MODE_CONFLICT = 5	/* greater than MODE_LAST */
+	MODE_PROMPT = 5,
+	MODE_CONFLICT = 6	/* greater than MODE_LAST */
 };
-#define MODE_LAST MODE_UNCONFINED
+#define MODE_LAST MODE_PROMPT

 static inline enum profile_mode operator++(enum profile_mode &mode)
 {
--- a/parser/tst/simple_tests/profile/flags/flags_bad47.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad47.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad48.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad48.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad49.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad49.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad50.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad50.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, enforce) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad51.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad51.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, complain) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad52.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad52.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, kill) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad53.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad53.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, unconfined) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad54.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad54.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad55.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad55.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_bad56.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad56.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, complain, kill, unconfined, prompt) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_ok27.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_ok27.sd
@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/parser/tst/simple_tests/profile/flags/flags_ok28.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_ok28.sd
@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt audit) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@ -154,6 +154,16 @@ exception_not_raised = (
    'profile/flags/flags_bad44.sd',
    'profile/flags/flags_bad45.sd',
    'profile/flags/flags_bad46.sd',
+    'profile/flags/flags_bad47.sd',
+    'profile/flags/flags_bad48.sd',
+    'profile/flags/flags_bad49.sd',
+    'profile/flags/flags_bad50.sd',
+    'profile/flags/flags_bad51.sd',
+    'profile/flags/flags_bad52.sd',
+    'profile/flags/flags_bad53.sd',
+    'profile/flags/flags_bad54.sd',
+    'profile/flags/flags_bad55.sd',
+    'profile/flags/flags_bad56.sd',
    'profile/profile_ns_bad8.sd',  # 'profile :ns/t' without terminating ':'
    'ptrace/bad_05.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
    'ptrace/bad_06.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword