From e5dace9ffd0cca77f53dd05fe518bdca4850e74c Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 5 Dec 2019 14:20:24 -0800 Subject: [PATCH] parser: add support for prompt profile mode Add support for the prompt profile mode. 
Signed-off-by: John Johansen --- parser/apparmor.d.pod | 7 ++++++- parser/profile.cc | 1 + parser/profile.h | 5 +++-- parser/tst/simple_tests/profile/flags/flags_bad47.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad48.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad49.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad50.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad51.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad52.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad53.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad54.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad55.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_bad56.sd | 10 ++++++++++ parser/tst/simple_tests/profile/flags/flags_ok27.sd | 12 ++++++++++++ parser/tst/simple_tests/profile/flags/flags_ok28.sd | 12 ++++++++++++ utils/test/test-parser-simple-tests.py | 10 ++++++++++ 16 files changed, 144 insertions(+), 3 deletions(-) create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad47.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad48.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad49.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad50.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad51.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad52.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad53.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad54.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad55.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_bad56.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok27.sd create mode 100644 parser/tst/simple_tests/profile/flags/flags_ok28.sd 
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index c24a8b1df..4b2c5266c 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -115,7 +115,7 @@ B = [ 'flags=' ] '(' comma or white space separated list of B = I | I | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug' -B = 'enforce' | 'complain' | 'kill' | 'unconfined' +B = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt' B = 'audit' @@ -459,6 +459,11 @@ profile replacement. This mode is should not be used under regular deployment but can be useful during debugging and some system initialization scenarios. +=item B This mode allows task mediation to send an up call to +userspace to ask for a decision when there isn't a rule covering the +permission request. If userspace does not respond then the access +will be denied. + =back =head4 Audit Mode diff --git a/parser/profile.cc b/parser/profile.cc index 9eeb39018..0c46915a0 100644 --- a/parser/profile.cc +++ b/parser/profile.cc @@ -27,6 +27,7 @@ const char *profile_mode_table[] = { "complain", "kill", "unconfined", + "prompt" }; bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const diff --git a/parser/profile.h b/parser/profile.h index c73b59faf..9ddf74ad3 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -62,9 +62,10 @@ enum profile_mode { MODE_COMPLAIN = 2, MODE_KILL = 3, MODE_UNCONFINED = 4, - MODE_CONFLICT = 5 /* greater than MODE_LAST */ + MODE_PROMPT = 5, + MODE_CONFLICT = 6 /* greater than MODE_LAST */ }; -#define MODE_LAST MODE_UNCONFINED +#define MODE_LAST MODE_PROMPT static inline enum profile_mode operator++(enum profile_mode &mode) { diff --git a/parser/tst/simple_tests/profile/flags/flags_bad47.sd b/parser/tst/simple_tests/profile/flags/flags_bad47.sd new file mode 100644 index 000000000..4d0d6f703 --- /dev/null +++ b/parser/tst/simple_tests/profile/flags/flags_bad47.sd 
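Review bot: `"prompt"` is appended to `profile_mode_table[]` without the trailing comma that every entry above it carries, so the next mode added has to touch this line again; write it as `"prompt",`. More importantly nothing ties the table's length to the enum it mirrors: the top of the table is outside the hunk so I cannot confirm its offset, but if it is indexed directly by `enum profile_mode` a `static_assert(sizeof(profile_mode_table) / sizeof(profile_mode_table[0]) == MODE_CONFLICT, "profile_mode_table out of sync with enum profile_mode");` after the initializer (adjusted for whatever index 0 holds) would fail the build the next time one side is updated without the other, instead of letting a mode name print or parse as its neighbour.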
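Review bot: MODE_PROMPT is the only value in `enum profile_mode` that changes what an unmatched request does at runtime (an upcall to userspace rather than a deny, log or kill), yet the hunk adds it with no comment and the patch shows nothing gating `prompt` on the running kernel actually supporting that mode. If the parser serializes the new mode to a kernel that does not know it, the effective mode is whatever that kernel does with an unknown value; the policy-serialization and kernel-feature code is not in this patch, so this may be handled elsewhere, but it is worth an explicit feature check rather than relying on the pod text's "denied if userspace does not respond". At minimum document the intent on the enumerator, `MODE_PROMPT = 5,	/* upcall to userspace for unmatched requests; denied if no answer */`, in the style of the existing `MODE_CONFLICT` comment. The `operator++` that follows the enum continues outside the hunk.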
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad48.sd b/parser/tst/simple_tests/profile/flags/flags_bad48.sd
new file mode 100644
index 000000000..52e5731df
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad48.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad49.sd b/parser/tst/simple_tests/profile/flags/flags_bad49.sd
new file mode 100644
index 000000000..c4025599b
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad49.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad50.sd b/parser/tst/simple_tests/profile/flags/flags_bad50.sd
new file mode 100644
index 000000000..ea3b7a5a4
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad50.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, enforce) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad51.sd b/parser/tst/simple_tests/profile/flags/flags_bad51.sd
new file mode 100644
index 000000000..844c098bd
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad51.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad52.sd b/parser/tst/simple_tests/profile/flags/flags_bad52.sd
new file mode 100644
index 000000000..ae95bf9db
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad52.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad53.sd b/parser/tst/simple_tests/profile/flags/flags_bad53.sd
new file mode 100644
index 000000000..ee1085165
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad53.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad54.sd b/parser/tst/simple_tests/profile/flags/flags_bad54.sd
new file mode 100644
index 000000000..df1a2e0eb
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad54.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
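Review bot: flags_bad53 covers `flags=(prompt, unconfined)` but, unlike the enforce/complain/kill pairs, which are tested in both orders (bad47–49 and their mirrors bad50–52), there is no case for the reverse order `flags=(unconfined, prompt)`. The other pairs being tested both ways suggests the conflict check may be order-sensitive, so the unconfined/prompt pair deserves the same treatment: add a flags_bad57.sd identical to bad53 except for the header line `/does/not/exist flags=(unconfined, prompt) {`. It would also need an entry in the utils exemption list if the Python tools accept it as they do the others.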
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad55.sd b/parser/tst/simple_tests/profile/flags/flags_bad55.sd
new file mode 100644
index 000000000..0273d6163
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad55.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad56.sd b/parser/tst/simple_tests/profile/flags/flags_bad56.sd
new file mode 100644
index 000000000..1a0c59b63
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad56.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, complain, kill, unconfined, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok27.sd b/parser/tst/simple_tests/profile/flags/flags_ok27.sd
new file mode 100644
index 000000000..13abb61ee
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok27.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok28.sd b/parser/tst/simple_tests/profile/flags/flags_ok28.sd
new file mode 100644
index 000000000..73b744b32
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok28.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 5b86404c1..a1f5b2cb1 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -154,6 +154,16 @@ exception_not_raised = (
 'profile/flags/flags_bad44.sd',
 'profile/flags/flags_bad45.sd',
 'profile/flags/flags_bad46.sd',
+ 'profile/flags/flags_bad47.sd',
+ 'profile/flags/flags_bad48.sd',
+ 'profile/flags/flags_bad49.sd',
+ 'profile/flags/flags_bad50.sd',
+ 'profile/flags/flags_bad51.sd',
+ 'profile/flags/flags_bad52.sd',
+ 'profile/flags/flags_bad53.sd',
+ 'profile/flags/flags_bad54.sd',
+ 'profile/flags/flags_bad55.sd',
+ 'profile/flags/flags_bad56.sd',
 'profile/profile_ns_bad8.sd', # 'profile :ns/t' without terminating ':'
 'ptrace/bad_05.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
 'ptrace/bad_06.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
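Review bot: Listing flags_bad47–56 under `exception_not_raised` records that the Python tools, unlike the C parser these files are written for, accept a profile header declaring two mutually exclusive modes such as `flags=(enforce, prompt)` without raising, and this change grows that exemption by ten entries rather than closing the gap. The mismatch is security-relevant because tooling built on the utils' parser can write or preserve a header the kernel-facing parser will then reject, or silently keep a profile in a mode other than the one the author intended; a follow-up that makes the utils' flag parsing reject conflicting mode keywords would let these entries (and the existing bad44–46) be removed. If that is out of scope here, the new entries should at least say why they are exempt, as the neighbouring `profile_ns_bad8.sd` and `ptrace/bad_0*.sd` lines do, e.g. a comment on the first one: `'profile/flags/flags_bad47.sd',  # utils do not yet reject conflicting mode flags (bad47-56: prompt)`.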