
parser: add support for prompt profile mode

Add support for the prompt profile mode.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2019-12-05 14:20:24 -08:00
parent a271b2474c
commit e5dace9ffd
16 changed files with 144 additions and 3 deletions


@ -115,7 +115,7 @@ B<PROFILE FLAG CONDS> = [ 'flags=' ] '(' comma or white space separated list of
B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug' B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative' | 'debug'
B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
B<AUDIT MODE> = 'audit' B<AUDIT MODE> = 'audit'
@ -459,6 +459,11 @@ profile replacement. This mode is should not be used under regular
deployment but can be useful during debugging and some system deployment but can be useful during debugging and some system
initialization scenarios. initialization scenarios.
=item B<prompt> This mode allows task mediation to send an up call to
userspace to ask for a decision when there isn't a rule covering the
permission request. If userspace does not respond then the access
will be denied.
=back =back
=head4 Audit Mode =head4 Audit Mode


@ -27,6 +27,7 @@ const char *profile_mode_table[] = {
"complain", "complain",
"kill", "kill",
"unconfined", "unconfined",
"prompt"
}; };
bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const
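Review bot: `"prompt"` on the added line drops the trailing comma that `"unconfined",` and the entries above it carry, so the next mode appended here has to touch two lines; write `"prompt",`. The table appears to mirror the numbering of `enum profile_mode` (MODE_PROMPT = 5 lands at the fifth index if the table starts at mode 0), and nothing in this file ties the two together, so a later edit to either side can silently desynchronise name-to-mode lookups; a `static_assert(sizeof(profile_mode_table) / sizeof(profile_mode_table[0]) == MODE_LAST + 1, "profile_mode_table out of sync with enum profile_mode");` after the closing brace would catch that, assuming `MODE_LAST` is visible in this translation unit. The table's first entries lie outside the hunk.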


@ -62,9 +62,10 @@ enum profile_mode {
MODE_COMPLAIN = 2, MODE_COMPLAIN = 2,
MODE_KILL = 3, MODE_KILL = 3,
MODE_UNCONFINED = 4, MODE_UNCONFINED = 4,
MODE_CONFLICT = 5 /* greater than MODE_LAST */ MODE_PROMPT = 5,
MODE_CONFLICT = 6 /* greater than MODE_LAST */
}; };
#define MODE_LAST MODE_UNCONFINED #define MODE_LAST MODE_PROMPT
static inline enum profile_mode operator++(enum profile_mode &mode) static inline enum profile_mode operator++(enum profile_mode &mode)
{ {
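Review bot: `MODE_PROMPT = 5` takes the numeric slot `MODE_CONFLICT` held until now and `MODE_CONFLICT` moves to 6, which is only safe if these values never leave the parser; if the mode number is serialised into the policy blob or compared against the kernel's mode numbering elsewhere (nothing in this hunk shows either), the value chosen for prompt has to match the kernel's constant. A comment at the definition such as `MODE_PROMPT = 5,	/* NOTE(review): confirm this matches the kernel's numbering if the value is serialised */` would record that dependency. Nothing visible in the commit gates the new mode on kernel support, so a profile carrying `flags=(prompt)` loaded on a kernel without prompt mode should be rejected or fall back to a known mode rather than be interpreted as something else — worth confirming where policy is loaded. `MODE_CONFLICT`'s `/* greater than MODE_LAST */` comment still holds because `MODE_LAST` is redefined to `MODE_PROMPT` in the same hunk; the enum's opening line and the body of `operator++` lie outside it.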


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(enforce, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}
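Review bot: The conflict fixtures pair `prompt` with `enforce`, `complain` and `kill` in both orders, but `unconfined` only ever follows it (`flags=(prompt, unconfined)` in a later fixture), so a check that rejects conflicts only when `prompt` comes first would still pass this whole set; a `flags=(unconfined, prompt)` fixture, presumably listed in the `exception_not_raised` table as the others are, would close that gap. The same `#=DESCRIPTION Ensure conflicting mode flags cause an error` line is used by all ten bad fixtures; naming the combination, e.g. `#=DESCRIPTION Ensure conflicting mode flags (enforce, prompt) cause an error`, makes a failing fixture identify itself in test output. The `# Last Modified` date is carried over from the template rather than reflecting this change.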


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(complain, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(kill, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt, enforce) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt, complain) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt, kill) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt, unconfined) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(enforce, kill, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(complain, kill, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION Ensure conflicting mode flags cause an error
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(enforce, complain, kill, unconfined, prompt) {
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,12 @@
#
#=DESCRIPTION validate some uses of the profile flags.
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt) {
#include <includes/base>
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -0,0 +1,12 @@
#
#=DESCRIPTION validate some uses of the profile flags.
#=EXRESULT PASS
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist flags=(prompt audit) {
#include <includes/base>
/usr/X11R6/lib/lib*so* r,
/does/not/exist r,
}


@ -154,6 +154,16 @@ exception_not_raised = (
'profile/flags/flags_bad44.sd', 'profile/flags/flags_bad44.sd',
'profile/flags/flags_bad45.sd', 'profile/flags/flags_bad45.sd',
'profile/flags/flags_bad46.sd', 'profile/flags/flags_bad46.sd',
'profile/flags/flags_bad47.sd',
'profile/flags/flags_bad48.sd',
'profile/flags/flags_bad49.sd',
'profile/flags/flags_bad50.sd',
'profile/flags/flags_bad51.sd',
'profile/flags/flags_bad52.sd',
'profile/flags/flags_bad53.sd',
'profile/flags/flags_bad54.sd',
'profile/flags/flags_bad55.sd',
'profile/flags/flags_bad56.sd',
'profile/profile_ns_bad8.sd', # 'profile :ns/t' without terminating ':' 'profile/profile_ns_bad8.sd', # 'profile :ns/t' without terminating ':'
'ptrace/bad_05.sd', # actually contains a capability rule with invalid (ptrace-related) keyword 'ptrace/bad_05.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
'ptrace/bad_06.sd', # actually contains a capability rule with invalid (ptrace-related) keyword 'ptrace/bad_06.sd', # actually contains a capability rule with invalid (ptrace-related) keyword
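Review bot: The ten new entries extend the list of fixtures the utils' own parser is known not to reject without saying why, while the neighbouring `profile_ns_bad8.sd` and `ptrace/bad_0*.sd` entries each carry a reason; a comment on the first added line, along the lines of `# conflicting mode flags are not checked by the utils`, would make the limitation explicit, assuming that is indeed the cause. The commit does not touch the utils' flag handling, so if it validates mode names the new `flags=(prompt)` PASS fixtures depend on it already accepting `prompt` — presumably it does not validate them, or those fixtures would fail in this suite. The `exception_not_raised` tuple opens and closes outside the hunk.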