
Merge parser: add an abi <default> that is equivalent to not specifying an abi

I am unsure how to test this equivalency due to how abi declarations interact with feature file command line arguments, so advice on that would be welcome.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1585
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
John Johansen 2025-04-12 10:30:28 +00:00
commit f34a7d0b28
4 changed files with 33 additions and 2 deletions


@ -80,7 +80,7 @@ B<ALIAS RULE> = 'alias' I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','
B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> ) B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> )
B<ABI> = ( 'abi' ) ( I<ABS PATH> | I<MAGIC PATH> ) ',' B<ABI> = ( 'abi' ) ( I<ABS PATH> | I<MAGIC PATH> | '<kernel>' | '<default>' ) ','
B<ABS PATH> = '"' path '"' (the path is passed to open(2)) B<ABS PATH> = '"' path '"' (the path is passed to open(2))
@ -2127,6 +2127,8 @@ If the policy abi is specified as B<kernel> then the running kernel's
abi will be used. This should never be used in shipped policy as it abi will be used. This should never be used in shipped policy as it
can cause system breakage when a new kernel is installed. can cause system breakage when a new kernel is installed.
The special abi B<default> is equivalent to not specifying an ABI.
=head3 ABI compatibility with AppArmor 2.x =head3 ABI compatibility with AppArmor 2.x
AppArmor 3 remains compatible with AppArmor 2.x by detecting when a AppArmor 3 remains compatible with AppArmor 2.x by detecting when a


@ -1780,8 +1780,17 @@ static int abi_features_base(struct aa_features **features, char *filename, bool
bool cached; bool cached;
if (search) { if (search) {
if (strcmp(filename, "kernel") == 0) if (strcmp(filename, "kernel") == 0) {
if (kernel_features) {
*features = aa_features_ref(kernel_features);
return 0;
}
return aa_features_new_from_kernel(features); return aa_features_new_from_kernel(features);
} else if (strcmp(filename, "default") == 0) {
return aa_features_new_from_string(features,
default_features_abi,
strlen(default_features_abi));
}
f = search_path(filename, &fullpath, &cached); f = search_path(filename, &fullpath, &cached);
PDEBUG("abi lookup '%s' -> '%s' f %p cached %d\n", filename, fullpath, f, cached); PDEBUG("abi lookup '%s' -> '%s' f %p cached %d\n", filename, fullpath, f, cached);
if (!f && cached) { if (!f && cached) {
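Review bot: The new `strcmp(filename, "default") == 0` branch returns before `search_path()` is tried, so a feature file actually named `default` on the abi search path can no longer be selected with `abi <default>,`. A profile that used that spelling would now be compiled against the `default_features_abi` string with no diagnostic. Because the ABI determines which mediation features the compiled policy relies on, the precedence should be stated at the branch, for example `/* "kernel" and "default" are reserved names: resolved here and never looked up on the search path */`. The same branch passes `default_features_abi` straight to `strlen()`; its definition is not visible here, so confirm it cannot be NULL when this path runs. The body of abi_features_base starts and ends outside this hunk.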


@ -0,0 +1,10 @@
#
#=DESCRIPTION abi testing - abi kernel special case
#=EXRESULT PASS
#
abi <kernel>,
/does/not/exist {
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION abi testing - abi default special case
#=EXRESULT PASS
#
abi <default>,
/does/not/exist {
}