Merge parser: add an abi <default> that is equivalent to not specifying an abi

I am unsure how to test this equivalency due to how abi declarations interact with feature file command line arguments, so advice on that would be welcome. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1585 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 10:07:12 +00:00 · 2025-04-12 10:30:28 +00:00 · 2025-04-12 10:30:28 +00:00 · f34a7d0b28
commit f34a7d0b28
parent 8138bc60d1 491def4385
4 changed files with 33 additions and 2 deletions
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@ -80,7 +80,7 @@ B<ALIAS RULE> = 'alias' I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','

 B<INCLUDE> = ( '#include' | 'include' ) [ 'if exists' ] ( I<ABS PATH> | I<MAGIC PATH> )

-B<ABI> = ( 'abi' ) ( I<ABS PATH> | I<MAGIC PATH> ) ','
+B<ABI> = ( 'abi' ) ( I<ABS PATH> | I<MAGIC PATH> | '<kernel>' | '<default>' ) ','

 B<ABS PATH> = '"' path '"' (the path is passed to open(2))

@ -2127,6 +2127,8 @@ If the policy abi is specified as B<kernel> then the running kernel's
 abi will be used. This should never be used in shipped policy as it
 can cause system breakage when a new kernel is installed.

+The special abi B<default> is equivalent to not specifying an ABI.
+
 =head3 ABI compatibility with AppArmor 2.x

 AppArmor 3 remains compatible with AppArmor 2.x by detecting when a
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -1780,8 +1780,17 @@ static int abi_features_base(struct aa_features **features, char *filename, bool
 	bool cached;

 	if (search) {
-		if (strcmp(filename, "kernel") == 0)
+		if (strcmp(filename, "kernel") == 0) {
+			if (kernel_features) {
+				*features = aa_features_ref(kernel_features);
+				return 0;
+			}
 			return aa_features_new_from_kernel(features);
+		} else if (strcmp(filename, "default") == 0) {
+			return aa_features_new_from_string(features,
+								default_features_abi,
+								strlen(default_features_abi));
+		}
 		f = search_path(filename, &fullpath, &cached);
 		PDEBUG("abi lookup '%s' -> '%s' f %p cached %d\n", filename, fullpath, f, cached);
 		if (!f && cached) {
--- a/parser/tst/simple_tests/abi/ok_23.sd
+++ b/parser/tst/simple_tests/abi/ok_23.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi kernel special case
+#=EXRESULT PASS
+#
+
+abi <kernel>,
+
+/does/not/exist {
+
+}
--- a/parser/tst/simple_tests/abi/ok_24.sd
+++ b/parser/tst/simple_tests/abi/ok_24.sd
@ -0,0 +1,10 @@
+#
+#=DESCRIPTION abi testing - abi default special case
+#=EXRESULT PASS
+#
+
+abi <default>,
+
+/does/not/exist {
+
+}