mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

parser: add support for user namespace creation

Browse Source 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2022-09-29 17:40:18 -03:00
parent 18d1b06b0c
commit f400b41c4a
12 changed files with 238 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -58,6 +58,7 @@ parser/profile.o
parser/ptrace.o parser/ptrace.o
parser/rule.o parser/rule.o
parser/signal.o parser/signal.o
parser/userns.o
parser/*.7 parser/*.7
parser/*.5 parser/*.5
parser/*.8 parser/*.8

7
parser/Makefile
View File

@ -101,10 +101,10 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \ parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
parser_alias.c common_optarg.c lib.c network.c \ parser_alias.c common_optarg.c lib.c network.c \
mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \ mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
af_rule.cc af_unix.cc policy_cache.c default_features.c af_rule.cc af_unix.cc policy_cache.c default_features.c userns.cc
HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \ HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \ rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
policy_cache.h file_cache.h policy_cache.h file_cache.h userns.h
TOOLS = apparmor_parser TOOLS = apparmor_parser
OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o)) OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
@ -301,6 +301,9 @@ profile.o: profile.cc profile.h parser.h network.h
rule.o: rule.cc rule.h policydb.h rule.o: rule.cc rule.h policydb.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $< $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
userns.o: userns.cc userns.h parser.h parser_yacc.h rule.h $(APPARMOR_H)
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_version.h: Makefile parser_version.h: Makefile
@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver @echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
@mv -f .ver $@ @mv -f .ver $@

1
parser/parser.h
View File

@ -344,6 +344,7 @@ extern int features_supports_ptrace;
extern int features_supports_unix; extern int features_supports_unix;
extern int features_supports_stacking; extern int features_supports_stacking;
extern int features_supports_domain_xattr; extern int features_supports_domain_xattr;
extern int features_supports_userns;
extern int kernel_supports_oob; extern int kernel_supports_oob;
extern int conf_verbose; extern int conf_verbose;
extern int conf_quiet; extern int conf_quiet;

1
parser/parser_common.c
View File

@ -78,6 +78,7 @@ int features_supports_signal = 0; /* kernel supports signal rules */
int features_supports_ptrace = 0; /* kernel supports ptrace rules */ int features_supports_ptrace = 0; /* kernel supports ptrace rules */
int features_supports_stacking = 0; /* kernel supports stacking */ int features_supports_stacking = 0; /* kernel supports stacking */
int features_supports_domain_xattr = 0; /* x attachment cond */ int features_supports_domain_xattr = 0; /* x attachment cond */
int features_supports_userns = 0; /* kernel supports user namespace */
int kernel_supports_oob = 0; /* out of band transitions */ int kernel_supports_oob = 0; /* out of band transitions */
int conf_verbose = 0; int conf_verbose = 0;
int conf_quiet = 0; int conf_quiet = 0;

18
parser/parser_lex.l
View File

@ -327,6 +327,7 @@ GT >
%x INCLUDE %x INCLUDE
%x INCLUDE_EXISTS %x INCLUDE_EXISTS
%x ABI_MODE %x ABI_MODE
%x USERNS_MODE
%% %%
@ -339,7 +340,7 @@ GT >
} }
%} %}
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{ <INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE,USERNS_MODE>{
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ } {WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
} }
@ -556,7 +557,6 @@ GT >
} }
<UNIX_MODE>{ <UNIX_MODE>{
create { RETURN_TOKEN(TOK_CREATE); }
listen { RETURN_TOKEN(TOK_LISTEN); } listen { RETURN_TOKEN(TOK_LISTEN); }
accept { RETURN_TOKEN(TOK_ACCEPT); } accept { RETURN_TOKEN(TOK_ACCEPT); }
connect { RETURN_TOKEN(TOK_CONNECT); } connect { RETURN_TOKEN(TOK_CONNECT); }
@ -567,6 +567,10 @@ GT >
shutdown { RETURN_TOKEN(TOK_SHUTDOWN); } shutdown { RETURN_TOKEN(TOK_SHUTDOWN); }
} }
<UNIX_MODE,USERNS_MODE>{
create { RETURN_TOKEN(TOK_CREATE); }
}
<DBUS_MODE,UNIX_MODE>{ <DBUS_MODE,UNIX_MODE>{
bind { RETURN_TOKEN(TOK_BIND); } bind { RETURN_TOKEN(TOK_BIND); }
} }
@ -724,13 +728,16 @@ include/{WS} {
case TOK_ABI: case TOK_ABI:
state = ABI_MODE; state = ABI_MODE;
break; break;
case TOK_USERNS:
state = USERNS_MODE;
break;
default: /* nothing */ default: /* nothing */
break; break;
} }
PUSH_AND_RETURN(state, token); PUSH_AND_RETURN(state, token);
} }
<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{ <INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE,USERNS_MODE>{
{END_OF_RULE} { {END_OF_RULE} {
if (YY_START != INITIAL) if (YY_START != INITIAL)
POP_NODUMP(); POP_NODUMP();
@ -738,14 +745,14 @@ include/{WS} {
} }
} }
<INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE>{ <INITIAL,SUB_ID_WS,INCLUDE,INCLUDE_EXISTS,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,ABI_MODE,USERNS_MODE>{
\r?\n { \r?\n {
DUMP_PREPROCESS; DUMP_PREPROCESS;
current_lineno++; current_lineno++;
} }
} }
<INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODE,INCLUDE,INCLUDE_EXISTS,ABI_MODE>{ <INITIAL,SUB_ID,SUB_ID_WS,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,RLIMIT_MODE,INCLUDE,INCLUDE_EXISTS,ABI_MODE,USERNS_MODE>{
(.|\n) { (.|\n) {
DUMP_PREPROCESS; DUMP_PREPROCESS;
/* Something we didn't expect */ /* Something we didn't expect */
@ -780,4 +787,5 @@ unordered_map<int, string> state_names = {
STATE_TABLE_ENT(INCLUDE), STATE_TABLE_ENT(INCLUDE),
STATE_TABLE_ENT(INCLUDE_EXISTS), STATE_TABLE_ENT(INCLUDE_EXISTS),
STATE_TABLE_ENT(ABI_MODE), STATE_TABLE_ENT(ABI_MODE),
STATE_TABLE_ENT(USERNS_MODE),
}; };

3
parser/parser_main.c
View File

@ -941,6 +941,9 @@ void set_supported_features()
features_supports_domain_xattr = features_intersect(kernel_features, features_supports_domain_xattr = features_intersect(kernel_features,
policy_features, policy_features,
"domain/attach_conditions/xattr"); "domain/attach_conditions/xattr");
features_supports_userns = features_intersect(kernel_features,
policy_features,
"namespaces/mask/userns_create");
} }
static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path) static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path)

1
parser/parser_misc.c
View File

@ -120,6 +120,7 @@ static struct keyword_table keyword_table[] = {
{"tracedby", TOK_TRACEDBY}, {"tracedby", TOK_TRACEDBY},
{"readby", TOK_READBY}, {"readby", TOK_READBY},
{"abi", TOK_ABI}, {"abi", TOK_ABI},
{"userns", TOK_USERNS},
/* terminate */ /* terminate */
{NULL, 0} {NULL, 0}

4
parser/parser_regex.c
View File

@ -935,6 +935,7 @@ static const char *mediates_ptrace = CLASS_STR(AA_CLASS_PTRACE);
static const char *mediates_extended_net = CLASS_STR(AA_CLASS_NET); static const char *mediates_extended_net = CLASS_STR(AA_CLASS_NET);
static const char *mediates_netv8 = CLASS_STR(AA_CLASS_NETV8); static const char *mediates_netv8 = CLASS_STR(AA_CLASS_NETV8);
static const char *mediates_net_unix = CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX); static const char *mediates_net_unix = CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX);
static const char *mediates_ns = CLASS_STR(AA_CLASS_NS);
int process_profile_policydb(Profile *prof) int process_profile_policydb(Profile *prof)
{ {
@ -977,6 +978,9 @@ int process_profile_policydb(Profile *prof)
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, dfaflags) || (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, dfaflags) ||
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, dfaflags))) !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, dfaflags)))
goto out; goto out;
if (features_supports_userns &&
!prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (prof->policy.rules->rule_count > 0) { if (prof->policy.rules->rule_count > 0) {
int xmatch_len = 0; int xmatch_len = 0;

49
parser/parser_yacc.y
View File

@ -142,6 +142,7 @@ void add_local_entry(Profile *prof);
%token TOK_TRACEDBY %token TOK_TRACEDBY
%token TOK_READBY %token TOK_READBY
%token TOK_ABI %token TOK_ABI
%token TOK_USERNS
/* rlimits */ /* rlimits */
%token TOK_RLIMIT %token TOK_RLIMIT
@ -177,6 +178,7 @@ void add_local_entry(Profile *prof);
#include "signal.h" #include "signal.h"
#include "ptrace.h" #include "ptrace.h"
#include "af_unix.h" #include "af_unix.h"
#include "userns.h"
} }
%union { %union {
@ -193,6 +195,7 @@ void add_local_entry(Profile *prof);
signal_rule *signal_entry; signal_rule *signal_entry;
ptrace_rule *ptrace_entry; ptrace_rule *ptrace_entry;
unix_rule *unix_entry; unix_rule *unix_entry;
userns_rule *userns_entry;
flagvals flags; flagvals flags;
int fmode; int fmode;
@ -272,6 +275,10 @@ void add_local_entry(Profile *prof);
%type <id> opt_named_transition %type <id> opt_named_transition
%type <boolean> opt_exec_mode %type <boolean> opt_exec_mode
%type <boolean> opt_file %type <boolean> opt_file
%type <fmode> userns_perm
%type <fmode> userns_perms
%type <fmode> opt_userns_perm
%type <userns_entry> userns_rule
%% %%
@ -858,6 +865,22 @@ rules: rules opt_prefix unix_rule
$$ = $1; $$ = $1;
} }
rules: rules opt_prefix userns_rule
{
if ($2.owner)
yyerror(_("owner prefix not allowed on userns rules"));
if ($2.deny && $2.audit) {
$3->deny = 1;
} else if ($2.deny) {
$3->deny = 1;
$3->audit = $3->mode;
} else if ($2.audit) {
$3->audit = $3->mode;
}
$1->rule_ents.push_back($3);
$$ = $1;
}
rules: rules opt_prefix change_profile rules: rules opt_prefix change_profile
{ {
PDEBUG("matched: rules change_profile\n"); PDEBUG("matched: rules change_profile\n");
@ -1542,6 +1565,32 @@ ptrace_rule: TOK_PTRACE opt_ptrace_perm opt_conds TOK_END_OF_RULE
$$ = ent; $$ = ent;
} }
userns_perm: TOK_VALUE
{
if (strcmp($1, "create") == 0)
$$ = AA_USERNS_CREATE;
else
$$ = 0;
if ($1)
free($1);
}
| TOK_CREATE { $$ = AA_USERNS_CREATE; }
userns_perms: { /* nothing */ $$ = 0; }
| userns_perms userns_perm { $$ = $1 | $2; }
| userns_perms TOK_COMMA userns_perm { $$ = $1 | $3; }
opt_userns_perm: { /* nothing */ $$ = 0; }
| userns_perm { $$ = $1; }
| TOK_OPENPAREN userns_perms TOK_CLOSEPAREN { $$ = $2; }
userns_rule: TOK_USERNS opt_userns_perm opt_conds TOK_END_OF_RULE
{
userns_rule *ent = new userns_rule($2, $3);
$$ = ent;
}
hat_start: TOK_CARET {} hat_start: TOK_CARET {}
| TOK_HAT {} | TOK_HAT {}

1
parser/policydb.h
View File

@ -34,6 +34,7 @@
#define AA_CLASS_SIGNAL 10 #define AA_CLASS_SIGNAL 10
#define AA_CLASS_NETV8 14 #define AA_CLASS_NETV8 14
#define AA_CLASS_LABEL 16 #define AA_CLASS_LABEL 16
#define AA_CLASS_NS 21
/* defined in libapparmor's apparmor.h #define AA_CLASS_DBUS 32 */ /* defined in libapparmor's apparmor.h #define AA_CLASS_DBUS 32 */
#define AA_CLASS_X 33 #define AA_CLASS_X 33

112
parser/userns.cc Normal file
View File

@ -0,0 +1,112 @@
/*
* Copyright (c) 2022
* Canonical, Ltd. (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc. or Canonical
* Ltd.
*/
#include "parser.h"
#include "profile.h"
#include "userns.h"
#include <iomanip>
#include <string>
#include <iostream>
#include <sstream>
void userns_rule::move_conditionals(struct cond_entry *conds)
{
struct cond_entry *cond_ent;
list_for_each(conds, cond_ent) {
/* for now disallow keyword 'in' (list) */
if (!cond_ent->eq)
yyerror("keyword \"in\" is not allowed in userns rules\n");
/* no valid conditionals atm */
yyerror("invalid userns rule conditional \"%s\"\n",
cond_ent->name);
}
}
userns_rule::userns_rule(int mode_p, struct cond_entry *conds):
audit(0), deny(0)
{
if (mode_p) {
if (mode_p & ~AA_VALID_USERNS_PERMS)
yyerror("mode contains invalid permissions for userns\n");
mode = mode_p;
} else {
/* default to all perms */
mode = AA_VALID_USERNS_PERMS;
}
move_conditionals(conds);
free_cond_list(conds);
}
ostream &userns_rule::dump(ostream &os)
{
if (audit)
os << "audit ";
if (deny)
os << "deny ";
os << "userns ";
if (mode != AA_VALID_USERNS_PERMS) {
if (mode & AA_USERNS_CREATE)
os << "create ";
}
os << ",\n";
return os;
}
int userns_rule::expand_variables(void)
{
return 0;
}
void userns_rule::warn_once(const char *name)
{
rule_t::warn_once(name, "userns rules not enforced");
}
int userns_rule::gen_policy_re(Profile &prof)
{
std::ostringstream buffer;
std::string buf;
if (!features_supports_userns) {
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS;
buf = buffer.str();
if (mode & AA_VALID_USERNS_PERMS) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode, audit,
dfaflags))
goto fail;
}
return RULE_OK;
fail:
return RULE_ERROR;
}

47
parser/userns.h Normal file
View File

@ -0,0 +1,47 @@
/*
* Copyright (c) 2022
* Canonical Ltd. (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc. or Canonical
* Ltd.
*/
#ifndef __AA_USERNS_H
#define __AA_USERNS_H
#include "parser.h"
#define AA_USERNS_CREATE 8
#define AA_VALID_USERNS_PERMS (AA_USERNS_CREATE)
class userns_rule: public rule_t {
void move_conditionals(struct cond_entry *conds);
public:
int mode;
int audit;
int deny;
userns_rule(int mode, struct cond_entry *conds);
virtual ~userns_rule()
{
};
virtual ostream &dump(ostream &os);
virtual int expand_variables(void);
virtual int gen_policy_re(Profile &prof);
virtual void post_process(Profile &prof unused) { };
protected:
virtual void warn_once(const char *name) override;
};
#endif /* __AA_USERNS_H */