The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1)
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf6)
6b276563 apparmor.d manpage: update list of network domain keywords
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit a772ee0f8b)
b3937d19 parser/apparmor.systemd: fix minor issues detected by shellcheck
disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
Split the features file into compile features and kernel features
which is needed for policy versioning and the new caching scheme.
A new flag --kernel-features was added to set the kernel features but
unfortunately -M, --features-file was setup to only specify the
compile features, when it used to effectively specify both the
compile and kernel features.
This broke existing uses of -M.
Fix this by having -M specify both the compile and kernel features,
and a new flag --compile-features that can be used to specify the
compile fature set separate from the kernel feature set.
sbeattie> fixed up error message to refer to compile features when
--compile-features argument fails.
Backport-requested-by: intrigeri <intrigeri@debian.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/104
(cherry picked from commit e83fa67edf)
Fixes: 9e48a5da5e ("parser: split kernel features from compile features.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf085036)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
The compiler is spitting out the warning
parser_main.c:1291:16: warning: ISO C++ forbids converting a string constant to 'char*' [-Wwrite-strings]
char *tmp = "/var/cache/apparmor";
fix this by constifying the cacheloc array.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit e7949d09fa)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Let's not store a bunch of automatically generated binary files in /etc.
AppArmor 3.0 will store the cache in /var/cache and most distros
(openSUSE, Debian, and soon Ubuntu) moved it there already.
Bug-Debian: https://bugs.debian.org/904637
(cherry picked from commit 3d21cf0e32)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Requiring --config-file to be first in the option list is not user
friendly fix the option parsing so that --config-file can be specified
anywhere in the option list.
This also fixes a bug where even when the --config-file option is
first the option parsing fails because the detection logic is broken
for some option cases.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/175
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit af1818c053)
The parser config file can affect the parsers behavior during tests.
Allow overriding the default location with the option
--config-file=
the option must be the first option in the commands argument list.
Also provile a
--print-config-file
option to display what the parser is using for a config file.
BugLink: http://bugs.launchpad.net/bugs/1277711
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b1967c892a)
The version of --config-file that landed in apparmor-2.13 has bugs
and the upstream version evolved before it was committed (it is
not just commits on top of the 2.13 patch).
So to backport the newer version with fixes,
revert commit 56b8e16698.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Using stdin with --write-cache set results in
# apparmor_parser --show-cache --write-cache
Cache: added primary location '/var/cache/apparmor'
Warnung aus stdin (Zeile 1): Cache: added readonly location '/usr/share/apparmor/cache'
Warnung aus stdin (Zeile 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Cache miss: stdin
Wrote cache: /var/cache/apparmor/9b2cd0d0.0/(null)
The "Wrote cache:" message is referencing a null value and should not
be displayed.
BugLink: http://bugs.launchpad.net/bugs/1787717
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Timeout
The parser config file can affect the parsers behavior during tests.
Allow overriding the default location with the option
--config-file=
the option must be the first option in the commands argument list.
Also provile a
--print-config-file
option to display what the parser is using for a config file.
BugLink: http://bugs.launchpad.net/bugs/1277711
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow the parser to use cache overlays by extending the --cache-loc
flag to support multiple locations via a comma separated list.
eg.
--cache-loc=/var/cache/apparmor/,/etc/apparmor.d/cache.d/
The overlayed cache directories are searched in the order
specified. So in the above example /var/cache/apparmor is searched
before /etc/apparmor.d/
Time stamps are ignored in the search, the first match found wins
regardless if there exists a matching cache file with a newer timestamp
in a directory is later in the search.
Cache writes will only occur to the first dir in the list. So
/var/cache/apparmor/ in the above example.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The feature set needs to be split, the kernel features set determines
the cache location and controls features down grades to ensure
policy generates a policy that is usable on a given kernel.
The compile featurs set governs the feature set supported by policy
and primarily determines how policy is parsed and compiled.
Taking the intersection of the two feature sets to determine rule
downgrades for a specific kernel is left to a separate patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add the support to have the cache be able to search multiple locations
so that the policy cache can be split into multiple locations and
that there can be a local cache that can override preshipped caches.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Make the internal cache dir tracking use a fixed array and update
all references to the internal dirfd to index the array.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Adjust the cache directory name from
<cache_loc>/<feature_id>
to
<cache_loc>/<feature_id>.<n>
where <n> is 0 for the first cache created for a given feature_id.
If there is a feature_id collision then <n> will be incremented to
the next number.
The .features file within each cache directory is used to disambiguate
which feature_id cache dir belongs to which feature set.
Cache collisions and missing caches cause a slow path that searches
existing cache dirs that fit the cache_name pattern, to ensure the
proper dir is chosen.
TODO: add regression tests
create cache dir check it
copy different feature set to it
create cache dir again, check it, check that it incremented...
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Move the policy cache directory from <cacheloc>/cache/ to
<cacheloc>/cache.d/<features_id>/ where <features_id> is a unique
identifier for a set of aa_features. This allows for multiple AppArmor
policy caches exist on a system. Each policy cache will uniquely
correspond to a specific set of AppArmor kernel features. This means
that a system can reboot into a number of different kernels and the
parser will select the existing policy cache that matches each kernel's
set of AppArmor features.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Use the new --print-cache-dir parser option to construct the policy
cache dir when testing the policy caching functionality.
The majority of the required changes involve fully initializing
self.cmd_prefix prior to calling self.get_cache_dir() since that
function requires self.cmd_prefix to be initialized.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The --print-cache-dir option can be used to have the parser print the
value of the cache directory that is specific to the features used (from
the current kernel, the --match-string option, or the --features-file
option). After printing the path, apparmor_parser will exit. This is
helpful because the final component in the path will become
unpredictable because it will be based on arbitrary hash function
output.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
