Add the basic infrastructure for adding regex based filters and
allow filtering process and profiles by mode based on a user supplied
filter.
Signed-off-by: John Johansen <john.johansen@canonical.com>
So that the user can control the set of data being shown add a --show
flag. Currently it allows showing
all
profiles
processes
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for new options and controls, split detailed_output()
into detailed_profiles() and detailed_processes() and This switch the
output processing to one larger pass that uses option flags.
This doesn't change current behavior and is in not as clean as the
current code for the current option set. However it will allow us to
easily add new options in one place and have them apply correctly
every where.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The unix network tests are not being run on a v8 network capable kernel. Under v8 there needs to be some adjustments to the tests because unix rules get downgraded to the socket rule ```network unix,``` which does not have the same set of conditionals or fine grained permissions, meaning some tests that would fail under af_unix (like missing permission tests) will pass under v8 network rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/893
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1005
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The conflicting flags value message was hard to read
conflicting flag value = lazytimenolazytime
change it to
conflicting flag values = lazytime, nolazytime
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adds the corresponding `MS_NOSYMFOLLOW` flag to parser/mount.h as well,
defined as (1 << 8) just as in the util-linux and the kernel.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Make it so the output options that count profiles and processes can
be output to a file.
This does not add a user option to do so
Signed-off-by: John Johansen <john.johansen@canonical.com>
For detailed output split up where output is going from whether json
is being produced.
This also allows none json output to go to a file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
When the replacement regex for multiple qualifiers matches, the
capture group variables ($1, $2, etc) are overwritten to match the
most recent regex. Since there are no capture groups in the 's/,/ /g'
regex, then $2 was empty, causing an error on policy generation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The chfa equivalence class shouldn't be a reference. Its needs to
actually exist and be part of the class during later method calls.
As a reference it leads to bad references when used later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1014
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The parser front end is inconsistent about how it handles permissions and rules. This makes extending the permission set and fixing inconsistencies between say file and af_unix rules difficult and prone to failures.
This is a set of work to cleanup the frontend parse handling, and middle semantic checks, dedup, and processing of rules and their permissions. It also is starting to lay the ground work for the parser retaining more information to output better error, and debug messages.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/802
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Historically, if you create a `profile foo /bin/foo` with aa-logprof (by
choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo`
This patch drops the `profile_` filename prefix so that the filename
will be `/etc/apparmor.d/foo`
When a user choooses to execute to a named profile (not: named child),
make sure to get the profile filename in the correct way to avoid a
crash.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1007
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
The description of @{etc_ro} and @{etc_rw} were not good enough in
explaining which directories they should contain, and when to use which
of the variables in a profile.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1000
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Probably thanks to O_MAYEXEC, denials for file access can now contain a
mix of x (exec) and other file permissions.
The actual exec should appear in a separate "exec" log event, therefore
ignore 'x' in file events for now if it's mixed with other permissions.
Note that file events ("open", "link" etc.) that contain denied_mask="x"
without another permission will still cause an error. (So far, this
hasn't been seen in the wild.)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303
Also add the log line from the bugreport and the (for now) expected
result as test_multi testcase.
I propose this patch for all branches.
Closes#303
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1001
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The code for add_local_entry is actually currently unused and will
have to change anyways by the time it is. Some drop it and the
associated variables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
