John Johansen
ac7ab1c089
Fix policy generation for small dfas
cherry-pick of r2303 from trunk
So there are multiple bugs in policy generation for small dfas.
- A bug where dfas reduced to only have a non-accepting state
drop the start state for accept tables in the chfa encoding
eg. deny audit dbus,
the accept and accept2 tables are resized to 1 but the chfa format
requires at least 2. 1 for the non-accepting state and 1 for the
start state.
the kernel check that the accept tables == other state table sizes
caught this and rejected it.
- the next/check table needs to be padded to the largest base position
used + 256 so no input can ever overflow the next/check table
(next/check[base+c]).
This is normally handled by inserting a transition which resizes
the table. However in this case there were no transitions being
inserted into the dfa, resulting in a next/check table size of
2 with a base pos of 0, meaning the table needed to be padded
to 256.
- there is an alignment bug for dfas within the container (see below)
What follows is a hexdump of the generated policy. With the
different parts broken out. There are 2 dfas (policy and older file) and
it is the second dfa that is out of alignment.
The aadfa blob wrapper should be making sure that the start of the actual
dfa is in alignment but this is not happening. In this example
00000000 04 08 00 76 65 72 73 69 6f 6e 00 02 05 00 00 00 |...version......|
00000010 04 08 00 70 72 6f 66 69 6c 65 00 07 05 40 00 2f |...profile...@./|
00000020 68 6f 6d 65 2f 75 62 75 6e 74 75 2f 62 7a 72 2f |home/ubuntu/bzr/|
00000030 61 70 70 61 72 6d 6f 72 2f 74 65 73 74 73 2f 72 |apparmor/tests/r|
00000040 65 67 72 65 73 73 69 6f 6e 2f 61 70 70 61 72 6d |egression/apparm|
00000050 6f 72 2f 71 75 65 72 79 5f 6c 61 62 65 6c 00 04 |or/query_label..|
00000060 06 00 66 6c 61 67 73 00 07 02 00 00 00 00 02 00 |..flags.........|
00000070 00 00 00 02 00 00 00 00 08 02 00 00 00 00 02 00 |................|
00000080 00 00 00 02 00 00 00 00 02 00 00 00 00 04 07 00 |................|
00000090 63 61 70 73 36 34 00 07 02 00 00 00 00 02 00 00 |caps64..........|
000000a0 00 00 02 00 00 00 00 02 00 00 00 00 08 04 09 00 |................|
000000b0 70 6f 6c 69 63 79 64 62 00 07
begin of policy dfa blob wrapper
000000b0 04 06 00 61 61 64 |policydb.....aad|
000000c0 66 61 00 06
size of the following blob (in little endian) so 0x80
000000c0 80 00 00 00
begin of actual policy dfa, notice alignment on 8 byte boundary
000000c0 1b 5e 78 3d 00 00 00 18 |fa.......^x=....|
000000d0 00 00 00 80 00 00 6e 6f 74 66 6c 65 78 00 00 00 |......notflex...|
000000e0 00 01 00 04 00 00 00 00 00 00 00 01 00 00 00 00 |................|
000000f0 00 07 00 04 00 00 00 00 00 00 00 01 00 00 00 00 |................|
00000100 00 02 00 04 00 00 00 00 00 00 00 02 00 00 00 00 |................|
00000110 00 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 |................|
00000120 00 00 00 02 00 00 00 00 00 08 00 02 00 00 00 00 |................|
00000130 00 00 00 02 00 00 00 00 00 03 00 02 00 00 00 00 |................|
00000140 00 00 00 02 00 00 00 00 08
dfa blob wrapper
00000140 04 06 00 61 61 64 66 |............aadf|
00000150 61 00 06
size of the following blob (in little endian) so 0x4c8
00000150 c8 04 00 00
begin of file dfa, notice alignment. NOT on 8 byte boundary
1b 5e 78 3d 00 00 00 18 00 |a.......^x=.....|
00000160 00 04 c8 00 00 6e 6f 74 66 6c 65 78 00 00 00 00 |.....notflex....|
00000170 01 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 |................|
00000180 00 00 00 00 9f c2 7f 00 00 00 00 00 00 00 00 00 |................|
00000190 04 00 30 00 00 00 00 00 07 00 04 00 00 00 00 00 |..0.............|
000001a0 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 02 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 01 00 00 00 01 00 00 00 02 00 |................|
000001e0 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 00 |................|
000001f0 00 00 06 00 00 00 00 00 02 00 00 00 05 00 05 00 |................|
00000200 08 00 02 00 00 00 00 00 00 01 02 00 00 00 03 00 |................|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000260 00 00 00 00 00 00 00 00 00 00 02 00 04 00 00 00 |................|
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000410 03 00 02 00 00 00 00 00 00 01 02 00 00 00 02 00 |................|
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000470 00 00 00 00 00 00 00 00 00 00 01 00 03 00 04 00 |................|
00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
end of container
00000610 08 |................|
00000620
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-01-09 17:43:59 -08:00
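The alignment problem described in the commit above can be checked mechanically. The following Python is an added example, not code from the AppArmor project: it scans a policy container for the "aadfa" blob wrapper whose byte layout is read off the commit's hexdump (string tag 0x04, little-endian length, the name, blob tag 0x06, then a 4-byte little-endian size), and reports whether each dfa body starts on an 8-byte boundary. The container it runs on is constructed to reproduce the offsets from the hexdump (policy dfa at 0xc8, file dfa at 0x157); everything else about the format is an assumption.

```python
import struct

# Wrapper layout inferred from the hexdump in the commit message (assumption):
# string tag 0x04, 2-byte little-endian length 6, "aadfa\0", then blob tag 0x06
# followed by the 4-byte little-endian size of the dfa that comes next.
AADFA_WRAPPER = b"\x04\x06\x00aadfa\x00\x06"
DFA_ALIGNMENT = 8                 # boundary the commit says the dfa start must sit on
DFA_MAGIC = b"\x1b\x5e\x78\x3d"   # first four bytes of each dfa in the dump


def find_dfa_blobs(container):
    """Locate every aadfa-wrapped dfa and report where it starts and whether
    that start is aligned. Returns a list of dicts, one per dfa."""
    found = []
    pos = 0
    while True:
        idx = container.find(AADFA_WRAPPER, pos)
        if idx < 0:
            return found
        size_off = idx + len(AADFA_WRAPPER)
        if size_off + 4 > len(container):
            raise ValueError("truncated aadfa wrapper at offset %#x" % idx)
        (size,) = struct.unpack_from("<I", container, size_off)
        start = size_off + 4
        if start + size > len(container):
            raise ValueError("dfa at offset %#x overruns the container" % start)
        found.append({
            "wrapper": idx,
            "start": start,
            "size": size,
            "aligned": start % DFA_ALIGNMENT == 0,
            "padding_needed": (-start) % DFA_ALIGNMENT,
        })
        pos = start + size


def misaligned_dfas(container):
    """Start offsets of every dfa that is not on the required boundary."""
    return [b["start"] for b in find_dfa_blobs(container) if not b["aligned"]]


def build_sample_container():
    """Constructed container that reproduces the offsets from the commit's
    hexdump; the bytes before the first wrapper are zero filler standing in
    for the version, profile name, flags and caps64 entries."""
    out = bytearray(0xba)
    out += AADFA_WRAPPER + struct.pack("<I", 0x80)
    out += DFA_MAGIC.ljust(0x80, b"\x00")     # policy dfa, starts at 0xc8 (aligned)
    out += b"\x08"                            # closing byte seen at 0x148 in the dump
    out += AADFA_WRAPPER + struct.pack("<I", 0x4c8)
    out += DFA_MAGIC.ljust(0x4c8, b"\x00")    # file dfa, starts at 0x157 (not aligned)
    out += b"\x08"                            # end of container
    return bytes(out)


if __name__ == "__main__":
    for blob in find_dfa_blobs(build_sample_container()):
        print("dfa at %#x size %#x aligned=%s pad=%d" % (
            blob["start"], blob["size"], blob["aligned"], blob["padding_needed"]))
```

On the constructed input the first dfa reports aligned at 0xc8 and the second reports a start of 0x157 needing one byte of padding, which is exactly the defect the commit's hexdump shows. A check like this belongs in a test that runs over freshly generated policy, since the kernel-side size check described above only catches the accept-table problem, not the alignment one.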
John Johansen
cbe3f33daf
Add Basic infrastructure support for the policydb
policydb is the new matching format, that combines the matching portions
of different rules into a single dfa/hfa. This patch only lays some ground
work it does not add encoding of any rules into the policydb
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-16 08:14:46 -08:00
John Johansen
dd7427d1eb
Remove setting of capabilities from the syntax
The ability to set capabilities from a profile has been removed from the
kernel for several releases. Remove it from the parser as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-16 08:04:04 -08:00
John Johansen
c259deb5b2
Fix apparmor_parser when removing a profile from an alternate namespace
The module interface calls for names with namespaces to be in the format of
:namespace:profile or :namespace://profile
but the parser was generating
namespace:profile
causing profile lookup to fail, or removal of the wrong profile as it was
done against the current namespace, instead of the specified namespace
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
2012-01-02 15:35:21 -08:00
Steve Beattie
93ae7808cb
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-parser: Fix up translations
References: bnc#586070
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2011-01-14 17:44:51 -06:00
Kees Cook
723a20ba7d
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
Kees Cook
feb70284bc
Effectively revert revno 1471, and fix the misdetected error condition
so that caching will work again without needing kernel_load.
2010-09-14 12:38:38 -07:00
John Johansen
8762c1dcfb
The upstream 2.6.36 version of apparmor doesn't support network rules.
Add a flag to the parser controlling the output of network rules,
and warn per profile when network rules are not going to be enforced.
2010-08-26 10:37:46 -07:00
John Johansen
b5c780d2a1
Remove pcre and update tests where necessary
2010-07-31 16:00:52 -07:00
Kees Cook
624aee531a
Fix many compile-time warnings.
Start replacing RPM with lsb-release.
Drop old references to CVE.
Remove unused code.
2010-07-26 09:22:45 -07:00
John Johansen
49530d5fe5
This patch adds back in the -p flag, allowing the dumping of a
flattened profile to stdout.
It currently does not do any more than flattening the include
files. The expansion of variables etc. can be added later.
2010-06-26 13:13:52 -07:00
Steve Beattie
69d59f80ed
Don't (un)load flattened hats on removal, as the kernel pulls them out
automatically (and the parser emits an error due to this).
2010-03-09 01:38:12 -08:00
John Johansen
5709d94710
Add the ability to control how path mediation is done at the profile level
2010-02-17 12:21:52 -08:00
John Johansen
94b2a345f2
Fix -S flag so the profile can be dumped to stdout again
The changes to the loader permission logic broke the -S flag, so update
the test so that we can dump out the profile again.
2010-02-12 13:44:00 -08:00
Kees Cook
0d2518551f
provide kernel version caching, along with ability to test caching subsystem
2009-11-11 10:56:04 -08:00
John Johansen
6998f6fc3d
Add 64bit capabilities
2009-08-20 15:27:12 +00:00
John Johansen
747d7da402
Revert broken 64bit capabilities patch
2009-08-20 15:26:12 +00:00
John Johansen
9e27a95b8e
Enable profile names with regular expressions. This requires a newer
kernel.
2009-07-30 06:09:19 +00:00
John Johansen
22d883b4d3
cleanup asprintf return value being ignored warnings
2009-07-24 23:47:46 +00:00
John Johansen
c8fa7815a6
Update capabilities to support 64 bit caps
2009-07-24 23:37:03 +00:00
Steve Beattie
b8cde97ab7
Bah, the whole using linux/socket.h get AF_* tokens versus sys/socket.h
thing again. Fix to use the kernel's definition of AF_MAX in
linux/socket.h if it's larger than glibc's AF_MAX definition in
sys/socket.h and add a wrapper function so that we don't have include
af_names.h everywhere.
Also, fix memory leaks around the handling of network entries of
policies.
2009-07-24 17:24:41 +00:00
John Johansen
ab3d7edcdc
add loading from and writing to cache options
Signed-Off-By: Kees Cook <kees.cook@canonical.com>
2009-07-24 07:36:09 +00:00
John Johansen
1fd75ff4f4
actually use -q when loading
Signed-Off-By: Kees Cook <kees.cook@canonical.com>
2009-07-24 07:34:54 +00:00
John Johansen
0137b992b4
move -D_GNU_SOURCE to Makefile for parser_lex.l to gain it
Signed-Off-By: Kees Cook <kees.cook@canonical.com>
2009-07-24 07:33:39 +00:00
Steve Beattie
947a77bcde
Add a case to the interface error reporting for -EACCES return, which
likely means that the admin attempted to load a policy while confined by
apparmor.
2009-03-13 03:44:26 +00:00
John Johansen
c149ae6097
Finish adding support to allow the parser to load dumped profiles
generated using
apparmor_parser profile -S >binary_profile
can now be loaded using
apparmor_parser -B binary_profile
2008-09-10 08:44:53 +00:00
John Johansen
d8df8830f1
add hat flag and add it automatically for embedded hats
remove hat rules
2008-06-09 11:48:13 +00:00
John Johansen
8f13e0d60d
- fix rcapparmor stop. Have it dump the loaded profile list to a file before
removing profiles, as the list is unstable after additions or removals.
- Add the ability to load precompiled policy by specifying the -B
option, which can be combined with --add or --replace
2008-06-09 10:00:28 +00:00
John Johansen
11f925abba
fix named transition, enable cx to imply transition to local profile, without having to specify name
2008-04-16 06:54:51 +00:00
John Johansen
015df061e3
Named transition - but disabled due to a bug
2008-04-16 04:45:02 +00:00
John Johansen
add2b93657
update interface version
2008-04-08 20:30:06 +00:00
John Johansen
ecf6b55baf
let a profile control a task's rlimits
2008-04-06 18:55:46 +00:00
John Johansen
34f2c96700
let a profile set a task's caps, similar to fscaps
2008-04-06 18:55:27 +00:00
John Johansen
a3c0753b89
Add Audit control to AppArmor through the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the deny set just as allow permissions accumulate,
then the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
John Johansen
40c3686041
remove old netdomain syntax
2007-11-16 09:34:01 +00:00
John Johansen
a4721bd02d
add basic handling of profile namespaces
2007-11-16 09:18:48 +00:00
Steve Beattie
2737f6bc97
Patch by jjohansen@suse.de
Acked-By: Steve Beattie <sbeattie@suse.de>
Support for basic network mediation keywords.
2007-07-27 20:29:47 +00:00
John Johansen
5655affcda
flatten hats for individual profile load
2007-06-26 21:09:46 +00:00
John Johansen
cd79c1ac77
update copyright dates
2007-04-11 08:12:51 +00:00
John Johansen
f3ba454d8c
Add dfa support to the parser
2007-02-27 02:29:16 +00:00
John Johansen
20dbc4d8cb
fix miss break #240986 . Back out partial commit of dfa matcher support (that was mistakenly submitted)
2007-02-01 21:45:39 +00:00
John Johansen
d1f8df2fa5
dfa patches for the parser
2007-02-01 20:18:50 +00:00
Steve Beattie
0e969aa582
Fix small memory leak in the parser.
2006-12-19 17:44:53 +00:00
John Johansen
97ef545dc3
revert interface version to v2
2006-08-04 21:30:34 +00:00
John Johansen
c611d4cbf0
increase interface version for loading policy, due to the m and unsafe exec flags breaking compatibility with v2 policy
2006-08-04 17:22:19 +00:00
Steve Beattie
6b0de8f6bc
Update keywords attribute, svn:ignore attribute, update Makefile to
point to the new location of the common/ dir.
2006-04-12 03:09:10 +00:00
Steve Beattie
6d3e74907d
Import the rest of the core functionality of the internal apparmor
development tree (trunk branch). From svn repo version 6381.
2006-04-11 21:52:54 +00:00