parser: Fix unknown state condition RLIMIT_MODEINCLDE
See merge request apparmor/apparmor!803
Acked-by: Christian Boltz for all branches
(cherry picked from commit b0bc0d532327af63ae1d01d50b4f6cc9b0eb3a2e)
dc7755e5 parser: Fix unknown state condition RLIMIT_MODEINCLDE
Fix typo in manpage
Closes#192
See merge request apparmor/apparmor!789
Acked-by: Acked-by: Seth Arnold <seth.arnold@canonical.com> for all branches
(cherry picked from commit 131ae8425b39e920465ab470a0ffc6301223efcf)
1459f49b Fix typo in manpage
Currently for directory includes the directory timestamp is ignored.
This is wrong as operations like removing a file from the dir won't
be considered in the timestamp check.
Fix this by updating the timestamp check to include the included
directories timestamp.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/760
Signed-off-by: John Johansen <john@jjmx.net>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3d1232e6404ae15ab8d99433569586f03eec972a)
The parser is failing to properly filter the slashes in the link name
after variable expansion. Causing match failures when multiple slashes
occur.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/723
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2852e1ecdf9e7bd754e75e0c9adfaeadeea48a67)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The backport of
855dbd4a parser: fix rule downgrade for unix rules
using the rule_t::warn_once which doesn't exist in the 2.x parser
series. Switch this the the static function warn_once.
Fixes: 3d85e123 parser: fix rule downgrade for unix rules
Signed-off-by: John Johansen <john.johansen@canonical.com>
Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.
Eg. On a kernel that doesn't support fine grained af_unix mediation
but does support network mediation.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
network unix type=stream,
Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.
Eg.
deny unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
deny network unix type=stream,
and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.
To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 855dbd4ac8ddb253343d6a81e094030c28233888)
Signed-off-by: John Johansen <john.johansen@canonical.com>
job scaling allows the parser to resample the number of cpus available
and increase the number of jobs that can be launched if cpu available
increases.
Unfortunately job scaling was being applied even when a fixed number
of jobs was specified. So
--jobs=2
doesn't actually clamp the compile at 2 jobs.
Instead job scaling should only be applied when --jobs=auto or when
jobs are set to a multiple of the cpus.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 65ba20b955ba91cd44e7a1a3f3194ea7f567dcb2)
With the backport of static caps to support caps from newer kernels
in older build environments. Builds against older kernels broke
because not all of the newer capabilities are defined in the kernel
headers, nor in apparmor.
In particular
CAP_AUDIT_READ was added to the kernel in 3.16
and
CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, CAP_SETFCAP, CAP_MAC_OVERRIDE,
CAP_MAC_ADMIN, CAP_SYSLOG, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND in 3.8
The apparmor kernel module was merge into the upstream kernel in 2.6.36.
In order to support all upstream kernels with apparmor add the set
of capabilities introduced since apparmor was merged upstream.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/655
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Linux 5.9 added CAP_CHECKPOINT_RESTORE add it to the set of supported
capabilities.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/654
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backported from commit 644a473971df4e18555e97fa36bafd89459c4717)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The sed command to manipulate the known cap list (base_cap_names.h) into
a format to match the generated_cap_names.h was buggy because the
trailing '}' would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.
Fix this by removing the trailing '}" match and instead match the third
comma-delimited field that matches a capability name, and replace that.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
(cherry picked from commit a7fc8bb5008f17075137e6743230807ebf2b3ee6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a1978fb1b2f9c97ae6ea7efb752e3d25ac261830)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 35f6d49ec679f41ac30a2dd22780881c03ca01c9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently mount options type= and options= do not expand variables
but they should. Fix it.
Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 882380ad3d8e90a9ac9fe489485ce9f652a1a80a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is not treating unix addr as a path and filtering slashes
after variable expansion. This can lead to errors where
@{foo}=/a/
unix bind addr=@{foo}/bar,
will always fail because addr is being matched as /a//bar instead of
/a/bar.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6af05006d9dd1bfaa36e555841496a4cbf3992ee)
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5b850c154f26bdd5435b8d9d3af4a7fc2072c62e)
The autogenerated capabilities comparison needs to be updated if the
capability_table structure changes. Add a note by the structure to
make sure the Makefile will get updated if the structure is changed.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/597
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backported from commit 139fac6062131b11df22bdcb59747329c4f6e7b8)
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
(backported from commit 33ff79a9e59dc72428a9d4d94b01e00b8d0b8429)
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fb9c5f9bcfd9a8d73b8eb9a8336693b4bce9fa6f)
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fdba3a571c82adb589732a1eccbc36878a194330)
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 270fb0a2b27321fb14a316b3a3afd4b86f9cec6f)
ABI_MODE needs to be able to consume white space, unfortunately this
was missed, and only showed up with the basckport of the patches
to stop unmatched input from being passed through.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Newlines should generally be treated as whitespace. Expand the list
of states using the newline rule to include almost all rules that
eat WS.
There are two exceptions assign and comment which have special handling
of newlines.
this fixes the failures
not ok 71543 - ./simple_tests//vars/vars_simple_assignment_13.sd: quoted commas should not trigger an error
not ok 71544 - ./simple_tests//vars/vars_simple_assignment_14.sd: quoted commas should not trigger an error
found by introducing nodefault
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 21498ff9a434117516477b83c6c380b0c26a6037)
Split the newline processing into a separate rule block so that it can
be shared with states that need to process newlines without processing
end of rule conditions.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit fffca2ffa00d86b0f3a11eea066cf651486331ea)
There were several states missing from the default rule which catches
unexpected input in a state.
Update the default rule to catch all input including newlines and
update its error message to include information about which state the
failure occured in. Also update the comment about what to do when
adding new states.
While the lexer now has the "nodefault" option set, it doesn't provide
as much information as the default rule does, so we prefer states
to use our provided default rule.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 1a4288886bcb46dcfc19ad61d648a30488f44619)
With %option nodefault, the parser now errors out as expected, even if
the error message isn't too helpful.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de> Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 7d062917aa34c62b2eafc3c20f77d0be903b90bc)
... (using `%option nodefault`) instead of echoing the unknown parts to
stdout, and ignoring the error.
This will cause the parser to error out with
flex scanner jammed
and $?=2 if a profile contains unknown/invalid parts. That's not really
a helpful error message, but still better than ignoring errors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit c01ed1d57b6115067f43a405b14acf24d84ff03a)
This series adds a couple of patches to make the software more crosscompilation friendly. They are based on the work I'm doing to fix the package on buildroot
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9ba2334423cccc811c0e59e3af604f06631a3d4f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
egrep: bad regex '^/.[ \t]+flags[ \t]=[ \t]*([ \t]complain[ \t])[ \t]+{': Invalid contents of {}
Note the final non-escaped {.
The issue is not present any more in branch master.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/80
Signed-off-by: John Johansen <john.johansen@canonical.com>
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
assertEquals is deprecated since Python 2.7 and 3.2.
(cherry picked from commit 62abfe38e8bb3e6ba4dc873efbd1855888ea8aa0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit f4220a19bec57a2d3d7d92984e9030197605c0dd)
Correct the long option used to print the cache directory.
Fixes: e9d9395f91cd ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit 50e34b45c2d332b9575bc5c23eb872bdbc3dec4e)
Ref: https://gitlab.com/apparmor/apparmor/merge_requests/406
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
(cherry picked from commit 654d96a3f78ba4145125060e52dcda6a226909e2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
This is especially handy if your distro doesn't split sbin and bin
and only wants to install into bin (so that the sbin directory doesn't
clash with the sbin -> bin symlink)
[Per feedback, added USR_SBINDIR as a toggle for the install location
of aa-teardown -- @smb]
Signed-off-by: Rasmus Thomsen <cogitri@exherbo.org>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/111/
(cherry picked from commit 7c86a2acaf33ac9abd5548216e49dcfd3eb6196c)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 90a4b301bd569b7b6c325473d6cee7d1d36702d0)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 78c09e4337ca17483b021e0355c078d449437bae)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit d14723b78c5fea6c8c08c3bd2d81531ee492ff99)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9f9294b48bedbdfb8263e556ebd5a50db2538b6e)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1a5bca947516055543144870f1476b0)
Drop 'to' option for link rules from manpage
See merge request apparmor/apparmor!368
Acked-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit 041cd95a98e798e3567c63c3c7eb74d81fc5c64e)
115a1d89 Drop 'to' option for link rules from manpage
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf636308eeb05185bb4ccdc1731a96980)
6b276563 apparmor.d manpage: update list of network domain keywords
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbdd3fe311027ae2ceb9f441a30a6075a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27962039c5bc2a380936c7316575701f)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b189cf9e2c4d8bce8fb45c68bf4cc327 not backported
