2
0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00

1892 Commits

Author SHA1 Message Date
Kees Cook
a92f9e67b3 Add "comm" string to the parser structure and testsuite runner. Update
testsuite output to include "comm" report.
2010-07-26 09:20:02 -07:00
Kees Cook
5649f5237b Add testcases for new LSM-audit log messages.
Update log parser grammar to handle new LSM-audit log messages.
2010-07-26 09:16:23 -07:00
Kees Cook
24a05b0bf5 add kernel regression test build-time by-products to ignore list 2010-07-25 19:00:51 -07:00
Kees Cook
359514432f add more build-time by-products to the ignore list 2010-07-25 18:59:58 -07:00
Kees Cook
cf706a37f0 add build-time by-products to the .bzrignore for libapparmor 2010-07-25 18:52:19 -07:00
John Johansen
4be07c3265 This adds a basic debug dump for the conversion of each rule in a profile to its expression
tree.  It is limited in that it doesn't currently handle the permissions of a rule.

conversion output presents an aare -> prce conversion followed by 1 or more expression
tree rules, governed by what the rule does.
eg.
  aare: /**   ->   /[^/\x00][^\x00]*
  rule: /[^/\x00][^\x00]*  ->  /[^\0000/]([^\0000])*

eg.
echo "/foo { /** rwlkmix, } " | ./apparmor_parser -QT -D rule-exprs -D expr-tree

aare: /foo   ->   /foo
aare: /**   ->   /[^/\x00][^\x00]*
rule: /[^/\x00][^\x00]*  ->  /[^\0000/]([^\0000])*

rule: /[^/\x00][^\x00]*\x00/[^/].*  ->  /[^\0000/]([^\0000])*\0000/[^/](.)*


DFA: Expression Tree
(/[^\0000/]([^\0000])*(((((((((((((<513>|<2>)|<4>)|<8>)|<16>)|<32>)|<64>)|<8404992>)|<32768>)|<65536>)|<131072>)|<262144>)|<524288>)|<1048576>)|/[^\0000/]([^\0000])*\0000/[^/](.)*((<16>|<32>)|<262144>))


This simple example shows many things
1. The profile name under goes pcre conversion.  But since no regular expressions where found
   it doesn't generate any expr rules
2. /** is converted into the pcre expression /[^\0000/]([^\0000])*
3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then
   converted into expression trees.

   The reason for this can not be seen by the output as this is actually triggered by
   permissions separation for the rule.  In this case the link permission is separated
   into what is shown as the second rule: statement.
4. DFA: Expression Tree dump shows how these rules are combined together

You will notice that the rule conversion statement is fairly redundant currently as it just
show pcre to expression tree pcre.  This will change when direct aare parsing occurs,
but currently serves to verify the pcre conversion step.


It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned
up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion
from an aare straight to the expression tree, and dfaflag passing will become part of the
rule set.
2010-07-23 13:29:35 +02:00
John Johansen
837f47c921 This is the user space fix for launchpad.net/busgs/599450
It changes the table resizing so that there is always sufficient
high entries in the table, preventing bounds violations from
occurring.

Previously the resize allocation was always based on the character
set range for a state, which could be more or less than actually
required, and packing would waste some space when over allocation
was done.

As a result this patch in general results in slightly smaller
transition tables even though it enforcing the minimum required
padding to avoid bounds violations.
2010-07-23 04:30:31 +02:00
John Johansen
bfb96638f6 This is a preparatory patch for the fix to launchpad.net/bugs/599450.
It combines the two separate table resize code segments into a single
functionally equivalent segment.  It does not fix the bug.
2010-07-23 04:29:54 +02:00
John Johansen
6453a41a28 Add extra transition table labeling to help with interpretation of the
dump output.
2010-07-23 04:29:29 +02:00
Steve Beattie
1d9ca54cec Minor touchups to the README. 2010-07-22 17:07:10 +02:00
Jamie Strandboge
1cc6ef54d0 added README file 2010-07-22 15:29:07 +02:00
John Johansen
af3476afb9 The templatization of deref_less_than is unnecessary and complicates the code
replace it with its none templatized version.
2010-07-10 17:53:04 -07:00
John Johansen
4f8e01ff36 expression tree node labeling is used during debugging dumps. Currently the node labels
are computed and stored in a map, that is not cleaned up.  This means that the labeling
is retained across different dfas.

Move the labeling into expr node as this takes less memory than using a map and will
also separates node labeling so its per dfa instead of global.  In addition this means
the labeling is cleanedup/freed when the expr tree is freed without any extra work.
2010-07-10 17:52:13 -07:00
John Johansen
d0dcab10f1 Make the transition table dump easier to understand by labeling each entry with its
index.
2010-07-10 17:49:32 -07:00
John Johansen
1004f039ec When creating the dfa the sets firstpos, lastpos, and followpos are computed for
each expression tree node and then used as input to create the dfa states.

Currently they are not being freed until the nodes are destroyed, but the information
is no longer needed once the dfa has been created.  Cleaning them up early reduces
peak memory usage.
2010-07-10 17:47:25 -07:00
John Johansen
da6df9fdc5 The apparmor parser applies the disabled and complain mode directories even when just
dumping the preprocessor output to stdout.

Add a flag to test whether to skip forcing the mode and use it with -p (dump preprocessed
profile).
2010-07-10 17:46:06 -07:00
John Johansen
a30ecbfe3c Add the -o flag to allow specifying the output file instead of loading
to the kernel.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2010-06-26 13:14:56 -07:00
John Johansen
49530d5fe5 This patch adds back in the -p flag, allowing the dumping of a
flattened profile to stdout.

It currently does not do anymore than flattening the include
files.  The expansions of variables etc can be added later.
2010-06-26 13:13:52 -07:00
Steve Beattie
2d2897f426 This patch adds a couple of additional lineno reporting testcases:
* a non-include related syntax error (errors/modefail.sd)
  * multiple successful includes followed by a failed include
    (errors/multi_include.sd)

It also fixes two issues with the parser's line counting:

  * the count began at 0 (demonstrated by the first testcase's error
    being reporting on one line less than it should be), and

  * an extra line increment when includes were detected (demonstrated
    by the second testcase's error being reported at a line beyond the
    correct linenumber.

The existing testcases did not catch these because they were all
based on the first include in the file failing and so the start of
the count from 0 counteracted the extra counted line.
2010-06-25 12:43:48 -07:00
Jamie Strandboge
d744377f4a abstractions/dbus-session: use Pix instead of Ux for dbus-launch since in
addition to setting up a dbus session it can be used to launch applications
2010-06-22 11:50:31 -05:00
Jamie Strandboge
23bc2980c6 ubuntu-media-players: add gmplayer 2010-06-08 14:33:31 -05:00
Jamie Strandboge
f8c7cee59c allow thunderbird 3 in abstractions/ubuntu-email 2010-06-07 08:30:34 -05:00
Kees Cook
6737031eb9 hrm, since I added code, I need to update the copyright details. 2010-06-04 18:57:01 -07:00
Kees Cook
7cfc7e1133 add correct line number and filename tracking for error conditions (LP: #588014)
Bug: https://launchpad.net/bugs/588014
2010-06-04 18:47:44 -07:00
Kees Cook
67bd489ba8 add generated files from parser/ to ignore list 2010-06-04 18:39:20 -07:00
Kees Cook
34f5510faf network interface enumeration 2010-06-04 17:44:59 -07:00
Kees Cook
0e07298340 update for font/icon/mime locations in current gnome 2010-06-04 17:44:30 -07:00
Kees Cook
a7fd5abe37 statvfs allowed by default 2010-06-04 17:43:11 -07:00
Jamie Strandboge
a029b16066 apparmor_notify:
- verify $opt_s is initialized (LP: #582075)
- don't show summary if $opt_s < 1
2010-05-27 09:08:12 -05:00
Jamie Strandboge
ea4756a802 ##rmor_notify: show last date when using -s # -v 2010-05-14 00:08:31 +02:00
Jamie Strandboge
7d76eea05a apparmor_notify: show last date when using -s # -v 2010-05-14 00:07:32 +02:00
Jamie Strandboge
7d22b5bdce abstractions/user-tmp: require 'owner' matching 2010-05-12 10:52:23 +02:00
Jamie Strandboge
8e97e4a405 apparmor_notify: add long options. Your welcome Steve ;) 2010-05-12 10:46:22 +02:00
Steve Beattie
d6713e49cd First, readlink is in /bin/ on ubuntu, not /usr/bin - checked both
paths. Secondly, the /lib64 -> /lib symlink would mean the
/lib64/ld-linux symlink would incorrectly be generated as
/lib64/ld-N.NN.so which still has a symlink in its path, and thus
apparmor wouldn't permit the access. Fixing by having readlink
canonicalize the entire path.

ack thppt.
2010-04-27 02:37:30 -07:00
Jamie Strandboge
369e18202f add dbus-session abstraction 2010-04-19 12:38:17 -05:00
Jamie Strandboge
96b1328967 apparmor_notify: adjust '(3 total)' to '(3 found)' 2010-04-08 23:00:52 -05:00
Jamie Strandboge
0254d63fdc apparmor_notify: group like entries together when using -v with -s. Eg:
$ sudo apparmor_notify -s 1 -v
 Profile: /usr/lib/firefox-3.6.3/firefox-*bin
 Operation: exec
 Name: /usr/bin/apturl
 Denied: ::x
 Logfile: /var/log/audit/audit.log

 Profile: /usr/sbin/ntpd
 Operation: open
 Name: /var/lib/ntp/ntp.conf.dhcp
 Denied: r::
 Logfile: /var/log/audit/audit.log
 (3 total)

 AppArmor denials: 4 (since Wed Apr  7 22:57:56 2010)
 For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
2010-04-08 22:57:04 -05:00
John Johansen
b0a9f46bb7 Update parser man page to include dump and optimize flags 2010-04-03 16:24:06 -07:00
John Johansen
d295e3b444 Update several flags to not preclude there using with writing the cache,
they will however still skip reading the cache.
2010-04-03 15:41:40 -07:00
Jamie Strandboge
6186118aa0 adjust cgi path for php5 abstraction (LP: #538661) 2010-03-30 12:34:32 -05:00
Jamie Strandboge
98d20bf257 adjust path to extensions in php5 abstraction, since the extensions directory
is more free-form than once thought
2010-03-30 12:31:26 -05:00
Jamie Strandboge
c38f0f22bc apparmor_notify: remove stray print 2010-03-30 12:26:32 -05:00
Jamie Strandboge
24446dd1d0 apparmor_notify.pod: add -u and -w options 2010-03-30 10:48:51 -05:00
Jamie Strandboge
cd90674f37 apparmor_notify: fix reopening logfile after dropping privileges (ie, notice
when auditd logs get rotated)
- use getgrnam() with setgid when dropping to nobody_group
- add '-u USER' option to drop to this user when running priviliged but
  not under sudo. Useful for starting when logged in as root.
- add a read access check before get_logfile_inode() so we don't have to
  wait for the timeout in get_logfile_inode()
- set euid only when dropping privileges, instead of using POSIX::setuid()
  which sets uid, euid and saved id when starting privileged
- create send_message() function which fork/execs so that we can set the
  real uid before calling notify-send (notify-send looks at the real uid
  when trying to connect to dbus)
- adjust reopen_logfile() to raise privileges (via euid) before accessing
  logfile when $< != $>. Drop them again after open().
2010-03-30 10:31:23 -05:00
Jamie Strandboge
4cfe8e9d48 apparmor_notify.pod: update for -f 2010-03-27 09:16:38 -05:00
Jamie Strandboge
5ceb1fa1c9 apparmor_notify:
- also check for inode change
- update size to use stat
- treat logfile_size like logfile_inode
- update logfile_size and logfile_inode in reopen_logfile()
2010-03-27 09:14:33 -05:00
Jamie Strandboge
4fb9a702f0 apparmor_notify:
- add -f option to optionally specify the logfile
- when polling, check to see if the logfile size decreased, and if so, reopen
  it. Currently this only works if you can read the file after dropping
  privileges
2010-03-27 08:28:07 -05:00
Marc Deslauriers
daffe30e47 - utils/SubDomain.pm: get rid of warnings 2010-03-26 09:51:21 -04:00
Jamie Strandboge
f0b380fe5e add 'k' to /var/lib/samba/**.tdb in the samba abstraction 2010-03-25 18:13:00 -05:00
Steve Beattie
4e039d07f3 - Break out make targets so that distributors that don't want full docs
can pick targets they want. Patch from Arkadiusz Miskiewicz <arekm at
  maven.pl>.

- Comment out debug dump of generate af_names.h
2010-03-16 15:18:55 -07:00