By changing the compare function from each rule to use class_rule_t,
instead of perms_rule_t, we temporarily ignore if permissions are
different. If every rule attribute is the same, then the permissions
can be merged. This is done at the perms_rule_t's level.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Currently File rules are the only rules that have rule dedup/merging performed. Extend support for rule merging to all other rule types.
This can result in a small performance regression when rules can not be merged/deduped but can result in a large performance increase when lots of rules can be eliminated.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1065
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Instead of having multiple tables, since we have room post split
of optimization and dump flags just move all the optimization and
dump flags into a common table.
We can if needed switch the flag entry size to a long in the future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to control whether rule merging is done.
TODO: in the furture cleanup display of flags split accross two tables
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for more flags (not all of the backend dfa based),
rework the optimization and dump flag handling which has been exclusively
around the dfa up to this point.
- split dfa control and dump flags into separate fields. This gives more
room for new flags in the existing DFA set
- rename DFA_DUMP, and DFA_CONTROL to CONTROL_DFA and DUMP_DFA as
this will provide more uniform naming for none dfa flags
- group dump and control flags into a structure so they can be passed
together.
Signed-off-by: John Johansen <john.johansen@canonical.com>
this is reuired because af_rule merging does not take into account
the potential af_unix addresses and could incorrectly merge af_unix
rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently only file rules get merged. Finish adding basic support
for rule merging and make the default the behavior to dedup
merge rules that are exact matches.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allowing access to a debug flag can greatly improve policy debugging.
This is different than the debug mode of old, that was removed. It only
will trigger additional messages to the kernel ring buffer, not
the audit log, and it does not change mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1060
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Allowing access to a debug flag can greatly improve policy debugging.
This is different than the debug mode of old, that was removed. It only
will trigger additional messages to the kernel ring buffer, not
the audit log, and it does not change mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it alread
does as it is possible to by-pass the parser to load policy.
Also improve the error message when the kernel does deny
loading policy due to failed permission checks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1044
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it alread
does as it is possible to by-pass the parser to load policy.
Also improve the error message when the kernel does deny
loading policy due to failed permission checks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like
mount slave /snap/bin/** -> /**,
mount /snap/bin/** -> /**,
would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.
1. If kernel mount flags were present on the rule. The error would
be caught causing an error to be returned, causing profile compilation
to fail.
2. If the rule did not contain explicit flags then rule would generate
change_mount_type permissions based on souly the mount point. And
the implied set of flags. However this is incorrect as it should
not generate change_mount permissions for this type of rule. Not
only does it ignore the source/device type condition but it
generates permissions that were never intended.
When used in combination with a deny prefix this overly broad
rule can result in almost all mount rules being denied, as the
denial takes priority over the allow mount rules.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183bf71448e2394734b0f2d8c316bb262)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.
This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.
The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).
Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
'name' gets used in the error message. Make sure it only gets freed
afterwards.
This bug was introduced in be0d2fa947b90320cb3f32878ceea934eb76a837 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/727
Fixes coverity CID 254465: Memory - illegal accesses (USE_AFTER_FREE)
I propose this fix for 3.0..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1040
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
If `else if (preprocess_only)` is true, the more strict condition
`else if (!include_file && preprocess_only)` won't be reached if it gets
checked after the shorter condition.
Exchange the two sections so that both code paths can be reached.
Fixes coverity CID 312499: Control flow issues (DEADCODE)
This was probably introduced in 7dcf013bcab9548582734db244ba74f09449f9c1 / https://gitlab.com/apparmor/apparmor/-/merge_requests/743 which means we'll need to backport this fix to 3.0 and 3.1.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1039
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
'name' gets used in the error message. Make sure it only gets freed
afterwards.
This bug was introduced in be0d2fa947b90320cb3f32878ceea934eb76a837 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/727
Fixes coverity CID 254465: Memory - illegal accesses (USE_AFTER_FREE)
If `else if (preprocess_only)` is true, the more strict condition
`else if (!include_file && preprocess_only)` won't be reached if it gets
checked after the shorter condition.
Exchange the two sections so that both code paths can be reached.
Fixes coverity CID 312499: Control flow issues (DEADCODE)
The conflicting flags value message was hard to read
conflicting flag value = lazytimenolazytime
change it to
conflicting flag values = lazytime, nolazytime
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adds the corresponding `MS_NOSYMFOLLOW` flag to parser/mount.h as well,
defined as (1 << 8) just as in the util-linux and the kernel.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The chfa equivalence class shouldn't be a reference. Its needs to
actually exist and be part of the class during later method calls.
As a reference it leads to bad references when used later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The code for add_local_entry is actually currently unused and will
have to change anyways by the time it is. Some drop it and the
associated variables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Another step towards having a block rule and retaining parsed rule
structure. Setup the parse to use a common block pattern, that when
we are ready will become an actual rule.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for file rules and rule duplication removal add
flags to rule_t with the first flag indicating if the rule is
deleted.
We do this instead of actually deleting the rule so we can hold
on to the rule for debug and printing output in the future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
in preparation for file rules switching to rule_t add a method to
indicate whether a particular rule is mergeable/dedupable.
Whether a rule merges or dedups will be up to the rules comparison
and merge methods.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for rule comparison and elemination have each rule
carry a type that can be used as the base of comparison. The
rule class is folded into this type.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of having each rule individually handle the class info
introduce a class_rule_t into the hierarchy and consolidate.
Signed-off-by: John Johansen <john.johansen@canonical.com>
