reload. For now just special-case libvirt's profiles. If more applications
use dynamic profiles, this should be generalized in some way to flag profiles
as dynamic. (LP: #702774)
reload. For now just special-case libvirt's profiles. If more applications
use dynamic profiles, this should be generalized in some way to flag profiles
as dynamic. (LP: #702774)
reload. For now just special-case libvirt's profiles. If more applications
use dynamic profiles, this should be generalized in some way to flag profiles
as dynamic.
Rename change_hat.c to kernel_interface.c to better reflect that it
is providing multiple kernel_interfaces.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The apparmor_parser translation files where using the old subdomain_parser
domain, but the parser was binding to apparmor-parser. Create a new
apparmor-parser.pot file and remove the subdomain_parser.pot file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Output a better failure message when a conflict of x permissions cause
policy compilation to fail. We don't have enough information available
to output which rules during the dfa compilation so just improve the
message to let people know that it means there are conflicting x modifiers
in the rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
portion of apparmor has gone upstream. These patches had already been
dropped from the 2.5.x tree.
The compatibility kernel patches are still provided.
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/707092
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
[Note that the second half of the OpenSUSE patch had already been applied.]
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Description: the Ubuntu buildds do not have the AppArmor securityfs mounted, so
the cache tests fail. This patch skips these tests if the introspection
directory is not mounted, but runs them if it is. This should allow testing of
local builds while still allowing builds on the official buildds.
Acked-By: Steve Beattie <sbeattie@ubuntu.com> - both Ubuntu and
OpenSUSE were carrying patches that disabled the caching test,
though OpenSUSE's disabled it completely rather than checking. The
parser builds need to complete even when the kernel it's building on
doesn't support AppArmor or all the extensions that the parser needs
at runtime.
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
References: bnc#588235
This patch fixes a grammar error in techdoc.pdf.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder <isis.binder@gmail.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
aa-enforce and aa-complain exist to put a profile into enforce or
complain mode respectively. The /etc/apparmor.d/disable directory
already exists to drop files into it to disable profile load via
apparmor_parser (and therefore via the apparmor initscript). What
doesn't exist is aa-disable to add a file to the disable/ directory and
unload the profile. This patch does that. This version of aa-disable is
based on aa-complain (in fact doing a diff between aa-complain and
aa-disable might make review easier) and works as well as aa-enforce and
aa-complain. In other words, aa-disable has the same limitations of not
handling the specified binary properly if the specified attachment does
not match the path naming scheme (eg, the profile doesn't use the
conventional path.to.binary naming scheme, globbing is used for
attachment within the profile, etc). Also adjust documentation to
reference aa-disable.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This patch fixes a logprof bug where when profiles with variable
declarations at the top level (not hidden in an include) were written
back to a file, a trailing comma was being added to the declaration
statement, which is invalid apparmor policy syntax. This patch corrects
this and no longer adds the trailing comma.
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug: https://launchpad.net/bugs/706733
The testcases that were in place for the old style log messages have
had their expected output modified such that they are expected to
return invalid results, rather than deleting the testcases outright.
"SubDomain" in some way. This leaves only "subdomain.conf" and the
function names internally.
Additionally, I added a "make check" rule to the utils/Makefile to do a
simple "perl -c" sanity check just for good measure.
allows write to the ~/Desktop directory, which could conceivably allow writing
of .desktop files which could be clicked on and executed by the user. This is
based on the firefox base profile as included in Ubuntu. Notable features:
- allows for using the browser to navigate through directories
- allows reads from @{HOME}/Public/**
- allows writes to @{HOME}/Downloads/**
The intent of this profile is to restrict code execution, writes to $HOME
and information leaks while allowing basic web browsing and reading of
system documentation. It does not allow for plugins, extensions or other
helpers (but these can be added via the local/ mechanism).
- allow net_admin capability for DHCP server
- allow net_raw and network inet raw for ICMP pings when used as a DHCP
server
- allow read and write access to libvirt pid files for dnsmasq
See the FAQ in the dnsmasq source for details. This fixes
https://launchpad.net/bugs/697239
toolchain has gotten stricter about linking order; in short, linked
libraries need to come after the objects referring to them. Adding to
LDLIBS is the correct solution for this.
See https://wiki.ubuntu.com/NattyNarwhal/ToolchainTransition for more
details.
use by more and more applications, including empathy and evolution. It
is listed on freedesktop.org. See:
http://www.abisource.com/projects/enchant/
This abstraction gives access to enchant itself, files in the user's home
directory for enchant and various dictionaries for:
- aspell
- ispell
- hunspell
- myspell
- hspell
- zemberek
- voikko
start to use it. Additionally, the 'rw' on the @{HOME}/.config/ibus/bus/
probably only needs 'create' and 'chmod', so that could be tightened up once
those are exposed in the tools. LP: #649497.
$config->{repository}{enabled} = "no" (LP: #692406). We need to do this
since opensuse's site is down and there is no current alternative. Can
reenable once we have an alternative.
$config->{repository}{enabled} = "no" (LP: #692406). We need to do this
since opensuse's site is down and there is no current alternative. Can
reenable once we have an alternative.
When doing permission merging in the dfa minimization phase the information
about whether a rule is dominant or not has been lost so the merge of
xtransitions can not be handled correctly.
When two conflicting x transitions are merged the results are unpredicitable
and not currently detected. So default dfa minimization to set up its
initial partitions with permission hashing, this ensures that dfa states
that have different xtransitions in the minimization stage will never
be merged thus will not result in a conflict.
x permission checking is still enforced at the dfa creation phase where
the originial information is available to check whether the conflicting
permissions came from exact match or re rules so that conflict resolution
can be properly applied.
The end result is that dfa minimization does not result in a truely minimal
dfa (the minimization phase is also slightly faster).
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently apparmor provides the unsafe keyword to indicate an xtransition
is not scrubbing its environment variables. This can be used to be
explicit about which transition are unsafe instead of relying on people
remembering which of px Px is safe or unsafe.
Add the orthogonal keyword safe to allow specifying a transition is
safe.
Signed-off-by: John Johansen <john.johansen@canonical.com>
x Permissions when specified as a the start of the rule had a differnt
meaning than when they appeared at the tail of a rule.
Specifically px,cx,ux were not treated as unsafe when they appeared at
the start of the rule.
px /foo,
instead of at the tail of the rule
/foo px,
the keyword unsafe had to be used to force the rule to cause the x transitio
to be its unsafe variant.
Fix leading permissions so that they are consistent with file rules that
use trailing permissions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Test the leading permission form of an xrule against its trailing permission
form, to verify that they are generating the same xtransition and thus
don't conflict (assumes xtransition conflict checking is working).
eg.
px /foo,
/foo px,
should generate the same rule and thus not result in any conflicts
Signed-off-by: John Johansen <john.johansen@canonical.com>
All the combiniation of xtransition conflics where not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The is_merged_x_consistend macro was incorrect in that is tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.
The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux, and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.
This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first all pux, transitions in the profile
would be treated pux.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The dfa engine uses the defines from immunix.h for permission conflict
checking, so make the build depend on it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
During some of the dfa cleanups, the checks for conflicting xtransition
was removed. This adds the conflict checking back in and makes it part
of dfa creation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Several of the x-trans tests where failing because of the include file was
bad. This kept the test from testing what it was supposed as the test
was expected to fail. Thus hidding a bug :(
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the ability to specify the name and attachment of the profile
separately. It does not allow for the attachment specification to
begin with a variable however since variables in profile names is not
currently support this shouldn't be and issue.
Signed-off-by: John Johansen <john.johansen@canonical.com>
clean up profile parsing by merging profile and :namespace:profile parsing
into a single rule.
This also fixes a bug where the profile keyword was not allowed to proceed
profiles with a namespace declaration.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Short summary: Unloading of profiles with a space in the name fails,
therefore "rcapparmor stop" (or restart) causes a funny message - and
the profile is still loaded.
Thanks to Christian Boltz <apparmor@cboltz.de>
parser that interact with the regex DFA generation library, and thus
need to be recompiled when the header file changes.
(This patch isn't particularly of interest to distros, as they
typically won't be doing incremental compilation.)
The other changes have made it so that using a macro really isn't justified
so rework the code to get rid of the hiddeous update_for_nodes macro.
Signed-off-by: John Johansen <john.johansen@canonical.com>
With the addition of the nodes field to the state we can make the work
queue, be based off of the state instead of the node, and avoid doing
the node to map lookup to get back to the state.
This means that the NodeMap is now only used for duplicate elimination.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Factoring the updating of the state transitions doesn't save on any code
but it provides a nice logical seperation and makes the dfa work_queue
loop and the updating of the state transitions easier to understand as
units.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The match_count variable is a sum of the number of duplicates node sets
that have been encountered and discarded. Rename it to better reflect what
it is doing.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Embedding the nodes are part of the state gives fast back reference from
the state to the nodes that created it. This is useful for the state to
nodes mapping dump as it lets us output the states in order. It will also
let us avoid certain nodemap lookup in the future.
Overlay the nodes field (used only in dfa construction) with the partition
field which is only used during dfa minimization to avoid making the state
any larger.
Signed-off-by: John Johansen <john.johansen@canonical.com>
commits were made (as well as a few other minor warnings elsewhere).
The Makefile change is to avoid passing -Wstrict-prototypes and
-Wnested-externs to the C++ compiler, which the compiler yells about and
then ignores.
Since we compile with -Wmissing-field-initializers I dropped the
unreferenced zero-width fields in the header structs, and then explicitly
initialized the remaining fields.
I tagged several unused function parameters to silence those warnings.
And finally, I dropped the unused filter_escapes() too.
Embedding the the partition mapping into the State structure significantly
speeds up dfa minimization, by converting rbtree finds to straight direct
references when checking for same mappings.
The overall time improvement is small but it can half the time spent in
minimization.
The nodemap.size() increases by one with each node added, every time we
add a state we label it so this provides the proper labeling without needing
a separate variable.
add short options to turn on all stats, and all progress indicators,
also allow adding "no-" prefix to dump options to allow subtracting
individual options when short options are used.
eg.
-D stats -D no-expr-simplify
Move the -O and -D options into tables, that keep the option and its
description. This will help keep the options consistent and the description
up to date, as all information is now in one place.
Previously the options, and descriptions kept getting out of sync as all
relavent parts were spread out.
help reduce peak memory usage in some cases.
Also disbale remove_unreachable, as the current dfa code isn't generating
unreachable states, and minimization removes any states that are connected
but redundant.
hold permission information. We currently keep them in a table with a
refcount so that they don't go away, until we delete the table.
We can simulate this by getting rid of the refcount, and making dup and release
virtual, and overriding it for the special accept nodes.
improves minimization performance, it can slow down total creation time and
result in larger compressed dfas.
This is because it results in the dfa not being completely minimized which
with the current O(n2) dfa table compression algorithm can result in slower
compressed dfa generation.
first hash does hashing on state just state transitions, which always results
in a performance improvement.
The second does hashing based off of accept permissions, which can create
more initial states but can result in not being able to achieve a true
minimum dfa. This can also lead to slowing down total dfa creation because
while minimization, compression can take longer if the dfa isn't completely
minimized.
permission hashing is currently required, as minimization does not accumulate
redundant Node permissions.
memory than just using the NodeSet size to short circuit comparison but it
improves on the case where compared sets have the same size. It is possible
that this will slow down small dfa generation slightly but the trade off for
large dfa's (which are the slow ones to generate) is worth it.
This results in another performance bump over using the NodeSize is NodeSet
comparison, and the amount of improvement increases with larger dfas
of pointers when it isn't necessary. This results in a nice little
performance increase in dfa creation.
This is more of a proof of concept patch, and is replaced by the next
patch which does better short circuiting via hashing
the large side, and I experimented with different ways to split this up but in
the end, anything I could do would result in a series of dependent patches
that would require all of them to be applied to get meaningful functional
changes.
The patch structural reworks the dfa so that
- there is a new State class, it takes the place of sets of nodes in the
dfa, and allows storing state information within the state
- removes the dfa transition table, which mapped sets of nodes to a
transition table, by moving the transition into the new state class
- computes dfa state permissions once (stored in the state)
- expression tree nodes are independent from a created dfa. This allows
computed expression trees, and sets of Nodes (used as protostates when
computing the dfa). To be managed independent of the dfa life time.
This will allow reducing the amount of memory used, in the future,
and will also allow separating the expression tree logic out into
its own file.
The patch has some effect on reducing peak memory usage, and computation
time. The actual amount of reduction is dependent on the number of states
in the dfa with larger saving being achieved on larger dfas. Eg. for
the test evince profile I was using it makes the parser about 7% faster with a
peak memory usage about 12% less.
This patch changes the initial partition hashing of minimization resulting
in slightly smaller dfas.
of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed
commands.
This also refactors the manpage generation slightly since we no longer
need special cases for the manpages, and drops aa-eventd from the default
list of tools to install (it also lacks a manpage).
exported in the environment. Without it, merely setting the CFLAGS
environment variable would not affect the compilation of the parser,
though it was still possible to override it by passing the variable
as an argument (e.g. make all CFLAGS="-Oinsane -Wextra-special").
It also makes the default CFLAGS for the parser consistent with
the default for the C++ dfa library, and passes the flags on to
the library.
An audit of the other bits of C showed that they either supported
CFLAGS during configure or were otherwise honoring CFLAGS when set
as environment variable.
the common/Make.rules file into common/Version so that libapparmor's
configure.in can make use of it, meaning there's one less thing to
adjust when updating the version. It also bumps the trunk version
from 2.5 to 2.5.90 in (perhaps excessively long) preparation for the
2.6.0 release, and to indicate that it's newer than the 2.5.x branch.
tarballs and converts some of the common/Make.rules targets to get
version information from bzr. As part of this, the tarball generation
creates a .stamp_rev file in the common directory which contains both
the name of the bzr repo exported from as well as the revision.
This just adds prototypes to all functions to make further cleanup
slightly easier by getting perl to complain if not enough args are
passed to a function. Perl doesn't appear to complain about this in
every case even with prototypes, which is kind of annoying.
One of the uses of eval { } wasn't checking $@ for errors, so if
something bad happened, it'd be silently ignored. This just adds in
an extra check to die if we hit a failure.
loopback mounted filesystem to operate on, to guarantee that the mount
option user_xattr is enabled (it's disabled by default on Ubuntu).
With this change, a number of the user xattr testcases that were
expected to pass but weren't started working; however, some of the
ones that were failing as expected are now passing. I've touched up
the expectations as well.
script and add an additional sleep before the parser invocation that
generates the cache file for the first time, to avoid failures in the
"Profiles are cached when requested:" test on ext3 and other filesystems
without fine-grained enough timestamps.
parsing, and precompilation of policy. This allows finding the most
recent text time stamp during parsing and this is then compared to
the cache file time stamp.
While this is slightly slower than the cache file check that only
validated against the profile file it fixes the bug where abstraction
updates do not cause the cache file to become invalid.
capability is reported by LSM_AUDIT and is just the capability number.
capname is reported by the apparmor module and is the name the kernel
knows the capability as.
For now just use capname and silently drop capability when it is found.
started. Since apparmor_notify is not installed by default and not started
by default, the act of installing and starting it implies the desire to
get messages.
https://bugs.launchpad.net/apparmor/+bug/623467
This patch adds some additional testcases to the log parsing
testsuite, to cover rejections for operations that aren't covered by
other testcase (truncate, rename_src, rename_dest, mkdir) as well
as fixing SubDomain.pm to take those operations into account when
parsing log files.
The operations link, unlink, and possibly setattr still need to be
covered by SubDomain.pm
kernel when the hat that was passed does not exist in the profile (but
other hats exist). It also removes the very old EPERM case, which hasn't
been accurate for a while. (LP: #619521)
this results in
Unable to open output file - Success
to be output to standard error.
This occurs because despite specifying kernel_load = 0, the kernel load
parts are still being done, and failing.
- create profiles/apparmor.d/local/README to explain it all
- adjust shipped profiles in profiles/apparmor.d to include the local changes
- adjust profiles/Makefile for local files
- add profiles/local/README
- adjust profiles/apparmor.d/{bin,sbin,usr}* to include a file from local/
- adjust profiles/apparmor.d/{bin,sbin,usr}* for for copyright, some whitespace
and svn conventions
the testsuite. It looks like coredump mediation may have been removed,
since it is rather a corner-case, so I have currently marked it as XFAIL.
In hooking it back up, the "prologue.inc" was reviewed, dead code dropped,
and the "image=" argument changed to correctly handle the imageperms
syntax used elsewhere. It was working in other tests out of coincidence.
tree. It is limited in that it doesn't currently handle the permissions of a rule.
conversion output presents an aare -> prce conversion followed by 1 or more expression
tree rules, governed by what the rule does.
eg.
aare: /** -> /[^/\x00][^\x00]*
rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])*
eg.
echo "/foo { /** rwlkmix, } " | ./apparmor_parser -QT -D rule-exprs -D expr-tree
aare: /foo -> /foo
aare: /** -> /[^/\x00][^\x00]*
rule: /[^/\x00][^\x00]* -> /[^\0000/]([^\0000])*
rule: /[^/\x00][^\x00]*\x00/[^/].* -> /[^\0000/]([^\0000])*\0000/[^/](.)*
DFA: Expression Tree
(/[^\0000/]([^\0000])*(((((((((((((<513>|<2>)|<4>)|<8>)|<16>)|<32>)|<64>)|<8404992>)|<32768>)|<65536>)|<131072>)|<262144>)|<524288>)|<1048576>)|/[^\0000/]([^\0000])*\0000/[^/](.)*((<16>|<32>)|<262144>))
This simple example shows many things
1. The profile name under goes pcre conversion. But since no regular expressions where found
it doesn't generate any expr rules
2. /** is converted into the pcre expression /[^\0000/]([^\0000])*
3. The pcre expression /[^\0000/]([^\0000])* is converted into two rules that are then
converted into expression trees.
The reason for this can not be seen by the output as this is actually triggered by
permissions separation for the rule. In this case the link permission is separated
into what is shown as the second rule: statement.
4. DFA: Expression Tree dump shows how these rules are combined together
You will notice that the rule conversion statement is fairly redundant currently as it just
show pcre to expression tree pcre. This will change when direct aare parsing occurs,
but currently serves to verify the pcre conversion step.
It is not the prettiest patch, as its touching some ugly code that is schedule to be cleaned
up/replaced. eg. convert_aaregex_to_pcre is going to replaced with native parse conversion
from an aare straight to the expression tree, and dfaflag passing will become part of the
rule set.
It changes the table resizing so that there is always sufficient
high entries in the table, preventing bounds violations from
occurring.
Previously the resize allocation was always based on the character
set range for a state, which could be more or less than actually
required, and packing would waste some space when over allocation
was done.
As a result this patch in general results in slightly smaller
transition tables even though it enforcing the minimum required
padding to avoid bounds violations.
are computed and stored in a map, that is not cleaned up. This means that the labeling
is retained across different dfas.
Move the labeling into expr node as this takes less memory than using a map and will
also separates node labeling so its per dfa instead of global. In addition this means
the labeling is cleanedup/freed when the expr tree is freed without any extra work.
each expression tree node and then used as input to create the dfa states.
Currently they are not being freed until the nodes are destroyed, but the information
is no longer needed once the dfa has been created. Cleaning them up early reduces
peak memory usage.
* a non-include related syntax error (errors/modefail.sd)
* multiple successful includes followed by a failed include
(errors/multi_include.sd)
It also fixes two issues with the parser's line counting:
* the count began at 0 (demonstrated by the first testcase's error
being reporting on one line less than it should be), and
* an extra line increment when includes were detected (demonstrated
by the second testcase's error being reported at a line beyond the
correct linenumber.
The existing testcases did not catch these because they were all
based on the first include in the file failing and so the start of
the count from 0 counteracted the extra counted line.
paths. Secondly, the /lib64 -> /lib symlink would mean the
/lib64/ld-linux symlink would incorrectly be generated as
/lib64/ld-N.NN.so which still has a symlink in its path, and thus
apparmor wouldn't permit the access. Fixing by having readlink
canonicalize the entire path.
ack thppt.
when auditd logs get rotated)
- use getgrnam() with setgid when dropping to nobody_group
- add '-u USER' option to drop to this user when running priviliged but
not under sudo. Useful for starting when logged in as root.
- add a read access check before get_logfile_inode() so we don't have to
wait for the timeout in get_logfile_inode()
- set euid only when dropping privileges, instead of using POSIX::setuid()
which sets uid, euid and saved id when starting privileged
- create send_message() function which fork/execs so that we can set the
real uid before calling notify-send (notify-send looks at the real uid
when trying to connect to dbus)
- adjust reopen_logfile() to raise privileges (via euid) before accessing
logfile when $< != $>. Drop them again after open().
- also check for inode change
- update size to use stat
- treat logfile_size like logfile_inode
- update logfile_size and logfile_inode in reopen_logfile()
- add -f option to optionally specify the logfile
- when polling, check to see if the logfile size decreased, and if so, reopen
it. Currently this only works if you can read the file after dropping
privileges
tests. I don't like the solution because it exposes a data structure
definition outside of the only file that should know it's layout.
Also, fixed the Makefile to fail the build when one of the unit test
programs fails. :-(
killall-ing a few things in order to make it stop. And alas, it does seem
to eventually cause kernel hangs with 2.6.32-16. (Committing now before ext4
eats my changes and brain.)
Instead of updating the profile name, allow a profile to have multiple
alternate names. Aliases are now added as alternate names and matched
through the xmatch dfa.
Alias was broken because it when an alias was made the old path was completely
removed and there was no way to specify it. Update it so aliases just add
an new duplicate rule instead.
These replacement routines allow an application to avoid the probing
behavior of earlier version of change_hat. Allowing them to be faster
and have better learning characteristics.
xfail instead of known_{pass,fail}, also have it only reports unexpected
results, error for when result != what it should, and Alert for when it
result is what is should be but is a known problem and hence expected
to report something else.
Also update the regression tests for known problems under AppArmor 2.5,
this does not fix all known problems, (ie hats being removed differently
and hence resulting in unable to load profile errors, and the mknod
problem on alternate runs of the test suite, nor xattrs tests not ensuring
that the fs supports xattrs).
imediately after the current partition being considered, instead of
at the back of the parition list. This does two things, it makes it
more likely the data is in cache, and it also in general results in
more partitions being created in a single pass.
not an algorithmic improvement. It does the same basic algorithm of
test until it can insert the data, but instead of only tracking the
first free entry (and recomputing it each pass). It tracks all
free entries reducing the number of comparisons done and the table
grows in size.
This may actually result in a small loss on small tables, but is a win
for larger tables.
Update the hash calculation to guarentee that states with a different
number of transition entries will be placed in seperate partitions.
This will allow for a better character transition based state comparison.
Add basic Hopcroft based dfa minimization. It currently does a simple
straight state comparison that can be quadratic in time to split partitions.
This is offset however by using hashing to setup the initial partitions so
that the number of states within a partition are relative few.
The hashing of states for initial partition setup is linear in time. This
means the closer the initial partition set is to the final set, the closer
the algorithm is to completing in a linear time. The hashing works as
follows: For each state we know the number of transitions that are not
the default transition. For each of of these we hash the set of letters
it can transition on using a simple djb2 hash algorithm. This creates
a unique hash based on the number of transitions and the input it can
transition on. If a state does not have the same hash we know it can not
the same as another because it either has a different number of transitions
or or transitions on a different set.
To further distiguish states, the number of transitions of each transitions
target state are added into the hash. This serves to further distiguish
states as a transition to a state with a different number of transitions
can not possibly be reduced to an equivalent state.
A further distinction of states is made for accepting states in that
we know each state with a unique set of accept permissions must be in
its own partition to ensure the unique accept permissions are in the
final dfa.
The unreachable state removal is a basic walk of the dfa from the start
state marking all states that are reached. It then sweeps any state not
reached away. This does not do dead state removal where a non accepting
state gets into a loop that will never result in an accepting state.
For now just look at 'name=...' which is usually the last in the log entry,
so validate input against this and output based on it.
TODO: better handle other cases too
This will allow turning on and off various debug dumps as needed.
Multiple dump options can be specified as needed by using multiple
options.
eg. apparmor_parser -D variables
apparmor_parser -D dfa-tree -D dfa-simple-tree
The help option has also been updated to take an optional argument
to display help about give parameters, currently only dump is supported.
eg. apparmor_parser -h # standard help
apparmor_parser -h=dump # dump info about --dump options
Also Enable the dfa expression tree dumps
thing again. Fix to use the kernel's definition of AF_MAX in
linux/socket.h if it's larger than glibc's AF_MAX definition in
sys/socket.h and add a wrapper function so that we don't have include
af_names.h everywhere.
Also, fix memory leaks around the handling of network entries of
policies.
Change_profile was broken so that it couldn't parse expressions that
weren't path based or started with a variable. Furthermore if the name
held any expressions it was not hanlded correctly, as it was being passed
directly to dfa conversion without going through glob -> pcre conversion.
* move network families to filter out into a separate variable to
so that the list doesn't get lost in a complex sed invocation
* pull out the actual macro definitions from linux/socket.h and use
them if glibc's sys/socket.h (really bit/socket.h) hasn't caught up
with the family definitions.
- Update matching regex for reordered kernel audit messages (when they
come through syslog). Ideally, rather than use a regex, the utils would
just use the log parsing library to determine whether it's a log even
of interest.
- fix debugging code write a logfile in /var/log/apparmor and not a
predictable location in /tmp; File::Temp would be the right solution
except that the log file is created in a BEGIN clause, and
File::Temp.new() ends up returning an unopened filehandle in that
situation, so logging fails. Someone with more perl-fu may know how to
fix that.
- fix "Namespcae" tyop
- get rid of sub_name and default_deny from the main profile struct as
they haven't been used for a long time; also eliminates their output
from the debugging output.
- emit dumped parsing structure with only one -d, users were confuzzled
and it was not documented that you needed to use -dd to get it to
output anything if DEBUG wasn't set when compiling.
doesn't work. Making the parser match the documentation, though either
form should still work.
(Based on a secondary element of https://bugs.launchpad.net/bugs/341205)
Change the globbing conversion to include [^\x00]. This reduces cases of
artifical overlap between globbing rules, and link rules. Link rules
are encoded to use a \0 char to seperate the 2 match parts of the rule.
Before this fix a glob * or ** could match against the \0 seperator
resulting the generation of dfa states for that overlap. This of course
can never happen as \0 is not a valid path name character.
In one example stress policy when adding the rule
owner /** rwl,
this change made the difference between having a dfa with 55152 states
and one with 30019
- disable charter, charset merging. This can actually hamper optimization
in some cases and needs special cases added to the factoring code.
The charset code is merged off into its own routines that can be
reenabled at a later time.
- fix a couple bugs in tree simplifications that would cause earlier
exit before the tree had even reached a local minima
I particular the t != c portion of the simplify_tree, would cause
the loop to exit early if it didn't change but other modifications
had been made.
- remove the extra epsnode that was getting added to the created tree
- optimize the forward factor alt loop so that it will find all left
factor matches down the alt subtree without having to loop and recompare
against nodes that were already checked
These changes result in small improvements in most cases, but in some
policies the changes result in very large wins. The early bailout of
optimizations was causing 2.5* as many dfa states in one particular
stress test policy.
- fix-complain.diff
Fixes deny rules in complain mode so that they don't reject events
- mount-capability.diff
Allow confined applications to mount and unmount as long as they
have capability sys_admin
- fix-config.diff
Add the missing SECURITY_NETWORK dependency
- fix-security-param.diff
Make apparmor respect the security= parameter
- securit_default.diff
Add a new kernel config option to allow setting the default LSM,
When multiple LSMs are compiled into the kernel this is often
more desirable than taking the first LSM to register
- fork-tracking.diff
Newer kernels have changed the allocation of child pid until after
the security_clone hook. This breaks AppArmor's fork tracking
for processes that enter the null-complain-profile.
To fix this the parent pid is output with every message. A corresponding
update in the tools also must be done.
- fix-d_namespace_path.diff
It is possible that the root.mnt->mnt_ns has been unmounted, resulting
in an oops. In this case just test for it, and if it happens the
ns_root.mnt passed to __d_path will be NULL resulting in a disconnected
path.
- AppArmor-misc-cleanups.diff
Some miscelleanous cleanups from Miklos Szeredi, covering some
kernel coding style and defaults cleanups
- AppArmor-checkpatch.diff
patch from Miklos Szeredi, to cleanup sparse warnings, and other misc
coding style errors.
Needs love in the form of enhancements to support regexs, all the added
features in upcoming 2.3 release, etc.
Could also stand a bit of refactoring to make the ruby program not suck
up so much ram by writing out profiles as things go along rather than
generating a bunch of large objects and keeping them around.
Fork tracking is broken by the kernel message for clone no longer supplying
the child pid correctly. Instead the parent pid will be output with each
message and the tools will fake a fork when they detect a previously
unknow parent child relationship.
/usr/bin/rsyncd) bnc#408869
The unconfined tool shows:
[...]
29799 /usr/bin/rsync not confined
29799 /usr/bin/rsync not confined
This is because unconfined is grabbing the post symlink resolved exe filename
which for /usr/sbin/rsyncd is /usr/bin/rsync.
To fix this provide both the cmdline and exec name in parenthesis when the
exe name and the cmdline name differ.
For the above example you would see
29799 /usr/bin/rsync (/usr/sbin/rsyncd) not confined
been made but only from the top level. This allows us to get the
optimizations that were missed, while not causing the massive recursive call
explosion we had before.
Description: fix compile on build
Patch from Gentoo community:
- fix up a couple of missing semicolons in syntax (bison compensates
by emitting it's own)
- Fix yet another variable tyop in rc.apparmor.functions
- dump stderr of ls in rc.apparmor.functions to /dev/null
- add an install-unknown make target
alias rules and variable declarations within the preamble of a profile.
This commit adds another testcase for alias rules; one in which there is
an overlapping pair of aliases. The parser parses it, but based on -dd
output, I don't believe it's treating it properly.
Apply tree factoring and simplification techniques to reduce the number of
states used in computing the dfa. This can have an exponential impact
on both space and time for dfa generation.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
The format of audit messages that are redirected to syslog because
auditd isn't running changed between Hardy and Intrepid and now have
the type=NNNN field before the audit tag like--
Nov 1 22:24:43 box kernel: [ 158.113592] type=1503
audit(1225603483.635:5): operation="inode_permission" requested_mask="r::"
denied_mask="r::" fsuid=7 name="/proc/7034/net/" pid=7034
profile="/usr/sbin/cupsd"
I believe this patch will address the moved type=NNNN field as well as
capturing non-matching logfile input instead of printing it to stdout.
Patch modified by Steve Beattie <sbeattie@ubuntu.com> to take into
account a couple of different situations.
https://bugs.launchpad.net/bugs/271252https://bugzilla.novell.com/show_bug.cgi?id=441381
- flags being dropped from hats
- rules can be poorly split on writing the profile
- identical rules with different permissions are not properly combined, so
that only permissions of the last rule are kept
Added missing capabilities names.
Simple rlimits support. It doesn't care about range of individual limit,
you can add ie -100G stack size or 100M nice. But maybe sufficient?
of rlimits supported by the kernel.
- remove hat rules
- add hat flag for each profile
- fix apparmorfs profile listing code. Used to only return the first
80 or so profiles, and then refuse to output more
removing profiles, as the list is unstable after additions or removals.
- Add the ability to loaded precompiled policy by specifying the -B
option, which can be combined with --add or --replace
- rc.apparmor.functions were not correctly removing profiles on replace and
reload, also convert to using the module interface directly bypassing the
parser.
- fix cx -> named transitions
- fix apparmor_parser -N so that it emits hats as profiles under new kernel
modules. This is the correct behavior as hats are promoted to profiles.
- rpc was failing when passing arrays because the perl is_utf8 string flag
was set even though its only sending numbers but newer HTTP::Message
checks for this is_utf8 and if it finds it aborts.
- fix local profiles
local profiles were failing because
1.) the parameters to serialize_profile were bad
2.) the file location was not getting updated so they would get written
back to the inactive profiles directory
- rework how null transitions are done.
M fix-profile-namespaces.diff
- fix namespaces to use the :namespace: syntax
A cap-set.diff
- allow a profile to set a tasks capabilities similar to fscap
A rlimits.diff
- allow control of a tasks rlimits
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
- fix split init so that apparmor can be enabled at the boot command line.
The init was broken so that apparmor couldn't be enabled unless enabled
by default.
M apparmor-fix-lock-letter.diff
- fix the lock letter being reported (z -> k) and update some comments
A apparmor-create-append.diff
- fix semanitc bug where full write perms were needed to create a new file,
where only append is needed.
M fix-link-subset.diff
- partial fix of link subset
A no-safex-link-subset.diff
- more link subset fixes
A audit-log-type-in-syslog.diff
- fix audit type being missing when messages go to syslog. This patch
is needed for apparmor to work when messages go to syslog instead of
auditd. This patch can be dropped when upstream includes the
patch to report audit number when reporting to syslog
A audit-uid.diff
- report the fsuid to the log
A hat_perm.diff
- setup to use hat permissions instead of just profile search for
2.3
A apparmor-failed-name-error.diff
- fix a bug where on failed name resolution no error or information is
output. It now reports info in the status field and includes an
error_code
A extend-x-mods.diff
- extend the x-mods in preparation of audit ctl
A apparmor-secondary-accept.diff
- extend the dfa to have a second accept table used for audit ctl
A apparmor-audit-flags2.diff
- extend apparmor to support audit ctl of individual permissions.
- finish fixing link-subset
A fix-change_profile-namespace.diff
- Not applied, ignore
exits but doesn't have a flags=(X) component.
Use of uninitialized value in substitution (s///) at
/usr/lib/perl5/vendor_perl/Immunix/SubDomain.pm line 4687 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl tells you what operation
you used the undefined value in. Note, however, that perl optimizes your
program and the operation displayed in the warning may not necessarily
appear literally in your program. For example, "that $foo" is
usually optimized into "that " . $foo, and the warning will refer to
the concatenation (.) operator, even though there is no . in your
program.
sends messages to dispatcheres without the type=X string prepended.
So update the library so the dbus dispatcher doesn't have to prepend
the audit type information before trying to parse the message.
users to push/pull/search for profiles in remote
repositories. It is not fully functional at the
moment (the official repository is down) but I'd
like to get feedback on the basic usage. The
options for
push/pull/search/status/getconfig/setconfig
are working (usage/help below). I think the next
step could be a basic gtk UI to give users a
decent UI to manage profiles/repositories.
Feedback welcomed about the usage model -
would a graphical tool make sense?
--------------------------------------------------------
aa-repo.pl --command args
--search [author=XXX] [prog=XXX] [id=XXX]
Search the repository for profiles matching the search criteria
and return the results.
NOTE: One --search switch per option
--verbose|v
Verbosity level. Supply either one or two switches. Two switches
adds full profile text in returned search results.
--push [--profile=XXX|all] [--changelog=XXX]
Push local profiles to repository, uses configured user and upon
overwrite of an existing profile in the repository then prompt
user with a diff for confirmation XXX the name of the application
whose profile should be uploaded or "all" to upload all
profiles. Multiple --profile switches may be passed to supply
multiple profile names
e.g. --push --profile /usr/sbin/mdnsd --profile /usr/sbin/ftp
e.g. --push --profile all
--pull [--author=XXX] [--profile=XXX] or [--id=XXX] [--mode=complain]
pull remote profiles and install on local system
If operation will change local profiles then prompt user with
diff for confirmation
NOTE: One --pull switch per option and there are three acceptable
combinations
--pull --author=XXX
* pull all profiles in the repo for the author
--pull --author=XXX --profile=XXXX
* pull the profile for prog owned by author
--pull --id=XXXX
* pull the profile with id
--pull --mode=complain
* set the profile(s) to complain mode when installed
Profiles are checked for conflicts with currently installed
profiles and presented as a list to the user to confirm and view.
--sync [--up] [--down] [--noconfirm]
Synchronize local profile set with the repository - showing
changes and allowing prompting the user with the diffs and
suggest the newest version to be activated. If the --all option
is passed then treat profiles not marked as remote as new
profiles that will be uploaded to the repository.
--status
Show the current status of the local profile set. This operation
is similar to sync but does not prompt the user to up|down load
changes
--setconfig [url=xxx] [username=xxxx] [password=xxxx] [enabled=(yes|no)]
[upload=(yes|no)]
Set the configuration options for the repository.
NOTE: One --setconfig switch per option
--getconfig|c
Print the current configuration for the repsository
--quiet|q Don't prompt user - assume that all changes should be made.
routines into a standalone perl module.
Factor out the config file reading/writing into a
standalone perl module. The goal here was to
start to break out some of the basic routines
that the tools use into their own independent
modules.
- pass vfsmnt param for cgroups
A fix-user-audit.diff
- nothing
A fix-link-subset.diff
- fix reporting of failed link subsets
A apparmor-fix-lock-letter.diff
- fix the reported lock letter in apparmorfs/matching
- reverted audit request_mask back to requested_mask
A apparmor-fix-sysctl-refcount.diff
- fix a refcount leak in sysctl audit
which means the failure of the tests is known. So known_fail
means the test should fail but is known to succeed and similar
for known_pass.
This allows tests to be marked as having a known problem so that
regressions are useful to those less familure with what is failing
repository. This makes the repository agnostic to profile mode
(complain/enforce) - users must manage this locally via
aa-complain/aa-enforce.
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328033
- processing an unknown hat/execute rejection if its not already in the profile
- at the start of processing all the remain events for the profile
Addresses novell bug: https://bugzilla.novell.com/show_bug.cgi?id=328707
$msg="type=APPARMOR msg=audit(1168662182.495:58): PERMITTING r access to /home/matt/projects/change_hat_test/test (test_hat(27871) profile /home/matt/projects/change_hat_test/test_hat active null-complain-profile)";
Sep 13 13:11:13 lizaveta kernel: AppArmor: REJECTING exec(2) of image '/usr/lib/mailman/mail/mailman'. Profile mandatory and not found (local(20700) profile /usr/lib/postfix/local active /usr/lib/postfix/local)
@@ -34,7 +34,7 @@ class ProfileToolFrame : public wxFrame
public:
ProfileToolFrame(constwxString&title,
constwxPoint&pos,
constwxSize&pos,
constwxSize&size,
constwxString&startingProfile,
constwxString&startingHighlight);
~ProfileToolFrame();
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
