
8 Commits

Steve Beattie
df0f20f32b parser+libapparmor: partially address issues building with musl
adjust macros and header inclusion to make progress on building with the
musl C library.

Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-27 17:12:24 -07:00
Steve Beattie
c4a4e5bb82 profiles: add attach_disconnected flags to example apache profile
Without it, seeing rejections like:

  apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

Acked-by: Steve Beattie <steve@nxnw.org>

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875892
2017-10-27 10:59:33 -07:00
Steve Beattie
d2f7f21b04 profiles: update wireshark profile for modern releases
Acked-by: Steve Beattie <steve@nxnw.org>
2017-10-26 16:58:26 -07:00
Patrick Steinhardt
ca42518c1d parser: include <limits.h> for PATH_MAX macro
The `PATH_MAX` macro is typically defined in the <limits.h>
header by the system's libc implementation. While we do not
include it right now, glibc indirectly includes it via other
headers already and thus compilation of the file succeeds. For
other libc implementations this may not be the case, which would
then lead to a compilation error. This is the case for musl libc.

Explicitly include <limits.h> to fix this.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-09-27 11:38:35 +02:00
Patrick Steinhardt
41c1e30e9b parser: fix compilation with missing RLIMIT macros
The define `RLIMIT_OFILE` is a historic macro originating from
the BSDs, which is nowadays an alias for `RLIMIT_NOFILE`. On some
implementations, it has thus been dropped in favor of the new
define, but we still assume it will always be defined in our
rlimit keywords table. Wrap it in an `ifdef` to fix compilation
on systems where it does not exist.

For the second macro `RLIMIT_RTTIME`, we do check for its
existence in our keywords table, but then forgot to do so in the
YACC rules. Wrap it into an `ifdef`, as well.

Both patches serve the goal to fix compilation on musl libc.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-09-27 11:31:10 +02:00
Patrick Steinhardt
b973c9b473 libapparmor: do not use __BEGIN_DECLS/__END_DECLS macros
The macros __BEGIN_DECLS and __END_DECLS are not conforming to
any standard, but are a custom extension of the glibc library. As
such, it may not be available in other libc implementations, with
one example being musl libc. So compiling libapparmor won't work
with a strictly standards-conforming library.

These macros are typically used for header files which might be
included in a C++ project. Depending on whether the header is
seen by a C or C++ compiler, it will hint that functions have C
linkage. The macros themselves are rather simple:

#ifdef __cplusplus
# define __BEGIN_DECLS extern "C" {
# define __END_DECLS }
#else 
# define __BEGIN_DECLS
# define __END_DECLS
#endif

To fix compilation with musl libc, simply expand those macros to
explicitly use `extern "C"`. This is already used in other parts
of apparmor and should thus be safe to use.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-09-27 11:26:51 +02:00
intrigeri
c79dd88edb apache2: use attach_disconnected
Otherwise we fail with:

   apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/apache2" name="" pid=13777 comm="apache2" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

Patch by Guido Günther <agx@sigxcpu.org>.
2017-09-20 16:45:09 +02:00
Simon Deziel
bb981d54f0 usr.bin.wireshark: refresh for Xenial
Bug: https://launchpad.net/bugs/1665535
2016-04-13 16:52:32 -04:00
7 changed files with 63 additions and 13 deletions


@@ -22,7 +22,9 @@
#include <stdint.h>
#include <sys/types.h>
__BEGIN_DECLS
#ifdef __cplusplus
extern "C" {
#endif
/*
* Class of public mediation types in the AppArmor policy db
@@ -191,6 +193,8 @@ extern int aa_policy_cache_remove(int dirfd, const char *path);
extern int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
aa_kernel_interface *kernel_interface);
__END_DECLS
#ifdef __cplusplus
}
#endif
#endif /* sys/apparmor.h */
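Review bot: The open-coded `#ifdef __cplusplus` / `extern "C" {` / `#endif` guard that replaces `__BEGIN_DECLS` in this header (and the identical one in sys/apparmor_private.h) loses the self-description the macro name carried, and nothing in the file now says why the glibc macro was dropped. A one-line comment above the new guard, such as `/* C linkage for C++ consumers; glibc's __BEGIN_DECLS is not portable (e.g. musl) */`, would stop a later cleanup from reintroducing the macro. The matching closing guard before `#endif /* sys/apparmor.h */` needs no comment of its own.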


@@ -20,7 +20,9 @@
#include <stdio.h>
#include <sys/stat.h>
__BEGIN_DECLS
#ifdef __cplusplus
extern "C" {
#endif
int _aa_is_blacklisted(const char *name);
@@ -33,6 +35,8 @@ int _aa_asprintf(char **strp, const char *fmt, ...);
int _aa_dirat_for_each(int dirfd, const char *name, void *data,
int (* cb)(int, const char *, struct stat *, void *));
__END_DECLS
#ifdef __cplusplus
}
#endif
#endif /* sys/apparmor_private.h */


@@ -45,6 +45,7 @@
#include <unistd.h>
#include <errno.h>
#include <dirent.h>
#include <limits.h>
#include "lib.h"
#include "parser.h"
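Review bot: Including `<limits.h>` does not by itself guarantee that `PATH_MAX` is defined: POSIX makes the constant optional and at least one platform (GNU/Hurd) leaves it undefined, so the compilation error the commit targets on musl would still appear there. If this file is expected to build on such systems, a fallback after the new include, `#ifndef PATH_MAX` / `#define PATH_MAX 4096` / `#endif`, is the usual approach; otherwise a comment noting that the build assumes a libc that defines `PATH_MAX` would document the limitation. I cannot see the `PATH_MAX` uses from this hunk, so whether a fixed fallback size is acceptable for them is an assumption to confirm.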


@@ -124,7 +124,9 @@ static struct keyword_table rlimit_table[] = {
{"core", RLIMIT_CORE},
{"rss", RLIMIT_RSS},
{"nofile", RLIMIT_NOFILE},
#ifdef RLIMIT_OFILE
{"ofile", RLIMIT_OFILE},
#endif
{"as", RLIMIT_AS},
{"nproc", RLIMIT_NPROC},
{"memlock", RLIMIT_MEMLOCK},


@@ -902,6 +902,7 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE opt_id TOK_END_OF_RULE
pwarn(_("RLIMIT 'cpu' no units specified using default units of seconds\n"));
value = tmp;
break;
#ifdef RLIMIT_RTTIME
case RLIMIT_RTTIME:
/* RTTIME is measured in microseconds */
if (!end || $6 == end || tmp < 0)
@@ -913,6 +914,7 @@ rules: rules TOK_SET TOK_RLIMIT TOK_ID TOK_LE TOK_VALUE opt_id TOK_END_OF_RULE
pwarn(_("RLIMIT 'rttime' no units specified using default units of microseconds\n"));
value = tmp;
break;
#endif
case RLIMIT_NOFILE:
case RLIMIT_NPROC:
case RLIMIT_LOCKS:


@@ -1,7 +1,7 @@
# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
#include <tunables/global>
/usr/sbin/apache2 {
/usr/sbin/apache2 flags=(attach_disconnected) {
# This profile is completely permissive.
# It is designed to target specific applications using mod_apparmor,
@@ -84,7 +84,7 @@
/** mrwlkix,
^DEFAULT_URI {
^DEFAULT_URI flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/apache2-common>
@@ -92,7 +92,7 @@
/** mrwlkix,
}
^HANDLING_UNTRUSTED_INPUT {
^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
#include <abstractions/apache2-common>
/ rw,
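Review bot: Adding `flags=(attach_disconnected)` to the profile header and to the `^DEFAULT_URI` and `^HANDLING_UNTRUSTED_INPUT` hats changes how path rules are matched, and no comment in the profile records why: with the flag, paths that cannot be resolved relative to the namespace root are treated as if attached to `/`, so existing rules such as the `/** mrwlkix,` lines visible in the hunks can match files the rule author did not have in mind. That is less of a concern for the top-level profile, which the header comment already describes as completely permissive, but it widens the `^HANDLING_UNTRUSTED_INPUT` hat as well. A comment above the first header, e.g. `# attach_disconnected: needed for file_mmap on disconnected paths (see bug 875892); it also lets path rules match disconnected files as if rooted at /`, would preserve the reasoning from the commit message where future maintainers will see it.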


@@ -16,29 +16,66 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/dconf>
#include <abstractions/dbus-session-strict>
#include <abstractions/ibus>
#include <abstractions/kde>
#include <abstractions/nameservice>
#include <abstractions/gnome>
#include <abstractions/user-write>
#include <abstractions/X>
#include <abstractions/dbus-accessibility-strict>
dbus (send)
bus=session
peer=(name=org.a11y.Bus),
dbus (receive)
bus=session
interface=org.a11y.atspi**,
dbus (receive, send)
bus=accessibility,
capability net_raw,
/etc/ethers r,
# From abstractions/evince
deny /run/udev/data/** r,
@{HOME}/.wireshark/* rw,
@{HOME}/.fonts.cache-* r,
/etc/ethers r,
/etc/udev/udev.conf r,
/etc/wireshark/** r,
owner @{HOME}/.wireshark/* rw,
owner @{HOME}/.config/wireshark/* rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.lock rw,
owner @{HOME}/.fonts.cache-* r,
owner @{HOME}/.config/dconf/user w,
owner /{,var/}run/user/*/dconf/user w,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/net/dev r,
/sys/devices/pci[0-9]*/**/uevent r,
/etc/pango/pango.modules r,
/usr/lib/gtk-*/*/loaders/* mr,
/usr/share/* r,
/usr/share/icons/** r,
/usr/share/icons/ r,
/usr/share/icons/** rk,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/* r,
/usr/lib/firefox/firefox.sh rPx,
/usr/bin/wireshark mixr,
/usr/share/icons r,
/usr/share/mime/* r,
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/* r,
/usr/share/snmp/mibs/.index rw,
/usr/share/wireshark/** r,
/usr/share/GeoIP/ r,
/usr/share/GeoIP/** r,
/usr/lib/@{multiarch}/wireshark/extcap/* ix,
/usr/lib/@{multiarch}/wireshark/plugins/**/ r,
/usr/lib/@{multiarch}/wireshark/plugins/**.so mr,
# for reading pcaps
/**.pcap r,
}
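Review bot: `/**.pcap r,` near the end of the hunk grants read access to every file named `*.pcap` anywhere on the filesystem, including captures owned by other users, which is broader than the `owner @{HOME}/...` pattern the rest of the refresh adopts for user data. The rendering has dropped the +/- markers, so I cannot confirm whether this line is newly added or retained; if it is new, consider `owner /**.pcap r,` or scoping it to `@{HOME}` plus any shared capture directory, and otherwise extend the `# for reading pcaps` comment to say that reading other users' captures is intended. `/usr/share/* r,` in the same hunk is similarly wide, though that tree is normally world-readable so the practical exposure is small.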