Compare commits
27 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
df0ac742f7 | ||
|
d779dbf88a | ||
|
979d544b48 | ||
|
9d4571aac9 | ||
|
8b297f2589 | ||
|
a863279f06 | ||
|
a657924262 | ||
|
85bafde501 | ||
|
d3b92788e9 | ||
|
370c9292ed | ||
|
fd50663ec5 | ||
|
ae74d9344a | ||
|
99c652c769 | ||
|
937c5a15b2 | ||
|
81f6724747 | ||
|
6f817f6233 | ||
|
c557b89045 | ||
|
89fdc1b532 | ||
|
4c9fe34310 | ||
|
e821a018d9 | ||
|
e78ef3f7ba | ||
|
ed9ccbdd31 | ||
|
14a11e67a5 | ||
|
8b766451d5 | ||
|
46b1c7a3bb | ||
|
515cb80901 | ||
|
4baccd12ef |
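--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,54 @@
+---
+image: ubuntu:latest
+before_script:
+- export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-notify2 python3-psutil zlib1g-dev
+- lsb_release -a
+- uname -a
+
+# XXX - add a deploy stage to publish man pages, docs, and coverage
+# reports
+
+stages:
+- build
+- test
+
+build-all:
+stage: build
+artifacts:
+name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
+expire_in: 30 days
+untracked: true
+paths:
+- libraries/libapparmor/
+- parser/
+- binutils/
+- utils/
+- changehat/mod_apparmor/
+- changehat/pam_apparmor/
+- profiles/
+script:
+- cd libraries/libapparmor && ./autogen.sh && PYTHON=/usr/bin/python3 ./configure --with-perl --with-python --prefix=/usr && make PYTHON=/usr/bin/python3 && cd ../.. || { cat config.log ; exit 1 ; }
+- make -C parser
+- make -C binutils
+- make -C utils
+- make -C changehat/mod_apparmor
+- make -C changehat/pam_apparmor
+- make -C profiles
+
+test-all:
+stage: test
+script:
+- make -C libraries/libapparmor check PYTHON=/usr/bin/python3
+- make -C parser check
+- make -C binutils check
+- make -C utils check PYFLAKES=/usr/bin/pyflakes3 PYTHON_VERSIONS=/usr/bin/python3
+- make -C changehat/mod_apparmor check
+- make -C profiles check-parser
+
+# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
+# - make -C profiles check-profiles
+
+# test-pam_apparmor:
+# - stage: test
+# - script:
+# - cd changehat/pam_apparmor && make check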
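Review bot: `image: ubuntu:latest` pins nothing, so the compiler, Python and bison versions the pipeline builds against change whenever the tag moves, and a red pipeline cannot be reproduced against the commit that produced it; pin a release tag (`image: ubuntu:<release>`, with the release chosen deliberately) and bump it on purpose. The `apt-get install` list in `before_script` floats in the same way, which is acceptable for a smoke build but worth one comment saying so. The `cd ../.. || { cat config.log ; exit 1 ; }` tail only reaches `config.log` when the failure happened inside libraries/libapparmor, which is the case that matters, so that part is fine as written.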
@@ -133,7 +133,7 @@ Utilities:
|
||||
```
|
||||
$ cd utils
|
||||
$ make
|
||||
$ make check
|
||||
$ make check PYFLAKES=/usr/bin/pyflakes3
|
||||
$ make install
|
||||
```
|
||||
|
||||
|
@@ -1 +1 @@
|
||||
2.13.3
|
||||
2.13.4
|
||||
|
@@ -139,7 +139,7 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
|
||||
if test -z "$PYTHON_EXTRA_LIBS"; then
|
||||
PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
|
||||
conf = distutils.sysconfig.get_config_var; \
|
||||
sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
|
||||
sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
|
||||
fi
|
||||
AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
|
||||
AC_SUBST(PYTHON_EXTRA_LIBS)
|
||||
@@ -164,7 +164,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
|
||||
# save current global flags
|
||||
ac_save_LIBS="$LIBS"
|
||||
ac_save_CPPFLAGS="$CPPFLAGS"
|
||||
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
|
||||
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
|
||||
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
|
||||
AC_TRY_LINK([
|
||||
#include <Python.h>
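Review bot: The rewritten PYTHON_EXTRA_LIBS probe, `sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))`, still binds `conf` to `distutils.sysconfig.get_config_var`, and distutils is deprecated since Python 3.10 and removed in 3.12, so on newer interpreters the probe will fail and PYTHON_EXTRA_LIBS come back empty just as the new `$PYTHON_EXTRA_LIBS` use in the `@@ -164,7` hunk starts depending on it. The standard-library replacement exposes the same Makefile keys: `import sys, sysconfig; conf = sysconfig.get_config_var;`. The macro body starts and ends outside the hunk.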
|
||||
|
@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
|
||||
# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
|
||||
#
|
||||
AA_LIB_CURRENT = 7
|
||||
AA_LIB_REVISION = 1
|
||||
AA_LIB_REVISION = 2
|
||||
AA_LIB_AGE = 6
|
||||
|
||||
SUFFIXES = .pc.in .pc
|
||||
|
@@ -19,7 +19,12 @@
|
||||
%{
|
||||
|
||||
/* set the following to non-zero to get bison to emit debugging
|
||||
* information about tokens given and rules matched. */
|
||||
* information about tokens given and rules matched.
|
||||
* Also:
|
||||
* Uncomment the %defines
|
||||
* parse.error
|
||||
* parse.trace
|
||||
*/
|
||||
#define YYDEBUG 0
|
||||
#include <string.h>
|
||||
#include <aalogparse.h>
|
||||
@@ -34,7 +39,9 @@ aa_log_record *ret_record;
|
||||
* emit messages when asked for. */
|
||||
void aalogparse_error(void *scanner, char const *s)
|
||||
{
|
||||
//printf("ERROR: %s\n", s);
|
||||
#if (YYDEBUG != 0)
|
||||
printf("ERROR: %s\n", s);
|
||||
#endif
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
}
|
||||
|
||||
@@ -68,6 +75,11 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%}
|
||||
|
||||
%defines
|
||||
/* uncomment for debugging
|
||||
%define parse.error verbose
|
||||
%define parse.trace
|
||||
*/
|
||||
|
||||
%define api.pure
|
||||
%lex-param{void *scanner}
|
||||
%parse-param{void *scanner}
|
||||
@@ -128,6 +140,8 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%token TOK_KEY_PEER_PID
|
||||
%token TOK_KEY_PROFILE
|
||||
%token TOK_KEY_PEER_PROFILE
|
||||
%token TOK_KEY_LABEL
|
||||
%token TOK_KEY_PEER_LABEL
|
||||
%token TOK_KEY_PEER
|
||||
%token TOK_AUDIT
|
||||
%token TOK_KEY_FAMILY
|
||||
@@ -194,7 +208,7 @@ new_syntax:
|
||||
| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
|
||||
| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
|
||||
| TOK_TYPE_LSM_AVC audit_msg key_list
|
||||
| TOK_TYPE_USER_AVC audit_user_msg TOK_SINGLE_QUOTE key_list TOK_SINGLE_QUOTE
|
||||
| TOK_TYPE_USER_AVC audit_user_msg
|
||||
;
|
||||
|
||||
other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
|
||||
@@ -218,6 +232,11 @@ syslog_type:
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
|
||||
/* needs update: hard newline in handling mutiline log messages */
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
|
||||
{ ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
|
||||
| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
|
||||
@@ -234,7 +253,13 @@ audit_dispatch:
|
||||
audit_msg: TOK_KEY_MSG TOK_EQUALS audit_id
|
||||
;
|
||||
|
||||
audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS
|
||||
audit_user_msg_partial_tail: ignored_pid ignored_uid ignored_auid ignored_ses TOK_KEY_MSG TOK_EQUALS TOK_SINGLE_QUOTE key_list
|
||||
;
|
||||
|
||||
audit_user_msg_tail: audit_user_msg_partial_tail TOK_SINGLE_QUOTE
|
||||
;
|
||||
|
||||
audit_user_msg: TOK_KEY_MSG TOK_EQUALS audit_id audit_user_msg_tail
|
||||
;
|
||||
|
||||
audit_id: TOK_AUDIT TOK_OPEN_PAREN TOK_AUDIT_DIGITS TOK_PERIOD TOK_AUDIT_DIGITS TOK_COLON TOK_AUDIT_DIGITS TOK_CLOSE_PAREN TOK_COLON
|
||||
@@ -292,6 +317,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->profile = $3;}
|
||||
| TOK_KEY_PEER_PROFILE TOK_EQUALS safe_string
|
||||
{ ret_record->peer_profile = $3;}
|
||||
| TOK_KEY_LABEL TOK_EQUALS safe_string
|
||||
{ ret_record->profile = $3;}
|
||||
| TOK_KEY_PEER_LABEL TOK_EQUALS safe_string
|
||||
{ ret_record->peer_profile = $3;}
|
||||
| TOK_KEY_FAMILY TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ ret_record->net_family = $3;}
|
||||
| TOK_KEY_SOCK_TYPE TOK_EQUALS TOK_QUOTED_STRING
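Review bot: The new `TOK_KEY_LABEL` and `TOK_KEY_PEER_LABEL` actions assign into `ret_record->profile` and `ret_record->peer_profile`, the same fields the `profile=` and `peer_profile=` keys fill, so a record that carries both spellings overwrites the earlier pointer; if safe_string values are heap-allocated, as the `free($2)`/`free($4)` actions in the syslog_type rules suggest, the first string then leaks. Either release the previous value before assigning, `if (ret_record->profile) free(ret_record->profile);` ahead of `ret_record->profile = $3;` (and the same for peer_profile), or state in a comment on the rule that a record is expected to contain only one of the two keys. The `key:` rule starts and ends outside this hunk.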
|
||||
|
@@ -131,6 +131,8 @@ key_pid "pid"
|
||||
key_peer_pid "peer_pid"
|
||||
key_profile "profile"
|
||||
key_peer_profile "peer_profile"
|
||||
key_label "label"
|
||||
key_peer_label "peer_label"
|
||||
key_family "family"
|
||||
key_sock_type "sock_type"
|
||||
key_protocol "protocol"
|
||||
@@ -314,6 +316,8 @@ yy_flex_debug = 0;
|
||||
{key_peer_pid} { return(TOK_KEY_PEER_PID); }
|
||||
{key_profile} { BEGIN(safe_string); return(TOK_KEY_PROFILE); }
|
||||
{key_peer_profile} { BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
|
||||
{key_label} { BEGIN(safe_string); return(TOK_KEY_LABEL); }
|
||||
{key_peer_label} { BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
|
||||
{key_family} { return(TOK_KEY_FAMILY); }
|
||||
{key_sock_type} { return(TOK_KEY_SOCK_TYPE); }
|
||||
{key_protocol} { return(TOK_KEY_PROTOCOL); }
|
||||
|
@@ -14,6 +14,7 @@ int main(int argc, char **argv)
|
||||
FILE *testcase;
|
||||
char log_line[1024];
|
||||
aa_log_record *test = NULL;
|
||||
size_t size;
|
||||
int ret = -1;
|
||||
|
||||
if (argc != 2)
|
||||
@@ -32,14 +33,14 @@ int main(int argc, char **argv)
|
||||
return(1);
|
||||
}
|
||||
|
||||
if (fgets(log_line, 1023, testcase) == NULL)
|
||||
{
|
||||
size = fread(log_line, 1, 1023, testcase);
|
||||
if (ferror(testcase)) {
|
||||
fprintf(stderr, "Could not read testcase.\n");
|
||||
fclose(testcase);
|
||||
return(1);
|
||||
}
|
||||
|
||||
fclose(testcase);
|
||||
log_line[size] = 0;
|
||||
|
||||
test = parse_record(log_line);
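Review bot: After `size = fread(log_line, 1, 1023, testcase);` a testcase longer than 1023 bytes is silently truncated and `parse_record` sees a partial record, so an over-long fixture yields a misleading parse instead of a reported failure; add a truncation check next to the ferror test, e.g. `if (!feof(testcase)) { fprintf(stderr, "Testcase exceeds %zu bytes.\n", sizeof(log_line) - 1); fclose(testcase); return(1); }`. Writing the fread length as `sizeof(log_line) - 1` instead of the repeated literal keeps the buffer size in one place. main() starts and ends outside the hunk.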
|
||||
|
||||
|
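--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.in
@@ -0,0 +1 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'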
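--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.out
@@ -0,0 +1,18 @@
+START
+File: testcase_dbus_08.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+Command: /usr/bin/dbus-daemon
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186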
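--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_08.profile
@@ -0,0 +1,4 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
+}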
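--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.in
@@ -0,0 +1,2 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined"
+exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'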
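--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.out
@@ -0,0 +1,18 @@
+START
+File: testcase_dbus_09.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+Command: /usr/bin/dbus-daemon
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186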
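--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_09.profile
@@ -0,0 +1,3 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=( name=org.freedesktop.systemd1, label=unconfined),
+}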
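--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.in
@@ -0,0 +1 @@
+Jun 20 17:57:06 ns1 kernel: [4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" peer_pid=1 peer_label="unconfined"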
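--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.out
@@ -0,0 +1,17 @@
+START
+File: testcase_dbus_10.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1561053426.749:186
+Operation: dbus_method_call
+Denied Mask: send
+Profile: /tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service
+Peer profile: unconfined
+Name: org.freedesktop.systemd1
+PID: 20596
+Peer PID: 1
+DBus bus: system
+DBus path: /org/freedesktop/systemd1
+DBus interface: org.freedesktop.systemd1.Manager
+DBus member: LookupDynamicUserByName
+Epoch: 1561053426
+Audit subid: 186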
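--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dbus_10.profile
@@ -0,0 +1,4 @@
+/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service {
+dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName peer=(label=unconfined),
+
+}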
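--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1562529588.082:3153): apparmor="DENIED" operation="open" profile="unbalanced_parenthesis" name="/dev/shm/test(me" pid=888 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000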
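--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.out
@@ -0,0 +1,15 @@
+START
+File: unbalanced_parenthesis.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1562529588.082:3153
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: unbalanced_parenthesis
+Name: /dev/shm/test(me
+Command: cat
+PID: 888
+Epoch: 1562529588
+Audit subid: 3153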
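--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.profile
@@ -0,0 +1,4 @@
+profile unbalanced_parenthesis {
+owner /dev/shm/test(me r,
+
+}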
@@ -24,6 +24,8 @@ include $(COMMONDIR)/Make.rules
|
||||
|
||||
DESTDIR=/
|
||||
APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
|
||||
SBINDIR=${DESTDIR}/sbin
|
||||
USR_SBINDIR=${DESTDIR}/usr/sbin
|
||||
SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
|
||||
CONFDIR=/etc/apparmor
|
||||
INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
|
||||
@@ -318,8 +320,8 @@ install-redhat:
|
||||
|
||||
.PHONY: install-suse
|
||||
install-suse: install-systemd
|
||||
install -m 755 -d $(DESTDIR)/sbin
|
||||
ln -sf service $(DESTDIR)/sbin/rcapparmor
|
||||
install -m 755 -d $(SBINDIR)
|
||||
ln -sf service $(SBINDIR)/rcapparmor
|
||||
|
||||
.PHONY: install-slackware
|
||||
install-slackware:
|
||||
@@ -365,8 +367,8 @@ install: install-indep install-arch
|
||||
|
||||
.PHONY: install-arch
|
||||
install-arch: $(INSTALLDEPS)
|
||||
install -m 755 -d $(DESTDIR)/sbin
|
||||
install -m 755 ${TOOLS} $(DESTDIR)/sbin
|
||||
install -m 755 -d $(SBINDIR)
|
||||
install -m 755 ${TOOLS} $(SBINDIR)
|
||||
|
||||
.PHONY: install-indep
|
||||
install-indep: indep
|
||||
@@ -384,8 +386,8 @@ install-systemd:
|
||||
install -m 755 -d $(SYSTEMD_UNIT_DIR)
|
||||
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
|
||||
install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
|
||||
install -m 755 -d $(DESTDIR)/usr/sbin
|
||||
install -m 755 aa-teardown $(DESTDIR)/usr/sbin
|
||||
install -m 755 -d $(USR_SBINDIR)
|
||||
install -m 755 aa-teardown $(USR_SBINDIR)
|
||||
|
||||
ifndef VERBOSE
|
||||
.SILENT: clean
|
||||
|
@@ -1047,7 +1047,7 @@ Example AppArmor DBus rules:
|
||||
peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
|
||||
|
||||
# Allow receive access for all unconfined peers
|
||||
dbus receive peer=(label=unconfined)),
|
||||
dbus receive peer=(label=unconfined),
|
||||
|
||||
# Allow eavesdropping on the system bus
|
||||
dbus eavesdrop bus=system,
|
||||
@@ -1167,7 +1167,7 @@ E.G.
|
||||
|
||||
network unix stream, => unix stream,
|
||||
|
||||
Fine grained mediation rules however can not be lossly converted back
|
||||
Fine grained mediation rules however can not be losslessly converted back
|
||||
to the coarse grained network rule; e.g.
|
||||
|
||||
unix bind addr=@example,
|
||||
|
@@ -10,6 +10,7 @@ endif
|
||||
|
||||
TARGET=libapparmor_re.a
|
||||
|
||||
AR ?= ar
|
||||
CFLAGS ?= -g -Wall -O2 ${EXTRA_CFLAGS} -std=gnu++0x
|
||||
CXXFLAGS := ${CFLAGS} ${INCLUDE_APPARMOR}
|
||||
|
||||
@@ -22,7 +23,7 @@ all : ${TARGET}
|
||||
UNITTESTS = tst_parse
|
||||
|
||||
libapparmor_re.a: parse.o expr-tree.o hfa.o chfa.o aare_rules.o
|
||||
ar ${ARFLAGS} $@ $^
|
||||
${AR} ${ARFLAGS} $@ $^
|
||||
|
||||
expr-tree.o: expr-tree.cc expr-tree.h
|
||||
|
||||
|
@@ -206,7 +206,7 @@ static void display_usage(const char *command)
|
||||
" --skip-bad-cache Don't clear cache if out of sync\n"
|
||||
" --purge-cache Clear cache regardless of its state\n"
|
||||
" --debug-cache Debug cache file checks\n"
|
||||
" --print-cache_dir Print the cache directory path\n"
|
||||
" --print-cache-dir Print the cache directory path\n"
|
||||
"-L, --cache-loc n Set the location of the profile caches\n"
|
||||
"-q, --quiet Don't emit warnings\n"
|
||||
"-v, --verbose Show profile names as they load\n"
|
||||
|
@@ -52,3 +52,7 @@
|
||||
# mouse themes
|
||||
/etc/X11/cursors/ r,
|
||||
/etc/X11/cursors/** r,
|
||||
|
||||
# Xwayland
|
||||
owner /run/user/*/.mutter-Xwaylandauth.* r,
|
||||
|
||||
|
@@ -2,6 +2,7 @@
|
||||
#
|
||||
# Copyright (C) 2002-2009 Novell/SUSE
|
||||
# Copyright (C) 2009-2012 Canonical Ltd
|
||||
# Copyright (C) 2019 Christian Boltz
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -14,13 +15,13 @@
|
||||
# Some services need to perform authentication of users
|
||||
# Such authentication almost certainly needs access to the local users
|
||||
# databases containing passwords, PAM configuration files, PAM libraries
|
||||
/etc/nologin r,
|
||||
/etc/pam.d/* r,
|
||||
/etc/securetty r,
|
||||
/etc/security/* r,
|
||||
/etc/shadow r,
|
||||
/etc/gshadow r,
|
||||
/etc/pwdb.conf r,
|
||||
/{usr/,}etc/nologin r,
|
||||
/{usr/,}etc/pam.d/* r,
|
||||
/{usr/,}etc/securetty r,
|
||||
/{usr/,}etc/security/* r,
|
||||
/{usr/,}etc/shadow r,
|
||||
/{usr/,}etc/gshadow r,
|
||||
/{usr/,}etc/pwdb.conf r,
|
||||
|
||||
/{usr/,}lib{,32,64}/security/pam_filter/* mr,
|
||||
/{usr/,}lib{,32,64}/security/pam_*.so mr,
|
||||
@@ -32,8 +33,8 @@
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
# SuSE's pwdutils are different:
|
||||
/etc/default/passwd r,
|
||||
/etc/login.defs r,
|
||||
/{usr/,}etc/default/passwd r,
|
||||
/{usr/,}etc/login.defs r,
|
||||
|
||||
# nis
|
||||
#include <abstractions/nis>
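Review bot: The `{usr/,}` alternation added to `/{usr/,}etc/shadow r,` and `/{usr/,}etc/gshadow r,` (and to the pwdutils paths in the `@@ -32,8` hunk) extends this abstraction's read grant on password hashes to a second directory tree, and nothing in the file says which layout that serves. Every profile that includes this abstraction inherits the grant, so a one-line comment naming the reason would let reviewers judge the widening, e.g. `# /{usr/,}etc: distributions that ship default configuration under /usr/etc` — presumably the motivation, to be confirmed with the author. The heading comment above the block already explains why the password databases must be readable; the new comment belongs next to it.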
|
||||
|
@@ -23,6 +23,10 @@
|
||||
/dev/log w,
|
||||
/dev/random r,
|
||||
/dev/urandom r,
|
||||
# Allow access to the uuidd daemon (this daemon is a thin wrapper around
|
||||
# time and getrandom()/{,u}random and, when available, runs under an
|
||||
# unprivilged, dedicated user).
|
||||
/run/uuidd/request r,
|
||||
/etc/locale/** r,
|
||||
/etc/locale.alias r,
|
||||
/etc/localtime r,
|
||||
@@ -155,7 +159,9 @@
|
||||
# prevents access to the files from processes running under a different uid.
|
||||
|
||||
# encrypted ~/.Private and old-style encrypted $HOME
|
||||
owner @{HOME}/.Private/ r,
|
||||
owner @{HOME}/.Private/** mrixwlk,
|
||||
# new-style encrypted $HOME
|
||||
owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r,
|
||||
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
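Review bot: The new comment line `# unprivilged, dedicated user).` misspells the word; change it to `# unprivileged, dedicated user).`. The three-line justification attached to `/run/uuidd/request r,` is otherwise exactly the kind of note these abstractions benefit from, since it tells the next reader what the grant is for and why it is considered safe.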
|
||||
|
||||
|
@@ -45,7 +45,7 @@
|
||||
owner @{HOME}/.local/share/fonts/** r,
|
||||
owner @{HOME}/.fonts.cache-2 mr,
|
||||
owner @{HOME}/.{,cache/}fontconfig/ rw,
|
||||
owner @{HOME}/.{,cache/}fontconfig/** mrwl,
|
||||
owner @{HOME}/.{,cache/}fontconfig/** mrl,
|
||||
owner @{HOME}/.fonts.conf.d/ r,
|
||||
owner @{HOME}/.fonts.conf.d/** r,
|
||||
owner @{HOME}/.config/fontconfig/ r,
|
||||
|
@@ -51,6 +51,8 @@
|
||||
owner @{HOME}/.gtk-bookmarks r,
|
||||
owner @{HOME}/.themes/ r,
|
||||
owner @{HOME}/.themes/** r,
|
||||
owner @{user_share_dirs}/themes/ r,
|
||||
owner @{user_share_dirs}/themes/** r,
|
||||
|
||||
# for gtk file dialog
|
||||
owner @{HOME}/.config/gtk-2.0/ w,
|
||||
@@ -96,7 +98,7 @@
|
||||
|
||||
# mime-types
|
||||
/etc/gnome/defaults.list r,
|
||||
/etc/xdg/*-mimeapps.list r,
|
||||
/etc/xdg/{,*-}mimeapps.list r,
|
||||
/usr/share/gnome/applications/ r,
|
||||
/usr/share/gnome/applications/mimeinfo.cache r,
|
||||
|
||||
|
@@ -22,6 +22,8 @@
|
||||
|
||||
/etc/krb5.keytab rk,
|
||||
/etc/krb5.conf r,
|
||||
/etc/krb5.conf.d/ r,
|
||||
/etc/krb5.conf.d/* r,
|
||||
|
||||
# config files found via strings on libs
|
||||
/etc/krb.conf r,
|
||||
|
@@ -38,3 +38,7 @@
|
||||
/etc/letsencrypt/archive/*/cert*.pem r,
|
||||
/etc/letsencrypt/archive/*/chain*.pem r,
|
||||
/etc/letsencrypt/archive/*/fullchain*.pem r,
|
||||
|
||||
/etc/certbot/archive/*/cert*.pem r,
|
||||
/etc/certbot/archive/*/chain*.pem r,
|
||||
/etc/certbot/archive/*/fullchain*.pem r,
|
||||
|
@@ -26,3 +26,5 @@
|
||||
|
||||
# certbot / letsencrypt
|
||||
/etc/letsencrypt/archive/*/privkey*.pem r,
|
||||
|
||||
/etc/certbot/archive/*/privkey*.pem r,
|
||||
|
@@ -55,7 +55,7 @@ mkdirperm_fail=r
|
||||
linkperm=rl
|
||||
readperm=r
|
||||
|
||||
dd if=/dev/zero of=$image bs=4096 count=20 > /dev/null 2>&1
|
||||
dd if=/dev/zero of=$image bs=4096 count=128 > /dev/null 2>&1
|
||||
mkfs.ext2 -F -m 0 -N 10 $image > /dev/null 2>&1
|
||||
|
||||
mkdir $mp1 $mp2
|
||||
|
@@ -148,7 +148,7 @@ def get_profiles():
|
||||
sys.exit(4)
|
||||
|
||||
for p in f.readlines():
|
||||
match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
|
||||
match = re.search("^(.+)\s+\((\w+)\)$", p)
|
||||
profiles[match.group(1)] = match.group(2)
|
||||
|
||||
f.close()
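Review bot: The new pattern `match = re.search("^(.+)\s+\((\w+)\)$", p)` is a non-raw string, so `\s` and `\(` are invalid string escapes that Python only preserves because they are unknown; since 3.6 they raise a DeprecationWarning and since 3.12 a SyntaxWarning. Write it as `match = re.search(r"^(.+)\s+\((\w+)\)$", p)`. The following `profiles[match.group(1)] = match.group(2)` still dereferences `None` for any line the pattern does not match, which predates this change but is worth a guard while the line is being touched. get_profiles continues outside the hunk.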
|
||||
|
@@ -2365,8 +2365,6 @@ def parse_profile_data(data, file, do_include):
|
||||
elif re_match_include(line):
|
||||
# Include files
|
||||
include_name = re_match_include(line)
|
||||
if include_name.startswith('local/'):
|
||||
profile_data[profile][hat]['localinclude'][include_name] = True
|
||||
|
||||
if profile:
|
||||
profile_data[profile][hat]['include'][include_name] = True
|
||||
|
@@ -213,6 +213,9 @@ def hasher():
|
||||
def convert_regexp(regexp):
|
||||
regex_paren = re.compile('^(.*){([^}]*)}(.*)$')
|
||||
regexp = regexp.strip()
|
||||
|
||||
regexp = regexp.replace('(', '\\(').replace(')', '\\)') # escape '(' and ')'
|
||||
|
||||
new_reg = re.sub(r'(?<!\\)(\.|\+|\$)', r'\\\1', regexp)
|
||||
|
||||
while regex_paren.search(new_reg):
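Review bot: The added line `regexp = regexp.replace('(', '\\(').replace(')', '\\)')` escapes every parenthesis unconditionally, while the next line guards its `.`/`+`/`$` escaping with `(?<!\\)` so an already-escaped character is not doubled; a rule containing `\(` would therefore become `\\(`, a literal backslash followed by an unescaped group, which changes the regex meaning. If backslash-escaped parentheses can legitimately occur in rule paths, fold the parens into the existing substitution instead, `new_reg = re.sub(r'(?<!\\)(\.|\+|\$|\(|\))', r'\\\1', regexp)`, and drop the replace line; if they cannot, a comment saying so next to the replace would settle it. convert_regexp continues outside the hunk.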
|
||||
|
@@ -35,7 +35,7 @@ class ReadLog:
|
||||
'kernel:\s+(' + RE_kernel_time + '\s+)?(audit:\s+)?type=' + RE_type_num + '\s+' + RE_audit_time_id + RE_aa_or_op, # v2_6 syslog
|
||||
'kernel:\s+(' + RE_kernel_time + '\s+)?' + RE_audit_time_id + 'type=' + RE_type_num + '\s+' + RE_aa_or_op,
|
||||
'type=(AVC|APPARMOR[_A-Z]*|' + RE_type_num + ')\s+' + RE_audit_time_id + '(type=' + RE_type_num + '\s+)?' + RE_aa_or_op, # v2_6 audit and dmesg
|
||||
'type=USER_AVC\s+' + RE_audit_time_id + '.*apparmor=', # dbus
|
||||
'type=(USER_AVC|1107)\s+' + RE_audit_time_id + '.*apparmor=', # dbus
|
||||
'type=UNKNOWN\[' + RE_type_num + '\]\s+' + RE_audit_time_id + RE_aa_or_op,
|
||||
'dbus\[[0-9]+\]:\s+apparmor=', # dbus
|
||||
]
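Review bot: `'type=(USER_AVC|1107)\s+' + RE_audit_time_id + '.*apparmor=', # dbus` introduces a bare numeric audit type that the trailing comment does not explain; 1107 is the numeric value of AUDIT_USER_AVC, the form that appears in the kernel-log dbus testcase added in this change. Extend the comment to `# dbus (USER_AVC, also logged by its numeric type 1107)` so the next reader does not have to look it up. The RE list is a class attribute of ReadLog whose definition starts outside the hunk.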
|
||||
|
@@ -54,7 +54,6 @@ class ProfileStorage:
|
||||
data['alias'] = dict()
|
||||
data['abi'] = []
|
||||
data['include'] = dict()
|
||||
data['localinclude'] = dict()
|
||||
data['lvar'] = dict()
|
||||
data['repo'] = dict()
|
||||
|
||||
|
@@ -19,6 +19,7 @@ import apparmor.aa
|
||||
from apparmor.logparser import ReadLog
|
||||
from apparmor.profile_list import ProfileList
|
||||
|
||||
|
||||
class TestLibapparmorTestMulti(AATest):
|
||||
'''Parse all libraries/libapparmor/testsuite/test_multi tests and compare the result with the *.out files'''
|
||||
|
||||
@@ -26,6 +27,9 @@ class TestLibapparmorTestMulti(AATest):
|
||||
|
||||
def _run_test(self, params, expected):
|
||||
# tests[][expected] is a dummy, replace it with the real values
|
||||
if params.split('/')[-1] in log_to_skip:
|
||||
return
|
||||
|
||||
expected = self._parse_libapparmor_test_multi(params)
|
||||
|
||||
with open_file_read('%s.in' % params) as f_in:
|
||||
@@ -139,6 +143,10 @@ class TestLibapparmorTestMulti(AATest):
|
||||
|
||||
return exresult
|
||||
|
||||
# tests that cause crashes or need user interaction (will be skipped)
|
||||
log_to_skip = [
|
||||
'testcase_dbus_09', # multiline log not currently supported
|
||||
]
|
||||
|
||||
# tests that do not produce the expected profile (checked with assertNotEqual)
|
||||
log_to_profile_known_failures = [
|
||||
@@ -184,6 +192,7 @@ log_to_profile_skip = [
|
||||
'testcase_syslog_changehat_negative_error', # fails in write_header -> quote_if_needed because data is None
|
||||
|
||||
'testcase_changehat_01', # interactive, asks to add a hat
|
||||
'testcase_dbus_09', # multiline log not currently supported
|
||||
]
|
||||
|
||||
class TestLogToProfile(AATest):
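Review bot: In `_run_test`, `if params.split('/')[-1] in log_to_skip: return` makes a skipped testcase count as a pass, so the multiline-log limitation recorded in `log_to_skip` disappears from the test report. If `AATest` is a `unittest.TestCase`, which the `assertNotEqual` mention in the `log_to_profile_known_failures` comment suggests, `self.skipTest('listed in log_to_skip')` reports it as skipped instead and keeps the gap visible. `log_to_skip` is defined at module level after the class, which works because it is only read at call time, but a comment on the list saying it pairs with `log_to_profile_skip` below would help a reader who finds the name before its definition. The class continues outside the hunks.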
|
||||
|
@@ -19,7 +19,7 @@ danger_caps = ["audit_control",
|
||||
"audit_write",
|
||||
"mac_override",
|
||||
"mac_admin",
|
||||
"set_fcap",
|
||||
"setfcap",
|
||||
"sys_admin",
|
||||
"sys_module",
|
||||
"sys_rawio"]
|
||||
|