mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-05 08:45:22 +00:00
Compare commits
11 Commits
v2.7.1
...
apparmor-2
| Author | SHA1 | Date | |
|---|---|---|---|
|
cac95f10ce | ||
|
|
8c6e3a9724 | ||
|
|
3f29d38f0f | ||
|
d0bde41d90 | ||
|
|
823a2f71dd | ||
|
f5c4d066e8 | ||
|
|
805f51c7da | ||
|
|
ec87c2e552 | ||
|
3bff5df489 | ||
|
|
ba01770cfc | ||
|
3ffe77d087 |
2
Makefile
2
Makefile
@@ -12,7 +12,7 @@ DIRS=parser \
|
||||
changehat/pam_apparmor \
|
||||
tests
|
||||
|
||||
REPO_URL?=lp:apparmor
|
||||
REPO_URL?=lp:apparmor/2.7
|
||||
# alternate possibilities to export from
|
||||
#REPO_URL=.
|
||||
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
|
||||
|
||||
@@ -1 +1 @@
|
||||
2.7.1
|
||||
2.7.2
|
||||
|
||||
@@ -158,6 +158,8 @@ $ac_distutils_result])
|
||||
AC_MSG_CHECKING([consistency of all components of python development environment])
|
||||
AC_LANG_PUSH([C])
|
||||
# save current global flags
|
||||
ac_save_LIBS="$LIBS"
|
||||
ac_save_CPPFLAGS="$CPPFLAGS"
|
||||
LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
|
||||
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
|
||||
AC_TRY_LINK([
|
||||
|
||||
@@ -3,7 +3,8 @@ INCLUDES = $(all_includes)
|
||||
BUILT_SOURCES = grammar.h scanner.h af_protos.h
|
||||
AM_LFLAGS = -v
|
||||
AM_YFLAGS = -d -p aalogparse_
|
||||
AM_CFLAGS = @CFLAGS@ -D_GNU_SOURCE -Wall
|
||||
AM_CFLAGS = -Wall
|
||||
AM_CPPFLAGS = -D_GNU_SOURCE
|
||||
scanner.h: scanner.l
|
||||
$(LEX) -v $<
|
||||
|
||||
|
||||
@@ -141,6 +141,10 @@ typedef struct
|
||||
char *net_family;
|
||||
char *net_protocol;
|
||||
char *net_sock_type;
|
||||
char *net_local_addr;
|
||||
unsigned long net_local_port;
|
||||
char *net_foreign_addr;
|
||||
unsigned long net_foreign_port;
|
||||
} aa_log_record;
|
||||
|
||||
/**
|
||||
|
||||
@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
|
||||
%token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
|
||||
%token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
|
||||
%token <t_str> TOK_IP_ADDR
|
||||
|
||||
%token TOK_EQUALS
|
||||
%token TOK_COLON
|
||||
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
|
||||
%token TOK_KEY_CAPNAME
|
||||
%token TOK_KEY_OFFSET
|
||||
%token TOK_KEY_TARGET
|
||||
%token TOK_KEY_LADDR
|
||||
%token TOK_KEY_FADDR
|
||||
%token TOK_KEY_LPORT
|
||||
%token TOK_KEY_FPORT
|
||||
|
||||
%token TOK_SYSLOG_KERNEL
|
||||
|
||||
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
|
||||
{ /* target was always name2 in the past */
|
||||
ret_record->name2 = $3;
|
||||
}
|
||||
| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
|
||||
{ ret_record->net_local_addr = $3;}
|
||||
| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
|
||||
{ ret_record->net_foreign_addr = $3;}
|
||||
| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->net_local_port = $3;}
|
||||
| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
|
||||
{ ret_record->net_foreign_port = $3;}
|
||||
| TOK_MSG_REST
|
||||
{
|
||||
ret_record->event = AA_RECORD_INVALID;
|
||||
|
||||
@@ -133,8 +133,15 @@ key_capability "capability"
|
||||
key_capname "capname"
|
||||
key_offset "offset"
|
||||
key_target "target"
|
||||
key_laddr "laddr"
|
||||
key_faddr "faddr"
|
||||
key_lport "lport"
|
||||
key_fport "fport"
|
||||
audit "audit"
|
||||
|
||||
/* network addrs */
|
||||
ip_addr [a-f[:digit:].:]{3,}
|
||||
|
||||
/* syslog tokens */
|
||||
syslog_kernel kernel{colon}
|
||||
syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
|
||||
@@ -149,6 +156,7 @@ dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
|
||||
%x dmesg_timestamp
|
||||
%x safe_string
|
||||
%x audit_types
|
||||
%x ip_addr
|
||||
%x other_audit
|
||||
%x unknown_message
|
||||
|
||||
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
|
||||
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<ip_addr>{
|
||||
{ip_addr} { yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
. { /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
|
||||
}
|
||||
|
||||
<audit_types>{
|
||||
{equals} { return(TOK_EQUALS); }
|
||||
{digits} { yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
|
||||
@@ -270,6 +284,10 @@ yy_flex_debug = 0;
|
||||
{key_capname} { return(TOK_KEY_CAPNAME); }
|
||||
{key_offset} { return(TOK_KEY_OFFSET); }
|
||||
{key_target} { return(TOK_KEY_TARGET); }
|
||||
{key_laddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
|
||||
{key_faddr} { yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
|
||||
{key_lport} { return(TOK_KEY_LPORT); }
|
||||
{key_fport} { return(TOK_KEY_FPORT); }
|
||||
|
||||
{syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
|
||||
{syslog_month} { yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
|
||||
|
||||
@@ -10,7 +10,7 @@ WriteMakefile(
|
||||
'FIRST_MAKEFILE' => 'Makefile.perl',
|
||||
'ABSTRACT' => q[Perl interface to AppArmor] ,
|
||||
'VERSION' => q[@VERSION@],
|
||||
'INC' => q[-I@top_srcdir@/src @CFLAGS@],
|
||||
'INC' => q[@CPPFLAGS@ -I@top_srcdir@/src @CFLAGS@],
|
||||
'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@],
|
||||
'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT)
|
||||
) ;
|
||||
|
||||
@@ -10,8 +10,7 @@ AM_CFLAGS = -Wall
|
||||
noinst_PROGRAMS = test_multi.multi
|
||||
|
||||
test_multi_multi_SOURCES = test_multi.c
|
||||
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
|
||||
test_multi_multi_LDFLAGS = $(LDFLAGS)
|
||||
test_multi_multi_CFLAGS = -Wall
|
||||
test_multi_multi_LDADD = -L../src/.libs -lapparmor
|
||||
|
||||
clean-local:
|
||||
|
||||
@@ -51,6 +51,18 @@ int main(int argc, char **argv)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#define print_string(description, var) \
|
||||
if ((var) != NULL) { \
|
||||
printf("%s: %s\n", (description), (var)); \
|
||||
}
|
||||
|
||||
/* unset is the value that the library sets to the var to indicate
|
||||
that it is unset */
|
||||
#define print_long(description, var, unset) \
|
||||
if ((var) != (unsigned long) (unset)) { \
|
||||
printf("%s: %ld\n", (description), (var)); \
|
||||
}
|
||||
|
||||
int print_results(aa_log_record *record)
|
||||
{
|
||||
printf("Event type: ");
|
||||
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
|
||||
{
|
||||
printf("Protocol: %s\n", record->net_protocol);
|
||||
}
|
||||
print_string("Local addr", record->net_local_addr);
|
||||
print_string("Foreign addr", record->net_foreign_addr);
|
||||
print_long("Local port", record->net_local_port, 0);
|
||||
print_long("Foreign port", record->net_foreign_port, 0);
|
||||
|
||||
printf("Epoch: %lu\n", record->epoch);
|
||||
printf("Audit subid: %u\n", record->audit_sub_id);
|
||||
return(0);
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
Apr 5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
|
||||
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_01.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1308766940.698:3704
|
||||
Operation: sendmsg
|
||||
Profile: /usr/bin/evince-thumbnailer
|
||||
Command: evince-thumbnai
|
||||
Parent: 24737
|
||||
PID: 24743
|
||||
Network family: inet
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: 192.168.66.150
|
||||
Foreign addr: 192.168.66.200
|
||||
Local port: 765
|
||||
Foreign port: 2049
|
||||
Epoch: 1308766940
|
||||
Audit subid: 3704
|
||||
@@ -0,0 +1 @@
|
||||
Apr 5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
|
||||
@@ -0,0 +1,16 @@
|
||||
START
|
||||
File: test_multi/testcase_network_02.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1308766940.698:3704
|
||||
Operation: sendmsg
|
||||
Profile: /usr/bin/evince-thumbnailer
|
||||
Command: evince-thumbnai
|
||||
Parent: 24737
|
||||
PID: 24743
|
||||
Network family: inet
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local port: 765
|
||||
Foreign port: 2049
|
||||
Epoch: 1308766940
|
||||
Audit subid: 3704
|
||||
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
|
||||
@@ -0,0 +1,15 @@
|
||||
START
|
||||
File: test_multi/testcase_network_03.in
|
||||
Event type: AA_RECORD_ALLOWED
|
||||
Audit ID: 1333648169.009:11707146
|
||||
Operation: accept
|
||||
Profile: /usr/lib/dovecot/imap-login
|
||||
Command: imap-login
|
||||
Parent: 25932
|
||||
PID: 5049
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local port: 143
|
||||
Epoch: 1333648169
|
||||
Audit subid: 11707146
|
||||
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
|
||||
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_04.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1333697181.284:273901
|
||||
Operation: recvmsg
|
||||
Profile: /home/ubuntu/tmp/nc
|
||||
Command: nc
|
||||
Parent: 1596
|
||||
PID: 1056
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: ::1
|
||||
Foreign addr: ::1
|
||||
Local port: 2048
|
||||
Foreign port: 33986
|
||||
Epoch: 1333697181
|
||||
Audit subid: 273901
|
||||
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
|
||||
@@ -0,0 +1,18 @@
|
||||
START
|
||||
File: test_multi/testcase_network_05.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1333698107.128:273917
|
||||
Operation: recvmsg
|
||||
Profile: /home/ubuntu/tmp/nc
|
||||
Command: nc
|
||||
Parent: 1596
|
||||
PID: 1875
|
||||
Network family: inet6
|
||||
Socket type: stream
|
||||
Protocol: tcp
|
||||
Local addr: ::ffff:127.0.0.1
|
||||
Foreign addr: ::ffff:127.0.0.1
|
||||
Local port: 2048
|
||||
Foreign port: 59180
|
||||
Epoch: 1333698107
|
||||
Audit subid: 273917
|
||||
@@ -17,7 +17,7 @@
|
||||
|
||||
# .Xauthority files required for X connections, per user
|
||||
@{HOME}/.Xauthority r,
|
||||
owner /{,var/}run/gdm/*/database r,
|
||||
owner /{,var/}run/gdm{,3}/*/database r,
|
||||
owner /{,var/}run/lightdm/authority/[0-9]* r,
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
|
||||
@@ -86,6 +86,7 @@
|
||||
@{PROC}/meminfo r,
|
||||
@{PROC}/stat r,
|
||||
@{PROC}/cpuinfo r,
|
||||
/sys/devices/system/cpu/online r,
|
||||
|
||||
# glibc's *printf protections read the maps file
|
||||
@{PROC}/*/maps r,
|
||||
|
||||
@@ -28,6 +28,10 @@
|
||||
# and abrowser)
|
||||
/usr/lib/firefox-*/firefox.sh PUx,
|
||||
|
||||
# Iceweasel
|
||||
/usr/bin/iceweasel PUx,
|
||||
/usr/lib/iceweasel/iceweasel PUx,
|
||||
|
||||
# some unpackaged, but popular browsers
|
||||
/usr/lib/icecat-*/icecat PUx,
|
||||
/usr/bin/opera PUx,
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
capability sys_chroot,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
/usr/lib/dovecot/imap-login mr,
|
||||
/{,var/}run/dovecot/login/ r,
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
@{TFTP_DIR}=/var/tftp
|
||||
@{TFTP_DIR}=/var/tftp /srv/tftpboot
|
||||
|
||||
#include <tunables/global>
|
||||
/usr/sbin/dnsmasq {
|
||||
|
||||
@@ -28,7 +28,7 @@
|
||||
/bin/cat rmix,
|
||||
/bin/bash rmix,
|
||||
/dev/log w,
|
||||
/etc/.pwd.lock rw,
|
||||
/etc/.pwd.lock rwk,
|
||||
/etc/cron.deny r,
|
||||
/etc/default/useradd r,
|
||||
/etc/group* rwl,
|
||||
|
||||
@@ -4797,13 +4797,9 @@ sub sub_mode_to_str($) {
|
||||
$str .= "a" if ($mode & $AA_MAY_APPEND);
|
||||
$str .= "l" if ($mode & $AA_MAY_LINK);
|
||||
$str .= "k" if ($mode & $AA_MAY_LOCK);
|
||||
if ($mode & $AA_EXEC_UNCONFINED) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "u";
|
||||
} else {
|
||||
$str .= "U";
|
||||
}
|
||||
}
|
||||
|
||||
# modes P and C *must* come before I and U; otherwise syntactically
|
||||
# invalid profiles result
|
||||
if ($mode & ($AA_EXEC_PROFILE | $AA_EXEC_NT)) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "p";
|
||||
@@ -4818,7 +4814,18 @@ sub sub_mode_to_str($) {
|
||||
$str .= "C";
|
||||
}
|
||||
}
|
||||
|
||||
# modes P and C *must* come before I and U; otherwise syntactically
|
||||
# invalid profiles result
|
||||
if ($mode & $AA_EXEC_UNCONFINED) {
|
||||
if ($mode & $AA_EXEC_UNSAFE) {
|
||||
$str .= "u";
|
||||
} else {
|
||||
$str .= "U";
|
||||
}
|
||||
}
|
||||
$str .= "i" if ($mode & $AA_EXEC_INHERIT);
|
||||
|
||||
$str .= "x" if ($mode & $AA_MAY_EXEC);
|
||||
|
||||
return $str;
|
||||
|
||||
Reference in New Issue
Block a user