Fix change_profile to grant access to api

http://bugs.launchpad.net/bugs/979135

Currently a change_profile rule does not grant access to the
/proc/<pid>/attr/{current,exec} interfaces that are needed to perform
a change_profile or change_onexec, requiring that an explicit rule allowing
access to the interface be granted.

Make it so change_profile implies the necessary
  /proc/@{PID}/attr/{current,exec} w,

rule just like the presence of hats does for change_hat


Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>

Makefile

@@ -7,7 +7,7 @@ include common/Make.rules
 DIRS=parser \
      profiles \
      utils \
-     changehat/libapparmor \
+     libraries/libapparmor \
      changehat/mod_apparmor \
      changehat/pam_apparmor \
      tests

common/Make.rules

@@ -150,6 +150,40 @@ _clean:
 	-rm -f ${NAME}-${VERSION}-*.tar.gz
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+
+.PHONY: list_capabilities
+list_capabilities: /usr/include/linux/capability.h
+	@echo "$(CAPABILITIES)"
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# These are the families that it doesn't make sense for apparmor
+# to mediate. We use PF_ here since that is what is required in
+# bits/socket.h, but we will rewrite these as AF_.
+
+FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+
+__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+
+# emits the AF names in a "AF_NAME NUMBER," pattern
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+
+.PHONY: list_af_names
+list_af_names:
+	@echo "$(AF_NAMES)"
+
 # =====================
 # manpages
 # =====================
@@ -172,29 +206,8 @@ install_manpages: $(MANPAGES)
 
 MAN_RELEASE="AppArmor ${VERSION}"
 
-%.1: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=1 > $@
-
-%.2: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=2 > $@
-
-%.3: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=3 > $@
-
-%.4: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=4 > $@
-
-%.5: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=5 > $@
-
-%.6: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=6 > $@
-
-%.7: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=7 > $@
-
-%.8: %.pod
-	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --section=8 > $@
+%.1 %.2 %.3 %.4 %.5 %.6 %.7 %.8: %.pod
+	$(POD2MAN) $< --release=$(MAN_RELEASE) --center=AppArmor --stderr --section=$(subst .,,$(suffix $@)) > $@
 
 %.1.html: %.pod
 	$(POD2HTML) --header --css apparmor.css --infile=$< --outfile=$@

common/Version

@@ -1 +1 @@
-2.7.99
+2.7.102

libraries/libapparmor/doc/aa_getcon.pod

@@ -69,7 +69,8 @@ does not handle buffer allocation.
 
 =head1 RETURN VALUE
 
-On success zero is returned. On error, -1 is returned, and
+On success size of data placed in the buffer is returned, this includes the
+mode if present and any terminating characters. On error, -1 is returned, and
 errno(3) is set appropriately.
 
 =head1 ERRORS

libraries/libapparmor/src/aalogparse.h

@@ -141,6 +141,10 @@ typedef struct
 	char *net_family;
 	char *net_protocol;
 	char *net_sock_type;
+	char *net_local_addr;
+	unsigned long net_local_port;
+	char *net_foreign_addr;
+	unsigned long net_foreign_port;
 } aa_log_record;
 
 /**

libraries/libapparmor/src/grammar.y

@@ -83,6 +83,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
 %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
 %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
+%token <t_str> TOK_IP_ADDR
 
 %token TOK_EQUALS
 %token TOK_COLON
@@ -133,6 +134,10 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_CAPNAME
 %token TOK_KEY_OFFSET
 %token TOK_KEY_TARGET
+%token TOK_KEY_LADDR
+%token TOK_KEY_FADDR
+%token TOK_KEY_LPORT
+%token TOK_KEY_FPORT
 
 %token TOK_SYSLOG_KERNEL
 
@@ -268,6 +273,14 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ /* target was always name2 in the past */
 	  ret_record->name2 = $3;
 	}
+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_local_addr = $3;}
+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
+	{ ret_record->net_foreign_addr = $3;}
+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_local_port = $3;}
+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
+	{ ret_record->net_foreign_port = $3;}
 	| TOK_MSG_REST
 	{
 		ret_record->event = AA_RECORD_INVALID;

libraries/libapparmor/src/kernel_interface.c

@@ -278,11 +278,12 @@ int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)
 
 	if (rc == -1) {
 		free(buffer);
-		size = -1;
+		*buf = NULL;
+		*mode = NULL;
 	} else
 		*buf = buffer;
 
-	return size;
+	return rc;
 }
 
 static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
@@ -617,6 +618,7 @@ int aa_getpeercon(int fd, char **con)
 
 	if (rc == -1) {
 		free(buffer);
+		*con = NULL;
 		size = -1;
 	} else
 		*con = buffer;

libraries/libapparmor/src/scanner.l

@@ -133,8 +133,15 @@ key_capability		"capability"
 key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
+key_laddr		"laddr"
+key_faddr		"faddr"
+key_lport		"lport"
+key_fport		"fport"
 audit			"audit"
 
+/* network addrs */
+ip_addr			[a-f[:digit:].:]{3,}
+
 /* syslog tokens */
 syslog_kernel		kernel{colon}
 syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
@@ -149,6 +156,7 @@ dmesg_timestamp		\[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
 %x dmesg_timestamp
 %x safe_string
 %x audit_types
+%x ip_addr
 %x other_audit
 %x unknown_message
 
@@ -201,6 +209,12 @@ yy_flex_debug = 0;
 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
 	}
 
+<ip_addr>{
+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
+	{equals}	{ return(TOK_EQUALS); }
+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
+	}
+
 <audit_types>{
 	{equals}	{ return(TOK_EQUALS); }
 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
@@ -270,6 +284,10 @@ yy_flex_debug = 0;
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
+{key_lport}		{ return(TOK_KEY_LPORT); }
+{key_fport}		{ return(TOK_KEY_FPORT); }
 
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
 {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }

libraries/libapparmor/testsuite/test_multi.c

@@ -51,6 +51,18 @@ int main(int argc, char **argv)
 	return ret;
 }
 
+#define print_string(description, var) \
+	if ((var) != NULL) { \
+		printf("%s: %s\n", (description), (var)); \
+	}
+
+/* unset is the value that the library sets to the var to indicate
+   that it is unset */
+#define print_long(description, var, unset) \
+	if ((var) != (unsigned long) (unset)) { \
+		printf("%s: %ld\n", (description), (var)); \
+	}
+
 int print_results(aa_log_record *record)
 {
 		printf("Event type: ");
@@ -185,6 +197,11 @@ int print_results(aa_log_record *record)
 		{
 			printf("Protocol: %s\n", record->net_protocol);
 		}
+		print_string("Local addr", record->net_local_addr);
+		print_string("Foreign addr", record->net_foreign_addr);
+		print_long("Local port", record->net_local_port, 0);
+		print_long("Foreign port", record->net_foreign_port, 0);
+
 		printf("Epoch: %lu\n", record->epoch);
 		printf("Audit subid: %u\n", record->audit_sub_id);
 	return(0);

libraries/libapparmor/testsuite/test_multi/testcase_network_01.in

@@ -0,0 +1 @@
+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_01.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local addr: 192.168.66.150
+Foreign addr: 192.168.66.200
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_02.in

@@ -0,0 +1 @@
+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_02.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_network_02.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1308766940.698:3704
+Operation: sendmsg
+Profile: /usr/bin/evince-thumbnailer
+Command: evince-thumbnai
+Parent: 24737
+PID: 24743
+Network family: inet
+Socket type: stream
+Protocol: tcp
+Local port: 765
+Foreign port: 2049
+Epoch: 1308766940
+Audit subid: 3704

libraries/libapparmor/testsuite/test_multi/testcase_network_03.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_03.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/testcase_network_03.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1333648169.009:11707146
+Operation: accept
+Profile: /usr/lib/dovecot/imap-login
+Command: imap-login
+Parent: 25932
+PID: 5049
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local port: 143
+Epoch: 1333648169
+Audit subid: 11707146

libraries/libapparmor/testsuite/test_multi/testcase_network_04.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_04.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_04.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333697181.284:273901
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1056
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::1
+Foreign addr: ::1
+Local port: 2048
+Foreign port: 33986
+Epoch: 1333697181
+Audit subid: 273901

libraries/libapparmor/testsuite/test_multi/testcase_network_05.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6

libraries/libapparmor/testsuite/test_multi/testcase_network_05.out

@@ -0,0 +1,18 @@
+START
+File: test_multi/testcase_network_05.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1333698107.128:273917
+Operation: recvmsg
+Profile: /home/ubuntu/tmp/nc
+Command: nc
+Parent: 1596
+PID: 1875
+Network family: inet6
+Socket type: stream
+Protocol: tcp
+Local addr: ::ffff:127.0.0.1
+Foreign addr: ::ffff:127.0.0.1
+Local port: 2048
+Foreign port: 59180
+Epoch: 1333698107
+Audit subid: 273917

parser/Makefile

@@ -207,22 +207,18 @@ parser_version.h: Makefile
 	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
 	@mv -f .ver $@
 
-# These are the families that it doesn't make sense for apparmor to mediate.
-# We use PF_ here since that is what is required in bits/socket.h, but we will
-# rewrite these as AF_.
-FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
-
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+# af_names and capabilities generation has moved to common/Make.rules,
+# as well as the filtering that occurs for network protocols that
+# apparmor should not mediate.
 
 .PHONY: af_names.h
 af_names.h:
-	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" > $@
-	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX \\1\n/p" >> $@
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
-	LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
+	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
 tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
 	$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)

parser/apparmor.d.pod

@@ -54,7 +54,7 @@ B<COMMENT> = '#' I<TEXT>
 
 B<TEXT> = any characters
 
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
+B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | 'capability ' I<CAPABILITY> | I<NETWORK RULE> | I<MOUNT RULE> | I<FILE RULE> | 'change_profile -> ' I<PROGRAMCHILD> ) ... ] '}'
 
 B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
 
@@ -75,11 +75,37 @@ B<PROGRAMHAT> = '^'  (non-whitespace characters; see aa_change_hat(2) for a desc
 
 B<PROGRAMCHILD> = I<SUBPROFILE> name
 
+B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> | I<PIVOT ROOT> )
+
+B<MOUNT> = [ 'audit' ] [ 'deny' ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -> [ I<MOUNTPOINT FILEGLOB> ]
+
+B<REMOUNT> = [ 'audit' ] [ 'deny' ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
+
+B<UMOUNT> = [ 'audit' ] [ 'deny' ] 'umount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
+
+B<PIVOT ROOT> = [ 'audit' ] [ 'deny' ] pivot_root [ I<OLD ABS PATH> ] [ I<MOUNTPOINT ABS PATH> ] [ -> I<PROGRAMCHILD> ]
+
+B<MOUNT CONDITIONS> = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) I<MOUNT FSTYPE EXPRESSION> ] [ 'options' ( '=' | 'in' ) I<MOUNT FLAGS EXPRESSION> ]
+
+B<MOUNT FSTYPE EXPRESSION> = ( I<MOUNT FSTYPE LIST> | I<MOUNT EXPRESSION> )
+
+B<MOUNT FSTYPE LIST> = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, devfs, etc)
+
+B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )
+
+B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
+
+B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
+
+B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
+
+B<AARE> = B<?*[]{}^> (see below for meanings)
+
 B<FILE RULE> = I<RULE QUALIFIER> ( '"' I<FILEGLOB> '"' | I<FILEGLOB> ) I<ACCESS> ','
 
 B<RULE QUALIFIER> = [ 'audit' ] [ 'deny' ] [ 'owner' ]
 
-B<FILEGLOB> = (must start with '/' (after variable expansion), B<?*[]{}^> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
+B<FILEGLOB> = (must start with '/' (after variable expansion), B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted. Rules must end with '/' to apply to directories.)
 
 B<ACCESS> = ( 'r' | 'w' | 'l' | 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx -> ' I<PROGRAMCHILD> | 'Cx -> ' I<PROGRAMCHILD> | 'm' ) [ I<ACCESS> ... ]  (not all combinations are allowed; see below.)
 
@@ -303,10 +329,6 @@ access is not granted, some capabilities allow loading kernel modules,
 arbitrary access to IPC, ability to bypass discretionary access controls,
 and other operations that are typically reserved for the root user.
 
-The only operations that cannot be controlled in this manner are mount(2),
-umount(2), and loading new AppArmor policy into the kernel, which are
-always denied to confined processes.
-
 =head2 Network Rules
 
 AppArmor supports simple coarse grained network mediation.  The network
@@ -328,6 +350,281 @@ eg.
  network inet tcp,	#allow access to tcp only for inet4 addresses
  network inet6 tcp,	#allow access to tcp only for inet6 addresses
 
+=head2 Mount Rules
+
+AppArmor supports mount mediation and allows specifying filesystem types and
+mount flags. The syntax of mount rules in AppArmor is based on the mount(8)
+command syntax. Mount rules must contain one of the mount, remount, umount or
+pivot_root keywords, but all mount conditions are optional. Unspecified
+optional conditionals are assumed to match all entries (eg, not specifying
+fstype means all fstypes are matched). Due to the complexity of the mount
+command and how options may be specified, AppArmor allows specifying
+conditionals three different ways:
+
+=over 4
+
+=item 1.
+
+If a conditional is specified using '=', then the rule only grants permission
+for mounts matching the exactly specified options. For example, an AppArmor
+policy with the following rule:
+
+=over 4
+
+mount options=ro /dev/foo -> /mnt/,
+
+=back
+
+Would match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+=back
+
+but not either of these:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o rw /dev/foo /mnt
+
+=back
+
+=item 2.
+
+If a conditional is specified using 'in', then the rule grants permission for
+mounts matching any combination of the specified options. For example, if an
+AppArmor policy has the following rule:
+
+=over 4
+
+mount options in (ro,atime) /dev/foo -> /mnt/,
+
+=back
+
+all of these mount commands will match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o atime /dev/foo /mnt
+
+=back
+
+but none of these will:
+
+=over 4
+
+$ mount -o ro,sync /dev/foo /mnt
+
+$ mount -o ro,atime,sync /dev/foo /mnt
+
+$ mount -o rw /dev/foo /mnt
+
+$ mount -o rw,noatime /dev/foo /mnt
+
+$ mount /dev/foo /mnt
+
+=back
+
+=item 3.
+
+If multiple conditionals are specified in a single mount rule, then the rule
+grants permission for each set of options. This provides a shorthand when
+writing mount rules which might help to logically break up a conditional. For
+example, if an AppArmor policy has the following rule:
+
+=over 4
+
+mount options=ro options=atime
+
+=back
+
+both of these mount commands will match:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o atime /dev/foo /mnt
+
+=back
+
+but this one will not:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+=back
+
+=back
+
+Note that separate mount rules are distinct and the options do not accumulate.
+For example, these AppArmor mount rules:
+
+=over 4
+
+mount options=ro,
+mount options=atime,
+
+=back
+
+are not equivalent to either of these mount rules:
+
+=over 4
+
+mount options=(ro,atime),
+
+mount options in (ro,atime),
+
+=back
+
+To help clarify the flexibility and complexity of mount rules, here are some
+example rules with accompanying matching commands:
+
+=over 4
+
+=item B<mount,>
+
+the 'mount' rule without any conditionals is the most generic and allows any
+mount. Equivalent to 'mount fstype=** options=** ** -> /**'.
+
+=item B<mount /dev/foo,>
+
+allow mounting of /dev/foo anywhere with any options. Some matching mount
+commands:
+
+=over 4
+
+$ mount /dev/foo /mnt
+
+$ mount -t ext3 /dev/foo /mnt
+
+$ mount -t vfat /dev/foo /mnt
+
+$ mount -o ro,atime,noexec,nodiratime /dev/foo /srv/some/mountpoint
+
+=back
+
+=item B<mount options=ro /dev/foo,>
+
+allow mounting of /dev/foo anywhere, as read only. Some matching mount
+commands:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o ro /dev/foo /some/where/else
+
+=back
+
+=item B<mount options=(ro,atime) /dev/foo,>
+
+allow mount of /dev/foo anywhere, as read only and using inode access times.
+Some matching mount commands:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o ro,atime /dev/foo /some/where/else
+
+=back
+
+=item B<mount options in (ro,atime) /dev/foo,>
+
+allow mount of /dev/foo anywhere using some combination of 'ro' and 'atime'
+(see above). Some matching mount commands:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt
+
+$ mount -o atime /dev/foo /some/where/else
+
+$ mount -o ro,atime /dev/foo /some/other/place
+
+=back
+
+=item B<mount options=ro /dev/foo, mount options=atime /dev/foo,>
+
+allow mount of /dev/foo anywhere as read only, and allow mount of /dev/foo
+anywhere using inode access times. Note this is expressed as two different
+rules. Matches:
+
+=over 4
+
+$ mount -o ro /dev/foo /mnt/1
+
+$ mount -o atime /dev/foo /mnt/2
+
+=back
+
+=item B<< mount -> /mnt/**, >>
+
+allow mounting anything under a directory in /mnt/**. Some matching mount
+commands:
+
+=over 4
+
+$ mount /dev/foo1 /mnt/1
+
+$ mount -o ro,atime,noexec,nodiratime /dev/foo2 /mnt/deep/path/foo2
+
+=back
+
+=item B<< mount options=ro -> /mnt/**, >>
+
+allow mounting anything under /mnt/**, as read only. Some matching mount
+commands:
+
+=over 4
+
+$ mount -o ro /dev/foo1 /mnt/1
+
+$ mount -o ro /dev/foo2 /mnt/deep/path/foo2
+
+=back
+
+=item B<< mount fstype=ext3 options=(rw,atime) /dev/sdb1 -> /mnt/stick/, >>
+
+allow mounting an ext3 filesystem in /dev/sdb1 on /mnt/stick as read/write and
+using inode access times. Matches only:
+
+=over 4
+
+$ mount -o rw,atime /dev/sdb1 /mnt/stick
+
+=back
+
+=item B<< mount options=(ro, atime) options in (nodev, user) /dev/foo -> /mnt/, >>
+
+allow mounting /dev/foo on /mmt/ read only and using inode access times or
+allow mounting /dev/foo on /mnt/ with some combination of 'nodev' and 'user'.
+Matches only:
+
+=over 4
+
+$ mount -o ro,atime /dev/foo /mnt
+
+$ mount -o nodev /dev/foo /mnt
+
+$ mount -o user /dev/foo /mnt
+
+$ mount -o nodev,user /dev/foo /mnt
+
+=back
+
+=back
+
 =head2 Variables
 
 AppArmor's policy language allows embedding variables into file rules
@@ -605,6 +902,29 @@ An example AppArmor profile:
 
 =back
 
+=head1 KNOWN BUGS
+
+=over 4
+
+Mount options support the use of pattern matching but mount flags are not
+correctly intersected against specified patterns. Eg, 'mount options=**,'
+should be equivalent to 'mount,', but it is not. (LP: #965690)
+
+The fstype may not be matched against when certain mount command flags are
+used. Specifically fstype matching currently only works when creating a new
+mount and not remount, bind, etc.
+
+Mount rules with multiple 'options' conditionals are not applied as documented
+but instead merged such that 'options in (ro,nodev) options in (atime)' is
+equivalent to 'options in (ro,nodev,atime)'.
+
+When specifying mount options with the 'in' conditional, both the positive and
+negative values match when specifying one or the other. Eg, 'rw' matches when
+'ro' is specified and 'dev' matches when 'nodev' is specified such that
+'options in (ro,nodev)' is equivalent to 'options in (rw,dev)'.
+
+=back
+
 =head1 SEE ALSO
 
 apparmor(7), apparmor_parser(8), aa-complain(1),

parser/apparmor.vim.pod

@@ -16,7 +16,7 @@
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
-#    along with this program; if not, contact Novell, Inc.
+#    along with this program; if not, contact Canonical, Ltd.
 # ----------------------------------------------------------------------
 
 
@@ -28,13 +28,11 @@ apparmor.vim - vim syntax highlighting file for AppArmor profiles
 
 =head1 SYNOPSIS
 
-The SUSE vim package is configured to automatically use syntax
-highlighting for AppArmor policies stored in /etc/apparmor.d/ and the
-extra policies stored in /etc/apparmor/profiles/extras/. If you wish to
-use the syntax highlighting in a specific vim session, you may run:
+Your system may be configured to automatically use syntax highlighting
+for installed AppArmor policies. If not, you can enable syntax highlighting in
+a specific vim session by performing:
 
- :syntax on
- :setf apparmor
+ :set syntax=apparmor
 
 =head1 DESCRIPTION
 

parser/immunix.h

@@ -61,6 +61,7 @@
 #define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)
 
 #define AA_CHANGE_HAT			(1 << 30)
+#define AA_ONEXEC			(1 << 30)
 #define AA_CHANGE_PROFILE		(1 << 31)
 #define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)
 

parser/libapparmor_re/hfa.cc

@@ -340,14 +340,8 @@ void DFA::remove_unreachable(dfaflags_t flags)
 					cerr << "unreachable: " << **i;
 					if (*i == start)
 						cerr << " <==";
-					if (!(*i)->perms.is_null()) {
-						cerr << " (0x" << hex 
-						     << (*i)->perms.allow << " " 
-						     << (*i)->perms.deny << " "
-						     << (*i)->perms.audit << " "
-						     << (*i)->perms.quiet << dec
-						     << ')';
-					}
+					if ((*i)->perms.is_accept())
+						(*i)->perms.dump(cerr);
 					cerr << "\n";
 				}
 				State *current = *i;
@@ -366,26 +360,17 @@ void DFA::remove_unreachable(dfaflags_t flags)
 /* test if two states have the same transitions under partition_map */
 bool DFA::same_mappings(State *s1, State *s2)
 {
-	if (s1->otherwise != nonmatching) {
-		if (s2->otherwise == nonmatching)
-			return false;
-		Partition *p1 = s1->otherwise->partition;
-		Partition *p2 = s2->otherwise->partition;
-		if (p1 != p2)
-			return false;
-	} else if (s2->otherwise != nonmatching) {
+	if (s1->otherwise->partition != s2->otherwise->partition)
 		return false;
-	}
 
 	if (s1->trans.size() != s2->trans.size())
 		return false;
+
 	for (StateTrans::iterator j1 = s1->trans.begin(); j1 != s1->trans.end(); j1++) {
 		StateTrans::iterator j2 = s2->trans.find(j1->first);
 		if (j2 == s2->trans.end())
 			return false;
-		Partition *p1 = j1->second->partition;
-		Partition *p2 = j2->second->partition;
-		if (p1 != p2)
+		if (j1->second->partition != j2->second->partition)
 			return false;
 	}
 
@@ -553,10 +538,8 @@ void DFA::minimize(dfaflags_t flags)
 			cerr << *rep << " : ";
 
 		/* update representative state's transitions */
-		if (rep->otherwise != nonmatching) {
-			Partition *partition = rep->otherwise->partition;
-			rep->otherwise = *partition->begin();
-		}
+		rep->otherwise = *rep->otherwise->partition->begin();
+
 		for (StateTrans::iterator c = rep->trans.begin(); c != rep->trans.end(); c++) {
 			Partition *partition = c->second->partition;
 			c->second = *partition->begin();
@@ -573,7 +556,7 @@ void DFA::minimize(dfaflags_t flags)
 			(*i)->label = -1;
 			rep->perms.add((*i)->perms);
 		}
-		if (!rep->perms.is_null())
+		if (rep->perms.is_accept())
 			final_accept++;
 //if ((*p)->size() > 1)
 //cerr << "\n";
@@ -628,16 +611,12 @@ out:
 void DFA::dump(ostream & os)
 {
 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
-		if (*i == start || !(*i)->perms.is_null()) {
+		if (*i == start || (*i)->perms.is_accept()) {
 			os << **i;
 			if (*i == start)
 				os << " <== (allow/deny/audit/quiet)";
-			if (!(*i)->perms.is_null()) {
-				os << " (0x " << hex << (*i)->perms.allow << "/"
-				   << (*i)->perms.deny << "/"
-				   << (*i)->perms.audit << "/"
-				   << (*i)->perms.quiet << ')';
-			}
+			if ((*i)->perms.is_accept())
+				(*i)->perms.dump(os);
 			os << "\n";
 		}
 	}
@@ -651,16 +630,22 @@ void DFA::dump(ostream & os)
 			if (j->second == nonmatching) {
 				excluded.insert(j->first);
 			} else {
-				os << **i << " -> " << *(j)->second << ": 0x"
+				os << **i;
+				if ((*i)->perms.is_accept())
+					os << " ", (*i)->perms.dump(os);
+				os << " -> " << *(j)->second << ": 0x"
 				   << hex << (int) j->first;
 				if (isprint(j->first))
 					os << " " << j->first;
-				os << "\n";
+				os << dec << "\n";
 			}
 		}
 
 		if ((*i)->otherwise != nonmatching) {
-			os << **i << " -> " << *(*i)->otherwise << ": [";
+			os << **i;
+			if ((*i)->perms.is_accept())
+				os << " ", (*i)->perms.dump(os);
+			os << " -> " << *(*i)->otherwise << ": [";
 			if (!excluded.empty()) {
 				os << "^";
 				for (Chars::iterator k = excluded.begin();
@@ -668,7 +653,7 @@ void DFA::dump(ostream & os)
 					if (isprint(*k))
 						os << *k;
 					else
-						os << "\\0x" << hex << (int) *k;
+						os << "\\0x" << hex << (int) *k << dec;
 				}
 			}
 			os << "]\n";
@@ -692,12 +677,10 @@ void DFA::dump_dot_graph(ostream & os)
 		if (*i == start) {
 			os << "\t\tstyle=bold" << "\n";
 		}
-		if (!(*i)->perms.is_null()) {
-			os << "\t\tlabel=\"" << **i << "\\n(0x " << hex
-			   << (*i)->perms.allow << "/"
-			   << (*i)->perms.deny << "/"
-			   << (*i)->perms.audit << "/"
-			   << (*i)->perms.quiet << ")\"\n";
+		if ((*i)->perms.is_accept()) {
+			os << "\t\tlabel=\"" << **i << "\\n";
+			(*i)->perms.dump(os);
+			os << "\"\n";
 		}
 		os << "\t]" << "\n";
 	}
@@ -714,7 +697,7 @@ void DFA::dump_dot_graph(ostream & os)
 				if (isprint(j->first))
 					os << j->first;
 				else
-					os << "\\0xhex" << (int) j->first;
+					os << "\\0x" << hex << (int) j->first << dec;
 
 				os << "\"\n\t]" << "\n";
 			}
@@ -729,7 +712,7 @@ void DFA::dump_dot_graph(ostream & os)
 					if (isprint(*i))
 						os << *i;
 					else
-						os << "\\0x" << hex << (int) *i;
+						os << "\\0x" << hex << (int) *i << dec;
 				}
 				os << "]\"" << "\n";
 			}

parser/libapparmor_re/hfa.h

@@ -43,7 +43,14 @@ class perms_t {
 public:
 	perms_t(void) throw(int): allow(0), deny(0), audit(0), quiet(0), exact(0) { };
 
-	bool is_null(void) { return !(allow | deny | audit | quiet); }
+	bool is_accept(void) { return (allow | audit | quiet); }
+
+	void dump(ostream &os)
+	{
+		os << " (0x " << hex
+		   << allow << "/" << deny << "/" << audit << "/" << quiet
+		   << ')' << dec;
+	}
 
 	void clear(void) { allow = deny = audit = quiet = 0; }
 	void add(perms_t &rhs)
@@ -99,7 +106,7 @@ public:
 			allow &= ~deny;
 			quiet &= deny;
 			deny = 0;
-			return is_null();
+			return !is_accept();
 		}
 		return 0;
 	}

parser/mount.c

@@ -362,15 +362,16 @@ static struct value_list *extract_fstype(struct cond_entry **conds)
 	return list;
 }
 
-static struct value_list *extract_options(struct cond_entry **conds)
+static struct value_list *extract_options(struct cond_entry **conds, int eq)
 {
 	struct value_list *list = NULL;
 
 	struct cond_entry *entry, *tmp, *prev = NULL;
 
 	list_for_each_safe(*conds, entry, tmp) {
-		if (strcmp(entry->name, "options") == 0 ||
-		    strcmp(entry->name, "option") == 0) {
+		if ((strcmp(entry->name, "options") == 0 ||
+		     strcmp(entry->name, "option") == 0) &&
+		    entry->eq == eq) {
 			if (prev)
 				prev->next = tmp;
 			if (entry == *conds)
@@ -402,12 +403,31 @@ struct mnt_entry *new_mnt_entry(struct cond_entry *src_conds, char *device,
 		ent->dev_type = extract_fstype(&src_conds);
 
 		ent->flags = 0;
+		ent->inv_flags = 0;
 
 		if (src_conds) {
-			ent->opts = extract_options(&src_conds);
+			unsigned int flags = 0, inv_flags = 0;
+			struct value_list *list = extract_options(&src_conds, 0);
+
+			ent->opts = extract_options(&src_conds, 1);
 			if (ent->opts)
 				ent->flags = extract_flags(&ent->opts,
 							   &ent->inv_flags);
+
+			if (list) {
+				flags = extract_flags(&list, &inv_flags);
+				/* these flags are optional so set both */
+				flags |= inv_flags;
+				inv_flags |= flags;
+
+				ent->flags |= flags;
+				ent->inv_flags |= inv_flags;
+
+				if (ent->opts)
+					list_append(ent->opts, list);
+				else if (list)
+					ent->opts = list;
+			}
 		}
 
 		if (allow & AA_DUMMY_REMOUNT) {
@@ -416,8 +436,8 @@ struct mnt_entry *new_mnt_entry(struct cond_entry *src_conds, char *device,
 			ent->inv_flags = 0;
 		} else if (!(ent->flags | ent->inv_flags)) {
 			/* no flag options, and not remount, allow everything */
-			ent->flags = 0xffffffff;
-			ent->inv_flags = 0xffffffff;
+			ent->flags = MS_ALL_FLAGS;
+			ent->inv_flags = MS_ALL_FLAGS;
 		}
 
 		ent->allow = allow;

parser/mount.h

@@ -85,7 +85,6 @@
 			 MS_BORN | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| \
 			 MS_KERNMOUNT | MS_STRICTATIME)
 
-#define MS_REMOUNT_FLAGS (MS_REMOUNT | MNT_FLAGS)
 #define MS_BIND_FLAGS (MS_BIND | MS_REC)
 #define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED | \
 			MS_REC) | (MS_ALL_FLAGS & ~(MNT_FLAGS)))
@@ -93,6 +92,7 @@
 
 #define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_PRIVATE | MS_SLAVE | \
 		 MS_SHARED | MS_UNBINDABLE)
+#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT))
 
 #define MNT_SRC_OPT 1
 #define MNT_DST_OPT 2
@@ -103,8 +103,10 @@
 #define AA_MAY_PIVOTROOT 1
 #define AA_MAY_MOUNT 2
 #define AA_MAY_UMOUNT 4
-#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
-				 * to a mount option*/
+#define AA_MATCH_CONT 0x40
+#define AA_AUDIT_MNT_DATA AA_MATCH_CONT
+#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
+					 * remapped to a mount option*/
 
 
 struct mnt_entry {

parser/parser.h

@@ -62,6 +62,7 @@ struct value_list {
 
 struct cond_entry {
 	char *name;
+	int eq;			/* where equals was used in specifying list */
 	struct value_list *vals;
 
 	struct cond_entry *next;
@@ -316,7 +317,7 @@ extern struct value_list *new_value_list(char *value);
 extern struct value_list *dup_value_list(struct value_list *list);
 extern void free_value_list(struct value_list *list);
 extern void print_value_list(struct value_list *list);
-extern struct cond_entry *new_cond_entry(char *name, struct value_list *list);
+extern struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list);
 extern void free_cond_entry(struct cond_entry *ent);
 extern void print_cond_entry(struct cond_entry *ent);
 extern char *processid(char *string, int len);
@@ -380,7 +381,7 @@ extern int cache_fd;
 extern void add_to_list(struct codomain *codomain);
 extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
 extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
-extern void post_process_nt_entries(struct codomain *cod);
+extern void post_process_file_entries(struct codomain *cod);
 extern void post_process_mnt_entries(struct codomain *cod);
 extern int post_process_policy(int debug_only);
 extern int process_hat_regex(struct codomain *cod);

parser/parser_lex.l

@@ -280,6 +280,18 @@ LT_EQUAL	<=
 				yy_push_state(EXTCOND_MODE);
 				return TOK_CONDID;
 			}
+	{VARIABLE_NAME}/{WS}+in{WS}*\(	{
+				/* we match to 'in' in the lexer so that
+				 * we can switch scanner state.  By the time
+				 * the parser see the 'in' it may be to late
+				 * as bison may have requested the next
+				 * token from the scanner
+				 */
+				PDEBUG("conditional %s=\n", yytext);
+				yylval.id = processid(yytext, yyleng);
+				yy_push_state(EXTCOND_MODE);
+				return TOK_CONDID;
+			}
 }
 
 <SUB_ID>{
@@ -384,6 +396,11 @@ LT_EQUAL	<=
 			return TOK_OPENPAREN;
 		}
 
+	in	{
+			DUMP_PREPROCESS;
+			return TOK_IN;
+		}
+
 	[^\n]	{
 			DUMP_PREPROCESS;
 			/* Something we didn't expect */

parser/parser_main.c

@@ -801,6 +801,8 @@ static void get_match_string(void) {
 		handle_features_dir(FLAGS_FILE, &flags_string, FLAGS_STRING_SIZE, flags_string);
 		if (strstr(flags_string, "network"))
 			kernel_supports_network = 1;
+		else
+			kernel_supports_network = 0;
 		if (strstr(flags_string, "mount"))
 			kernel_supports_mount = 1;
 		return;

parser/parser_misc.c

@@ -83,7 +83,8 @@ static struct keyword_table keyword_table[] = {
 	{"remount",		TOK_REMOUNT},
 	{"umount",		TOK_UMOUNT},
 	{"unmount",		TOK_UMOUNT},
-	{"pivotroot",		TOK_PIVOTROOT},
+	{"pivot_root",		TOK_PIVOTROOT},
+	{"in",			TOK_IN},
 	/* terminate */
 	{NULL, 0}
 };
@@ -1025,12 +1026,13 @@ void print_value_list(struct value_list *list)
 	}
 }
 
-struct cond_entry *new_cond_entry(char *name, struct value_list *list)
+struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
 {
 	struct cond_entry *ent = calloc(1, sizeof(struct cond_entry));
 	if (ent) {
 		ent->name = name;
 		ent->vals = list;
+		ent->eq = eq;
 	}
 
 	return ent;

parser/parser_policy.c

@@ -172,9 +172,10 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
 	cod->entries = entry;
 }
 
-void post_process_nt_entries(struct codomain *cod)
+void post_process_file_entries(struct codomain *cod)
 {
 	struct cod_entry *entry;
+	int cp_mode = 0;
 
 	list_for_each(cod->entries, entry) {
 		if (entry->nt_name) {
@@ -193,6 +194,27 @@ void post_process_nt_entries(struct codomain *cod)
 			entry->namespace = NULL;
 			entry->nt_name = NULL;
 		}
+		/* FIXME: currently change_profile also implies onexec */
+		cp_mode |= entry->mode & (AA_CHANGE_PROFILE);
+	}
+
+	/* if there are change_profile rules, this implies that we need
+	 * access to /proc/self/attr/current
+	 */
+	if (cp_mode & AA_CHANGE_PROFILE) {
+		/* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
+		struct cod_entry *new_ent;
+		char *buffer = strdup("/proc/*/attr/{current,exec}");
+		if (!buffer) {
+			PERROR("Memory allocation error\n");
+			exit(1);
+		}
+		new_ent = new_entry(NULL, buffer, AA_MAY_WRITE, NULL);
+		if (!new_ent) {
+			PERROR("Memory allocation error\n");
+			exit(1);
+		}
+		add_entry_to_policy(cod, new_ent);
 	}
 }
 

parser/parser_regex.c

@@ -510,19 +510,28 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 			return FALSE;
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
+		char *vec[3];
+		char lbuf[PATH_MAX + 8];
+		int index = 1;
+
+		/* allow change_profile for all execs */
+		vec[0] = "/[^\\x00]*";
+
 		if (entry->namespace) {
-			char *vec[2];
-			char lbuf[PATH_MAX + 8];
 			int pos;
 			ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
-			vec[0] = lbuf;
-			vec[1] = tbuf;
-			if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec, dfaflags))
-			    return FALSE;
-		} else {
-		  if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, dfaflags))
-				return FALSE;
+			vec[index++] = lbuf;
 		}
+		vec[index++] = tbuf;
+
+		/* regular change_profile rule */
+		if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+			return FALSE;
+		/* onexec rules - both rules are needed for onexec */
+		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, 1, vec, dfaflags))
+			return FALSE;
+		if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags))
+			return FALSE;
 	}
 	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
 		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
@@ -692,7 +701,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 	char *p = buffer;
 	int i, len = 0;
 
-	if (flags == 0xffffffff) {
+	if (flags == MS_ALL_FLAGS) {
 		/* all flags are optional */
 		len = snprintf(p, size, "[^\\000]*");
 		if (len < 0 || len >= size)
@@ -704,7 +713,8 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 			len = snprintf(p, size, "(\\x%02x|)", i + 1);
 		else if (flags & (1 << i))
 			len = snprintf(p, size, "\\x%02x", i + 1);
-		/* else     no entry = not set */
+		else	/* no entry = not set */
+			continue;
 
 		if (len < 0 || len >= size)
 			return FALSE;
@@ -712,6 +722,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		size -= len;
 	}
 
+	/* this needs to go once the backend is updated. */
 	if (buffer == p) {
 		/* match nothing - use impossible 254 as regex parser doesn't
 		 * like the empty string
@@ -719,7 +730,7 @@ static int build_mnt_flags(char *buffer, int size, unsigned int flags,
 		if (size < 9)
 			return FALSE;
 
-		strcpy(p, "(\\0xfe|)");
+		strcpy(p, "(\\xfe|)");
 	}
 
 	return TRUE;
@@ -774,6 +785,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	char optsbuf[PATH_MAX + 3];
 	char *p, *vec[5];
 	int count = 0;
+	unsigned int flags, inv_flags;
 
 	/* a single mount rule may result in multiple matching rules being
 	 * created in the backend to cover all the possible choices
@@ -781,6 +793,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
 	    && !entry->device && !entry->dev_type) {
+		int allow;
 		/* remount can't be conditional on device and type */
 		p = mntbuf;
 		/* rule class single byte header */
@@ -801,18 +814,43 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		vec[1] = devbuf;
 		/* skip type */
 		vec[2] = devbuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_REMOUNT_FLAGS,
-				     entry->inv_flags & MS_REMOUNT_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_REMOUNT_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
 			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
 	    && !entry->dev_type && !entry->opts) {
@@ -829,9 +867,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_BIND_FLAGS,
-				     entry->inv_flags & MS_BIND_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_BIND_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -856,9 +899,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 			goto fail;
 		vec[1] = devbuf;
 		vec[2] = devbuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_MAKE_FLAGS,
-				     entry->inv_flags & MS_MAKE_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MAKE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -884,9 +932,14 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!convert_entry(typebuf, PATH_MAX +3, NULL))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & MS_MOVE_FLAGS,
-				     entry->inv_flags & MS_MOVE_FLAGS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= MS_MOVE_FLAGS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
 		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
@@ -896,6 +949,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 	}
 	if ((entry->allow & AA_MAY_MOUNT) &&
 	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+		int allow;
 		/* generic mount if flags are set that are not covered by
 		 * above commands
 		 */
@@ -911,18 +965,41 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 		if (!build_list_val_expr(typebuf, PATH_MAX+2, entry->dev_type))
 			goto fail;
 		vec[2] = typebuf;
-		if (!build_mnt_flags(flagsbuf, PATH_MAX,
-				     entry->flags & ~MS_CMDS,
-				     entry->inv_flags & ~MS_CMDS))
+
+		flags = entry->flags;
+		inv_flags = entry->inv_flags;
+		if (flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (inv_flags != MS_ALL_FLAGS)
+			flags &= ~MS_CMDS;
+		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 			goto fail;
 		vec[3] = flagsbuf;
-		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
-			goto fail;
-		vec[4] = optsbuf;
-		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
-				       entry->audit, 5, vec, dfaflags))
+
+		if (entry->opts)
+			allow = AA_MATCH_CONT;
+		else
+			allow = entry->allow;
+
+		/* rule for match without required data || data MATCH_CONT */
+		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+				       entry->audit | AA_AUDIT_MNT_DATA, 4,
+				       vec, dfaflags))
 			goto fail;
 		count++;
+
+		if (entry->opts) {
+			/* rule with data match required */
+			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+				goto fail;
+			vec[4] = optsbuf;
+			if (!aare_add_rule_vec(dfarules, entry->deny,
+					       entry->allow,
+					       entry->audit | AA_AUDIT_MNT_DATA,
+					       5, vec, dfaflags))
+				goto fail;
+			count++;
+		}
 	}
 	if (entry->allow & AA_MAY_UMOUNT) {
 		p = mntbuf;

parser/parser_yacc.y

@@ -121,6 +121,7 @@ void add_local_entry(struct codomain *cod);
 %token TOK_REMOUNT
 %token TOK_UMOUNT
 %token TOK_PIVOTROOT
+%token TOK_IN
 
  /* rlimits */
 %token TOK_RLIMIT
@@ -256,7 +257,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
 		if (force_complain)
 			cod->flags.complain = 1;
 
-		post_process_nt_entries(cod);
+		post_process_file_entries(cod);
 		post_process_mnt_entries(cod);
 		PDEBUG("%s: flags='%s%s'\n",
 		       $2,
@@ -435,10 +436,6 @@ flagvals:	flagvals flagval
 		    (PATH_CHROOT_REL | PATH_NS_REL))
 			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));
 
-		if (!($1.path & PATH_NS_REL))
-			/* default to chroot relative profiles */
-			$1.path |= PATH_CHROOT_REL;
-
 		if (($1.path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) ==
 		    (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))
 			yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted"));
@@ -963,7 +960,7 @@ frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 
 file_rule: TOK_FILE TOK_END_OF_RULE
 	{
-		char *path = strdup("/**");
+		char *path = strdup("/{**,}");
 		int perms = ((AA_BASE_PERMS & ~AA_EXEC_TYPE) |
 			     (AA_EXEC_INHERIT | AA_MAY_EXEC));
 		/* duplicate to other permission set */
@@ -1072,7 +1069,7 @@ cond: TOK_CONDID TOK_EQUALS TOK_VALUE
 		struct value_list *value = new_value_list($3);
 		if (!value)
 			yyerror(_("Memory allocation error."));
-		ent = new_cond_entry($1, value);
+		ent = new_cond_entry($1, 1, value);
 		if (!ent) {
 			free_value_list(value);
 			yyerror(_("Memory allocation error."));
@@ -1082,7 +1079,17 @@ cond: TOK_CONDID TOK_EQUALS TOK_VALUE
 
 cond: TOK_CONDID TOK_EQUALS TOK_OPENPAREN valuelist TOK_CLOSEPAREN
 	{
-		struct cond_entry *ent = new_cond_entry($1, $4);
+		struct cond_entry *ent = new_cond_entry($1, 1, $4);
+
+		if (!ent)
+			yyerror(_("Memory allocation error."));
+		$$ = ent;
+	}
+
+
+cond: TOK_CONDID TOK_IN TOK_OPENPAREN valuelist TOK_CLOSEPAREN
+	{
+		struct cond_entry *ent = new_cond_entry($1, 0, $4);
 
 		if (!ent)
 			yyerror(_("Memory allocation error."));
@@ -1116,14 +1123,23 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
 		$$ = do_mnt_rule($2, NULL, NULL, $3, AA_MAY_UMOUNT);
 	}
 
-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_END_OF_RULE
+mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
 	{
-		$$ = do_pivot_rule($2, $3, NULL);
-	}
+		char *name = NULL;
+		if ($4.present && $4.namespace) {
+			name = malloc(strlen($4.namespace) +
+				      strlen($4.name) + 3);
+			if (!name) {
+				PERROR("Memory allocation error\n");
+				exit(1);
+			}
+			sprintf(name, ":%s:%s", $4.namespace, $4.name);
+			free($4.namespace);
+			free($4.name);
+		} else if ($4.present)
+			name = $4.name;
 
-mnt_rule: TOK_PIVOTROOT opt_conds opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
-	{
-		$$ = do_pivot_rule($2, $3, $5);
+		$$ = do_pivot_rule($2, $3, name);
 	}
 
 hat_start: TOK_CARET {}
@@ -1315,18 +1331,20 @@ struct mnt_entry *do_pivot_rule(struct cond_entry *old, char *root,
 				char *transition)
 {
 	struct mnt_entry *ent = NULL;
-
+	char *device = NULL;
 	if (old) {
 		if (strcmp(old->name, "oldroot") != 0)
 			yyerror(_("invalid pivotroot conditional '%s'"), old->name);
+		if (old->vals) {
+			device = old->vals->value;
+			old->vals->value = NULL;
+		}
+		free_cond_entry(old);
 	}
 
-	ent = new_mnt_entry(NULL, old->vals->value, NULL, root,
+	ent = new_mnt_entry(NULL, device, NULL, root,
 			    AA_MAY_PIVOTROOT);
 	ent->trans = transition;
 
-	old->vals->value = NULL;
-	free_cond_entry(old);
-
 	return ent;
 }

parser/tst/minimize.sh

@@ -75,7 +75,7 @@
 # {a} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles basic perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -90,7 +90,7 @@ echo "ok"
 # {9} (0x 12804a/0/2800a/0)
 # {c} (0x 40030/0/0/0)
 echo -n "Minimize profiles audit perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -109,7 +109,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles deny perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -127,7 +127,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles audit deny perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 5 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -159,7 +159,7 @@ echo "ok"
 #
 
 echo -n "Minimize profiles xtrans "
-if [ `echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 3 ] ; then
+if [ `echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 3 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -167,7 +167,7 @@ echo "ok"
 
 # same test as above + audit
 echo -n "Minimize profiles audit xtrans "
-if [ `echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 3 ] ; then
+if [ `echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 3 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -180,7 +180,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/14005)
 
 echo -n "Minimize profiles deny xtrans "
-if [ `echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 1 ] ; then
+if [ `echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 1 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -192,7 +192,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/0)
 
 echo -n "Minimize profiles audit deny xtrans "
-if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '(.*)$' | wc -l` -ne 1 ] ; then
+if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 0 ] ; then
     echo "failed"
     exit 1;
 fi

parser/tst/simple_tests/mount/in_1.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (rw) -> /foo,
+}

parser/tst/simple_tests/mount/in_2.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (rw, ro) -> /foo,
+}

parser/tst/simple_tests/mount/in_3.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (rw ro) -> /foo,
+}

parser/tst/simple_tests/mount/in_4.sd

@@ -0,0 +1,7 @@
+#
+#=Description basic mount rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  mount options in (rw ro) fstype=procfs -> /foo,
+}

profiles/apparmor.d/usr.lib.dovecot.imap-login

@@ -11,6 +11,7 @@
   capability sys_chroot,
 
   network inet stream,
+  network inet6 stream,
 
   /usr/lib/dovecot/imap-login mr,
   /{,var/}run/dovecot/login/ r,

tests/regression/apparmor/Makefile

@@ -8,6 +8,7 @@
 SRC=access.c \
     introspect.c \
     changeprofile.c \
+    onexec.c \
     changehat.c \
     changehat_fork.c \
     changehat_misc.c \
@@ -110,6 +111,7 @@ TESTS=access \
       introspect \
       capabilities \
       changeprofile \
+      onexec \
       changehat \
       changehat_fork \
       changehat_misc \

tests/regression/apparmor/capabilities.sh

@@ -109,16 +109,16 @@ for TEST in ${TESTS} ; do
 	# okay, now check to see if the capability functions from within
 	# a subprofile.
 	settest ${testwrapper}
-	genprofile hat:${TEST} addimage:${bin}/${TEST} ${my_entries}
-	runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg}
+	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
+	runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
 		else
 			expected_result=fail
 		fi
-		genprofile hat:${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
-		runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} ${TEST} ${my_arg}
+		genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
+		runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg}
 	done
 
 done

tests/regression/apparmor/changehat_wrapper.c

@@ -154,7 +154,7 @@ int main(int argc, char *argv[]) {
 			perror ("FAIL: child malloc");
 			return -1;
 		}
-		sprintf (pname, "./%s", argv[optind]);
+		sprintf (pname, "%s", argv[optind]);
 		
 		rc = !manual ? change_hat(argv[optind], magic_token) 
 			     : manual_change_hat(argv[optind], manual_string); 
@@ -173,7 +173,7 @@ int main(int argc, char *argv[]) {
 			perror("FAIL: pipe failed");
 			exit(1);
 		}
-		
+
 		exit(execv(pname, &argv[optind]));
 	}
 
@@ -190,7 +190,7 @@ int main(int argc, char *argv[]) {
 
 	if ((WEXITSTATUS(waitstatus) == 0) && strcmp("PASS\n", buf) == 0) {
 		printf("PASS\n");
-	} 
+	}
 
 	return WEXITSTATUS(waitstatus);
 }

tests/regression/apparmor/introspect.c

@@ -31,7 +31,8 @@ int main(int argc, char *argv[])
         }
 
         if (strcmp(argv[1], "self") == 0){
-		if (aa_getcon(&profile, &mode) == -1) {
+		rc = aa_getcon(&profile, &mode);
+		if (rc == -1) {
 			int serrno = errno;
                         fprintf(stderr,
 				"FAIL: introspect_confinement %s failed - %s\n",
@@ -47,12 +48,15 @@ int main(int argc, char *argv[])
 				"FAIL: query_confinement - invalid pid: %s\n",
 				argv[1]);
 			exit(serrno);
-		} else if (aa_gettaskcon(pid, &profile, &mode) == -1) {
-			int serrno = errno;
-                        fprintf(stderr,
-				"FAIL: query_confinement %s failed - %s\n",
-                                argv[1], strerror(errno));
-                        exit(serrno);
+		} else {
+			rc = aa_gettaskcon(pid, &profile, &mode);
+			if (rc == -1) {
+				int serrno = errno;
+				fprintf(stderr,
+					"FAIL: query_confinement %s failed - %s\n",
+					argv[1], strerror(errno));
+				exit(serrno);
+			}
 		}
 	}
 	if (strcmp(profile, argv[2]) != 0) {
@@ -61,6 +65,21 @@ int main(int argc, char *argv[])
 			profile);
 		exit(1);
 	}
+	if (mode) {
+		if (rc != strlen(profile) + strlen(mode) + 4) {
+			/* rc includes mode. + 2 null term + 1 ( + 1 space */
+			fprintf(stderr,
+				"FAIL: expected return len %d != actual %d\n",
+				strlen(profile) + strlen(mode) + 4, rc);
+			exit(1);
+		}
+	} else if (rc != strlen(profile) + 1) {
+		/* rc includes null termination */
+		fprintf(stderr,
+			"FAIL: expected return len %d != actual %d\n",
+			strlen(profile) + 1, rc);
+		exit(1);
+	}
 	if (argv[3] && (!mode || strcmp(mode, argv[3]) != 0)) {
 		fprintf(stderr,
 			"FAIL: expected mode \"%s\" != \"%s\"\n", argv[3],

tests/regression/apparmor/mkprofile.pl

@@ -16,6 +16,7 @@ my $nowarn = '';
 my $nodefault;
 my $noimage;
 my $escape = '';
+my $usestdin = '';
 my %output_rules;
 my $hat = "__no_hat";
 my %flags;
@@ -26,19 +27,22 @@ GetOptions(
   'help|h' => \$help,
   'nodefault|N' => \$nodefault,
   'noimage|I' => \$noimage,
+  'stdin' => \$usestdin,
 );
 
 sub usage {
   print STDERR "$__VERSION__\n";
   print STDERR "Usage $0 [--nowarn|--escape] execname [rules]\n";
   print STDERR "      $0 --help\n";
+  print STDERR "      $0 --stdin\n";
   print STDERR "  nowarn:      don't warn if execname does not exist\n";
   print STDERR "  nodefault:   don't include default rules/ldd output\n";
   print STDERR "  escape:      escape stuff that would be treated as regexs\n";
   print STDERR "  help:        print this message\n";
 }
 
-&usage && exit 0 if ($help || @ARGV < 1);
+# genprofile passes in $bin:w as default rule atm
+&usage && exit 0 if ($help || (!$usestdin && @ARGV < 1) || ($usestdin && @ARGV != 2));
 
 sub head ($) {
   my $file = shift;
@@ -214,34 +218,6 @@ sub gen_addimage($) {
   }
 }
 
-my $bin = shift @ARGV;
-!(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such file or directory\n";
-
-unless ($nodefault) {
-  gen_default_rules();
-  gen_binary($bin);
-}
-
-for my $rule (@ARGV) {
-  #($fn, @rules) = split (/:/, $rule);
-  if ($rule =~ /^(tcp|udp)/) {
-    # netdomain rules
-    gen_netdomain($rule);
-  } elsif ($rule =~ /^network:/) {
-    gen_network($rule);
-  } elsif ($rule =~ /^cap:/) {
-    gen_cap($rule);
-  } elsif ($rule =~ /^flag:/) {
-    gen_flag($rule);
-  } elsif ($rule =~ /^hat:/) {
-    gen_hat($rule);
-  } elsif ($rule =~ /^addimage:/) {
-    gen_addimage($rule);
-  } else {
-    gen_file($rule);
-  }
-}
-
 sub emit_flags($) {
   my $hat = shift;
 
@@ -255,26 +231,99 @@ sub emit_flags($) {
   }
 }
 
-print STDOUT "# Profile autogenerated by $__VERSION__\n";
-print STDOUT "$bin ";
-emit_flags('__no_hat');
-print STDOUT "{\n";
-foreach my $outrule (@{$output_rules{'__no_hat'}}) {
-  print STDOUT $outrule;
-}
-foreach my $hat (keys %output_rules) {
-  if (not $hat =~ /^__no_hat$/) {
-    print STDOUT "\n  ^$hat";
-    emit_flags($hat);
-    print STDOUT " {\n";
-    foreach my $outrule (@{$output_rules{$hat}}) {
-      print STDOUT "  $outrule";
+# generate profiles based on cmd line arguments
+sub gen_from_args() {
+  my $bin = shift @ARGV;
+  !(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such file or directory\n";
+
+  unless ($nodefault) {
+    gen_default_rules();
+    gen_binary($bin);
+  }
+
+  for my $rule (@ARGV) {
+    #($fn, @rules) = split (/:/, $rule);
+    if ($rule =~ /^(tcp|udp)/) {
+      # netdomain rules
+      gen_netdomain($rule);
+    } elsif ($rule =~ /^network:/) {
+      gen_network($rule);
+    } elsif ($rule =~ /^cap:/) {
+      gen_cap($rule);
+    } elsif ($rule =~ /^flag:/) {
+      gen_flag($rule);
+    } elsif ($rule =~ /^hat:/) {
+      gen_hat($rule);
+    } elsif ($rule =~ /^addimage:/) {
+      gen_addimage($rule);
+    } else {
+      gen_file($rule);
+    }
+  }
+
+  print STDOUT "# Profile autogenerated by $__VERSION__\n";
+  print STDOUT "$bin ";
+  emit_flags('__no_hat');
+  print STDOUT "{\n";
+  foreach my $outrule (@{$output_rules{'__no_hat'}}) {
+    print STDOUT $outrule;
+  }
+  foreach my $hat (keys %output_rules) {
+    if (not $hat =~ /^__no_hat$/) {
+      print STDOUT "\n  ^$hat";
+      emit_flags($hat);
+      print STDOUT " {\n";
+      foreach my $outrule (@{$output_rules{$hat}}) {
+        print STDOUT "  $outrule";
+      }
+      print STDOUT "  }\n";
+    }
+  }
+  #foreach my $hat keys
+  #foreach my $outrule (@output_rules) {
+  #  print STDOUT $outrule;
+  #}
+  print STDOUT "}\n";
+}
+
+#generate the profiles from stdin, interpreting and replacing the following sequences
+# @{gen_elf name} - generate rules for elf binaries
+# @{gen_bin name} - generate rules for a binary
+# @{gen_def} - generate default rules
+# @{gen name} - do @{gen_def} @{gen_bin name}
+
+sub emit_and_clear_rules() {
+  foreach my $outrule (@{$output_rules{'__no_hat'}}) {
+    print STDOUT $outrule;
+  }
+
+  undef %output_rules;
+}
+
+sub gen_from_stdin() {
+  while(<STDIN>) {
+    chomp;
+    if ($_ =~ m/@\{gen_def}/) {
+      gen_default_rules();
+      emit_and_clear_rules();
+    } elsif ($_ =~ m/@\{gen_bin\s+(.+)\}/) {
+      gen_binary($1);
+      emit_and_clear_rules();
+    } elsif ($_ =~ m/@\{gen_elf\s+(.+)\}/) {
+      gen_elf_binary($1);
+      emit_and_clear_rules();
+    } elsif ($_ =~ m/@\{gen\s+(.+)\}/) {
+      gen_default_rules();
+      gen_binary($1);
+      emit_and_clear_rules();
+    } else {
+      print STDOUT "$_\n" ;
     }
-    print STDOUT "  }\n";
   }
 }
-#foreach my $hat keys
-#foreach my $outrule (@output_rules) {
-#  print STDOUT $outrule;
-#}
-print STDOUT "}\n";
+
+if ($usestdin) {
+  gen_from_stdin();
+} else {
+  gen_from_args();
+}

tests/regression/apparmor/onexec.c

@@ -0,0 +1,58 @@
+/*
+ *	Copyright (C) 2002-2005 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <linux/unistd.h>
+
+#include <sys/apparmor.h>
+#include "changehat.h"
+
+int main(int argc, char *argv[])
+{
+	int rc = 0;
+
+	extern char **environ;
+
+	if (argc < 3){
+		fprintf(stderr, "usage: %s profile executable args\n",
+			argv[0]);
+		return 1;
+	}
+
+	/* change profile if profile name != nochange */
+	if (strcmp(argv[1], "nochange") != 0){
+		rc = aa_change_onexec(argv[1]);
+		if (rc == -1){
+			fprintf(stderr, "FAIL: change_onexec %s failed - %s\n",
+				argv[1], strerror(errno));
+			exit(errno);
+		}
+	}
+
+	/* stop after onexec and wait to for continue before exec so
+	 * caller can introspect task */
+	(void)kill(getpid(), SIGSTOP);
+
+	(void)execve(argv[2], &argv[2], environ);
+	/* exec failed, kill outselves to flag parent */
+
+	rc = errno;
+
+	fprintf(stderr, "FAIL: exec to '%s' failed\n", argv[2]);
+
+	return rc;
+}

tests/regression/apparmor/onexec.sh

@@ -0,0 +1,181 @@
+#! /bin/bash
+#	Copyright (C) 2012 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME onexec
+#=DESCRIPTION 
+# Verifies basic file access permission checks for change_onexec
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+file=$tmpdir/file
+subfile=$tmpdir/file2
+okperm=rw
+
+othertest="$pwd/rename"
+subtest="sub"
+fqsubbase="$pwd/onexec"
+fqsubtest="$fqsubbase//$subtest"
+subtest2="$pwd//sub2"
+subtest3="$pwd//sub3"
+
+onexec="/proc/*/attr/exec"
+
+touch $file $subfile
+
+check_exec()
+{
+    local rc
+    local actual
+    actual=`cat /proc/$1/attr/exec 2>/dev/null`
+    rc=$?
+
+    # /proc/$1/attr/exec returns invalid argument if onexec has not been called
+    if [ $rc -ne 0 ] ; then
+	if [ "$2" == "nochange" ] ; then
+	    return 0
+	fi
+	echo "ONEXEC - exec transition not set"
+	return $rc
+    fi
+    if [ "${actual% (*)}" != "$2" ] ; then
+	echo "ONEXEC - check exec '${actual% (*)}' != expected '$2'"
+	return 1
+    fi
+
+    return 0
+}
+
+check_current()
+{
+    local rc
+    local actual
+    actual=`cat /proc/$1/attr/current 2>/dev/null`
+    rc=$?
+
+    # /proc/$1/attr/current return enoent if the onexec process already exited due to error
+    if [ $rc -ne 0 ] ; then
+	return $rc
+    fi
+
+    if [ "${actual% (*)}" != "$2" ] ; then
+	echo "ONEXEC - check current '${actual% (*)}' != expected '$2'"
+	return 1
+    fi
+
+    return 0
+}
+
+do_test()
+{
+    local desc="$1"
+    local prof="$2"
+    local target_prof="$3"
+    local res="$4"
+    shift 4
+
+    #ignore prologue.inc error trapping that catches our subfn return values
+
+    runtestbg "ONEXEC $desc ($prof -> $target_prof)" $res $target_prof "$@"
+    # check that transition does not happen before exec, and that transition
+    # is set
+    
+    if ! check_current $_pid $prof ; then
+	checktestfg
+	return
+    fi
+
+    if ! check_exec $_pid $target_prof ; then
+	checktestfg
+	return
+    fi
+
+    kill -CONT $_pid
+
+    checktestbg
+}
+
+
+# ONEXEC from UNCONFINED - don't change profile
+do_test "" unconfined nochange pass $bin/open $file
+
+# ONEXEC from UNCONFINED - target does NOT exist
+genprofile image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
+do_test "" unconfined noexist fail $bin/open $file
+
+# ONEXEC from UNCONFINED - change to rw profile, no exec profile to override
+genprofile image=$bin/rw $bin/open:rix $file:rw
+do_test "no px profile" unconfined $bin/rw pass $bin/open $file
+
+# ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied
+genprofile image=$bin/rw $bin/open:px $file:rw  -- image=$bin/open $file:rw
+do_test "nochange px" unconfined nochange pass $bin/open $file
+
+# ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
+genprofile image=$bin/rw $bin/open:px $file:rw  -- image=$bin/open
+do_test "override px" unconfined $bin/rw pass $bin/open $file
+
+#------
+
+# ONEXEC from CONFINED - don't change profile, open can't exec
+genprofile 'change_profile->':$bin/rw $onexec:w
+do_test "no px perm" $bin/onexec nochange fail $bin/open $file
+
+# ONEXEC from CONFINED - don't change profile, open is run unconfined
+genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w
+do_test "nochange rux" $bin/onexec nochange pass $bin/open $file
+
+# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
+genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/open $file:rw
+do_test "nochange px - no px perm" $bin/onexec nochange fail $bin/open $file
+
+# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
+genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w -- image=$bin/open
+do_test "nochange px - no file perm" $bin/onexec nochange fail $bin/open $file
+
+# ONEXEC from CONFINED - target does NOT exist
+genprofile 'change_profile->':$bin/open $onexec:w -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
+do_test "noexist px" $bin/onexec noexist fail $bin/open $file
+
+# ONEXEC from CONFINED - change to rw profile, no exec profile to override
+genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw
+do_test "change profile - override rix" $bin/onexec $bin/rw pass $bin/open $file
+
+# ONEXEC from CONFINED - change to rw profile, no exec profile to override
+genprofile 'change_profile->':$bin/rw -- image=$bin/rw $bin/open:rix $file:rw
+do_test "change profile - no onexec:w" $bin/onexec $bin/rw fail $bin/open $file
+
+# ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
+genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open $file:rw
+do_test "nochange px" $bin/onexec nochange pass $bin/open $file
+
+# ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
+genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
+do_test "override px" $bin/onexec $bin/rw pass $bin/open $file
+
+# ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
+genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix  -- image=$bin/open $file:rw
+do_test "override px" $bin/onexec $bin/rw fail $bin/open $file
+
+# ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
+genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
+do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
+
+# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
+genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open
+do_test "glob override px" $bin/onexec $bin/open fail $bin/open $file
+
+# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
+genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw  -- image=$bin/open $file:rw
+do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
+

tests/regression/apparmor/prologue.inc

@@ -42,6 +42,12 @@ testfailed()
 	# global num_testfailures teststatus
 	num_testfailures=$(($num_testfailures + 1))
 	teststatus="fail"
+
+	# if we are retaining the tmpdir we are debugging failures so
+	# stop so it can be looked at
+	if [ $retaintmpdir == "true" ] ; then
+	   exit 127
+	fi
 }
 
 error_handler()

tests/regression/apparmor/readdir.sh

@@ -26,14 +26,20 @@ badperm=ix
 
 mkdir $dir
 
-# CHDIR TEST
-
+# READDIR TEST
 genprofile $dir/:$okperm
-
 runchecktest "READDIR" pass $dir
 
-# CHDIR TEST (no perm)
-
+# READDIR TEST (no perm)
 genprofile $dir/:$badperm
-
 runchecktest "READDIR (no perm)" fail $dir
+
+# this test is to make sure the raw 'file' rule allows access
+# to directories
+genprofile file
+runchecktest "READDIR 'file' dir" pass $dir
+
+# this test is to make sure the raw 'file' rule allows access
+# to '/'
+genprofile file
+runchecktest "READDIR 'file' '/'" pass '/'

utils/Immunix/AppArmor.pm

@@ -748,22 +748,12 @@ sub create_new_profile($) {
     my $fqdbin = shift;
 
     my $profile;
-    if ($fqdbin =~ /^\// ) {
-	$profile = {
-	    $fqdbin => {
-		flags   => "complain",
-		include => { "abstractions/base" => 1    },
-		path    => { $fqdbin => { mode => str_to_mode("mr") } },
-	    }
-	};
-    } else {
-	$profile = {
-	    $fqdbin => {
-		flags   => "complain",
-		include => { "abstractions/base" => 1    },
-	    }
-	};
-    }
+    $profile = {
+	$fqdbin => {
+	    flags   => "complain",
+	    include => { "abstractions/base" => 1    },
+	}
+    };
 
     # if the executable exists on this system, pull in extra dependencies
     if (-f $fqdbin) {
@@ -771,12 +761,12 @@ sub create_new_profile($) {
         if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
             my $interpreter = get_full_path($1);
             $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("r");
-            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= 0;
+            $profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
             $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
             if ($interpreter =~ /perl/) {
                 $profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
-            } elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
+            } elsif ($interpreter =~ m/\/bin\/(bash|dash|sh)/) {
                 $profile->{$fqdbin}{include}->{"abstractions/bash"} = 1;
             } elsif ($interpreter =~ m/python/) {
                 $profile->{$fqdbin}{include}->{"abstractions/python"} = 1;
@@ -785,6 +775,8 @@ sub create_new_profile($) {
             }
             handle_binfmt($profile->{$fqdbin}, $interpreter);
         } else {
+          $profile->{$fqdbin}{allow}{path}->{$fqdbin}{mode} |= str_to_mode("mr");
+          $profile->{$fqdbin}{allow}{path}->{$fqdbin}{audit} |= 0;
           handle_binfmt($profile->{$fqdbin}, $fqdbin);
         }
     }
@@ -798,6 +790,7 @@ sub create_new_profile($) {
         }
     }
     push @created, $fqdbin;
+    $DEBUGGING && debug( Data::Dumper->Dump([$profile], [qw(*profile)]));
     return { $fqdbin => $profile };
 }
 
@@ -2398,8 +2391,18 @@ sub handlechildren($$$) {
 				# put in enforce mode with genprof
 				$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
 
+				# autodep our new child
+				my $stub_profile = create_new_profile($hat);
+
 				$sd{$profile}{$hat}{flags} = 'complain';
 				$sd{$profile}{$hat}{allow}{path} = { };
+				if (defined $stub_profile->{$hat}{$hat}{allow}{path}) {
+				  $sd{$profile}{$hat}{allow}{path} = $stub_profile->{$hat}{$hat}{allow}{path};
+				}
+				$sd{$profile}{$hat}{include} = { };
+				if (defined $stub_profile->{$hat}{$hat}{include}) {
+				  $sd{$profile}{$hat}{include} = $stub_profile->{$hat}{$hat}{include};
+				}
 				$sd{$profile}{$hat}{allow}{netdomain} = { };
 				my $file = $sd{$profile}{$profile}{filename};
 				$filelist{$file}{profiles}{$profile}{$hat} = 1;
@@ -2850,7 +2853,21 @@ sub add_event_to_tree ($) {
                           $e->{name},
 			  ""
                         );
-        }
+        } elsif (defined $e->{name}) {
+            add_to_tree( $e->{pid},
+			 $e->{parent},
+                          "exec",
+                          $profile,
+                          $hat,
+                          $prog,
+                          $sdmode,
+                          $e->{denied_mask},
+                          $e->{name},
+			  ""
+                        );
+        } else {
+            $DEBUGGING && debug "add_event_to_tree: dropped exec event in $e->{profile}";
+	}
     } elsif ($e->{operation} =~ m/file_/) {
         add_to_tree( $e->{pid},
 		     $e->{parent},

utils/Makefile

@@ -28,7 +28,7 @@ endif
 
 MODDIR = Immunix
 PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
-	aa-unconfined aa-notify aa-disable
+	aa-unconfined aa-notify aa-disable aa-exec
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
@@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
 
 all: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) -C po all
+	$(MAKE) -C vim all
 
 # need some better way of determining this
 DESTDIR=/
@@ -59,16 +60,35 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	install -m 644 ${MODULES} ${PERLDIR}
 	$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C vim install DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 .PHONY: clean
+ifndef VERBOSE
 .SILENT: clean
+endif
 clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
 	$(MAKE) -C po clean
+	$(MAKE) -C vim clean
 
-check:
+# ${CAPABILITIES} is defined in common/Make.rules
+.PHONY: check_severity_db
+.SILENT: check_severity_db
+check_severity_db: /usr/include/linux/capability.h severity.db
+	# The sed statement is based on the one in the parser's makefile
+	RC=0 ; for cap in ${CAPABILITIES} ; do \
+	    if !  grep -q -w $${cap} severity.db ; then \
+		echo "Warning! capability $${cap} not found in severity.db" ; \
+		RC=1 ; \
+	    fi ;\
+	done ; \
+	test "$$RC" -eq 0
+
+.PHONY: check
+.SILENT: check
+check: check_severity_db
 	for i in ${MODULES} ${PERLTOOLS} ; do \
 		perl -c $$i || exit 1; \
 	done

utils/aa-exec

@@ -0,0 +1,124 @@
+#!/usr/bin/perl
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011-2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+use strict;
+use warnings;
+use Errno;
+
+require LibAppArmor;
+require POSIX;
+require Time::Local;
+require File::Basename;
+
+my $opt_d = '';
+my $opt_h = '';
+my $opt_p = '';
+my $opt_n = '';
+my $opt_i = '';
+my $opt_v = '';
+my $opt_f = '';
+
+sub _warn {
+    my $msg = $_[0];
+    print STDERR "aa-exec: WARN: $msg\n";
+}
+sub _error {
+    my $msg = $_[0];
+    print STDERR "aa-exec: ERROR: $msg\n";
+    exit 1
+}
+
+sub _debug {
+    $opt_d or return;
+    my $msg = $_[0];
+    print STDERR "aa-exec: DEBUG: $msg\n";
+}
+
+sub _verbose {
+    $opt_v or return;
+    my $msg = $_[0];
+    print STDERR "$msg\n";
+}
+
+sub usage() {
+    my $s = <<'EOF';
+USAGE: aa-exec [OPTIONS] <prog> <args>
+
+Confine <prog> with the specified PROFILE.
+
+OPTIONS:
+  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
+  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
+  -f FILE, --file FILE		profile file to load
+  -i, --immediate		change profile immediately instead of at exec
+  -v, --verbose			show messages with stats
+  -h, --help			display this help
+
+EOF
+    print $s;
+}
+
+use Getopt::Long;
+
+GetOptions(
+    'debug|d'        => \$opt_d,
+    'help|h'         => \$opt_h,
+    'profile|p=s'    => \$opt_p,
+    'namespace|n=s'  => \$opt_n,
+    'file|f=s'       => \$opt_f,
+    'immediate|i'    => \$opt_i,
+    'verbose|v'      => \$opt_v,
+);
+
+if ($opt_h) {
+    usage();
+    exit(0);
+}
+
+if ($opt_n || $opt_p) {
+   my $test;
+   my $prof;
+
+   if ($opt_n) {
+      $prof = ":$opt_n:";
+   }
+
+   $prof .= $opt_p;
+
+   if ($opt_f) {
+       system("apparmor_parser", "-r", "$opt_f") == 0
+	   or _error("\'aborting could not load $opt_f\'");
+   }
+
+   if ($opt_i) {
+       _verbose("aa_change_profile(\"$prof\")");
+       $test = LibAppArmor::aa_change_profile($prof);
+       _debug("$test = aa_change_profile(\"$prof\"); $!");
+   } else {
+       _verbose("aa_change_onexec(\"$prof\")");
+       $test = LibAppArmor::aa_change_onexec($prof);
+       _debug("$test = aa_change_onexec(\"$prof\"); $!");
+   }
+
+   if ($test != 0) {
+       if ($!{ENOENT} || $!{EACCESS}) {
+	   my $pre = ($opt_p) ? "profile" : "namespace";
+	   _error("$pre \'$prof\' does not exist\n");
+       } elsif ($!{EINVAL}) {
+	   _error("AppArmor interface not available\n");
+       } else {
+	   _error("$!\n");
+       }
+   }
+}
+
+_verbose("exec @ARGV");
+exec @ARGV;

utils/aa-exec.pod

@@ -0,0 +1,97 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-exec - confine a program with the specified AppArmor profile
+
+=head1 SYNOPSIS
+
+B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
+
+=head1 DESCRIPTION
+
+B<aa-exec> is used to launch a program confined by the specified profile
+and or namespace.  If both a profile and namespace are specified command
+will be confined by profile in the new policy namespace.  If only a namespace
+is specified, the profile name of the current confinement will be used.  If
+neither a profile or namespace is specified command will be run using
+standard profile attachment (ie. as if run without the aa-exec command).
+
+If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
+by aa-exec then -- should be used to separate aa-exec arguments from the
+command.
+  aa-exec -p profile1 -- ls -l
+
+=head1 OPTIONS
+B<aa-exec> accepts the following arguments:
+
+=over 4
+
+=item -p PROFILE, --profile=PROFILE
+
+confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
+use the current profile name (likely unconfined).
+
+=item -n NAMESPACE, --namespace=NAMESPACE
+
+use profiles in NAMESPACE.  This will result in confinement transitioning
+to using the new profile namespace.
+
+=item -f FILE, --file=FILE
+
+a file or directory containing profiles to load before confining the program.
+
+=item -i, --immediate
+
+transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This
+subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
+of the current profile.
+
+=item -v, --verbose
+
+show commands being performed
+
+=item -d, --debug
+
+show commands and error codes
+
+=item --
+
+Signal the end of options and disables further option processing. Any
+arguments after the -- are treated as arguments of the command.  This is
+useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
+aa-exec.
+
+=back
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
+aa_change_onexec(3) and L<http://wiki.apparmor.net>.
+
+=cut

utils/apparmor.vim

@@ -1,234 +0,0 @@
-" $Id: apparmor.vim,v 1.11 2011/01/31 22:48:07 cb Exp $
-"
-" ----------------------------------------------------------------------
-"    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
-"    Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
-"      
-"    This program is free software; you can redistribute it and/or
-"    modify it under the terms of version 2 of the GNU General Public
-"    License as published by the Free Software Foundation.
-"      
-"    This program is distributed in the hope that it will be useful,
-"    but WITHOUT ANY WARRANTY; without even the implied warranty of
-"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-"    GNU General Public License for more details.
-"      
-"    You should have received a copy of the GNU General Public License
-"    along with this program; if not, contact Novell, Inc.
-"      
-"    To contact Novell about this file by physical or electronic mail, 
-"    you may find current contact information at www.novell.com.
-"
-"    To contact Christian Boltz about this file by physical or electronic
-"    mail, you may find current contact information at www.cboltz.de/en/kontakt.
-"
-"    If you want to report a bug via bugzilla.novell.com, please assign it
-"    to suse-beta[AT]cboltz.de (replace [AT] with @).
-" ----------------------------------------------------------------------
-"
-" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc 
-" to have vim automagically use this syntax file for these directories:
-"
-" autocmd BufNewFile,BufRead /etc/apparmor.d/*        set syntax=apparmor
-" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor
-
-" profiles are case sensitive
-syntax case match
-
-" color setup...
-
-" adjust colors according to the background
-
-" switching colors depending on the background color doesn't work
-" unfortunately, so we use colors that work with light and dark background.
-" Patches welcome ;-)
-
-"if &background == "light"
-" light background
-	hi sdProfileName ctermfg=lightblue
-	hi sdHatName ctermfg=darkblue
-	hi sdExtHat ctermfg=darkblue
-"	hi sdComment2 ctermfg=darkblue
-	hi sdGlob       ctermfg=darkmagenta
-	hi sdAlias      ctermfg=darkmagenta
-	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
-	hi sdEntryUX     ctermfg=darkred cterm=underline
-	hi sdEntryUXe     ctermfg=darkred
-	hi sdEntryIX     ctermfg=darkcyan
-	hi sdEntryM     ctermfg=darkcyan
-	hi sdEntryPX     ctermfg=darkgreen cterm=underline
-	hi sdEntryPXe     ctermfg=darkgreen
-	hi sdEntryW     ctermfg=darkyellow
-	hi sdCap	ctermfg=lightblue
-	hi sdSetCap     ctermfg=black ctermbg=yellow
-	hi sdNetwork	ctermfg=lightblue
-	hi sdNetworkDanger ctermfg=darkred
-	hi sdCapKey	cterm=underline ctermfg=lightblue
-	hi sdCapDanger ctermfg=darkred
-	hi sdRLimit ctermfg=lightblue
-	hi def link sdEntryR Normal
-	hi def link sdEntryK Normal
-	hi def link sdFlags Normal
-	hi sdEntryChangeProfile     ctermfg=darkgreen cterm=underline
-"else 
-" dark background
-"	hi sdProfileName ctermfg=white
-"	hi sdHatName ctermfg=white
-"	hi sdGlob       ctermfg=magenta
-"	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
-"	hi sdEntryUX     ctermfg=red cterm=underline
-"	hi sdEntryUXe     ctermfg=red
-"	hi sdEntryIX     ctermfg=cyan
-"	hi sdEntryM     ctermfg=cyan
-"	hi sdEntryPX     ctermfg=green cterm=underline
-"	hi sdEntryPXe     ctermfg=green
-"	hi sdEntryW     ctermfg=yellow
-"	hi sdCap	ctermfg=lightblue
-"	hi sdCapKey	cterm=underline ctermfg=lightblue
-"	hi def link sdEntryR Normal
-"	hi def link sdFlags Normal
-"	hi sdCapDanger ctermfg=red
-"endif
-
-hi def link sdInclude     Include
-high def link sdComment     Comment
-"high def link sdComment2     Comment
-high def link sdFlagKey     TODO
-high def link sdError      ErrorMsg
-
-
-" always sync from the start.  should be relatively quick since we don't have
-" that many rules and profiles shouldn't be _extremely_ large...
-syn sync fromstart
-
-syn keyword	sdFlagKey	complain debug
-
-" highlight invalid syntax
-syn match sdError /{/ contained
-syn match sdError /}/
-syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
-" TODO: do not mark lines containing only whitespace as error
-
-" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
-" This allows incorrect lines also and should be checked better.
-" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
-" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
-syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
-
-syn match sdAlias /\v^alias\s+(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-" syn match sdComment /#.*/
-
-syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
-
-
-" TODO: support audit and deny keywords for all rules (not only for files)
-" TODO: higlight audit and deny keywords everywhere
-
-" Capability line
-
-" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
-syn keyword  sdCapKey          chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
-
-" dangerous capabilities - highlighted separately
-syn keyword sdCapDanger	       sys_admin audit_control audit_write set_fcap mac_override mac_admin
-
-" full line. Keywords are from sdCapKey + sdCapDanger
-syn match  sdCap /\v^\s*(audit\s+)?(deny\s+)?capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" set capability was removed - TODO: remove everywhere in apparmor.vim
-" syn match  sdSetCap /\v^\s*set\s+capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Network line
-" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
-" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
-syn match  sdNetwork         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(stream|dgram|seqpacket|rdm|packet))?(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" network rules containing 'raw'
-syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(raw))(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" 'all networking' includes raw -> mark as dangerous
-syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Change Profile
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-syn match   sdEntryChangeProfile    /\v^\s*change_profile\s+-\>\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" rlimit
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-"
-"syn match sdRLimit /\v^\s*rlimit\s+()\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-
-" link rules
-syn match sdEntryW /\v^\s+(audit\s+)?(deny\s+)?(owner\s+)?link\s+(subset\s+)?(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-
-" file permissions
-"
-" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
-"
-" write + exec/mmap - danger!
-" known bug: accepts 'aw' to keep things simple
-syn match  sdEntryWriteExec /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|a|m|k|[iuUpPcC]x)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" ux(mr) - unconstrained entry, flag the line red
-syn match  sdEntryUX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Ux(mr) - like ux + clean environment
-syn match  sdEntryUXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
-syn match  sdEntryPX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|px|cx|pix|cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
-syn match  sdEntryPXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Px|Cx|Pix|Cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" ix(mr) - standard exec entry, flag the line green
-syn match  sdEntryIX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" mr - mmap with PROT_EXEC
-syn match  sdEntryM /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" if we've got u or i without x, it's an error
-" rule is superfluous because of the '/.*/ is an error' rule ;-)
-"syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write + append is an error also
-"syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(\S*r\S*a\S*|\S*a\S*w\S*)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+\S*(w\S*a|a\S*w)\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write entry, flag the line yellow
-syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" append entry, flag the line yellow
-syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|a|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" read entry + locking, currently no highlighting
-syn match  sdEntryK /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rlk]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" read entry, no highlighting
-syn match  sdEntryR /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-syn match sdExtHat  /\v^\s+(\^|profile\s+)\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment " hat without {...}
-
-
-
-
-syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
-syn match sdProfileStart /{/ contained 
-syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
-                                                " TODO: Removing the $ mark from end= will allow non-comments also :-(
-syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdFlags,sdComment
-syn match sdHatStart /{/ contained 
-syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
-syn match sdFlags /\v((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)/ contained contains=sdFlagKey
-
-syn match sdComment /\s*#.*$/
-" NOTE: contains=sdComment changes #include highlighting to comment color.
-" NOTE: Comment highlighting still works without contains=sdComment.
-syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
-syn match sdInclude /\s*include\s<\S*>/  " TODO: doesn't check until $
-
-" basic profile block...
-" \s+ does not work in end=, therefore using \s\s*
-syn region Normal start=/\v^(profile\s+)?\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
-syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
-
-

utils/severity.db

@@ -14,9 +14,12 @@
        CAP_SYS_MODULE 10
        CAP_SYS_PTRACE 10
        CAP_SYS_RAWIO 10
+       CAP_MAC_ADMIN 10
+       CAP_MAC_OVERRIDE 10
 # Allow other processes to 0wn the machine:
        CAP_SETPCAP 9
-       CAP_CHOWN 9 
+       CAP_SETFCAP 9
+       CAP_CHOWN 9
        CAP_FSETID 9
        CAP_MKNOD 9
        CAP_LINUX_IMMUTABLE 9
@@ -38,9 +41,11 @@
        CAP_LEASE 8
        CAP_IPC_LOCK 8
        CAP_SYS_TTY_CONFIG 8
-       CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_CONTROL 8
        CAP_AUDIT_WRITE 8
+       CAP_SYSLOG 8
+       CAP_WAKE_ALARM 8
+       CAP_DAC_READ_SEARCH 7
 # unused
        CAP_NET_BROADCAST 0
 

utils/vim/Makefile

@@ -1,5 +1,25 @@
-apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
-	sh create-apparmor.vim.sh
+COMMONDIR=../../common/
+
+all:
+include common/Make.rules
+
+COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
+ifeq ($(COMMONDIR_EXISTS), true)
+common/Make.rules: $(COMMONDIR)/Make.rules
+	ln -sf $(COMMONDIR) .
+endif
+
+VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
+
+all: apparmor.vim
+
+apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
+	python create-apparmor.vim.py > $@
+
+install: apparmor.vim
+	install -d $(VIM_INSTALL_PATH)
+	install -m 644 $< $(VIM_INSTALL_PATH)
+
 
 clean:
-	rm -f apparmor.vim
+	rm -f apparmor.vim common

utils/vim/create-apparmor.vim.py

@@ -0,0 +1,118 @@
+#!/usr/bin/python
+#
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    Written by Steve Beattie <steve@nxnw.org>, based on work by
+#    Christian Boltz <apparmor@cboltz.de>
+
+import os
+import re
+import subprocess
+import sys
+
+# dangerous capabilities
+danger_caps=["audit_control",
+             "audit_write",
+             "mac_override",
+             "mac_admin",
+             "set_fcap",
+             "sys_admin",
+             "sys_module",
+             "sys_rawio"]
+
+def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
+    '''Try to execute given command (array) and return its stdout, or
+    return a textual error if it failed.'''
+
+    try:
+        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
+    except OSError, e:
+        return [127, str(e)]
+
+    out, outerr = sp.communicate(input)
+
+    # Handle redirection of stdout
+    if out == None:
+        out = ''
+    # Handle redirection of stderr
+    if outerr == None:
+        outerr = ''
+    return [sp.returncode,out+outerr]
+
+# get capabilities list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+if rc != 0:
+    print >>sys.stderr, ("make list_capabilities failed: " + output)
+    exit(rc)
+
+capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+benign_caps =[]
+for cap in capabilities:
+    if cap not in danger_caps:
+        benign_caps.append(cap)
+
+# get network protos list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+if rc != 0:
+    print >>sys.stderr, ("make list_af_names failed: " + output)
+    exit(rc)
+
+af_names = []
+af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
+for af_pair in af_pairs:
+    af_name = af_pair.lstrip().split(" ")[0]
+    # skip max af name definition
+    if len(af_name) > 0 and af_name != "max":
+        af_names.append(af_name)
+
+# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
+# but not in aa_flags...
+# -> currently (2011-01-11) not, but might come back
+
+aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
+
+aa_flags=['complain',
+          'audit',
+          'attach_disconnect',
+          'no_attach_disconnected',
+          'chroot_attach',
+          'chroot_no_attach',
+          'chroot_relative',
+          'namespace_relative']
+
+filename=r'(\/|\@\{\S*\})\S*'
+
+aa_regex_map = {
+    'FILENAME':         filename,
+    'FILE':             r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
+                        # (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
+    'DENYFILE':         r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
+    'auditdenyowner':   r'(audit\s+)?(deny\s+)?(owner\s+)?',
+    'auditdeny':        r'(audit\s+)?(deny\s+)?',
+    'EOL':              r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
+    'TRANSITION':       r'(\s+-\>\s+\S+)?',
+    'sdKapKey':         " ".join(benign_caps),
+    'sdKapKeyDanger':   " ".join(danger_caps),
+    'sdKapKeyRegex':    "|".join(capabilities),
+    'sdNetworkType':    aa_network_types,
+    'sdNetworkProto':   "|".join(af_names),
+    'flags':            r'((flags\s*\=\s*)?\(\s*(' + '|'.join(aa_flags) + r')(\s*,\s*(' + '|'.join(aa_flags) + r'))*\s*\)\s+)',
+}
+
+def my_repl(matchobj):
+    #print matchobj.group(1)
+    if matchobj.group(1) in aa_regex_map:
+        return aa_regex_map[matchobj.group(1)]
+
+    return matchobj.group(0)
+
+regex = "@@(" + "|".join(aa_regex_map) + ")@@"
+
+with file("apparmor.vim.in") as template:
+    for line in template:
+        line = re.sub(regex, my_repl, line.rstrip())
+        print line

utils/vim/create-apparmor.vim.sh

@@ -1,129 +0,0 @@
-#!/bin/bash
-
-# not-too-dangerous capabilities
-sdKapKey="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease"
-
-# dangerous capabilities
-sdKapKeyDanger="audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio"
-
-sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth"
-
-sdNetworkType='\s+tcp|\s+udp|\s+icmp'
-
-sdFlags="complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative"
-# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey, but not in sdFlags...
-# -> currently (2011-01-11) not, but might come back
-
-sdKapKeyRegex="$(echo "$sdKapKey $sdKapKeyDanger" | sed 's/ /|/g')"
-
-sdFlagsRegex="($sdFlags)"
-
-#	'@@FILE@@'            '\v^\s*((owner\s+)|(audit\s+)|(deny\s+))*(\/|\@\{\S*\})\S*\s+'   \
-replace                                                                                    \
-	'@@FILE@@'            '\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+'     \
-	'@@DENYFILE@@'        '\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+'        \
-    '@@auditdenyowner@@'  '(audit\s+)?(deny\s+)?(owner\s+)?'                               \
-    '@@auditdeny@@'       '(audit\s+)?(deny\s+)?'                                          \
-	'@@FILENAME@@'        '(\/|\@\{\S*\})\S*'                                              \
-	'@@EOL@@'             '\s*,(\s*$|(\s*#.*$)\@=)'                                        \
-	'@@TRANSITION@@'      '(\s+-\>\s+\S+)?'                                                \
-	'@@sdKapKey@@'        "$sdKapKey"                                                      \
-	'@@sdKapKeyDanger@@'  "$sdKapKeyDanger"                                                \
-	'@@sdKapKeyRegex@@'   "$sdKapKeyRegex"                                                 \
-	'@@sdNetworkProto@@'  "$sdNetworkProto"                                                \
-	'@@sdNetworkType@@'   "$sdNetworkType"                                                 \
-	'@@flags@@'           "((flags\s*\=\s*)?\(\s*$sdFlagsRegex(\s*,\s*$sdFlagsRegex)*\s*\)\s+)"         \
-	                                                                                       \
-< apparmor.vim.in                                                                          \
-> apparmor.vim
-
-
-# @@FILE@@: Start of a file rule (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
-# @@FILENAME@@: Just a filename (taken from @@FILE@@)
-# @@EOL@@: End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
-
-
-# I had to learn that vim has a restriction on the number of (...) I may use in
-# a RegEx (up to 9 are allowed), and therefore had to change the RegEx that
-# matches tcp/udp/icmp from "(\s+(tcp|udp|icmp))?" to
-# "(\s+tcp|\s+udp|\s+icmp)?". *argh*
-# (sdNetworkProto could be changed the same way if needed)
-
-
-# TODO: permissions first
-# valid rules:
-# owner rw /foo,
-# owner /foo rw,
-
-# INVALID rules
-# rw owner /foo,
-# rw /foo owner,
-# /foo owner rw,
-# /foo rw owner,
-
-
-# the *** proposed *** syntax for owner= and user= is
-# 
-# owner=<name> <whitespace> <rule>
-# owner='('<names>')' <whitespace> <rule>
-# 
-# where the list followed the syntax for the flags value, however the list
-# syntax part needs to be made consistent, ie. we either need to fix the
-# flags list separator or make the list separator here the same as flags
-# and also fix it for variables, etc.  switching flags to use just whitespace
-# is by far the easiest.
-# 
-# So going with the whitespace separator we would have
-# owner=jj /foo r,
-# owner=(jj) /foo r,
-# owner=(jj smb) /foo r,
-
-# > capability dac_override {
-# >     /file/bar rw,
-# > }
-# > capability chown {
-# >    /file/bar (user1, user2),
-# > }
-# > (Are those things specific to dac_override and chown?)
-# > 
-# Hehe, now your veering even more into unimplemented stuff :)  Those where
-# merely proposed syntax and I don't believe we are using them now.
-# The idea behind those was a way to enhance the capabilities and remain
-# backwards compatible.
-# 
-# And use the syntax for each would have to be capability (or type specific)
-# 
-# eg. for chown we could have a path and user
-# 
-#   chown /foo to (user1 user2),
-# 
-# but for setuid it wouldn't have a path.
-#    setuid to (user1 user2)
-#  
-# 
-# > uses ipc,
-# > ipc rw /profile,
-# > ipc signal w (child) /profile,
-# > deny ipc signal w (kill) /profile,
-# > 
-# > Which keywords can apply to ipc? I'd guess audit and deny. What about 
-# > owner?
-# > 
-# owner and user could be selectively applied but not to allow of ipc
-# 
-# owner doesn't really make sense for signal, but user might this is just
-# another place we need to look at before we commit to the syntax.
-#
-# ipc may hit spring 2011
- 
- 
-# > That all said: are there some example profiles I could use to test 
-# > apparmor.vim?
-# > 
-# Hrmmm, yes.  The goal is to keep adding to the parser test suite, and
-# get it to contain at least on example of every valid syntax and also
-# example profiles of invalid syntax.  I won't say that the coverage
-# is complete yet but it does have hundreds of simple examples.
-# 
-# it can be found in parser/tst/simple_tests/
-#