Subject: add apparmor.vim install target to utils/ install

This patch adds a make install target for the generated apparmor.vim
file, installing by default into /usr/share/apparmor based on IRC
discussions; alternate suggestions welcome. (Installing directly
into the vim syntax tree is difficult as the system path by default
contains the vim version number.)

Makefile

@@ -7,7 +7,7 @@ include common/Make.rules
 DIRS=parser \
      profiles \
      utils \
-     changehat/libapparmor \
+     libraries/libapparmor \
      changehat/mod_apparmor \
      changehat/pam_apparmor \
      tests

common/Make.rules

@@ -150,6 +150,40 @@ _clean:
 	-rm -f ${NAME}-${VERSION}-*.tar.gz
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
+# =====================
+# generate list of capabilities based on
+# /usr/include/sys/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+CAPABILITIES=$(shell echo "\#include <sys/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
+
+.PHONY: list_capabilities
+list_capabilities: /usr/include/linux/capability.h
+	@echo "$(CAPABILITIES)"
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# These are the families that it doesn't make sense for apparmor
+# to mediate. We use PF_ here since that is what is required in
+# bits/socket.h, but we will rewrite these as AF_.
+
+FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+
+__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+
+# emits the AF names in a "AF_NAME NUMBER," pattern
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+
+.PHONY: list_af_names
+list_af_names:
+	@echo "$(AF_NAMES)"
+
 # =====================
 # manpages
 # =====================

common/Version

@@ -1 +1 @@
-2.7.100
+2.7.101

libraries/libapparmor/doc/aa_getcon.pod

@@ -69,7 +69,8 @@ does not handle buffer allocation.
 
 =head1 RETURN VALUE
 
-On success zero is returned. On error, -1 is returned, and
+On success size of data placed in the buffer is returned, this includes the
+mode if present and any terminating characters. On error, -1 is returned, and
 errno(3) is set appropriately.
 
 =head1 ERRORS

libraries/libapparmor/src/kernel_interface.c

@@ -278,11 +278,12 @@ int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode)
 
 	if (rc == -1) {
 		free(buffer);
-		size = -1;
+		*buf = NULL;
+		*mode = NULL;
 	} else
 		*buf = buffer;
 
-	return size;
+	return rc;
 }
 
 static int setprocattr(pid_t tid, const char *attr, const char *buf, int len)
@@ -617,6 +618,7 @@ int aa_getpeercon(int fd, char **con)
 
 	if (rc == -1) {
 		free(buffer);
+		*con = NULL;
 		size = -1;
 	} else
 		*con = buffer;

parser/Makefile

@@ -207,22 +207,18 @@ parser_version.h: Makefile
 	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
 	@mv -f .ver $@
 
-# These are the families that it doesn't make sense for apparmor to mediate.
-# We use PF_ here since that is what is required in bits/socket.h, but we will
-# rewrite these as AF_.
-FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
-
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+# af_names and capabilities generation has moved to common/Make.rules,
+# as well as the filtering that occurs for network protocols that
+# apparmor should not mediate.
 
 .PHONY: af_names.h
 af_names.h:
-	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" > $@
-	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX \\1\n/p" >> $@
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
-	LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
+	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
 tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
 	$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)

parser/apparmor.vim.pod

@@ -16,7 +16,7 @@
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
-#    along with this program; if not, contact Novell, Inc.
+#    along with this program; if not, contact Canonical, Ltd.
 # ----------------------------------------------------------------------
 
 
@@ -28,13 +28,11 @@ apparmor.vim - vim syntax highlighting file for AppArmor profiles
 
 =head1 SYNOPSIS
 
-The SUSE vim package is configured to automatically use syntax
-highlighting for AppArmor policies stored in /etc/apparmor.d/ and the
-extra policies stored in /etc/apparmor/profiles/extras/. If you wish to
-use the syntax highlighting in a specific vim session, you may run:
+Your system may be configured to automatically use syntax highlighting
+for installed AppArmor policies. If not, you can enable syntax highlighting in
+a specific vim session by performing:
 
- :syntax on
- :setf apparmor
+ :set syntax=apparmor
 
 =head1 DESCRIPTION
 

parser/libapparmor_re/hfa.cc

@@ -340,14 +340,8 @@ void DFA::remove_unreachable(dfaflags_t flags)
 					cerr << "unreachable: " << **i;
 					if (*i == start)
 						cerr << " <==";
-					if (!(*i)->perms.is_null()) {
-						cerr << " (0x" << hex 
-						     << (*i)->perms.allow << " " 
-						     << (*i)->perms.deny << " "
-						     << (*i)->perms.audit << " "
-						     << (*i)->perms.quiet << dec
-						     << ')';
-					}
+					if ((*i)->perms.is_accept())
+						(*i)->perms.dump(cerr);
 					cerr << "\n";
 				}
 				State *current = *i;
@@ -366,26 +360,17 @@ void DFA::remove_unreachable(dfaflags_t flags)
 /* test if two states have the same transitions under partition_map */
 bool DFA::same_mappings(State *s1, State *s2)
 {
-	if (s1->otherwise != nonmatching) {
-		if (s2->otherwise == nonmatching)
-			return false;
-		Partition *p1 = s1->otherwise->partition;
-		Partition *p2 = s2->otherwise->partition;
-		if (p1 != p2)
-			return false;
-	} else if (s2->otherwise != nonmatching) {
+	if (s1->otherwise->partition != s2->otherwise->partition)
 		return false;
-	}
 
 	if (s1->trans.size() != s2->trans.size())
 		return false;
+
 	for (StateTrans::iterator j1 = s1->trans.begin(); j1 != s1->trans.end(); j1++) {
 		StateTrans::iterator j2 = s2->trans.find(j1->first);
 		if (j2 == s2->trans.end())
 			return false;
-		Partition *p1 = j1->second->partition;
-		Partition *p2 = j2->second->partition;
-		if (p1 != p2)
+		if (j1->second->partition != j2->second->partition)
 			return false;
 	}
 
@@ -553,10 +538,8 @@ void DFA::minimize(dfaflags_t flags)
 			cerr << *rep << " : ";
 
 		/* update representative state's transitions */
-		if (rep->otherwise != nonmatching) {
-			Partition *partition = rep->otherwise->partition;
-			rep->otherwise = *partition->begin();
-		}
+		rep->otherwise = *rep->otherwise->partition->begin();
+
 		for (StateTrans::iterator c = rep->trans.begin(); c != rep->trans.end(); c++) {
 			Partition *partition = c->second->partition;
 			c->second = *partition->begin();
@@ -573,7 +556,7 @@ void DFA::minimize(dfaflags_t flags)
 			(*i)->label = -1;
 			rep->perms.add((*i)->perms);
 		}
-		if (!rep->perms.is_null())
+		if (rep->perms.is_accept())
 			final_accept++;
 //if ((*p)->size() > 1)
 //cerr << "\n";
@@ -628,16 +611,12 @@ out:
 void DFA::dump(ostream & os)
 {
 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
-		if (*i == start || !(*i)->perms.is_null()) {
+		if (*i == start || (*i)->perms.is_accept()) {
 			os << **i;
 			if (*i == start)
 				os << " <== (allow/deny/audit/quiet)";
-			if (!(*i)->perms.is_null()) {
-				os << " (0x " << hex << (*i)->perms.allow << "/"
-				   << (*i)->perms.deny << "/"
-				   << (*i)->perms.audit << "/"
-				   << (*i)->perms.quiet << ')';
-			}
+			if ((*i)->perms.is_accept())
+				(*i)->perms.dump(os);
 			os << "\n";
 		}
 	}
@@ -651,16 +630,22 @@ void DFA::dump(ostream & os)
 			if (j->second == nonmatching) {
 				excluded.insert(j->first);
 			} else {
-				os << **i << " -> " << *(j)->second << ": 0x"
+				os << **i;
+				if ((*i)->perms.is_accept())
+					os << " ", (*i)->perms.dump(os);
+				os << " -> " << *(j)->second << ": 0x"
 				   << hex << (int) j->first;
 				if (isprint(j->first))
 					os << " " << j->first;
-				os << "\n";
+				os << dec << "\n";
 			}
 		}
 
 		if ((*i)->otherwise != nonmatching) {
-			os << **i << " -> " << *(*i)->otherwise << ": [";
+			os << **i;
+			if ((*i)->perms.is_accept())
+				os << " ", (*i)->perms.dump(os);
+			os << " -> " << *(*i)->otherwise << ": [";
 			if (!excluded.empty()) {
 				os << "^";
 				for (Chars::iterator k = excluded.begin();
@@ -668,7 +653,7 @@ void DFA::dump(ostream & os)
 					if (isprint(*k))
 						os << *k;
 					else
-						os << "\\0x" << hex << (int) *k;
+						os << "\\0x" << hex << (int) *k << dec;
 				}
 			}
 			os << "]\n";
@@ -692,12 +677,10 @@ void DFA::dump_dot_graph(ostream & os)
 		if (*i == start) {
 			os << "\t\tstyle=bold" << "\n";
 		}
-		if (!(*i)->perms.is_null()) {
-			os << "\t\tlabel=\"" << **i << "\\n(0x " << hex
-			   << (*i)->perms.allow << "/"
-			   << (*i)->perms.deny << "/"
-			   << (*i)->perms.audit << "/"
-			   << (*i)->perms.quiet << ")\"\n";
+		if ((*i)->perms.is_accept()) {
+			os << "\t\tlabel=\"" << **i << "\\n";
+			(*i)->perms.dump(os);
+			os << "\"\n";
 		}
 		os << "\t]" << "\n";
 	}
@@ -714,7 +697,7 @@ void DFA::dump_dot_graph(ostream & os)
 				if (isprint(j->first))
 					os << j->first;
 				else
-					os << "\\0xhex" << (int) j->first;
+					os << "\\0x" << hex << (int) j->first << dec;
 
 				os << "\"\n\t]" << "\n";
 			}
@@ -729,7 +712,7 @@ void DFA::dump_dot_graph(ostream & os)
 					if (isprint(*i))
 						os << *i;
 					else
-						os << "\\0x" << hex << (int) *i;
+						os << "\\0x" << hex << (int) *i << dec;
 				}
 				os << "]\"" << "\n";
 			}

parser/libapparmor_re/hfa.h

@@ -43,7 +43,14 @@ class perms_t {
 public:
 	perms_t(void) throw(int): allow(0), deny(0), audit(0), quiet(0), exact(0) { };
 
-	bool is_null(void) { return !(allow | deny | audit | quiet); }
+	bool is_accept(void) { return (allow | audit | quiet); }
+
+	void dump(ostream &os)
+	{
+		os << " (0x " << hex
+		   << allow << "/" << deny << "/" << audit << "/" << quiet
+		   << ')' << dec;
+	}
 
 	void clear(void) { allow = deny = audit = quiet = 0; }
 	void add(perms_t &rhs)
@@ -99,7 +106,7 @@ public:
 			allow &= ~deny;
 			quiet &= deny;
 			deny = 0;
-			return is_null();
+			return !is_accept();
 		}
 		return 0;
 	}

parser/mount.h

@@ -85,7 +85,6 @@
 			 MS_BORN | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| \
 			 MS_KERNMOUNT | MS_STRICTATIME)
 
-#define MS_REMOUNT_FLAGS (MS_REMOUNT | MNT_FLAGS)
 #define MS_BIND_FLAGS (MS_BIND | MS_REC)
 #define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED | \
 			MS_REC) | (MS_ALL_FLAGS & ~(MNT_FLAGS)))
@@ -93,6 +92,7 @@
 
 #define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_PRIVATE | MS_SLAVE | \
 		 MS_SHARED | MS_UNBINDABLE)
+#define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT))
 
 #define MNT_SRC_OPT 1
 #define MNT_DST_OPT 2

parser/tst/minimize.sh

@@ -127,7 +127,7 @@ echo "ok"
 # {c} (0x 40030/0/0/0)
 
 echo -n "Minimize profiles audit deny perms "
-if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 6 ] ; then
+if [ `echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 5 ] ; then
     echo "failed"
     exit 1;
 fi
@@ -192,7 +192,7 @@ echo "ok"
 # {3} (0x 0/fe17f85/0/0)
 
 echo -n "Minimize profiles audit deny xtrans "
-if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 1 ] ; then
+if [ `echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ../apparmor_parser -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep '^{.*} (.*)$' | wc -l` -ne 0 ] ; then
     echo "failed"
     exit 1;
 fi

tests/regression/apparmor/introspect.c

@@ -31,7 +31,8 @@ int main(int argc, char *argv[])
         }
 
         if (strcmp(argv[1], "self") == 0){
-		if (aa_getcon(&profile, &mode) == -1) {
+		rc = aa_getcon(&profile, &mode);
+		if (rc == -1) {
 			int serrno = errno;
                         fprintf(stderr,
 				"FAIL: introspect_confinement %s failed - %s\n",
@@ -47,12 +48,15 @@ int main(int argc, char *argv[])
 				"FAIL: query_confinement - invalid pid: %s\n",
 				argv[1]);
 			exit(serrno);
-		} else if (aa_gettaskcon(pid, &profile, &mode) == -1) {
-			int serrno = errno;
-                        fprintf(stderr,
-				"FAIL: query_confinement %s failed - %s\n",
-                                argv[1], strerror(errno));
-                        exit(serrno);
+		} else {
+			rc = aa_gettaskcon(pid, &profile, &mode);
+			if (rc == -1) {
+				int serrno = errno;
+				fprintf(stderr,
+					"FAIL: query_confinement %s failed - %s\n",
+					argv[1], strerror(errno));
+				exit(serrno);
+			}
 		}
 	}
 	if (strcmp(profile, argv[2]) != 0) {
@@ -61,6 +65,21 @@ int main(int argc, char *argv[])
 			profile);
 		exit(1);
 	}
+	if (mode) {
+		if (rc != strlen(profile) + strlen(mode) + 4) {
+			/* rc includes mode. + 2 null term + 1 ( + 1 space */
+			fprintf(stderr,
+				"FAIL: expected return len %d != actual %d\n",
+				strlen(profile) + strlen(mode) + 4, rc);
+			exit(1);
+		}
+	} else if (rc != strlen(profile) + 1) {
+		/* rc includes null termination */
+		fprintf(stderr,
+			"FAIL: expected return len %d != actual %d\n",
+			strlen(profile) + 1, rc);
+		exit(1);
+	}
 	if (argv[3] && (!mode || strcmp(mode, argv[3]) != 0)) {
 		fprintf(stderr,
 			"FAIL: expected mode \"%s\" != \"%s\"\n", argv[3],

tests/regression/apparmor/readdir.sh

@@ -26,14 +26,20 @@ badperm=ix
 
 mkdir $dir
 
-# CHDIR TEST
-
+# READDIR TEST
 genprofile $dir/:$okperm
-
 runchecktest "READDIR" pass $dir
 
-# CHDIR TEST (no perm)
-
+# READDIR TEST (no perm)
 genprofile $dir/:$badperm
-
 runchecktest "READDIR (no perm)" fail $dir
+
+# this test is to make sure the raw 'file' rule allows access
+# to directories
+genprofile file
+runchecktest "READDIR 'file' dir" pass $dir
+
+# this test is to make sure the raw 'file' rule allows access
+# to '/'
+genprofile file
+runchecktest "READDIR 'file' '/'" pass '/'

utils/Makefile

@@ -28,7 +28,7 @@ endif
 
 MODDIR = Immunix
 PERLTOOLS = aa-genprof aa-logprof aa-autodep aa-audit aa-complain aa-enforce \
-	aa-unconfined aa-notify aa-disable
+	aa-unconfined aa-notify aa-disable aa-exec
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
@@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5
 
 all: ${MANPAGES} ${HTMLMANPAGES}
 	$(MAKE) -C po all
+	$(MAKE) -C vim all
 
 # need some better way of determining this
 DESTDIR=/
@@ -59,6 +60,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	install -m 644 ${MODULES} ${PERLDIR}
 	$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C vim install DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 .PHONY: clean
@@ -67,8 +69,24 @@ clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
 	$(MAKE) -C po clean
+	$(MAKE) -C vim clean
 
-check:
+# ${CAPABILITIES} is defined in common/Make.rules
+.PHONY: check_severity_db
+.SILENT: check_severity_db
+check_severity_db: /usr/include/sys/capability.h severity.db
+	# The sed statement is based on the one in the parser's makefile
+	RC=0 ; for cap in ${CAPABILITIES} ; do \
+	    if !  grep -q -w $${cap} severity.db ; then \
+		echo "Warning! capability $${cap} not found in severity.db" ; \
+		RC=1 ; \
+	    fi ;\
+	done ; \
+	test "$$RC" -eq 0
+
+.PHONY: check
+.SILENT: check
+check: check_severity_db
 	for i in ${MODULES} ${PERLTOOLS} ; do \
 		perl -c $$i || exit 1; \
 	done

utils/aa-exec

@@ -0,0 +1,124 @@
+#!/usr/bin/perl
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+use strict;
+use warnings;
+use Errno;
+
+require LibAppArmor;
+require POSIX;
+require Time::Local;
+require File::Basename;
+
+my $opt_d = '';
+my $opt_h = '';
+my $opt_p = '';
+my $opt_n = '';
+my $opt_i = '';
+my $opt_v = '';
+my $opt_f = '';
+
+sub _warn {
+    my $msg = $_[0];
+    print STDERR "aa-exec: WARN: $msg\n";
+}
+sub _error {
+    my $msg = $_[0];
+    print STDERR "aa-exec: ERROR: $msg\n";
+    exit 1
+}
+
+sub _debug {
+    $opt_d or return;
+    my $msg = $_[0];
+    print STDERR "aa-exec: DEBUG: $msg\n";
+}
+
+sub _verbose {
+    $opt_v or return;
+    my $msg = $_[0];
+    print STDERR "$msg\n";
+}
+
+sub usage() {
+    my $s = <<'EOF';
+USAGE: aa-exec [OPTIONS] <prog> <args>
+
+Confine <prog> with the specified PROFILE.
+
+OPTIONS:
+  -p PROFILE, --profile=PROFILE		PROFILE to confine <prog> with
+  -n NAMESPACE, --namespace=NAMESPACE	NAMESPACE to confine <prog> in
+  -f FILE, --file FILE		profile file to load
+  -i, --immediate		change profile immediately instead of at exec
+  -v, --verbose			show messages with stats
+  -h, --help			display this help
+
+EOF
+    print $s;
+}
+
+use Getopt::Long;
+
+GetOptions(
+    'debug|d'        => \$opt_d,
+    'help|h'         => \$opt_h,
+    'profile|p=s'    => \$opt_p,
+    'namespace|n=s'  => \$opt_n,
+    'file|f=s'       => \$opt_f,
+    'immediate|i'    => \$opt_i,
+    'verbose|v'      => \$opt_v,
+);
+
+if ($opt_h) {
+    usage();
+    exit(0);
+}
+
+if ($opt_n || $opt_p) {
+   my $test;
+   my $prof;
+
+   if ($opt_n) {
+      $prof = ":$opt_n:";
+   }
+
+   $prof .= $opt_p;
+
+   if ($opt_f) {
+       system("apparmor_parser", "-r", "$opt_f") == 0
+	   or _error("\'aborting could not load $opt_f\'");
+   }
+
+   if ($opt_i) {
+       _verbose("aa_change_profile(\"$prof\")");
+       $test = LibAppArmor::aa_change_profile($prof);
+       _debug("$test = aa_change_profile(\"$prof\"); $!");
+   } else {
+       _verbose("aa_change_onexec(\"$prof\")");
+       $test = LibAppArmor::aa_change_onexec($prof);
+       _debug("$test = aa_change_onexec(\"$prof\"); $!");
+   }
+
+   if ($test != 0) {
+       if ($!{ENOENT} || $!{EACCESS}) {
+	   my $pre = ($opt_p) ? "profile" : "namespace";
+	   _error("$pre \'$prof\' does not exist\n");
+       } elsif ($!{EINVAL}) {
+	   _error("AppArmor interface not available\n");
+       } else {
+	   _error("$!\n");
+       }
+   }
+}
+
+_verbose("exec @ARGV");
+exec @ARGV;

utils/aa-exec.pod

@@ -0,0 +1,95 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd
+# essentially adheres to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa-exec - confine a program with the specified AppArmor profile
+
+=head1 SYNOPSIS
+
+B<aa-exec> [options] [--] [I<E<lt>commandE<gt>> ...]
+
+=head1 DESCRIPTION
+
+B<aa-exec> is used to launch a program confined by the specified profile
+and or namespace.  If both a profile and namespace are specified command
+will be confined by profile in the new policy namespace.  If only a namespace
+is specified, the profile name of the current confinement will be used.  If
+neither a profile or namespace is specified command will be run using
+standard profile attachment (ie. as if run without the aa-exec command).
+
+If the arguments are to be pasted to the I<E<lt>commandE<gt>> being invoked
+by aa-exec then -- should be used to separate aa-exec arguments from the
+command.
+  aa-exec -p profile1 -- ls -l
+
+=head1 OPTIONS
+B<aa-exec> accepts the following arguments:
+
+=over 4
+
+=item -p PROFILE, --profile=PROFILE
+
+confine I<E<lt>commandE<gt>> with PROFILE. If the PROFILE is not specified
+use the current profile name (likely unconfined).
+
+=item -n NAMESPACE, --namespace=NAMESPACE
+
+use profiles in NAMESPACE.  This will result in confinement transitioning
+to using the new profile namespace.
+
+=item -f FILE, --file=FILE
+
+a file or directory containing profiles to load before confining the program.
+
+=item -i, --immediate
+
+transition to PROFILE before doing executing I<E<lt>commandE<gt>>.  This
+subjects the running of I<E<lt>commandE<gt>> to the exec transition rules
+of the current profile.
+
+=item -v, --verbose
+
+show commands being performed
+
+=item -d, --debug
+
+show commands and error codes
+
+=item --
+
+Signal the end of options and disables further option processing. Any
+arguments after the -- are treated as arguments of the command.  This is
+useful when passing arguments to the I<E<lt>commandE<gt>> being invoked by
+aa-exec.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L<http://https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
+aa_change_onexec(3) and L<http://wiki.apparmor.net>.
+
+=cut

utils/apparmor.vim

@@ -1,234 +0,0 @@
-" $Id: apparmor.vim,v 1.11 2011/01/31 22:48:07 cb Exp $
-"
-" ----------------------------------------------------------------------
-"    Copyright (c) 2005 Novell, Inc. All Rights Reserved.
-"    Copyright (c) 2006-2011 Christian Boltz. All Rights Reserved.
-"      
-"    This program is free software; you can redistribute it and/or
-"    modify it under the terms of version 2 of the GNU General Public
-"    License as published by the Free Software Foundation.
-"      
-"    This program is distributed in the hope that it will be useful,
-"    but WITHOUT ANY WARRANTY; without even the implied warranty of
-"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-"    GNU General Public License for more details.
-"      
-"    You should have received a copy of the GNU General Public License
-"    along with this program; if not, contact Novell, Inc.
-"      
-"    To contact Novell about this file by physical or electronic mail, 
-"    you may find current contact information at www.novell.com.
-"
-"    To contact Christian Boltz about this file by physical or electronic
-"    mail, you may find current contact information at www.cboltz.de/en/kontakt.
-"
-"    If you want to report a bug via bugzilla.novell.com, please assign it
-"    to suse-beta[AT]cboltz.de (replace [AT] with @).
-" ----------------------------------------------------------------------
-"
-" stick this file into ~/.vim/syntax/ and add these commands into your .vimrc 
-" to have vim automagically use this syntax file for these directories:
-"
-" autocmd BufNewFile,BufRead /etc/apparmor.d/*        set syntax=apparmor
-" autocmd BufNewFile,BufRead /etc/apparmor/profiles/* set syntax=apparmor
-
-" profiles are case sensitive
-syntax case match
-
-" color setup...
-
-" adjust colors according to the background
-
-" switching colors depending on the background color doesn't work
-" unfortunately, so we use colors that work with light and dark background.
-" Patches welcome ;-)
-
-"if &background == "light"
-" light background
-	hi sdProfileName ctermfg=lightblue
-	hi sdHatName ctermfg=darkblue
-	hi sdExtHat ctermfg=darkblue
-"	hi sdComment2 ctermfg=darkblue
-	hi sdGlob       ctermfg=darkmagenta
-	hi sdAlias      ctermfg=darkmagenta
-	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
-	hi sdEntryUX     ctermfg=darkred cterm=underline
-	hi sdEntryUXe     ctermfg=darkred
-	hi sdEntryIX     ctermfg=darkcyan
-	hi sdEntryM     ctermfg=darkcyan
-	hi sdEntryPX     ctermfg=darkgreen cterm=underline
-	hi sdEntryPXe     ctermfg=darkgreen
-	hi sdEntryW     ctermfg=darkyellow
-	hi sdCap	ctermfg=lightblue
-	hi sdSetCap     ctermfg=black ctermbg=yellow
-	hi sdNetwork	ctermfg=lightblue
-	hi sdNetworkDanger ctermfg=darkred
-	hi sdCapKey	cterm=underline ctermfg=lightblue
-	hi sdCapDanger ctermfg=darkred
-	hi sdRLimit ctermfg=lightblue
-	hi def link sdEntryR Normal
-	hi def link sdEntryK Normal
-	hi def link sdFlags Normal
-	hi sdEntryChangeProfile     ctermfg=darkgreen cterm=underline
-"else 
-" dark background
-"	hi sdProfileName ctermfg=white
-"	hi sdHatName ctermfg=white
-"	hi sdGlob       ctermfg=magenta
-"	hi sdEntryWriteExec     ctermfg=black ctermbg=yellow
-"	hi sdEntryUX     ctermfg=red cterm=underline
-"	hi sdEntryUXe     ctermfg=red
-"	hi sdEntryIX     ctermfg=cyan
-"	hi sdEntryM     ctermfg=cyan
-"	hi sdEntryPX     ctermfg=green cterm=underline
-"	hi sdEntryPXe     ctermfg=green
-"	hi sdEntryW     ctermfg=yellow
-"	hi sdCap	ctermfg=lightblue
-"	hi sdCapKey	cterm=underline ctermfg=lightblue
-"	hi def link sdEntryR Normal
-"	hi def link sdFlags Normal
-"	hi sdCapDanger ctermfg=red
-"endif
-
-hi def link sdInclude     Include
-high def link sdComment     Comment
-"high def link sdComment2     Comment
-high def link sdFlagKey     TODO
-high def link sdError      ErrorMsg
-
-
-" always sync from the start.  should be relatively quick since we don't have
-" that many rules and profiles shouldn't be _extremely_ large...
-syn sync fromstart
-
-syn keyword	sdFlagKey	complain debug
-
-" highlight invalid syntax
-syn match sdError /{/ contained
-syn match sdError /}/
-syn match sdError /^.*$/ contains=sdComment "highlight all non-valid lines as error
-" TODO: do not mark lines containing only whitespace as error
-
-" TODO: the sdGlob pattern is not anchored with ^ and $, so it matches all lines matching ^@{...}.*
-" This allows incorrect lines also and should be checked better.
-" This also (accidently ;-) includes variable definitions (@{FOO}=/bar)
-" TODO: make a separate pattern for variable definitions, then mark sdGlob as contained
-syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]|\@\{[a-zA-Z][a-zA-Z0-9_]*\}/
-
-syn match sdAlias /\v^alias\s+(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-" syn match sdComment /#.*/
-
-syn cluster sdEntry contains=sdEntryWriteExec,sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryPXe,sdEntryUX,sdEntryUXe,sdEntryM,sdCap,sdSetCap,sdExtHat,sdRLimit,sdNetwork,sdNetworkDanger,sdEntryChangeProfile
-
-
-" TODO: support audit and deny keywords for all rules (not only for files)
-" TODO: higlight audit and deny keywords everywhere
-
-" Capability line
-
-" normal capabilities - really keep this list? syn match sdCap should be enough... (difference: sdCapKey words would loose underlining)
-syn keyword  sdCapKey          chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
-
-" dangerous capabilities - highlighted separately
-syn keyword sdCapDanger	       sys_admin audit_control audit_write set_fcap mac_override mac_admin
-
-" full line. Keywords are from sdCapKey + sdCapDanger
-syn match  sdCap /\v^\s*(audit\s+)?(deny\s+)?capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" set capability was removed - TODO: remove everywhere in apparmor.vim
-" syn match  sdSetCap /\v^\s*set\s+capability\s+(chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|sys_admin|audit_control|audit_write|set_fcap|mac_override|mac_admin)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Network line
-" Syntax: network domain (inet, ...) type (stream, ...) protocol (tcp, ...)
-" TODO: 'owner' isn't supported, but will be (JJ, 2011-01-11)
-syn match  sdNetwork         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(stream|dgram|seqpacket|rdm|packet))?(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" network rules containing 'raw'
-syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network(\s+(inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth))?(\s+(raw))(\s+tcp|\s+udp|\s+icmp)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" 'all networking' includes raw -> mark as dangerous
-syn match  sdNetworkDanger         /\v^\s*(audit\s+)?(deny\s+)?network\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" Change Profile
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-syn match   sdEntryChangeProfile    /\v^\s*change_profile\s+-\>\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-
-" rlimit
-" TODO: audit and deny support will be added (JJ, 2011-01-11)
-"
-"syn match sdRLimit /\v^\s*rlimit\s+()\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(nofile|nproc|rtprio)\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(locks|sigpending)\s+\<\=\s+[0-9]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+(fsize|data|stack|core|rss|as|memlock|msgqueue)\s+\<\=\s+[0-9]+([KMG])?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-syn match sdRLimit /\v^\s*set\s+rlimit\s+nice\s+\<\=\s+(-1?[0-9]|-20|1?[0-9])\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment
-
-" link rules
-syn match sdEntryW /\v^\s+(audit\s+)?(deny\s+)?(owner\s+)?link\s+(subset\s+)?(\/|\@\{\S*\})\S*\s+-\>\s+(\/|\@\{\S*\})\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob
-
-
-" file permissions
-"
-" TODO: Support filenames enclosed in quotes ("/home/foo/My Documents/") - ideally by only allowing quotes pair-wise
-"
-" write + exec/mmap - danger!
-" known bug: accepts 'aw' to keep things simple
-syn match  sdEntryWriteExec /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|a|m|k|[iuUpPcC]x)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" ux(mr) - unconstrained entry, flag the line red
-syn match  sdEntryUX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Ux(mr) - like ux + clean environment
-syn match  sdEntryUXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Ux)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" px/cx/pix/cix(mrk) - standard exec entry, flag the line blue
-syn match  sdEntryPX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|px|cx|pix|cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" Px/Cx/Pix/Cix(mrk) - like px/cx + clean environment
-syn match  sdEntryPXe /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|Px|Cx|Pix|Cix)+(\s+-\>\s+\S+)?\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" ix(mr) - standard exec entry, flag the line green
-syn match  sdEntryIX /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k|ix)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" mr - mmap with PROT_EXEC
-syn match  sdEntryM /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(r|m|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" if we've got u or i without x, it's an error
-" rule is superfluous because of the '/.*/ is an error' rule ;-)
-"syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k|u|p|i)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write + append is an error also
-"syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(\S*r\S*a\S*|\S*a\S*w\S*)\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-syn match  sdError /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+\S*(w\S*a|a\S*w)\S*\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" write entry, flag the line yellow
-syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|w|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" append entry, flag the line yellow
-syn match  sdEntryW /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+(l|r|a|k)+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-" read entry + locking, currently no highlighting
-syn match  sdEntryK /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rlk]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-" read entry, no highlighting
-syn match  sdEntryR /\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
-
-syn match sdExtHat  /\v^\s+(\^|profile\s+)\S+\s*,(\s*$|(\s*#.*$)\@=)/ contains=sdComment " hat without {...}
-
-
-
-
-syn match sdProfileName /\v^((profile\s+)?\/\S+|profile\s+([a-zA-Z0-9]\S*\s)?\S+)\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdHatName,sdFlags,sdComment,sdGlob
-syn match sdProfileStart /{/ contained 
-syn match sdProfileEnd /^}\s*(#.*)?$/ contained " TODO: syn region does not (yet?) allow usage of comment in end=
-                                                " TODO: Removing the $ mark from end= will allow non-comments also :-(
-syn match sdHatName /\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ contains=sdProfileStart,sdFlags,sdComment
-syn match sdHatStart /{/ contained 
-syn match sdHatEnd /}/ contained " TODO: allow comments + [same as for syn match sdProfileEnd]
-syn match sdFlags /\v((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)/ contained contains=sdFlagKey
-
-syn match sdComment /\s*#.*$/
-" NOTE: contains=sdComment changes #include highlighting to comment color.
-" NOTE: Comment highlighting still works without contains=sdComment.
-syn match sdInclude /\s*#include\s<\S*>/ " TODO: doesn't check until $
-syn match sdInclude /\s*include\s<\S*>/  " TODO: doesn't check until $
-
-" basic profile block...
-" \s+ does not work in end=, therefore using \s\s*
-syn region Normal start=/\v^(profile\s+)?\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdProfileEnd end=/^}\s*$/ contains=sdProfileName,Hat,@sdEntry,sdComment,sdError,sdInclude
-syn region Hat start=/\v^\s+(\^|profile\s+)\S+\s+((flags\s*\=\s*)?\(\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)(\s*,\s*(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative))*\s*\)\s+)=\{/ matchgroup=sdHatEnd end=/^\s\s*}\s*$/ contains=sdHatName,@sdEntry,sdComment,sdError,sdInclude
-
-

utils/severity.db

@@ -14,9 +14,12 @@
        CAP_SYS_MODULE 10
        CAP_SYS_PTRACE 10
        CAP_SYS_RAWIO 10
+       CAP_MAC_ADMIN 10
+       CAP_MAC_OVERRIDE 10
 # Allow other processes to 0wn the machine:
        CAP_SETPCAP 9
-       CAP_CHOWN 9 
+       CAP_SETFCAP 9
+       CAP_CHOWN 9
        CAP_FSETID 9
        CAP_MKNOD 9
        CAP_LINUX_IMMUTABLE 9
@@ -38,9 +41,11 @@
        CAP_LEASE 8
        CAP_IPC_LOCK 8
        CAP_SYS_TTY_CONFIG 8
-       CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_CONTROL 8
        CAP_AUDIT_WRITE 8
+       CAP_SYSLOG 8
+       CAP_WAKE_ALARM 8
+       CAP_DAC_READ_SEARCH 7
 # unused
        CAP_NET_BROADCAST 0
 

utils/vim/Makefile

@@ -1,5 +1,25 @@
-apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh
-	sh create-apparmor.vim.sh
+COMMONDIR=../../common/
+
+all:
+include common/Make.rules
+
+COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] && echo true))
+ifeq ($(COMMONDIR_EXISTS), true)
+common/Make.rules: $(COMMONDIR)/Make.rules
+	ln -sf $(COMMONDIR) .
+endif
+
+VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
+
+all: apparmor.vim
+
+apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
+	python create-apparmor.vim.py > $@
+
+install: apparmor.vim
+	install -d $(VIM_INSTALL_PATH)
+	install -m 644 $< $(VIM_INSTALL_PATH)
+
 
 clean:
 	rm -f apparmor.vim

utils/vim/create-apparmor.vim.py

@@ -0,0 +1,108 @@
+#!/usr/bin/python
+#
+#    Copyright (C) 2012 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    Written by Steve Beattie <steve@nxnw.org>, based on work by
+#    Christian Boltz <apparmor@cboltz.de>
+
+import os
+import re
+import subprocess
+import sys
+
+# dangerous capabilities
+danger_caps=["audit_control",
+             "audit_write",
+             "mac_override",
+             "mac_admin",
+             "set_fcap",
+             "sys_admin",
+             "sys_module",
+             "sys_rawio"]
+
+aa_network_types=r'\s+tcp|\s+udp|\s+icmp'
+
+aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)'
+
+def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None):
+    '''Try to execute given command (array) and return its stdout, or
+    return a textual error if it failed.'''
+
+    try:
+        sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True)
+    except OSError, e:
+        return [127, str(e)]
+
+    out, outerr = sp.communicate(input)
+
+    # Handle redirection of stdout
+    if out == None:
+        out = ''
+    # Handle redirection of stderr
+    if outerr == None:
+        outerr = ''
+    return [sp.returncode,out+outerr]
+
+# get capabilities list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+if rc != 0:
+    print >>sys.stderr, ("make list_capabilities failed: " + output)
+    exit(rc)
+
+capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+benign_caps =[]
+for cap in capabilities:
+    if cap not in danger_caps:
+        benign_caps.append(cap)
+
+# get network protos list
+(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+if rc != 0:
+    print >>sys.stderr, ("make list_af_names failed: " + output)
+    exit(rc)
+
+af_names = []
+af_pairs = re.sub('AF_', '', output.strip()).lower().split(",")
+for af_pair in af_pairs:
+    af_name = af_pair.lstrip().split(" ")[0]
+    # skip max af name definition
+    if len(af_name) > 0 and af_name != "max":
+        af_names.append(af_name)
+
+# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey,
+# but not in aa_flags...
+# -> currently (2011-01-11) not, but might come back
+
+aa_regex_map = {
+    'FILE':             r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+',
+    'DENYFILE':         r'\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+',
+    'auditdenyowner':   r'(audit\s+)?(deny\s+)?(owner\s+)?',
+    'auditdeny':        r'(audit\s+)?(deny\s+)?',
+    'FILENAME':         r'(\/|\@\{\S*\})\S*',
+    'EOL':              r'\s*,(\s*$|(\s*#.*$)\@=)',
+    'TRANSITION':       r'(\s+-\>\s+\S+)?',
+    'sdKapKey':         " ".join(benign_caps),
+    'sdKapKeyDanger':   " ".join(danger_caps),
+    'sdKapKeyRegex':    "|".join(capabilities),
+    'sdNetworkType':    aa_network_types,
+    'sdNetworkProto':   "|".join(af_names),
+    'flags':            r'((flags\s*\=\s*)?\(\s*' + aa_flags + r'(\s*,\s*' + aa_flags + r')*\s*\)\s+)',
+}
+
+def my_repl(matchobj):
+    #print matchobj.group(1)
+    if matchobj.group(1) in aa_regex_map:
+        return aa_regex_map[matchobj.group(1)]
+
+    return matchobj.group(0)
+
+regex = "@@(" + "|".join(aa_regex_map) + ")@@"
+
+with file("apparmor.vim.in") as template:
+    for line in template:
+        line = re.sub(regex, my_repl, line.rstrip())
+        print line

utils/vim/create-apparmor.vim.sh

@@ -1,129 +0,0 @@
-#!/bin/bash
-
-# not-too-dangerous capabilities
-sdKapKey="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease"
-
-# dangerous capabilities
-sdKapKeyDanger="audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio"
-
-sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth"
-
-sdNetworkType='\s+tcp|\s+udp|\s+icmp'
-
-sdFlags="complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative"
-# TODO: does a "debug" flag exist? Listed in apparmor.vim.in sdFlagKey, but not in sdFlags...
-# -> currently (2011-01-11) not, but might come back
-
-sdKapKeyRegex="$(echo "$sdKapKey $sdKapKeyDanger" | sed 's/ /|/g')"
-
-sdFlagsRegex="($sdFlags)"
-
-#	'@@FILE@@'            '\v^\s*((owner\s+)|(audit\s+)|(deny\s+))*(\/|\@\{\S*\})\S*\s+'   \
-replace                                                                                    \
-	'@@FILE@@'            '\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?(\/|\@\{\S*\})\S*\s+'     \
-	'@@DENYFILE@@'        '\v^\s*(audit\s+)?deny\s+(owner\s+)?(\/|\@\{\S*\})\S*\s+'        \
-    '@@auditdenyowner@@'  '(audit\s+)?(deny\s+)?(owner\s+)?'                               \
-    '@@auditdeny@@'       '(audit\s+)?(deny\s+)?'                                          \
-	'@@FILENAME@@'        '(\/|\@\{\S*\})\S*'                                              \
-	'@@EOL@@'             '\s*,(\s*$|(\s*#.*$)\@=)'                                        \
-	'@@TRANSITION@@'      '(\s+-\>\s+\S+)?'                                                \
-	'@@sdKapKey@@'        "$sdKapKey"                                                      \
-	'@@sdKapKeyDanger@@'  "$sdKapKeyDanger"                                                \
-	'@@sdKapKeyRegex@@'   "$sdKapKeyRegex"                                                 \
-	'@@sdNetworkProto@@'  "$sdNetworkProto"                                                \
-	'@@sdNetworkType@@'   "$sdNetworkType"                                                 \
-	'@@flags@@'           "((flags\s*\=\s*)?\(\s*$sdFlagsRegex(\s*,\s*$sdFlagsRegex)*\s*\)\s+)"         \
-	                                                                                       \
-< apparmor.vim.in                                                                          \
-> apparmor.vim
-
-
-# @@FILE@@: Start of a file rule (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
-# @@FILENAME@@: Just a filename (taken from @@FILE@@)
-# @@EOL@@: End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
-
-
-# I had to learn that vim has a restriction on the number of (...) I may use in
-# a RegEx (up to 9 are allowed), and therefore had to change the RegEx that
-# matches tcp/udp/icmp from "(\s+(tcp|udp|icmp))?" to
-# "(\s+tcp|\s+udp|\s+icmp)?". *argh*
-# (sdNetworkProto could be changed the same way if needed)
-
-
-# TODO: permissions first
-# valid rules:
-# owner rw /foo,
-# owner /foo rw,
-
-# INVALID rules
-# rw owner /foo,
-# rw /foo owner,
-# /foo owner rw,
-# /foo rw owner,
-
-
-# the *** proposed *** syntax for owner= and user= is
-# 
-# owner=<name> <whitespace> <rule>
-# owner='('<names>')' <whitespace> <rule>
-# 
-# where the list followed the syntax for the flags value, however the list
-# syntax part needs to be made consistent, ie. we either need to fix the
-# flags list separator or make the list separator here the same as flags
-# and also fix it for variables, etc.  switching flags to use just whitespace
-# is by far the easiest.
-# 
-# So going with the whitespace separator we would have
-# owner=jj /foo r,
-# owner=(jj) /foo r,
-# owner=(jj smb) /foo r,
-
-# > capability dac_override {
-# >     /file/bar rw,
-# > }
-# > capability chown {
-# >    /file/bar (user1, user2),
-# > }
-# > (Are those things specific to dac_override and chown?)
-# > 
-# Hehe, now your veering even more into unimplemented stuff :)  Those where
-# merely proposed syntax and I don't believe we are using them now.
-# The idea behind those was a way to enhance the capabilities and remain
-# backwards compatible.
-# 
-# And use the syntax for each would have to be capability (or type specific)
-# 
-# eg. for chown we could have a path and user
-# 
-#   chown /foo to (user1 user2),
-# 
-# but for setuid it wouldn't have a path.
-#    setuid to (user1 user2)
-#  
-# 
-# > uses ipc,
-# > ipc rw /profile,
-# > ipc signal w (child) /profile,
-# > deny ipc signal w (kill) /profile,
-# > 
-# > Which keywords can apply to ipc? I'd guess audit and deny. What about 
-# > owner?
-# > 
-# owner and user could be selectively applied but not to allow of ipc
-# 
-# owner doesn't really make sense for signal, but user might this is just
-# another place we need to look at before we commit to the syntax.
-#
-# ipc may hit spring 2011
- 
- 
-# > That all said: are there some example profiles I could use to test 
-# > apparmor.vim?
-# > 
-# Hrmmm, yes.  The goal is to keep adding to the parser test suite, and
-# get it to contain at least on example of every valid syntax and also
-# example profiles of invalid syntax.  I won't say that the coverage
-# is complete yet but it does have hundreds of simple examples.
-# 
-# it can be found in parser/tst/simple_tests/
-#