Prepare for AppArmor 4.0 beta4 release

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -266,8 +266,8 @@ tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
 tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
-tests/regression/apparmor/net_finegrained_rcv
-tests/regression/apparmor/net_finegrained_snd
+tests/regression/apparmor/net_inet_rcv
+tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat

common/Version

@@ -1 +1 @@
-4.0.0~beta3
+4.0.0~beta4

parser/all_rule.h

@@ -29,8 +29,6 @@
 class all_rule: public prefix_rule_t {
 	void move_conditionals(struct cond_entry *conds);
 public:
-	char *label;
-
 	all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { }
 
 	virtual bool valid_prefix(const prefixes &p, const char *&error) {

parser/mqueue.cc

@@ -231,10 +231,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 			/* store perms at name match so label doesn't need
 			 * to be checked
 			 */
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}
@@ -266,10 +266,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		}
 
 		if (perms & AA_VALID_SYSV_MQ_PERMS) {
-			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, parseopts, false))
+			if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, 1, vec, parseopts, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, parseopts, false))
+			if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, map_mqueue_perms(perms), audit == AUDIT_FORCE ? map_mqueue_perms(perms) : 0, size, vec, parseopts, false))
 				goto fail;
 		}
 	}

parser/mqueue.h

@@ -52,13 +52,13 @@
  * kernel doesn't allow for us to control
  * - posix
  *   - notify
- *   - getattr/setattr
  *   - labels at anything other than mqueue label, via mqueue inode.
  */
 
 #define AA_VALID_POSIX_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
 				 AA_MQUEUE_CREATE | AA_MQUEUE_DELETE | \
-				 AA_MQUEUE_OPEN)
+				 AA_MQUEUE_OPEN |		       \
+				 AA_MQUEUE_SETATTR | AA_MQUEUE_GETATTR)
 
  /* TBD - for now make it wider than posix */
 #define AA_VALID_SYSV_MQ_PERMS (AA_MQUEUE_WRITE | AA_MQUEUE_READ |    \
@@ -78,6 +78,11 @@ typedef enum mqueue_type {
 	mqueue_sysv
 } mqueue_type;
 
+static inline uint32_t map_mqueue_perms(uint32_t mask)
+{
+	return (mask & 0x7f) |
+		((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
+}
 
 int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail);
 

parser/network.cc

@@ -344,8 +344,8 @@ bool parse_port_number(const char *port_entry, uint16_t *port) {
 	char *eptr;
 	unsigned long port_tmp = strtoul(port_entry, &eptr, 10);
 
-	if (port_tmp >= 0 && port_entry != eptr &&
-	    *eptr == '\0' && port_tmp <= UINT16_MAX) {
+	if (port_entry != eptr && *eptr == '\0' &&
+	    port_tmp <= UINT16_MAX) {
 		*port = port_tmp;
 		return true;
 	}

parser/network.h

@@ -157,7 +157,7 @@ public:
 	/* empty constructor used only for the profile to access
 	 * static elements to maintain compatibility with
 	 * AA_CLASS_NET */
-	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
+	network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
 	network_rule(perms_t perms_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds);
 	network_rule(perms_t perms_p, const char *family, const char *type,

parser/tst/simple_tests/mount/ok_opt_85.sd

@@ -0,0 +1,9 @@
+#
+#=Description test globbed destination MR 1195
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=(rw, make-slave) -> **,
+  mount options=(rw) foo -> **,
+  mount fstype=tmpfs options=(rw) foo -> **,
+  mount -> **,
+}

profiles/apparmor.d/abstractions/authentication

@@ -35,6 +35,13 @@
   owner /proc/@{pid}/loginuid r,
   /{,usr/}{,s}bin/unix_chkpwd Px,
 
+  # pam_env
+  @{etc_ro}/environment r,
+
+  # pam_limit
+  @{etc_ro}/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/*.conf  r,
+
   # gssapi
   @{etc_ro}/gss/mech               r,
   @{etc_ro}/gss/mech.d/            r,

profiles/apparmor.d/abstractions/samba

@@ -12,6 +12,7 @@
   abi <abi/4.0>,
 
   /etc/samba/* r,
+  /etc/gnutls/config r,
   /usr/lib*/ldb/*.so mr,
   /usr/lib*/ldb2/*.so mr,
   /usr/lib*/ldb2/modules/ldb/*.so mr,

profiles/apparmor.d/firefox

@@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
+profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/samba-rpcd-classic

@@ -19,6 +19,8 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
 
   /usr/lib*/samba/{,samba/}rpcd_classic mr,
 
+  @{HOMEDIRS}/** lrwk,
+
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/samba-rpcd-classic>
 }

profiles/apparmor.d/tuxedo-control-center

@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label unconfined
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/tuxedo-control-center>
+}

profiles/apparmor.d/usr.sbin.smbd

@@ -32,9 +32,6 @@ profile smbd /usr/{bin,sbin}/smbd {
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
-  /usr/etc/environment r,
-  /usr/etc/security/limits.d/ r,
-  /usr/etc/security/limits.d/*.conf  r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,

profiles/apparmor/profiles/extras/bwrap-userns-restrict

@@ -0,0 +1,68 @@
+# This profile allows almost everything and only exists to allow
+# bwrap to work on a system with user namespace restrictions
+# being enforced.
+# bwrap is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking bwrap from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+#
+# Note: the bwrap child is stacked against the bwrap profile due to
+# bwraps use of no-new-privs
+
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile bwrap /usr/bin/bwrap flags=(attach_disconnected) {
+  allow capability,
+  # not allow all, to allow for pix stack
+  # sadly we have to allow  m every where to allow children to work under
+  # stacking.
+  allow file rwlkm /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+  allow px /** -> bwrap//&unpriv_bwrap,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/bwrap-userns-restrict>
+}
+
+profile unpriv_bwrap flags=(attach_disconnected) {
+  # not allow all, to allow for pix stack
+  allow file rwlkm /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+
+  allow pix /** -> &unpriv_bwrap,
+
+  audit deny capability,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/unpriv_bwrap>
+}

profiles/apparmor/profiles/extras/firefox

@@ -241,7 +241,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.gnome2/firefox* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
-  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite k,
+  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
   owner @{HOME}/.config/dconf/user w,
   owner @{run}/user/[0-9]*/dconf/ w,

profiles/apparmor/profiles/extras/unshare-userns-restrict

@@ -0,0 +1,65 @@
+# This profile allows almost everything and only exists to allow
+# unshare to work on a system with user namespace restrictions
+# being enforced.
+# unshare is allowed access to user namespaces and capabilities
+# within the user namespace, but its children do not have
+# capabilities, blocking unshare from being able to be used to
+# arbitrarily by-pass the user namespace restrictions.
+# We restrict x mapping of any code that is unknown while unshare
+# has privilige within the namespace. To help ensure unshare can't
+# be used to attack the kernel.
+#
+# disabled by default as it can break some use cases on a system that
+# doesn't have or has disable user namespace restrictions for unconfined
+# use aa-enforce to enable it
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile unshare /usr/bin/unshare flags=(attach_disconnected) {
+  # not allow all, to allow for cix transition
+  # and to limit executable mapping to just unshare
+  allow capability,
+  allow file rwlk /{**,},
+  allow network,
+  allow unix,
+  allow ptrace,
+  allow signal,
+  allow mqueue,
+  allow io_uring,
+  allow userns,
+  allow mount,
+  allow umount,
+  allow pivot_root,
+  allow dbus,
+  audit allow cx /** -> unpriv,
+
+  allow file m /usr/lib/@{multiarch}/libc.so.6,
+  allow file m /usr/bin/unshare,
+
+  # the local include should not be used without understanding the userns
+  # restriction.
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/unshare-userns-restrict>
+
+  profile unpriv flags=(attach_disconnected) {
+    # not allow all, to allow for pix stack
+    allow file rwlkm /{**,},
+    allow network,
+    allow unix,
+    allow ptrace,
+    allow signal,
+    allow mqueue,
+    allow io_uring,
+    allow userns,
+    allow mount,
+    allow umount,
+    allow pivot_root,
+    allow dbus,
+
+    allow pix /** -> &unshare//unpriv,
+
+    audit deny capability,
+  }
+}

profiles/apparmor/profiles/extras/usr.sbin.sshd

@@ -50,6 +50,15 @@ include <tunables/global>
   # needed when /proc is mounted with hidepid>=1
   ptrace (read,trace) peer="unconfined",
 
+  unix (bind) type=stream addr="@*/bus/sshd/system",
+
+  dbus (send)
+       bus=system
+       path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=CreateSessionWithPIDFD
+       peer=(label=unconfined),
+
   /dev/ptmx rw,
   /dev/pts/[0-9]* rw,
   /dev/urandom r,

tests/regression/apparmor/Makefile

@@ -111,8 +111,8 @@ SRC=access.c \
     mount.c \
     move_mount.c \
     named_pipe.c \
-    net_finegrained_rcv.c \
-    net_finegrained_snd.c \
+    net_inet_rcv.c \
+    net_inet_snd.c \
     net_raw.c \
     open.c \
     openat.c \
@@ -364,10 +364,10 @@ unix_fd_client: unix_fd_client.c unix_fd_common.o
 attach_disconnected: attach_disconnected.c unix_fd_common.o
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
-userns: userns.c userns.h
+userns: userns.c pipe_helper.h
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
-userns_setns: userns_setns.c userns.h
+userns_setns: userns_setns.c pipe_helper.h
 	${CC} ${CFLAGS} ${LDFLAGS} $^ -o $@ ${LDLIBS}
 
 mount: mount.c

tests/regression/apparmor/net_inet.sh

@@ -6,9 +6,9 @@
 #published by the Free Software Foundation, version 2 of the
 #License.
 
-#=NAME posix_mq
+#=NAME net_inet
 #=DESCRIPTION
-# This test verifies if mediation of posix message queues is working
+# This test verifies if finegrained inet mediation is working
 #=END
 
 pwd=`dirname $0`
@@ -18,13 +18,13 @@ bin=$pwd
 
 . $bin/prologue.inc
 
-#requires_kernel_features network_v8/finegrained
+requires_kernel_features network_v8/af_inet
 requires_parser_support "network ip=::1,"
 
-settest net_finegrained_rcv
+settest net_inet_rcv
 
-sender="$bin/net_finegrained_snd"
-receiver="$bin/net_finegrained_rcv"
+sender="$bin/net_inet_snd"
+receiver="$bin/net_inet_rcv"
 
 # local ipv6 address generated according to https://www.rfc-editor.org/rfc/rfc4193.html
 #ipv6_subnet=fd74:1820:b03a:b361::/64
@@ -47,7 +47,7 @@ do_onexit="cleanup"
 
 do_test()
 {
-	local desc="FINEGRAINED NETWORK ($1)"
+	local desc="NETWORK INET ($1)"
 	shift
 	runchecktest "$desc" "$@"
 }
@@ -65,12 +65,11 @@ do_tests()
 	protocol=$8
 	generate_profile=$9
 
-	settest net_finegrained_rcv
+	settest net_inet_rcv
 	$generate_profile
 	do_test "$prefix - root" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender
 
-
-	settest -u "foo" net_finegrained_rcv
+	settest -u "foo" net_inet_rcv
 	$generate_profile
 	do_test "$prefix - user" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender
 
@@ -97,7 +96,7 @@ do_tests "ipv4 udp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remot
 generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
 
-setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0"
+setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
 rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
 snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
 
@@ -126,7 +125,7 @@ do_tests "ipv6 udp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remot
 generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
 
-setsockopt_rules="network;(setopt,getopt);ip=::0;port=0"
+setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
 rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
 snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
 
@@ -135,5 +134,3 @@ do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
-
-

tests/regression/apparmor/net_inet_rcv.c

@@ -9,7 +9,13 @@
 #include <string.h>
 #include <getopt.h>
 #include <sys/stat.h>
-#include "net_finegrained.h"
+#include "net_inet.h"
+
+enum protocol {
+	UDP,
+	TCP,
+	ICMP
+};
 
 struct connection_info {
 	char *bind_ip;
@@ -17,17 +23,72 @@ struct connection_info {
 	char *remote_ip;
 	char *remote_port;
 	char *protocol;
+	enum protocol prot;
 	int timeout;
 } net_info;
 
-
-int receive_udp()
+int receive_bind()
 {
-
 	int sock;
-	char *buf;
 	struct sockaddr_in local;
 	struct sockaddr_in6 local6;
+
+	struct ip_address bind_addr;
+
+	if (!parse_ip(net_info.bind_ip, net_info.bind_port, &bind_addr)) {
+		fprintf(stderr, "FAIL - could not parse bind ip address\n");
+		return -1;
+	}
+
+	switch(net_info.prot) {
+	case UDP:
+		sock = socket(bind_addr.family, SOCK_DGRAM, 0);
+		break;
+	case TCP:
+		sock = socket(bind_addr.family, SOCK_STREAM, 0);
+		break;
+	case ICMP:
+		sock = socket(bind_addr.family, SOCK_DGRAM, IPPROTO_ICMP);
+		break;
+	}
+
+	if (sock < 0) {
+		perror("FAIL - Socket error: ");
+		return -1;
+	}
+
+	const int enable = 1;
+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &enable, sizeof(int)) < 0)
+		perror("FAIL - setsockopt(SO_REUSEADDR) failed");
+
+	if (bind_addr.family == AF_INET) {
+		local = convert_to_sockaddr_in(bind_addr);
+		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0) {
+			perror("FAIL - Bind error: ");
+			return -1;
+		}
+	} else {
+		local6 = convert_to_sockaddr_in6(bind_addr);
+		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0) {
+			perror("FAIL - Bind error: ");
+			return -1;
+		}
+	}
+
+	if (net_info.prot == TCP) {
+		if (listen(sock, 5) == -1) {
+			perror("FAIL - Could not listen: ");
+			return -1;
+		}
+	}
+
+	return sock;
+}
+
+int receive_udp(int sock)
+{
+
+	char *buf;
 	int ret = -1;
 	int select_return;
 
@@ -37,38 +98,6 @@ int receive_udp()
 	buf = (char *) malloc(255);
 	memset(buf, '\0', 255);
 
-	struct ip_address bind_addr;
-	if (!parse_ip(net_info.bind_ip, net_info.bind_port, &bind_addr)) {
-		fprintf(stderr, "FAIL - could not parse bind ip address\n");
-		return -1;
-	}
-
-	if ((sock = socket(bind_addr.family, SOCK_DGRAM, 0)) < 0) {
-		perror("FAIL - Socket error: ");
-		return(-1);
-	}
-
-	const int enable = 1;
-	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &enable, sizeof(int)) < 0)
-		perror("FAIL - setsockopt(SO_REUSEADDR) failed");
-
-	if (bind_addr.family == AF_INET) {
-		local = convert_to_sockaddr_in(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-		{
-			perror("FAIL - Bind error: ");
-			return(-1);
-		}
-	} else {
-		local6 = convert_to_sockaddr_in6(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0)
-		{
-			printf("errno %d\n", errno);
-			perror("FAIL - Bind error: ");
-			return(-1);
-		}
-	}
-
 	FD_ZERO(&read_set);
 	FD_SET(sock, &read_set);
 	FD_ZERO(&err_set);
@@ -77,39 +106,30 @@ int receive_udp()
 	timeout.tv_usec = 0;
 
 	select_return = select(sock + 1, &read_set, NULL, &err_set, &timeout);
-	if (select_return < 0)
-	{
+	if (select_return < 0) {
 		perror("FAIL - Select error: ");
 		ret = -1;
-	}
-
-
-
-	if ((select_return > 0) && (FD_ISSET(sock, &read_set)) && (!FD_ISSET(sock, &err_set)))
-	{
-
-		if (recvfrom(sock, buf, 255, 0, (struct sockaddr *)0, (unsigned int *)0) >= 1)
-		{
+	} else if (select_return == 0) {
+		printf("FAIL - select timeout\n");
+	} else if (select_return > 0 && FD_ISSET(sock, &read_set) && !FD_ISSET(sock, &err_set)) {
+		if (recvfrom(sock, buf, 255, 0, NULL, NULL) >= 1) {
 			//printf("MESSAGE: %s\n", buf);
 			ret = 0;
-		}
-		else
-		{
+		} else {
 			printf("FAIL - recvfrom failed\n");
 			ret = -1;
 		}
 	}
+
 	free(buf);
 	return(ret);
 
 }
 
-int receive_tcp()
+int receive_tcp(int sock)
 {
-	int sock, cli_sock;
+	int cli_sock;
 	char *buf;
-	struct sockaddr_in local;
-	struct sockaddr_in6 local6;
 	int ret = -1;
 	int select_return;
 
@@ -119,44 +139,6 @@ int receive_tcp()
 	buf = (char *) malloc(255);
 	memset(buf, '\0', 255);
 
-	struct ip_address bind_addr;
-	if (!parse_ip(net_info.bind_ip, net_info.bind_port, &bind_addr)) {
-		fprintf(stderr, "FAIL - could not parse bind ip address\n");
-		return -1;
-	}
-
-	if ((sock = socket(bind_addr.family, SOCK_STREAM, 0)) < 0)
-	{
-		perror("FAIL - Socket error:");
-		return(-1);
-	}
-
-	const int enable = 1;
-	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &enable, sizeof(int)) < 0)
-		perror("FAIL - setsockopt(SO_REUSEADDR) failed");
-
-	if (bind_addr.family == AF_INET) {
-		local = convert_to_sockaddr_in(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-		{
-			perror("FAIL - Bind error: ");
-			return(-1);
-		}
-	} else {
-		local6 = convert_to_sockaddr_in6(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0)
-		{
-			perror("FAIL - Bind error: ");
-			return(-1);
-		}
-	}
-
-	if (listen(sock, 5) == -1)
-	{
-		perror("FAIL - Could not listen: ");
-		return(-1);
-	}
-
 	FD_ZERO(&read_set);
 	FD_SET(sock, &read_set);
 	FD_ZERO(&err_set);
@@ -165,48 +147,33 @@ int receive_tcp()
 	timeout.tv_usec = 0;
 
 	select_return = select(sock + 1, &read_set, NULL, &err_set, &timeout);
-	if (select_return < 0)
-	{
+	if (select_return < 0) {
 		perror("FAIL - Select failed: ");
 		ret = -1;
-	}
-
-	if ((select_return > 0) && (FD_ISSET(sock, &read_set)) && (!FD_ISSET(sock, &err_set)))
-	{
-		if ((cli_sock = accept(sock, NULL, NULL)) < 0)
-		{
+	} else if (select_return == 0) {
+		printf("FAIL - select timeout\n");
+	} else if (select_return > 0 && FD_ISSET(sock, &read_set) && !FD_ISSET(sock, &err_set)) {
+		if ((cli_sock = accept(sock, NULL, NULL)) < 0) {
 			perror("FAIL - Accept failed: ");
 			ret = -1;
-		}
-		else
-		{
-			if (recv(cli_sock, buf, 255, 0) >= 1)
-			{
+		} else {
+			if (recv(cli_sock, buf, 255, 0) >= 1) {
 				//printf("MESSAGE: %s\n", buf);
 				ret = 0;
-			}
-			else
-			{
+			} else {
 				perror("FAIL - recv failure: ");
 				ret = -1;
 			}
 		}
 	}
-	else
-	{
-		perror("FAIL - There were select failures: ");
-		ret = -1;
-	}
+
 	free(buf);
 	return(ret);
 }
 
-int receive_icmp()
+int receive_icmp(int sock)
 {
-
-	int sock;
 	char *buf;
-	struct sockaddr_in local;
 	int ret = -1;
 	int select_return;
 
@@ -215,25 +182,6 @@ int receive_icmp()
 
 	buf = (char *) malloc(255);
 	memset(buf, '\0', 255);
-	if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)) < 0)
-	{
-		perror("FAIL - Socket error: ");
-		return(-1);
-	}
-
-	const int enable = 1;
-	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &enable, sizeof(int)) < 0)
-		perror("FAIL - setsockopt(SO_REUSEADDR) failed");
-
-	local.sin_family  = AF_INET;
-	local.sin_port = htons(atoi(net_info.bind_port));
-	inet_aton(net_info.bind_ip, &local.sin_addr);
-
-	if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-	{
-		perror("FAIL - Bind error: ");
-		return(-1);
-	}
 
 	FD_ZERO(&read_set);
 	FD_SET(sock, &read_set);
@@ -243,28 +191,21 @@ int receive_icmp()
 	timeout.tv_usec = 0;
 
 	select_return = select(sock + 1, &read_set, NULL, &err_set, &timeout);
-	if (select_return < 0)
-	{
+	if (select_return < 0) {
 		perror("FAIL - Select error: ");
 		ret = -1;
-	}
-
-
-
-	if ((select_return > 0) && (FD_ISSET(sock, &read_set)) && (!FD_ISSET(sock, &err_set)))
-	{
-
-		if (recvfrom(sock, buf, 255, 0, (struct sockaddr *)0, (unsigned int *)0) >= 1)
-		{
+	} else if (select_return == 0) {
+		printf("FAIL - select timeout\n");
+	} else if (select_return > 0 && FD_ISSET(sock, &read_set) && !FD_ISSET(sock, &err_set)) {
+		if (recvfrom(sock, buf, 255, 0, NULL, NULL) >= 1) {
 			//printf("MESSAGE: %s\n", buf);
 			ret = 0;
-		}
-		else
-		{
+		} else {
 			printf("FAIL - recvfrom failed\n");
 			ret = -1;
 		}
 	}
+
 	free(buf);
 	return(ret);
 
@@ -302,7 +243,7 @@ int main(int argc, char *argv[])
 		{"protocol",    required_argument, 0,  'p' },
 		{"timeout",     required_argument, 0,  't' },
 		{"sender",      required_argument, 0,  's' },
-		{0,           0,                 0,  0   }
+		{0,             0,                 0,  0   }
 	};
 
 	while ((opt = getopt_long(argc, argv,"i:o:r:e:p:t:s:", long_options, 0)) != -1) {
@@ -321,6 +262,14 @@ int main(int argc, char *argv[])
 			break;
 		case 'p':
 			net_info.protocol = optarg;
+			if (strcmp(net_info.protocol, "udp") == 0)
+				net_info.prot = UDP;
+			else if (strcmp(net_info.protocol, "tcp") == 0)
+				net_info.prot = TCP;
+			else if (strcmp(net_info.protocol, "icmp") == 0)
+				net_info.prot = ICMP;
+			else
+				printf("FAIL - Unknown protocol.\n");
 			break;
 		case 't':
 			net_info.timeout = atoi(optarg);
@@ -333,6 +282,13 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	/* get the server to bind/listen, so the child has something
+	 * to connect to if it wins the race. */
+	int sockfd = receive_bind();
+	if (sockfd == -1) {
+		exit(1);
+	}
+
 	/* exec the sender */
 	pid = fork();
 	if (pid == -1) {
@@ -357,22 +313,23 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	if (strcmp(net_info.protocol, "udp") == 0)
-		ret = receive_udp(net_info);
-	else if (strcmp(net_info.protocol, "tcp") == 0)
-		ret = receive_tcp(net_info);
-	else if (strcmp(net_info.protocol, "icmp") == 0)
-		ret = receive_icmp(net_info);
-	else
-		printf("FAIL - Unknown protocol.\n");
+	switch(net_info.prot) {
+	case UDP:
+		ret = receive_udp(sockfd);
+		break;
+	case TCP:
+		ret = receive_tcp(sockfd);
+		break;
+	case ICMP:
+		ret = receive_icmp(sockfd);
+		break;
+	}
 
-	if (ret == -1)
-	{
+	if (ret == -1) {
 		printf("FAIL - Receive message failed.\n");
 		exit(1);
 	}
 
 	printf("PASS\n");
-
 	return 0;
 }

tests/regression/apparmor/net_inet_snd.c

@@ -12,7 +12,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <string.h>
-#include "net_finegrained.h"
+#include "net_inet.h"
 
 struct connection_info {
 	char *bind_ip;
@@ -40,8 +40,7 @@ int send_udp(char *message)
 		return -1;
 	}
 
-	if ((sock = socket(bind_addr.family, SOCK_DGRAM, 0)) < 0)
-	{
+	if ((sock = socket(bind_addr.family, SOCK_DGRAM, 0)) < 0) {
 		perror("FAIL SND - Could not open socket: ");
 		return(-1);
 	}
@@ -53,15 +52,13 @@ int send_udp(char *message)
 
 	if (bind_addr.family == AF_INET) {
 		local = convert_to_sockaddr_in(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-		{
+		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0) {
 			perror("FAIL SND - Bind error: ");
 			return(-1);
 		}
 	} else {
 		local6 = convert_to_sockaddr_in6(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0)
-		{
+		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0) {
 			perror("FAIL SND - Bind error: ");
 			return(-1);
 		}
@@ -70,22 +67,19 @@ int send_udp(char *message)
 	if (remote_addr.family == AF_INET) {
 		remote = convert_to_sockaddr_in(remote_addr);
 		//printf("Sending \"%s\"\n", message);
-		if (sendto(sock, message, strlen(message), 0, (struct sockaddr *) &remote, sizeof(remote)) <= 0)
-		{
+		if (sendto(sock, message, strlen(message), 0, (struct sockaddr *) &remote, sizeof(remote)) <= 0) {
 			perror("FAIL SND - Send failed: ");
 			return(-1);
 		}
 	} else {
 		remote6 = convert_to_sockaddr_in6(remote_addr);
 		//printf("Sending \"%s\"\n", message);
-		if (sendto(sock, message, strlen(message), 0, (struct sockaddr *) &remote6, sizeof(remote6)) <= 0)
-		{
+		if (sendto(sock, message, strlen(message), 0, (struct sockaddr *) &remote6, sizeof(remote6)) <= 0) {
 			perror("FAIL SND - Send failed: ");
 			return(-1);
 		}
 	}
 
-
 	close(sock);
 	return(0);
 
@@ -121,15 +115,13 @@ int send_tcp(char *message)
 
 	if (bind_addr.family == AF_INET) {
 		local = convert_to_sockaddr_in(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-		{
+		if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0) {
 			perror("FAIL SND - Bind error: ");
 			return(-1);
 		}
 	} else {
 		local6 = convert_to_sockaddr_in6(bind_addr);
-		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0)
-		{
+		if (bind(sock, (struct sockaddr *) &local6, sizeof(local6)) < 0) {
 			perror("FAIL SND - Bind error: ");
 			return(-1);
 		}
@@ -138,24 +130,21 @@ int send_tcp(char *message)
 	if (remote_addr.family == AF_INET) {
 		remote = convert_to_sockaddr_in(remote_addr);
 		//printf("Sending \"%s\"\n", message);
-		if (connect(sock, (struct sockaddr *) &remote, sizeof(remote)) < 0)
-		{
+		if (connect(sock, (struct sockaddr *) &remote, sizeof(remote)) < 0) {
 			perror("FAIL SND - Could not connect: ");
 			return(-1);
 		}
 	} else {
 		remote6 = convert_to_sockaddr_in6(remote_addr);
 		//printf("Sending \"%s\"\n", message);
-		if (connect(sock, (struct sockaddr *) &remote6, sizeof(remote6)) < 0)
-		{
+		if (connect(sock, (struct sockaddr *) &remote6, sizeof(remote6)) < 0) {
 			perror("FAIL SND - Could not connect: ");
 			return(-1);
 		}
 	}
 
 	//printf("Sending \"%s\"\n", message);
-	if (send(sock, message, strlen(message), 0) <= 0)
-	{
+	if (send(sock, message, strlen(message), 0) <= 0) {
 		perror("FAIL SND - Send failed: ");
 		return(-1);
 	}
@@ -171,8 +160,7 @@ int send_icmp(char *message)
 	char packetdata[sizeof(icmp_hdr) + 4];
 
 
-	if ((sock = socket(AF_INET | AF_INET6, SOCK_DGRAM, IPPROTO_ICMP)) < 0)
-	{
+	if ((sock = socket(AF_INET | AF_INET6, SOCK_DGRAM, IPPROTO_ICMP)) < 0) {
 		perror("FAIL SND - Could not open socket: ");
 		return(-1);
 	}
@@ -199,8 +187,7 @@ int send_icmp(char *message)
 	memcpy(packetdata, &icmp_hdr, sizeof(icmp_hdr));
 	memcpy(packetdata + sizeof(icmp_hdr), message, strlen(message));
 
-	if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0)
-	{
+	if (bind(sock, (struct sockaddr *) &local, sizeof(local)) < 0) {
 		perror("FAIL SND - Could not bind: ");
 		return(-1);
 	}
@@ -208,8 +195,7 @@ int send_icmp(char *message)
 	//printf("Sending \"%s\"\n", message);
 
 	// Send the packet
-	if(sendto(sock, packetdata, sizeof(packetdata), 0, (struct sockaddr*) &remote, sizeof(remote)) < 0)
-	{
+	if(sendto(sock, packetdata, sizeof(packetdata), 0, (struct sockaddr*) &remote, sizeof(remote)) < 0) {
 		perror("FAIL SND - Send failed: ");
 		close(sock);
 		return(-1);
@@ -231,8 +217,7 @@ int main(int argc, char *argv[])
 {
 	int send_ret;
 
-	if (argc < 6)
-	{
+	if (argc < 6) {
 		printf("Usage: %s bind_ip bind_port remote_ip remote_port proto\n", argv[0]);
 		exit(1);
 	}
@@ -253,8 +238,7 @@ int main(int argc, char *argv[])
 	else
 		printf("FAIL SND - Unknown protocol.\n");
 
-	if (send_ret == -1)
-	{
+	if (send_ret == -1) {
 		printf("FAIL SND - Send message failed.\n");
 		exit(1);
 	}

tests/regression/apparmor/posix_mq.h

@@ -12,6 +12,7 @@
 #define QNAME "/testmq"
 #define SHM_PATH "/unnamedsemtest"
 #define SEM_PATH "/namedsemtest"
+#define PIPENAME "/tmp/mqueuepipe";
 #define OBJ_PERMS (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)
 
 #define BUF_SIZE 1024

tests/regression/apparmor/posix_mq.sh

@@ -27,6 +27,7 @@ sender="$bin/posix_mq_snd"
 receiver="$bin/posix_mq_rcv"
 queuename="/queuename"
 queuename2="/queuename2"
+pipe="/tmp/mqueuepipe"
 
 user="foo"
 adduser --gecos "First Last,RoomNumber,WorkPhone,HomePhone" --no-create-home --disabled-password $user >/dev/null
@@ -41,6 +42,7 @@ cleanup()
 {
     rm -f /dev/mqueue/$queuename
     rm -f /dev/mqueue/$queuename2
+    rm -f $pipe
     deluser foo >/dev/null
 }
 do_onexit="cleanup"
@@ -66,7 +68,7 @@ do_tests()
     do_test "$prefix" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename "${rest_args[@]}"
 
     # notify requires netlink permissions
-    do_test "$prefix : mq_notify" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename -n mq_notify "${rest_args[@]}"
+    do_test "$prefix : mq_notify" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename -n mq_notify -p $pipe "${rest_args[@]}"
 
     do_test "$prefix : select" "$expect_open" -c $sender -k $queuename -n select "${rest_args[@]}"
 
@@ -86,11 +88,11 @@ for username in "root" "$userid" ; do
     do_tests "unconfined $username" pass pass pass pass $usercmd
 
     # No mqueue perms
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" "$pipe:rw" -- image=$sender "$pipe:rw"
     do_tests "confined $username - no perms" fail fail fail fail $usercmd
 
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
     do_tests "confined $username - deny perms" fail fail fail fail $usercmd
 
 
@@ -102,46 +104,46 @@ for username in "root" "$userid" ; do
     #   apparmor when doing "root" username tests
     # * if doing the $userid set of tests and you see
     #   Permission denied in the test output
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue" "$pipe:rw"
     do_tests "confined $username - mqueue" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" -- image=$sender "mqueue:type=posix"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:type=posix" "$pipe:rw"
     do_tests "confined $username - mqueue type=posix" pass pass pass pass $usercmd
 
     # queue name
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw"
     do_tests "confined $username - mqueue /name 1" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw"
     do_tests "confined $username - mqueue /name 2" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue" "$pipe:rw"
     do_tests "confined $username - mqueue /name 3" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename2"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename2" "$pipe:rw"
     do_tests "confined $username - mqueue /name 4" fail fail fail fail $usercmd -t 1
 
 
     # specific permissions
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 1" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 2" fail fail fail fail $usercmd -t 1
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 3" fail fail fail fail $usercmd -t 1
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 4" fail fail fail fail $usercmd -t 1
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 5" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw"
     do_tests "confined $username - specific 6" pass pass pass pass $usercmd
 
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:read"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:read" "$pipe:rw"
     do_tests "confined $username - specific 7" fail fail fail fail $usercmd -t 1
 
     # unconfined receiver
@@ -150,17 +152,17 @@ for username in "root" "$userid" ; do
 
 
     # unconfined sender
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink"  "mqueue" "$sender:ux"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink"  "mqueue" "$sender:ux" "$pipe:rw"
     do_tests "confined receiver $username - unconfined sender" pass pass pass pass $usercmd
 
 
     # queue label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:label=$receiver" "$pipe:rw"
     do_tests "confined $username - mqueue label 1" xpass xpass xpass xpass $usercmd
 
 
     # queue name and label
-    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename" "$pipe:rw"
     do_tests "confined $username - mqueue label 2" xpass xpass xpass xpass $usercmd
 
     # ensure we are cleaned up for next pass

tests/regression/apparmor/posix_mq_rcv.c

@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
 #include <mqueue.h>
 #include <stdlib.h>
 #include <signal.h>
@@ -6,9 +7,11 @@
 #include <time.h>
 
 #include "posix_mq.h"
+#include "pipe_helper.h"
 
 int timeout = 5; //seconds
 char *queuename = QNAME;
+char *pipepath = PIPENAME;
 
 enum notify_options {
 	DO_NOT_NOTIFY,
@@ -18,10 +21,13 @@ enum notify_options {
 	EPOLL
 };
 
+enum notify_options notify = DO_NOT_NOTIFY;
+
 int receive_message(mqd_t mqd, char needs_timeout) {
 	ssize_t nbytes;
 	struct mq_attr attr;
 	char *buf = NULL;
+	int ret = EXIT_FAILURE;
 
 	if (mq_getattr(mqd, &attr) == -1) {
 		perror("FAIL - could not mq_getattr");
@@ -62,20 +68,24 @@ int receive_message(mqd_t mqd, char needs_timeout) {
 	}
 
 	printf("PASS\n");
+	ret = EXIT_SUCCESS;
 
 out:
 	free(buf);
 
 	if (mq_close(mqd) == (mqd_t) -1) {
 		perror("FAIL - could not close mq");
-		exit(EXIT_FAILURE);
+		ret = EXIT_FAILURE;
 	}
 	if (mq_unlink(queuename) == (mqd_t) -1) {
-		perror("FAIL - could unlink mq");
-		exit(EXIT_FAILURE);
+		perror("FAIL - could not unlink mq");
+		ret = EXIT_FAILURE;
 	}
-
-	exit(EXIT_SUCCESS);
+	if (notify == MQ_NOTIFY && unlink(pipepath) == -1) {
+		perror("FAIL - could not remove pipe");
+		ret = EXIT_FAILURE;
+	}
+	exit(ret);
 }
 
 static void handle_signal(union sigval sv) {
@@ -96,6 +106,7 @@ static void usage(char *prog_name, char *msg)
 	fprintf(stderr, "-c        path of the client binary\n");
 	fprintf(stderr, "-u        run test as specified UID\n");
 	fprintf(stderr, "-t        timeout in seconds\n");
+	fprintf(stderr, "-p        named pipe path. used by mq_notify\n");
 	exit(EXIT_FAILURE);
 }
 
@@ -108,9 +119,15 @@ void receive_mq_notify(mqd_t mqd)
 	sev.sigev_value.sival_ptr = &mqd;
 
 	if (mq_notify(mqd, &sev) == -1) {
-		perror(" FAIL - could not mq_notify");
-		exit(EXIT_FAILURE);
+		perror("FAIL - could not mq_notify");
+		return;
 	}
+
+	if (write_to_pipe(pipepath) == -1) { // let sender know mq_notify is ready
+		fprintf(stderr, "FAIL - could not write to pipe\n");
+		return;
+	}
+
 	sleep(timeout);
 	fprintf(stderr, "FAIL - could not mq_notify: Connection timed out\n");
 }
@@ -127,7 +144,7 @@ void receive_select(mqd_t mqd)
 
 	if (select(mqd + 1, &read_fds, NULL, NULL, &tv) == -1) {
 		perror("FAIL - could not select");
-		exit(EXIT_FAILURE);
+		return;
 	} else {
 		if (FD_ISSET(mqd, &read_fds))
 			receive_message(mqd, 0);
@@ -142,7 +159,7 @@ void receive_poll(mqd_t mqd)
 
 	if (poll(fds, 1, timeout * 1000) == -1) {
 		perror("FAIL - could not poll");
-		exit(EXIT_FAILURE);
+		return;
 	} else {
 		if (fds[0].revents & POLLIN)
 			receive_message(mqd, 0);
@@ -154,7 +171,7 @@ void receive_epoll(mqd_t mqd)
 	int epfd = epoll_create(1);
 	if (epfd == -1) {
 		perror("FAIL - could not create epoll");
-		exit(EXIT_FAILURE);
+		return;
 	}
 
 	struct epoll_event ev, rev[1];
@@ -162,12 +179,12 @@ void receive_epoll(mqd_t mqd)
 	ev.data.fd = mqd;
 	if (epoll_ctl(epfd, EPOLL_CTL_ADD, mqd, &ev) == -1) {
 		perror("FAIL - could not add mqd to epoll");
-		exit(EXIT_FAILURE);
+		return;
 	}
 
 	if (epoll_wait(epfd, rev, 1, timeout * 1000) == -1) {
 		perror("FAIL - could not epoll_wait");
-		exit(EXIT_FAILURE);
+		return;
 	} else {
 		if (rev[0].data.fd == mqd && rev[0].events & EPOLLIN)
 			receive_message(mqd, 0);
@@ -198,17 +215,17 @@ void receive(enum notify_options notify, mqd_t mqd)
 int main(int argc, char *argv[])
 {
 	int opt = 0;
-	enum notify_options notify = DO_NOT_NOTIFY;
 	mqd_t mqd;
 	char *client = NULL;
 	int uid;
+	int pipefd;
 	struct mq_attr attr;
 	attr.mq_flags = 0;
 	attr.mq_maxmsg = 10;
 	attr.mq_msgsize = BUF_SIZE;
 	attr.mq_curmsgs = 0;
 
-	while ((opt = getopt(argc, argv, "n:k:c:u:t:")) != -1) {
+	while ((opt = getopt(argc, argv, "n:k:c:u:t:p:")) != -1) {
 		switch (opt) {
 		case 'n':
 			if (strcmp(optarg, "mq_notify") == 0)
@@ -258,6 +275,9 @@ int main(int argc, char *argv[])
 		case 't':
 			timeout = atoi(optarg);
 			break;
+		case 'p':
+			pipepath = optarg;
+			break;
 		default:
 			usage(argv[0], "Unrecognized option\n");
 		}
@@ -269,11 +289,24 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
+	if (notify == MQ_NOTIFY) {
+		if (mkfifo(pipepath, 0666) == -1) {
+			perror("FAIL - could not mkfifo");
+			goto nopipeout;
+		}
+
+		pipefd = open_read_pipe(pipepath);
+		if (pipefd == -1) {
+			fprintf(stderr, "FAIL - couldn't open pipe\n");
+			goto out;
+		}
+	}
+
 	/* exec the client */
 	int pid = fork();
 	if (pid == -1) {
 		perror("FAIL - could not fork");
-		exit(EXIT_FAILURE);
+		goto out;
 	} else if (!pid) {
 		if (client == NULL) {
 			usage(argv[0], "client not specified");
@@ -282,25 +315,30 @@ int main(int argc, char *argv[])
 			 * in case the client will be manually executed
 			 */
 		}
-		execl(client, client, queuename, NULL);
-		printf("FAIL %d - execlp %s %s- %m\n", getuid(), client, queuename);
+		if (notify == MQ_NOTIFY) {
+			char strpipefd[12];
+			sprintf(strpipefd, "%d", pipefd);
+			execl(client, client, queuename, strpipefd, NULL);
+			printf("FAIL %d - execlp %s %s %s- %m\n", getuid(), client, queuename, strpipefd);
+		} else {
+			execl(client, client, queuename, NULL);
+			printf("FAIL %d - execlp %s %s- %m\n", getuid(), client, queuename);
+		}
 		exit(EXIT_FAILURE);
 	}
 
 	receive(notify, mqd);
 
 	/* when the notification fails because of timeout, it ends up here
-	 * so, clean up the mqueue
+	 * so, clean up the mqueue and exit_failure
 	 */
-
-	if (mq_close(mqd) == (mqd_t) -1) {
+out:
+	if (notify == MQ_NOTIFY && unlink(pipepath) == -1)
+		perror("FAIL - could not remove pipe");
+nopipeout:
+	if (mq_close(mqd) == (mqd_t) -1)
 		perror("FAIL - could not close mq");
-		exit(EXIT_FAILURE);
-	}
-	if (mq_unlink(queuename) == (mqd_t) -1) {
+	if (mq_unlink(queuename) == (mqd_t) -1)
 		perror("FAIL - could unlink mq");
-		exit(EXIT_FAILURE);
-	}
-
-	return 0;
+	return EXIT_FAILURE;
 }

tests/regression/apparmor/posix_mq_snd.c

@@ -1,16 +1,27 @@
+#define _GNU_SOURCE
 #include <mqueue.h>
 #include <stdlib.h>
 
 #include "posix_mq.h"
+#include "pipe_helper.h"
 
 int main(int argc, char * argv[])
 {
 	mqd_t mqd;
 	char *queuename = QNAME;
+	int pipefd;
 
 	if (argc > 1) {
 		queuename = argv[1];
 	}
+	if (argc > 2) {
+		pipefd = atoi(argv[2]);
+		if (read_from_pipe(pipefd) == -1) { // wait for receiver to mq_notify
+			fprintf(stderr, "FAIL - could not read from pipe\n");
+			return 1;
+		}
+	}
+
 	mqd = mq_open(queuename, O_WRONLY);
 	if (mqd == (mqd_t) -1) {
 		perror("FAIL sender - could not open mq");

tests/regression/apparmor/userns.c

@@ -23,7 +23,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <linux/limits.h>
-#include "userns.h"
+#include "pipe_helper.h"
 
 static void usage(char *pname)
 {

tests/regression/apparmor/userns_setns.c

@@ -6,7 +6,7 @@
 #include <fcntl.h>
 #include <unistd.h>
 
-#include "userns.h"
+#include "pipe_helper.h"
 
 int main(int argc, char *argv[])
 {

utils/apparmor/rule/mount.py

@@ -15,7 +15,7 @@ import re
 
 from apparmor.common import AppArmorBug, AppArmorException
 
-from apparmor.regex import RE_PROFILE_MOUNT, RE_PROFILE_PATH_OR_VAR, strip_parenthesis
+from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis
 from apparmor.rule import AARE
 from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, logprof_value_or_all, check_and_split_list
 
@@ -34,7 +34,7 @@ valid_fs = [
     'securityfs', 'sockfs', 'bpf', 'npipefs', 'ramfs', 'hugetlbfs', 'devpts', 'ext3', 'ext2', 'ext4', 'squashfs',
     'vfat', 'ecryptfs', 'fuseblk', 'fuse', 'fusectl', 'efivarfs', 'mqueue', 'store', 'autofs', 'binfmt_misc', 'overlay',
     'none', 'bdev', 'proc', 'pipefs', 'pstore', 'btrfs', 'xfs', '9p', 'resctrl', 'zfs', 'iso9660', 'udf', 'ntfs3',
-    'nfs', 'cifs',
+    'nfs', 'cifs', 'overlayfs', 'aufs', 'rpc_pipefs', 'msdos', 'nfs4',
 ]
 
 flags_keywords = [
@@ -72,9 +72,13 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?'
 # - A filesystem    : sysfs         (sudo mount -t tmpfs tmpfs /tmp/bar)
 # - Any label       : mntlabel      (sudo mount -t tmpfs mntlabel /tmp/bar)
 # Thus we cannot use directly RE_PROFILE_PATH_OR_VAR
+# Destination can also be
+# - A path          : /foo
+# - A globbed Path  : **
 
-source_fileglob_pattern = r'(\s*(?P<source_file>([/{]\S*|"[/{][^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))'
-dest_fileglob_pattern = r'(\s*' + RE_PROFILE_PATH_OR_VAR % 'dest_file' + r')'
+glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))'
+source_fileglob_pattern = glob_pattern % 'source_file'
+dest_fileglob_pattern = glob_pattern % 'dest_file'
 
 RE_MOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{source_fileglob_pattern})?' + rf'(\s+->\s+{dest_fileglob_pattern})?\s*' + r'$')
 RE_UMOUNT_DETAILS = re.compile(r'^\s*' + mount_condition_pattern + rf'(\s+{dest_fileglob_pattern})?\s*' + r'$')
@@ -142,7 +146,7 @@ class MountRule(BaseRule):
         if self.operation == 'mount' and not self.all_source and not self.all_options and flags_forbidden_with_source & self.options != set():
             raise AppArmorException(f'Operation {flags_forbidden_with_source & self.options} cannot have a source. Source = {self.source}')
 
-        self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=True, log_event=log_event)
+        self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event)
 
         self.can_glob = not self.all_source and not self.all_dest and not self.all_options
 

utils/test/test-mount.py

@@ -29,6 +29,8 @@ class MountTestParse(AATest):
 
     tests = (
         #                   Rule                                                     Operation   Filesystem                Options                  Source          Destination     Audit  Deny   Allow  Comment
+        ('mount -> **,',                                                    MountRule('mount',   MountRule.ALL,            MountRule.ALL,           MountRule.ALL,  '**',           False, False, False, ''     )),
+        ('mount options=(rw, shared) -> **,',                               MountRule('mount',   MountRule.ALL,            ('=', ('rw', 'shared')), MountRule.ALL,  '**',           False, False, False, ''     )),
         ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,',                MountRule('mount',   ('=', ('bpf')),           ('=', ('rw')),           'bpf',          '/sys/fs/bpf/', False, False, False, ''     )),
         ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,',         MountRule('mount',   ('=', ('fuse.obex*')),    ('=', ('rw')),           'bpf',          '/sys/fs/bpf/', False, False, False, ''     )),
         ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,',             MountRule('mount',   ('=', ('fuse.*')),        ('=', ('rw')),           'bpf',          '/sys/fs/bpf/', False, False, False, ''     )),