mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00
Code Issues Releases Wiki Activity
Files
78a7df6711f949f44872c2551fe44e21f6c10a5a
apparmor/parser
History
Eric Chiang 78a7df6711 parser: determine xmatch priority based on smallest DFA match 
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.

While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:

    profile all /** { }
    profile bins /{,usr/,usr/local/}bin/** { }

xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.

When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.

(cherry picked from commit cc09794fbd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-12 04:29:57 -07:00
..
libapparmor_re
parser: determine xmatch priority based on smallest DFA match
2019-03-12 04:29:57 -07:00
po
Launchpad automatic translations update.
2016-06-01 05:15:41 +00:00
tst
Merge branch 'cboltz-strict-todo-check' into 'master'
2018-11-06 21:15:03 +00:00
af_rule.cc
parser: fix more gcc 5 compilation problems
2015-02-26 14:55:13 -08:00
af_rule.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
af_unix.cc
with unix rules we output a downgraded rule compatible with network rules
2017-09-07 02:26:15 -07:00
af_unix.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
apparmor_parser.pod
all: Use HTTPS links for apparmor.net
2018-09-13 11:51:04 -07:00
apparmor.d.pod
all: Use HTTPS links for apparmor.net
2018-09-13 11:51:04 -07:00
apparmor.pod
apparmor(7): Document various debugging options.
2018-11-04 12:04:27 +00:00
common_optarg.c
Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs
2014-04-23 11:10:41 -07:00
common_optarg.h
Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs
2014-04-23 11:10:41 -07:00
COPYING.GPL
rpmlint complains about an outdated FSF address in parser/COPYING.GPL.
2011-11-27 13:52:06 +01:00
dbus.cc
parser/dbus.cc: fix "accesss" typo.
2015-05-01 10:25:57 +02:00
dbus.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
frob_slack_rc
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
immunix.h
Rename AA_MAY_XXX permission bits that conflict with new layout
2015-06-06 01:25:49 -07:00
lib.c
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
lib.h
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
Makefile
Merge branch 'fix-bison' into 'master'
2018-10-05 19:03:56 +00:00
mount.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
mount.h
Fix remount with bind
2015-09-21 12:20:19 -07:00
network.c
Use the gcc cleanup extension attribute to handle closing temp files
2015-03-25 17:09:26 -05:00
network.h
Remove unused net_find_af_val function, and network_families array
2015-02-27 16:20:31 +00:00
parser_alias.c
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
parser_common.c
parser: Check kernel stacking support when handling stacked transitions
2016-03-18 17:28:51 -05:00
parser_include.c
parser: include <limits.h> for PATH_MAX macro
2017-09-27 11:38:35 +02:00
parser_include.h
allow directories to be passed to the parser
2013-10-26 00:15:13 -07:00
parser_interface.c
libapparmor: Move the aa_kernel_interface API
2015-03-25 17:09:27 -05:00
parser_lex.l
parser: ignore feature abi rules
2018-10-13 22:18:05 -07:00
parser_main.c
parser: Fix parser failing to handle errors when setting up work
2019-02-22 02:42:43 -08:00
parser_merge.c
parser: Stop splitting the namespace from the named transition targets
2016-03-18 17:28:51 -05:00
parser_misc.c
parser: ignore feature abi rules
2018-10-13 22:18:05 -07:00
parser_policy.c
parser: Stop splitting the namespace from the named transition targets
2016-03-18 17:28:51 -05:00
parser_regex.c
parser: determine xmatch priority based on smallest DFA match
2019-03-12 04:29:57 -07:00
parser_symtab.c
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
parser_variable.c
parser: fix memory leaks in unit tests
2016-01-25 12:05:50 -08:00
parser_yacc.y
parser: ignore feature abi rules
2018-10-13 22:18:05 -07:00
parser.conf
parser: adjust parser.conf example Include statements
2015-03-09 10:43:13 -07:00
parser.h
parser: Fix parser failing to handle errors when setting up work
2019-02-22 02:42:43 -08:00
policy_cache.c
parser: fix parser so that cache creation failure doesn't cause load failure
2018-01-05 01:14:57 -08:00
policy_cache.h
Set cache file tstamp to the mtime of most recent policy file tstamp
2015-06-06 01:22:53 -07:00
policydb.h
Add the ability to mediate signals.
2014-04-23 11:35:29 -07:00
profile.cc
parser: first step implementing fine grained mediation for unix domain sockets
2014-09-03 13:22:26 -07:00
profile.h
Fix: parser: incorrect output of child profile names
2016-04-18 13:26:53 -07:00
ptrace.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
ptrace.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
rc.apparmor.debian
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
rc.apparmor.functions
Ignore *.orig and *.rej files when loading profiles
2018-12-08 00:18:29 -08:00
rc.apparmor.redhat
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
rc.apparmor.slackware
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
rc.apparmor.suse
Fix aa_log_end_msg() in rc.apparmor.suse
2015-07-24 00:06:57 +02:00
README
README: Move project contact info into the main README
2018-09-13 11:51:04 -07:00
README.devel
parser: add some developer documentation
2013-12-10 14:15:02 -08:00
rule.cc
Move C++ files from .c suffix to .cc suffix
2014-05-09 15:34:34 -07:00
rule.h
Add missing rule.[hc] files that should have been part of commit 2449
2014-04-07 11:41:25 -07:00
signal.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
signal.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
subdomain.conf
Here's an update to rename another chunk of things that still used
2011-01-13 13:58:26 -08:00
subdomain.conf.pod
all: Use HTTPS links for apparmor.net
2018-09-13 11:51:04 -07:00
techdoc.tex
various changes in building techdoc.tex:
2012-05-09 00:41:06 +02:00
unit_test.h
Convert codomain to a class
2013-09-27 16:16:37 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team