mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity
apparmor/parser
History
John Johansen af64328cf7 Merge parser: bug fix do not change auditing information when applying deny 
The parser recently changed how/where deny information is applied.
commit 1fa45b7c1 ("parser: dfa minimization prepare for extended
permissions") removed the implicit filtering of explicit denies during
the minimization pass. The implicit clear allowed the explicit
information to be carried into the minimization pass and merged with
implicit denies. The end result being a minimized dfa with the explicit
deny information available to be applied post minimization, and
then dropped later at permission encoding in the accept entries.

Extended permission however enable carrying explicit deny information
into the kernel to fix certain bugs like complain mode not being
able to distinguish between implicit and explicit deny rules (ie.
deny rules get ignored in complain mode). However keeping explicit
deny information when unnecessary result in a larger state machine
than necessary and slower compiles.

commit 179c1c1ba ("parser: fix minimization check for filtering_deny")
Moved the explicit apply_and_clear_deny() pass to before minimization
to restore mnimization's ability to create a minimized dfa with
explicit and implicit deny information merged but this also cleared
the explicit deny information that used to be carried through
minimization. This meant that when the deny information was applied
post minimization it resulted in the audit and quiet information
being cleared.

This resulted in the query_label tests failing as they are checking
for the expected audit infomation in the permissions.

Fixes: 179c1c1ba ("parser: fix minimization check for filtering_deny")
Bug: https://gitlab.com/apparmor/apparmor/-/issues/461
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1408
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit eb365b374df7b85c13a0119063a807743771bf5a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-12-21 19:46:26 -08:00
..
libapparmor_re
Merge parser: bug fix do not change auditing information when applying deny
2024-12-21 19:46:26 -08:00
po
translations: update generated pot files
2020-10-14 03:56:38 -07:00
tst
Merge parser: fix integer overflow bug in rule priority comparisons
2024-10-28 04:58:35 -07:00
aa-teardown
aa-teardown: Replace /bin/bash with /bin/sh
2018-05-05 17:46:19 -07:00
aa-teardown.pod
docs: update documentation to point bug reporting to gitlab
2020-05-05 00:10:53 -07:00
af_rule.cc
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
af_rule.h
parser: rework perms rule merging
2023-07-10 20:04:53 -07:00
af_unix.cc
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
af_unix.h
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
all_rule.cc
parser: make ix of file, rule have lower priority so it can be overridden
2024-08-14 18:21:26 -07:00
all_rule.h
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
apparmor_parser.pod
fix typo: aggressive
2024-03-29 10:52:25 +01:00
apparmor_xattrs.pod
apparmor_xattrs.7: fix whatis entry
2020-10-25 11:54:47 +00:00
apparmor.d.pod
Merge parser: add port range support on network policy
2024-10-28 04:53:20 -07:00
apparmor.pod
fix typo: globally
2024-03-29 10:57:33 +01:00
apparmor.service
Add Documentation=... to apparmor.service
2023-10-29 10:49:33 +01:00
apparmor.systemd
apparmor.systemd: fix shellcheck false positive
2024-04-30 18:30:01 -03:00
base_af_names.h
Add 'mctp' network domain keyword
2022-02-08 19:09:24 +01:00
base_cap_names.h
parser: Add support for CAP_CHECKPOINT_RESTORE
2020-10-13 21:30:19 -07:00
bignum.h
parser: fix coverity issues found in snapshot 70858
2024-02-28 10:24:08 -03:00
capability.h
parser/capability.h: add missing <cstdint> include
2022-05-23 23:13:14 +01:00
common_flags.h
parser: Cleanup parser control flags, so they display as expected to user
2023-07-08 19:58:59 -07:00
common_optarg.c
parser: fix 16 bit state limitation
2024-08-14 17:01:30 -07:00
common_optarg.h
parser: Cleanup parser control flags, so they display as expected to user
2023-07-08 19:58:59 -07:00
cond_expr.cc
parser: refactor conditional logic into its own class
2024-08-14 17:22:48 -03:00
cond_expr.h
parser: refactor conditional logic into its own class
2024-08-14 17:22:48 -03:00
COPYING.GPL
rpmlint complains about an outdated FSF address in parser/COPYING.GPL.
2011-11-27 13:52:06 +01:00
dbus.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
dbus.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
default_features.c
parser: Move to a pre-generated cap_names.h
2020-07-07 09:43:48 -07:00
file_cache.h
Fix comment wording in file_cache.h
2021-05-02 11:29:41 +02:00
frob_slack_rc
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
immunix.h
Merge parser: fix integer overflow bug in rule priority comparisons
2024-10-28 04:58:35 -07:00
io_uring.cc
Merge parser: fix rule priority destroying rule permissions for some classes
2024-10-28 04:51:48 -07:00
io_uring.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00
lib.c
Fix comment typo in parser/lib.c
2021-12-05 18:16:53 +01:00
lib.h
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
Makefile
parser: refactor conditional logic into its own class
2024-08-14 17:22:48 -03:00
mount.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
mount.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
mqueue.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
mqueue.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00
network.cc
Merge parser: add port range support on network policy
2024-10-28 04:53:20 -07:00
network.h
Merge parser: add port range support on network policy
2024-10-28 04:53:20 -07:00
parser_alias.c
parser: make alias_ignore a bool
2023-03-31 02:17:28 -07:00
parser_common.c
Merge parser: fix minimization check for filtering deny
2024-10-28 04:58:49 -07:00
parser_include.c
parser: fix definitely and possibly lost memory leaks
2023-03-16 18:03:57 -03:00
parser_include.h
parser: add include dedup cache to handle include loops
2021-04-27 20:26:57 -07:00
parser_interface.c
parser: fix protocol error on older kernels caused by additional xtable
2024-08-14 15:47:13 -07:00
parser_lex.l
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
parser_main.c
parser: enable extended perms if supported by the kernel
2024-08-14 17:15:24 -07:00
parser_merge.c
parser: Cleanup parser control flags, so they display as expected to user
2023-07-08 19:58:59 -07:00
parser_misc.c
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
parser_policy.c
parser: don't set xbits when using permstable32_v1
2024-08-14 15:47:13 -07:00
parser_regex.c
Merge parser: fix integer overflow bug in rule priority comparisons
2024-10-28 04:58:35 -07:00
parser_symtab.c
treewide: spelling/typo fixes in code strings
2020-12-01 12:47:18 -08:00
parser_variable.c
parser: add support for attach_disconnected.path
2023-08-14 01:42:28 -07:00
parser_yacc.y
Merge parser: fix integer overflow bug in rule priority comparisons
2024-10-28 04:58:35 -07:00
parser.conf
Revert "policy: pin policy to 4.0 abi for dev"
2023-07-19 17:37:24 -03:00
parser.h
Merge parser: fix integer overflow bug in rule priority comparisons
2024-10-28 04:58:35 -07:00
perms.h
parser: add note of what perms.h is
2024-08-14 15:47:13 -07:00
policy_cache.c
Fix wording of some warnings
2020-10-11 12:22:23 +02:00
policy_cache.h
drop unused extern int debug_cache
2021-02-07 16:02:20 +01:00
policydb.h
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
profile-load
profile-load: use less ambiguous if/then construct
2022-02-15 07:34:17 +00:00
profile.cc
parser: frontend carry use of prompt rules flag on profile
2024-08-14 15:45:58 -07:00
profile.h
parser: Add prompt dev compat support
2024-08-14 15:47:13 -07:00
ptrace.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
ptrace.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
rc.apparmor.functions
aa-teardown: print out which profile removal failed
2024-06-08 23:35:02 +02:00
rc.apparmor.slackware
added missing functions to slackware init script
2019-11-08 13:49:48 +01:00
README
README: Move project contact info into the main README
2018-09-13 16:54:09 +00:00
README.devel
parser: add some developer documentation
2013-12-10 14:15:02 -08:00
rule.cc
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
rule.h
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
signal.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
signal.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
techdoc.tex
treewide: spelling/typo fixes in comments and docs
2020-12-01 12:47:11 -08:00
unit_test.h
Convert codomain to a class
2013-09-27 16:16:37 -07:00
userns.cc
Merge parser: fix rule priority destroying rule permissions for some classes
2024-10-28 04:51:48 -07:00
userns.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team