mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity
apparmor/parser
History
John Johansen cfe20d2b63 Add support for profiles with xattrs matching 
Add userland support for matching based on extended file attributes. This
leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

    /usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
        # ...
    }

xattr values are appended to the existing xmatch via a null transition.

    $ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
        ./parser/apparmor_parser -QT -D expr-tree
    DFA: Expression Tree
    /usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1>
    DFA: Expression Tree
    (\a|(\n|(\0002|\t)))< 0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:

  * ~~Add regression tests~~ (EDIT: done)
  * ~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:

  * ~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
  * ~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

PR: https://gitlab.com/apparmor/apparmor/merge_requests/270
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-21 08:12:07 +00:00
..
libapparmor_re
Add support for profiles with xattrs matching
2019-03-21 08:12:07 +00:00
po
translations: sync from launchpad translations
2018-04-15 06:54:44 -07:00
tst
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
aa-teardown
aa-teardown: Replace /bin/bash with /bin/sh
2018-05-05 17:46:19 -07:00
aa-teardown.pod
all: Use HTTPS links for apparmor.net
2018-09-13 16:41:32 +00:00
af_rule.cc
parser: fix more gcc 5 compilation problems
2015-02-26 14:55:13 -08:00
af_rule.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
af_unix.cc
with unix rules we output a downgraded rule compatible with network rules
2017-09-07 02:26:15 -07:00
af_unix.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
apparmor_parser.pod
remove subdomainfs support
2018-11-08 18:23:21 -08:00
apparmor_xattrs.pod
parser: add a man page for xattrs
2019-03-14 10:47:54 -07:00
apparmor.d.pod
Add support for profiles with xattrs matching
2019-03-21 08:12:07 +00:00
apparmor.pod
remove subdomainfs support
2018-11-08 18:23:21 -08:00
apparmor.service
Adjust cache paths in apparmor.service
2018-06-16 23:14:19 +02:00
apparmor.systemd
parser/apparmor.systemd: fix minor issues detected by shellcheck
2018-12-21 19:50:10 +01:00
common_optarg.c
Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs
2014-04-23 11:10:41 -07:00
common_optarg.h
Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs
2014-04-23 11:10:41 -07:00
COPYING.GPL
rpmlint complains about an outdated FSF address in parser/COPYING.GPL.
2011-11-27 13:52:06 +01:00
dbus.cc
parser/dbus.cc: fix "accesss" typo.
2015-05-01 10:25:57 +02:00
dbus.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
frob_slack_rc
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
immunix.h
Rename AA_MAY_XXX permission bits that conflict with new layout
2015-06-06 01:25:49 -07:00
lib.c
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
lib.h
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
Makefile
parser: add a man page for xattrs
2019-03-14 10:47:54 -07:00
mount.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
mount.h
Fix remount with bind
2015-09-21 12:20:19 -07:00
network.c
Use the gcc cleanup extension attribute to handle closing temp files
2015-03-25 17:09:26 -05:00
network.h
Remove unused net_find_af_val function, and network_families array
2015-02-27 16:20:31 +00:00
parser_alias.c
parser: provide typedefs for comparison_fn_t and __free_fn_t
2018-05-09 13:15:42 -07:00
parser_common.c
parser: Check kernel stacking support when handling stacked transitions
2016-03-18 17:28:51 -05:00
parser_include.c
parser: fix warnings about unused functions
2019-01-24 02:36:42 -08:00
parser_include.h
allow directories to be passed to the parser
2013-10-26 00:15:13 -07:00
parser_interface.c
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
parser_lex.l
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
parser_main.c
parser: update indentation of work_spawn() macro
2019-02-22 02:28:43 -08:00
parser_merge.c
parser: Stop splitting the namespace from the named transition targets
2016-03-18 17:28:51 -05:00
parser_misc.c
parser: ignore feature abi rules
2018-10-12 22:14:38 -07:00
parser_policy.c
parser: Stop splitting the namespace from the named transition targets
2016-03-18 17:28:51 -05:00
parser_regex.c
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
parser_symtab.c
parser: provide typedefs for comparison_fn_t and __free_fn_t
2018-05-09 13:15:42 -07:00
parser_variable.c
parser: fix memory leaks in unit tests
2016-01-25 12:05:50 -08:00
parser_yacc.y
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
parser.conf
parser: adjust parser.conf example Include statements
2015-03-09 10:43:13 -07:00
parser.h
parser: Fix parser failing to handle errors when setting up work
2019-02-22 02:28:30 -08:00
policy_cache.c
libapparmor: Add support for overlaycache directories
2018-04-14 15:51:23 -07:00
policy_cache.h
libapparmor: Add support for overlaycache directories
2018-04-14 15:51:23 -07:00
policydb.h
Add the ability to mediate signals.
2014-04-23 11:35:29 -07:00
profile.cc
parser: first step implementing fine grained mediation for unix domain sockets
2014-09-03 13:22:26 -07:00
profile.h
parser: add support for matching based on extended file attributes
2019-03-14 10:47:54 -07:00
ptrace.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
ptrace.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
rc.apparmor.debian
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
rc.apparmor.functions
Get rid of $MODULE, replace usage with hardcoded "apparmor"
2019-03-21 08:10:12 +00:00
rc.apparmor.redhat
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
rc.apparmor.slackware
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
README
README: Move project contact info into the main README
2018-09-13 16:54:09 +00:00
README.devel
parser: add some developer documentation
2013-12-10 14:15:02 -08:00
rule.cc
Move C++ files from .c suffix to .cc suffix
2014-05-09 15:34:34 -07:00
rule.h
Add missing rule.[hc] files that should have been part of commit 2449
2014-04-07 11:41:25 -07:00
signal.cc
And the related patch to fix globbing for af_unix abstract names
2015-02-12 10:19:16 -08:00
signal.h
C tools: rename __unused macro to unused
2014-10-02 12:58:54 -07:00
techdoc.tex
various changes in building techdoc.tex:
2012-05-09 00:41:06 +02:00
unit_test.h
Convert codomain to a class
2013-09-27 16:16:37 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team