mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity
apparmor/parser
History
John Johansen d4a76c456d Merge profiles: force read permission to their attachment path 
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.

However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.

This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .

This MR makes sure every confining AppArmor profiles explicitly allow (at least) read access to their attachment path.

This Merge request:
 - Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
 - Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
 - Extends `make check` to automatically ensure all AppArmor profile grant explicit read access to their attachment path, preventing future omissions.
 - Modifies apparmor_parser to show attachment in --debug output

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-28 12:02:18 +00:00
..
libapparmor_re
parser: hfa.cc debug promt->prompt typofix
2025-02-18 11:53:35 -08:00
po
Import translations from launchpad
2025-02-24 01:28:04 -08:00
tst
Add a script to verify attachment-path permissions
2025-04-18 12:41:54 +02:00
aa-teardown
aa-teardown: Replace /bin/bash with /bin/sh
2018-05-05 17:46:19 -07:00
aa-teardown.pod
docs: update documentation to point bug reporting to gitlab
2020-05-05 00:10:53 -07:00
af_rule.cc
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
af_rule.h
parser: rework perms rule merging
2023-07-10 20:04:53 -07:00
af_unix.cc
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
af_unix.h
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
all_rule.cc
parser: make ix of file, rule have lower priority so it can be overridden
2024-08-14 18:21:26 -07:00
all_rule.h
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
apparmor_parser.pod
fix typo: aggressive
2024-03-29 10:52:25 +01:00
apparmor_xattrs.pod
apparmor_xattrs.7: fix whatis entry
2020-10-25 11:54:47 +00:00
apparmor.d.pod
Merge parser: add an abi <default> that is equivalent to not specifying an abi
2025-04-12 10:30:28 +00:00
apparmor.pod
Replace 'scrub the environment' wording in man pages with something more accurate
2024-08-28 11:22:08 -07:00
apparmor.service
Add Documentation=... to apparmor.service
2023-10-29 10:49:33 +01:00
apparmor.systemd
apparmor.systemd: fix shellcheck false positive
2024-04-30 18:30:01 -03:00
base_af_names.h
Add 'mctp' network domain keyword
2022-02-08 19:09:24 +01:00
base_cap_names.h
parser: Add support for CAP_CHECKPOINT_RESTORE
2020-10-13 21:30:19 -07:00
bignum.h
parser: fix coverity issues found in snapshot 70858
2024-02-28 10:24:08 -03:00
capability.h
Make capabilities tracker into a class
2024-11-08 14:55:43 -08:00
common_flags.h
parser: Cleanup parser control flags, so they display as expected to user
2023-07-08 19:58:59 -07:00
common_optarg.c
parser: change priority so that it accumulates based on permissions
2025-02-06 11:02:20 -08:00
common_optarg.h
parser: Cleanup parser control flags, so they display as expected to user
2023-07-08 19:58:59 -07:00
cond_expr.cc
parser: refactor conditional logic into its own class
2024-08-14 17:22:48 -03:00
cond_expr.h
parser: refactor conditional logic into its own class
2024-08-14 17:22:48 -03:00
COPYING.GPL
rpmlint complains about an outdated FSF address in parser/COPYING.GPL.
2011-11-27 13:52:06 +01:00
dbus.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
dbus.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
default_features.c
parser: Move to a pre-generated cap_names.h
2020-07-07 09:43:48 -07:00
file_cache.h
Fix comment wording in file_cache.h
2021-05-02 11:29:41 +02:00
frob_slack_rc
as ACKed on IRC, drop the unused $Id$ tags everywhere
2010-12-20 12:29:10 -08:00
immunix.h
parser: change priority so that it accumulates based on permissions
2025-02-06 11:02:20 -08:00
io_uring.cc
parser: fix rule priority destroying rule permissions for some classes
2024-08-15 03:51:20 -07:00
io_uring.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00
lib.c
Fix comment typo in parser/lib.c
2021-12-05 18:16:53 +01:00
lib.h
libapparmor: Use directory file descriptor in _aa_dirat_for_each()
2015-06-15 15:11:51 -05:00
Makefile
Use the $(AWK) variable for the awk binary in the Makefiles
2025-03-18 09:28:52 -07:00
mount.cc
parser: Fix special casing for detached move mounts
2025-04-07 03:07:06 -07:00
mount.h
Allow make-* flags with remount operations
2024-12-17 11:59:54 -08:00
mqueue.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
mqueue.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00
network.cc
parser: fix mapping of AA_CONT_MATCH for policydb compat entries
2024-11-06 12:33:36 -08:00
network.h
parser: add port range support on network policy
2024-09-05 17:01:46 -03:00
parser_alias.c
Clarify duplicate insertion logic in parser_alias.c:process_entries
2024-11-13 14:34:55 -08:00
parser_common.c
parser: add special casing for detached move mounts
2025-04-05 00:19:09 -07:00
parser_include.c
Make parser_include push_include_stack take const char because it doesn't actually modify it
2024-10-28 12:35:26 +01:00
parser_include.h
Make parser_include push_include_stack take const char because it doesn't actually modify it
2024-10-28 12:35:26 +01:00
parser_interface.c
parser: add support for attach_disconnected.ipc flag
2025-03-13 14:51:18 -03:00
parser_lex.l
parser: add the ability to specify a priority prefix to rules
2024-08-14 17:15:24 -07:00
parser_main.c
parser: add special casing for detached move mounts
2025-04-05 00:19:09 -07:00
parser_merge.c
parser: fix priority for file rules.
2024-12-22 15:02:04 -08:00
parser_misc.c
parser: fix rlimit ofile when built on musl libc
2025-04-22 23:26:54 -07:00
parser_policy.c
rule_ents from conditional block are dropped
2025-02-18 16:47:36 +00:00
parser_regex.c
apparmor_parser: show attachment in --debug output
2025-04-18 10:26:20 +02:00
parser_symtab.c
treewide: spelling/typo fixes in code strings
2020-12-01 12:47:18 -08:00
parser_variable.c
parser: add support for attach_disconnected.ipc flag
2025-03-13 14:51:18 -03:00
parser_yacc.y
parser: make abi=<kenrel> respect the command line specied kernel features
2025-04-12 03:07:53 -07:00
parser.conf
Revert "policy: pin policy to 4.0 abi for dev"
2023-07-19 17:37:24 -03:00
parser.h
apparmor_parser: show attachment in --debug output
2025-04-18 10:26:20 +02:00
perms.h
Merge parser: improve libapparmor_re build and dump info
2024-11-15 00:32:30 +00:00
policy_cache.c
Fix wording of some warnings
2020-10-11 12:22:23 +02:00
policy_cache.h
drop unused extern int debug_cache
2021-02-07 16:02:20 +01:00
policydb.h
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
profile-load
profile-load: use less ambiguous if/then construct
2022-02-15 07:34:17 +00:00
profile.cc
parser: add support for attach_disconnected.ipc flag
2025-03-13 14:51:18 -03:00
profile.h
apparmor_parser: show attachment in --debug output
2025-04-18 10:26:20 +02:00
ptrace.cc
parser: minimization - remove unnecessary second minimization pass
2024-08-14 17:15:24 -07:00
ptrace.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
rc.apparmor.functions
Support unloading profiles in kill and prompt mode
2025-01-13 18:07:39 +01:00
rc.apparmor.slackware
added missing functions to slackware init script
2019-11-08 13:49:48 +01:00
README
README: Move project contact info into the main README
2018-09-13 16:54:09 +00:00
README.devel
parser: add some developer documentation
2013-12-10 14:15:02 -08:00
rule.cc
parser: consolidate rule class handling into aa_class
2023-03-31 02:21:19 -07:00
rule.h
parser: fix prefix dump to include priority
2025-02-06 10:54:42 -08:00
signal.cc
Make signal.cc:signal_map an unordered_map
2024-11-18 15:25:56 -08:00
signal.h
convert owner to an enum
2024-08-14 15:47:13 -07:00
techdoc.tex
treewide: spelling/typo fixes in comments and docs
2020-12-01 12:47:11 -08:00
unit_test.h
Convert codomain to a class
2013-09-27 16:16:37 -07:00
userns.cc
parser: fix rule priority destroying rule permissions for some classes
2024-08-15 03:51:20 -07:00
userns.h
parser: rename rules.h perms_t to perm32_t
2024-08-14 14:39:18 -07:00

README 

The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.

You can also find more information at https://wiki.apparmor.net

-- The AppArmor development team