Add support for profiles with xattrs matching (!270) · Merge requests · AppArmor / apparmor

Eric Chiang requested to merge ericchiang/apparmor:parser-xattrs into master Nov 12, 2018

Add userland support for matching based on extended file attributes. This leverages DFA based matching already in the kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8e51f908 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73f488cd

Matching is exposed via flags on the profile:

/usr/bin/* xattrs=(user.foo=bar user.bar=foo) {
    # ...
}

xattr values are appended to the existing xmatch via a null transition.

$ echo '/usr/bin/* xattrs=(user.foo=foo user.bar=bar) {}' | \
    ./parser/apparmor_parser -QT -D expr-tree
DFA: Expression Tree
/usr/bin/[^\0000/]([^\0000/])*(\0000bar)?(\0000foo)?< 0x1>
DFA: Expression Tree
(\a|(\n|(\0002|\t)))< 0x4>

Tested manually on a 4.19 kernel via QEMU+KVM.

TODO:

~~Add regression tests~~ (EDIT: done)
~~EDIT: add support in the tools~~ (EDIT: done)

Questions for reviewers:

~~parser/libapparmor: regex construction probably needs cleaning up~~ (EDIT: done)
~~parser/parser_regex.c: confused what xmatch length is for~~ (EDIT: done)

/cc @mjg59

Edited Dec 18, 2018 by Eric Chiang

Admin message

Add support for profiles with xattrs matching

Merge request reports