1. 27 Sep, 2013 2 commits
  2. 20 Sep, 2013 2 commits
    • add optional allow prefix to the language · 17f0565a
      Steve Beattie authored
      From: John Johansen <john.johansen@canonical.com>
      
      Let allow be used as a prefix in place of deny.  Allow is the default
      and is implicit so it is not needed, but some users keep tripping over
      it, and it makes the language more symmetric.

         e.g.
            /foo rw,
            allow /foo rw,
            deny /foo rw,
      
      Patch history:
        v1: - initial revision
      
        v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect
              that it can be either an allow or deny modifier
            - break apart tests into more digestible chunks and to clarify
              their purpose
            - fix some tests to exercise 'audit allow'
            - add negative tests for 'allow' and 'deny' in the same rule
            - add support for 'allow' keyword to apparmor.vim
            - fix a bug in apparmor.vim to let it recognize multiple
              capability entries in a single line.
      
        v3: - add support for optional keywords on capability rules in
              regression tests, as well as the bare capability keyword (via
              'cap:ALL')
            - add allow, deny, and conflicting capability behavioral
              regression tests
            - fix vim syntax modeline to refer to apparmor in parser tests
            - adjust FILE regex in vim syntax file creator script
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: Steve Beattie <steve@nxnw.org>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
    • aa-unconfined displays less unconfined processes in some languages (for example with LANG=pt_BR) because a regex relies on netstat output. · ec738148
      Christian Boltz authored
      
      Enforce LANG=C to make sure aa-unconfined always sees the expected output.
      Acked-by: Steve Beattie <steve@nxnw.org>
  3. 19 Sep, 2013 1 commit
  4. 16 Sep, 2013 2 commits
  5. 13 Sep, 2013 1 commit
  6. 12 Sep, 2013 4 commits
  7. 11 Sep, 2013 6 commits
  8. 06 Sep, 2013 12 commits
  9. 04 Sep, 2013 2 commits
    • libapparmor: Clarify that mode strings are not to be freed · ebabb30a
      Tyler Hicks authored
      The aa_getcon man page only implies that the *mode strings returned by
      aa_getprocattr(), aa_gettaskcon(), aa_getcon(), and aa_getpeercon()
      should not be freed. A developer using the man page to build against
      libapparmor may miss that subtlety and end up hitting double free issues.
      
      This patch makes the man page more clear, makes the function comments
      more clear, and changes the aa_getprocattr() *buf param to *con. The use
      of *buf should be reserved for the aa_get*_raw() functions that do not
      allocate a buffer for the confinement context and all documents now
      clearly mention that *con must be freed.
      
      Additionally, this patch removes the line wrapping of the
      aa_getprocattr_raw() prototype in the aa_getcon man page source. The
      line wrapping caused incorrect formatting of the function prototype when
      viewing the man page.
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
    • libapparmor: Fix mode string NUL-termination of aa_getcon() functions · 54382a9b
      Tyler Hicks authored
      r2125 caused a regression in aa_getpeercon_raw() when a NULL pointer was
      passed into the mode parameter. Instead of unconditionally
      NUL-terminating the con string before the mode portion of the security
      context, it made it to where the NUL byte was only put into place when
      mode was non-NULL.
      
      This resulted in the con string incorrectly containing the label and the
      mode.
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Acked-by: Seth Arnold <seth.arnold@canonical.com>
  10. 29 Aug, 2013 1 commit
  11. 26 Aug, 2013 2 commits
  12. 23 Aug, 2013 1 commit
  13. 20 Aug, 2013 2 commits
  14. 13 Aug, 2013 1 commit
  15. 10 Aug, 2013 1 commit