...
 
Commits (265)
apparmor-*
cscope.*
binutils/aa-enabled
binutils/aa-enabled.1
binutils/aa-exec
binutils/aa-exec.1
binutils/po/*.mo
parser/po/*.mo
parser/af_names.h
parser/cap_names.h
parser/tst_lib
parser/tst_misc
parser/tst_regex
parser/tst_symtab
......@@ -12,6 +19,37 @@ parser/parser_version.h
parser/parser_yacc.c
parser/parser_yacc.h
parser/pod2htm*.tmp
parser/af_rule.o
parser/af_unix.o
parser/common_optarg.o
parser/dbus.o
parser/lib.o
parser/libapparmor_re/aare_rules.o
parser/libapparmor_re/chfa.o
parser/libapparmor_re/expr-tree.o
parser/libapparmor_re/hfa.o
parser/libapparmor_re/libapparmor_re.a
parser/libapparmor_re/parse.o
parser/mount.o
parser/network.o
parser/parser_alias.o
parser/parser_common.o
parser/parser_include.o
parser/parser_interface.o
parser/parser_lex.o
parser/parser_main.o
parser/parser_merge.o
parser/parser_misc.o
parser/parser_policy.o
parser/parser_regex.o
parser/parser_symtab.o
parser/parser_variable.o
parser/parser_yacc.o
parser/policy_cache.o
parser/profile.o
parser/ptrace.o
parser/rule.o
parser/signal.o
parser/*.7
parser/*.5
parser/*.8
......@@ -19,12 +57,14 @@ parser/*.7.html
parser/*.5.html
parser/*.8.html
parser/apparmor_parser
parser/libapparmor_re/parse.cc
parser/libapparmor_re/regexp.cc
parser/techdoc.aux
parser/techdoc.log
parser/techdoc.pdf
parser/techdoc.toc
profiles/apparmor.d/local/*.*
profiles/apparmor.d/local/*
!profiles/apparmor.d/local/README
libraries/libapparmor/Makefile
libraries/libapparmor/Makefile.in
libraries/libapparmor/aclocal.m4
......@@ -55,17 +95,27 @@ libraries/libapparmor/src/.deps
libraries/libapparmor/src/.libs
libraries/libapparmor/src/Makefile
libraries/libapparmor/src/Makefile.in
libraries/libapparmor/src/PMurHash.lo
libraries/libapparmor/src/PMurHash.o
libraries/libapparmor/src/af_protos.h
libraries/libapparmor/src/change_hat.lo
libraries/libapparmor/src/features.lo
libraries/libapparmor/src/features.o
libraries/libapparmor/src/grammar.lo
libraries/libapparmor/src/grammar.o
libraries/libapparmor/src/kernel.lo
libraries/libapparmor/src/kernel.o
libraries/libapparmor/src/kernel_interface.lo
libraries/libapparmor/src/kernel_interface.o
libraries/libapparmor/src/libaalogparse.lo
libraries/libapparmor/src/libaalogparse.o
libraries/libapparmor/src/libimmunix_warning.lo
libraries/libapparmor/src/policy_cache.lo
libraries/libapparmor/src/policy_cache.o
libraries/libapparmor/src/private.lo
libraries/libapparmor/src/private.o
libraries/libapparmor/src/scanner.lo
libraries/libapparmor/src/scanner.o
libraries/libapparmor/src/libapparmor.pc
libraries/libapparmor/src/libapparmor.la
libraries/libapparmor/src/libimmunix.la
......@@ -73,7 +123,19 @@ libraries/libapparmor/src/grammar.c
libraries/libapparmor/src/grammar.h
libraries/libapparmor/src/scanner.c
libraries/libapparmor/src/scanner.h
libraries/libapparmor/src/test-suite.log
libraries/libapparmor/src/tst_aalogmisc
libraries/libapparmor/src/tst_aalogmisc.log
libraries/libapparmor/src/tst_aalogmisc.o
libraries/libapparmor/src/tst_aalogmisc.trs
libraries/libapparmor/src/tst_features
libraries/libapparmor/src/tst_features.log
libraries/libapparmor/src/tst_features.o
libraries/libapparmor/src/tst_features.trs
libraries/libapparmor/src/tst_kernel
libraries/libapparmor/src/tst_kernel.log
libraries/libapparmor/src/tst_kernel.o
libraries/libapparmor/src/tst_kernel.trs
libraries/libapparmor/swig/Makefile
libraries/libapparmor/swig/Makefile.in
libraries/libapparmor/swig/perl/LibAppArmor.bs
......@@ -87,8 +149,9 @@ libraries/libapparmor/swig/perl/MYMETA.json
libraries/libapparmor/swig/perl/MYMETA.yml
libraries/libapparmor/swig/perl/blib
libraries/libapparmor/swig/perl/libapparmor_wrap.c
libraries/libapparmor/swig/perl/libapparmor_wrap.o
libraries/libapparmor/swig/perl/pm_to_blib
libraries/libapparmor/swig/python/__init__.py
libraries/libapparmor/swig/python/LibAppArmor.py
libraries/libapparmor/swig/python/build/
libraries/libapparmor/swig/python/libapparmor_wrap.c
libraries/libapparmor/swig/python/Makefile
......@@ -96,8 +159,18 @@ libraries/libapparmor/swig/python/Makefile.in
libraries/libapparmor/swig/python/setup.py
libraries/libapparmor/swig/python/test/Makefile
libraries/libapparmor/swig/python/test/Makefile.in
libraries/libapparmor/swig/python/test/test-suite.log
libraries/libapparmor/swig/python/test/test_python.py
libraries/libapparmor/swig/python/test/test_python.py.log
libraries/libapparmor/swig/python/test/test_python.py.trs
libraries/libapparmor/swig/ruby/LibAppArmor.so
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
libraries/libapparmor/swig/ruby/Makefile.new
libraries/libapparmor/swig/ruby/Makefile.ruby
libraries/libapparmor/swig/ruby/mkmf.log
libraries/libapparmor/testsuite/.deps
libraries/libapparmor/testsuite/.libs
libraries/libapparmor/testsuite/Makefile
......@@ -113,6 +186,7 @@ libraries/libapparmor/testsuite/lib/Makefile.in
libraries/libapparmor/testsuite/libaalogparse.test/Makefile
libraries/libapparmor/testsuite/libaalogparse.test/Makefile.in
libraries/libapparmor/testsuite/test_multi/out
libraries/libapparmor/testsuite/test_multi_multi-test_multi.o
changehat/mod_apparmor/.libs
utils/*.8
utils/*.8.html
......@@ -120,6 +194,15 @@ utils/*.5
utils/*.5.html
utils/*.tmp
utils/po/*.mo
utils/apparmor/*.pyc
utils/apparmor/rule/*.pyc
utils/test/common_test.pyc
utils/test/.coverage
utils/test/htmlcov/
utils/vim/apparmor.vim
utils/vim/apparmor.vim.5
utils/vim/apparmor.vim.5.html
utils/vim/pod2htmd.tmp
tests/regression/apparmor/access
tests/regression/apparmor/changehat
tests/regression/apparmor/changehat_fail
......
......@@ -16,12 +16,9 @@ DIRS=parser \
changehat/pam_apparmor \
tests
#REPO_URL?=lp:apparmor
# --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
# alternate possibilities to export from
#REPO_URL=.
#REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
# with conversion to git, we don't export from the remote
REPO_URL?=git@gitlab.com:apparmor/apparmor.git
REPO_BRANCH?=apparmor-2.10
RELEASE_DIR=apparmor-${VERSION}
__SETUP_DIR?=.
......@@ -29,7 +26,9 @@ __SETUP_DIR?=.
# We create a separate version for tags because git can't handle tags
# with embedded ~s in them. No spaces around '-' or they'll get
# embedded in ${VERSION}
TAG_VERSION=$(subst ~,-,${VERSION})
# apparmor version tag format 'vX.Y.ZZ'
# apparmor branch name format 'apparmor-X.Y'
TAG_VERSION="v$(subst ~,-,${VERSION})"
# Add exclusion entries arguments for tar here, of the form:
# --exclude dir_to_exclude --exclude other_dir
......@@ -44,18 +43,18 @@ tarball: clean
.PHONY: snapshot
snapshot: clean
REPO_VERSION=`$(value REPO_VERSION_CMD)` ; \
SNAPSHOT_DIR=apparmor-${VERSION}~$${REPO_VERSION} ;\
make export_dir __EXPORT_DIR=$${SNAPSHOT_DIR} __REPO_VERSION=$${REPO_VERSION} ; \
make setup __SETUP_DIR=$${SNAPSHOT_DIR} ; \
tar ${TAR_EXCLUSIONS} -cvzf $${SNAPSHOT_DIR}.tar.gz $${SNAPSHOT_DIR} ;
$(eval REPO_VERSION:=$(shell $(value REPO_VERSION_CMD)))
$(eval SNAPSHOT_NAME=apparmor-$(VERSION)~$(shell echo $(REPO_VERSION) | cut -d '-' -f 2-))
$(MAKE) export_dir __EXPORT_DIR=${SNAPSHOT_NAME} __REPO_VERSION=${REPO_VERSION} && \
$(MAKE) setup __SETUP_DIR=${SNAPSHOT_NAME} && \
tar ${TAR_EXCLUSIONS} -cvzf ${SNAPSHOT_NAME}.tar.gz ${SNAPSHOT_NAME}
.PHONY: export_dir
export_dir:
mkdir $(__EXPORT_DIR)
/usr/bin/bzr export --per-file-timestamps -r $(__REPO_VERSION) $(__EXPORT_DIR) $(REPO_URL)
echo "$(REPO_URL) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
/usr/bin/git archive --prefix=$(__EXPORT_DIR)/ --format tar $(__REPO_VERSION) | tar xv
echo "$(REPO_URL) $(REPO_BRANCH) $(__REPO_VERSION)" > $(__EXPORT_DIR)/common/.stamp_rev
.PHONY: clean
clean:
......@@ -70,5 +69,4 @@ setup:
.PHONY: tag
tag:
bzr tag apparmor_${TAG_VERSION}
git tag -m 'AppArmor $(VERSION)' -s $(TAG_VERSION)
# AppArmor
[![Build status](https://gitlab.com/apparmor/apparmor/badges/master/build.svg)](https://gitlab.com/apparmor/apparmor/commits/master)
[![Overall test coverage](https://gitlab.com/apparmor/apparmor/badges/master/coverage.svg)](https://gitlab.com/apparmor/apparmor/pipelines)
[![Core Infrastructure Initiative Best Practices](https://bestpractices.coreinfrastructure.org/projects/1699/badge)](https://bestpractices.coreinfrastructure.org/projects/1699)
------------
Introduction
------------
......@@ -17,9 +23,27 @@ library, available under the LGPL license, which allows change_hat(2)
and change_profile(2) to be used by non-GPL binaries).
For more information, you can read the techdoc.pdf (available after
building the parser) and by visiting the http://apparmor.net/ web
building the parser) and by visiting the https://apparmor.net/ web
site.
----------------
Getting in Touch
----------------
Please send all complaints, feature requests, rants about the software,
and questions to the
[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).
Bug reports can be filed against the AppArmor project on
[launchpad](https://bugs.launchpad.net/apparmor) or reported to the mailing
list directly for those who wish not to register for an account on
launchpad. See the
[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)
for more information.
Security issues can be filed as security bugs on launchpad
or directed to `security@apparmor.net`. Additional details can be found
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
-------------
Source Layout
......@@ -36,6 +60,7 @@ parser/ source for parser/loader and corresponding documentation
profiles/ configuration files, reference profiles and abstractions
tests/ regression and stress testsuites
utils/ high-level utilities for working with AppArmor
```
--------------------------------------
Important note on AppArmor kernel code
......@@ -56,16 +81,27 @@ Building and Installing AppArmor Userspace
------------------------------------------
To build and install AppArmor userspace on your system, build and install in
the following order.
the following order. Some systems may need to export various python-related
environment variables to complete the build. For example, before building
anything on these systems, use something along the lines of:
```
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
```
libapparmor:
```
$ cd ./libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python # see below
$ make
$ make check
$ make install
```
[an additional optional argument to libapparmor's configure is --with-ruby, to
generate Ruby bindings to libapparmor.]
......@@ -76,33 +112,44 @@ $ cd utils
$ make
$ make check
$ make install
```
parser:
```
$ cd parser
$ make # depends on libapparmor having been built first
$ make check
$ make install
```
Apache mod_apparmor:
```
$ cd changehat/mod_apparmor
$ make # depends on libapparmor having been built first
$ make install
```
PAM AppArmor:
```
$ cd changehat/pam_apparmor
$ make # depends on libapparmor having been built first
$ make install
```
Profiles:
```
$ cd profiles
$ make
$ make check # depends on the parser having been built first
$ make install
```
[Note that for the parser and the utils, if you only with to build/use
some of the locale languages, you can override the default by passing
......@@ -123,38 +170,50 @@ For details on structure and adding tests, see
tests/regression/apparmor/README.
To run:
```
$ cd tests/regression/apparmor (requires root)
$ make
$ sudo make tests
$ sudo bash open.sh -r # runs and saves the last testcase from open.sh
```
Parser tests
------------
For details on structure and adding tests, see parser/tst/README.
To run:
```
$ cd parser/tst
$ make
$ make tests
```
Libapparmor
-----------
For details on structure and adding tests, see libraries/libapparmor/README.
```
$ cd libraries/libapparmor
$ make check
```
Utils
-----
Tests for the Python utilities exist in the test/ subdirectory.
```
$ cd utils
$ make check
```
The aa-decode utility to be tested can be overridden by
setting up environment variable APPARMOR_DECODE; e.g.:
```
$ APPARMOR_DECODE=/usr/bin/aa-decode make check
```
Profile checks
--------------
......@@ -162,29 +221,44 @@ A basic consistency check to ensure that the parser and aa-logprof parse
successfully the current set of shipped profiles. The system or other
parser and logprof can be passed in by overriding the PARSER and LOGPROF
variables.
```
$ cd profiles
$ make && make check
```
Stress Tests
------------
To run AppArmor stress tests:
```
$ make all
```
Use these:
```
$ ./change_hat
$ ./child
$ ./kill.sh
$ ./open
$ ./s.sh
```
Or run all at once:
```
$ ./stress.sh
```
Please note that the above will stress the system so much it may end up
invoking the OOM killer.
To run parser stress tests (requires /usr/bin/ruby):
```
$ ./stress.sh
```
(see stress.sh -h for options)
......
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd
# essentially adheres to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa-enabled - test whether AppArmor is enabled
=head1 SYNOPSIS
B<aa-enabled> [options]
=head1 DESCRIPTION
B<aa-enabled> is used to determine if AppArmor is enabled.
=head1 OPTIONS
B<aa-enabled> accepts the following arguments:
=over 4
=item -h, --help
Display a brief usage guide.
=item -q, --quiet
Do not output anything to stdout. This option is intended to be used by
scripts that simply want to use the exit code to determine if AppArmor is
enabled.
=back
=head1 EXIT STATUS
Upon exiting, B<aa-enabled> will set its exit status to the following values:
=over 4
=item 0:
if AppArmor is enabled.
=item 1:
if AppArmor is not enabled/loaded.
=item 2:
intentionally not used as an B<aa-enabled> exit status.
=item 3:
if the AppArmor control files aren't available under /sys/kernel/security/.
=item 4:
if B<aa-enabled> doesn't have enough privileges to read the apparmor control files.
=item 64:
if any unexpected error or condition is encountered.
=back
=head1 BUGS
If you find any bugs, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<https://wiki.apparmor.net>.
=cut
......@@ -65,7 +65,7 @@ provides the AAHatName and AADefaultHatName Apache configuration options.
AAHatName allows you to specify a hat to be used for a given Apache
E<lt>DirectoryE<gt>, E<lt>DirectoryMatchE<gt>, E<lt>LocationE<gt> or
E<lt>LocationMatchE<gt> directive (see the Apache documenation for more
E<lt>LocationMatchE<gt> directive (see the Apache documentation for more
details). Note that mod_apparmor behavior can become confused if
E<lt>Directory*E<gt> and E<lt>Location*E<gt> directives are intermingled
and it is recommended to use one type of directive. If the hat specified by
......@@ -140,6 +140,6 @@ them at L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -111,6 +111,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
sizeof(magic_token));
if (retval < 0) {
pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
close(fd);
return PAM_PERM_DENIED;
}
} while ((magic_token == 0) || (retval != sizeof(magic_token)));
......
......@@ -42,10 +42,9 @@ endif
define nl
endef
REPO_VERSION_CMD=([ -x /usr/bin/bzr ] && /usr/bin/bzr version-info . 2> /dev/null || awk '{ print "revno: "$2 }' common/.stamp_rev) | awk '/^revno:/ { print $2 }'
REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev
ifndef PYTHON_VERSIONS
PYTHON_VERSIONS = $(call map, pathsearch, python2 python3)
......@@ -98,7 +97,7 @@ list_capabilities: /usr/include/linux/capability.h
# to mediate. We use PF_ here since that is what is required in
# bits/socket.h, but we will rewrite these as AF_.
FILTER_FAMILIES=PF_UNSPEC PF_UNIX
FILTER_FAMILIES=PF_UNIX
__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
......
......@@ -138,7 +138,7 @@ my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
sysctl_write($ratelimit_sysctl, 0);
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles"));
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
......@@ -195,7 +195,7 @@ for my $p (sort keys %helpers) {
}
UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttp://wiki.apparmor.net/index.php/Profiles\n"));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n"));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
......
......@@ -38,6 +38,6 @@ aclocal
echo "Running autoconf"
autoconf --force
echo "Running libtoolize"
libtoolize --automake -c
libtoolize --automake -c --force
echo "Running automake"
automake -ac
......@@ -257,6 +257,6 @@ should be used.
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_getcon(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -40,16 +40,15 @@ An AppArmor profile applies to an executable program; if a portion of
the program needs different access permissions than other portions,
the program can "change profile" to a different profile. To change into a
new profile, it can use the aa_change_profile() function to do so. It passes
in a pointer to the I<profile> to transition to. Transitioning to another
profile via aa_change_profile() is permanent and the process is not
permitted to transition back to the original profile. Confined programs
wanting to use aa_change_profile() need to have rules permitting changing
to the named profile. See apparmor.d(8) for details.
in a pointer to the I<profile> to transition to. Confined programs wanting to
use aa_change_profile() need to have rules permitting changing to the named
profile. See apparmor.d(8) for details.
If a program wants to return out of the current profile to the
original profile, it should use aa_change_hat(2) instead.
original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
have rules permitting changing between the two profiles.
Open file descriptors are not remediated after a call to aa_change_profile()
Open file descriptors may not be remediated after a call to aa_change_profile()
so the calling program must close(2) open file descriptors to ensure they
are not available after calling aa_change_profile(). As aa_change_profile()
is typically used just before execve(2), you may want to use open(2) or
......@@ -84,8 +83,8 @@ Insufficient kernel memory was available.
=item B<EPERM>
The calling application is not confined by apparmor, or the no_new_privs
bit is set.
The calling application is confined by apparmor and the no_new_privs bit is
set.
=item B<EACCES>
......@@ -205,6 +204,6 @@ separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -143,6 +143,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
openat(2) and L<http://wiki.apparmor.net>.
openat(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -115,6 +115,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -132,6 +132,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_splitcon(3) and L<http://wiki.apparmor.net>.
aa_splitcon(3) and L<https://wiki.apparmor.net>.
=cut
......@@ -157,6 +157,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_features(3), openat(2) and L<http://wiki.apparmor.net>.
aa_features(3), openat(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -120,6 +120,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_features(3), aa_kernel_interface(3), openat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -132,6 +132,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_getcon(2), aa_splitcon(3)
and L<http://wiki.apparmor.net>.
and L<https://wiki.apparmor.net>.
=cut
......@@ -67,6 +67,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_getcon(2) and L<http://wiki.apparmor.net>.
aa_getcon(2) and L<https://wiki.apparmor.net>.
=cut
# This publication is intellectual property of Canonical Ltd. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
#
# All information found in this book has been compiled with utmost
# attention to detail. However, this does not guarantee complete accuracy.
# Neither Canonical Ltd, the authors, nor the translators shall be held
# liable for possible errors or the consequences thereof.
#
# Many of the software and hardware descriptions cited in this book
# are registered trademarks. All trade names are subject to copyright
# restrictions and may be registered trade marks. Canonical Ltd.
# essentially adhere to the manufacturer's spelling.
#
# Names of products and trademarks appearing in this book (with or without
# specific notation) are likewise subject to trademark and trade protection
# laws and may thus fall under copyright restrictions.
#
=pod
=head1 NAME
aa_stack_profile, aa_stack_onexec - combine multiple profiles to confine a task
=head1 SYNOPSIS
B<#include E<lt>sys/apparmor.hE<gt>>
B<int aa_stack_profile(const char *profile);>
B<int aa_stack_onexec(const char *profile);>
Link with B<-lapparmor> when compiling.
=head1 DESCRIPTION
AppArmor supports stacking two or more profiles when confining a task. The
result is an intersection of all profiles which are stacked. Stacking profiles
together is desirable when wanting to ensure that confinement will never become
more permissive. When changing between two profiles, as performed with
aa_change_profile(2), there is always the possibility that the new profile is
more permissive than the old profile but that possibility is eliminated when
using aa_stack_profile().
To stack a profile with the current confinement context, a task can use the
aa_stack_profile() function. The I<profile> parameter is a NUL-terminated
string indicating a profile name that should be stacked with the current
confinement.
Calling aa_stack_profile("profile_a") while unconfined is equivalent to calling
aa_change_profile("profile_a") since the intersection of unconfined and
"profile_a" is "profile_a". Calling aa_stack_profile("profile_b") while
confined by "profile_a" results in the task's confinement to be the
intersection of "profile_a" and "profile_b". The resulting confinement context
will be represented as "profile_a//&profile_b" in audit log messages, the
return value of aa_getcon(2), etc.
Confined programs wanting to use aa_stack_profile() need to have rules
permitting stacking the named profile. See apparmor.d(8) for details.
Open file descriptors may not be remediated after a call to aa_stack_profile()
so the calling program must close(2) open file descriptors to ensure they
are not available after calling aa_stack_profile().
The aa_stack_onexec() function is like the aa_stack_profile() function
except it specifies that the stacking should take place on the next exec
instead of immediately. The delayed profile change takes precedence over any
exec transition rules within the confining profile. Delaying the stacking
boundary has a couple of advantages, it removes the need for stub transition
profiles and the exec boundary is a natural security layer where potentially
sensitive memory is unmapped.
=head1 RETURN VALUE
On success zero is returned. On error, -1 is returned, and
errno(3) is set appropriately.
=head1 ERRORS
=over 4
=item B<EINVAL>
AppArmor is not loaded, neither a profile nor a namespace was specified,
or the communication via the F</proc/*/attr/current> file did not conform
to protocol.
=item B<ENOMEM>
Insufficient kernel memory was available.
=item B<ENOENT>
The specified profile does not exist, or is not visible from the current
namespace.
=back
=head1 NOTES
Using aa_stack_profile() and related libapparmor functions are the only way to
ensure compatibility between varying kernel versions. However, there may be
some situations where libapparmor is not available and directly interacting
with the AppArmor filesystem is required to stack a profile.
To immediately stack a profile named "profile_a", as performed with
aa_stack_profile("profile_a"), the equivalent of this shell command can be
used:
$ echo -n "stackprofile profile_a" > /proc/self/attr/current
To stack a profile named "profile_a" at the next exec, as performed with
aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
$ echo -n "stackexec profile_a" > /proc/self/attr/exec
These raw AppArmor filesystem operations must only be used when using
libapparmor is not a viable option.
=head1 EXAMPLE
The following example shows a simple, if contrived, use of
aa_stack_profile().
#include <stdlib.h>
#include <string.h>
#include <sys/apparmor.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
static void read_passwd()
{
int fd;
char buf[10];
if ((fd=open("/etc/passwd", O_RDONLY)) < 0) {
perror("Failure opening /etc/passwd");
_exit(1);
}
/* Verify that we can read /etc/passwd */
memset(&buf, 0, 10);
if (read(fd, &buf, 10) == -1) {
perror("Failure reading /etc/passwd");
_exit(1);
}
buf[9] = '\0';
printf("/etc/passwd: %s\n", buf);
close(fd);
}
int main(int argc, char * argv[])
{
printf("Before aa_stack_profile():\n");
read_passwd();
/* stack the "i_cant_be_trusted_anymore" profile, which
* should not have read access to /etc/passwd. */
if (aa_stack_profile("i_cant_be_trusted_anymore") < 0) {
perror("Failure changing profile -- aborting");
_exit(1);
}
printf("After aa_stack_profile():\n");
read_passwd();
_exit(0);
}
This code example requires a profile similar to the following to be loaded
with apparmor_parser(8):
# Confine stack_p to be able to read /etc/passwd and aa_stack_profile()
# to the 'i_cant_be_trusted_anymore' profile.
/tmp/stack_p {
/etc/ld.so.cache mr,
/lib/ld-*.so* mrix,
/lib/libc*.so* mr,
/etc/passwd r,
# Needed for aa_stack_profile()
/usr/lib/libapparmor*.so* mr,
/proc/[0-9]*/attr/current w,
}
As well as the profile to stack:
profile i_cant_be_trusted_anymore {
/etc/ld.so.cache mr,
/lib/ld-*.so* mrix,
/lib/libc*.so* mr,
}
The output when run:
$ /tmp/stack_p
Before aa_stack_profile():
/etc/passwd: root:x:0:
After aa_stack_profile():
Failure opening /etc/passwd: Permission denied
$
=head1 BUGS
None known. If you find any, please report them at
L<https://bugs.launchpad.net/apparmor/+filebug>. Note that using
aa_stack_profile(2) without execve(2) provides no memory barriers between
different areas of a program; if address space separation is required, then
separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_getcon(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -66,7 +66,7 @@ extern int aa_is_enabled(void);
extern int aa_find_mountpoint(char **mnt);
/* Prototypes for self directed domain transitions
* see <http://apparmor.net>
* see <https://apparmor.net>
* Please see the change_hat(2) manpage for information.
*/
......
......@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
#
AA_LIB_CURRENT = 4
AA_LIB_REVISION = 0
AA_LIB_REVISION = 1
AA_LIB_AGE = 3
SUFFIXES = .pc.in .pc
......
......@@ -178,7 +178,7 @@ syslog_month Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(
hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2}
timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2}
syslog_time {hhmmss}({period}{digits})?{timezone}?
syslog_hostname [[:alnum:]_-]+
syslog_hostname [[:alnum:]._-]+
dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\]
%x single_quoted_string
......
......@@ -12,6 +12,7 @@ LibAppArmor.pm: libapparmor_wrap.c
Makefile.perl: Makefile.PL LibAppArmor.pm
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
......
......@@ -6,9 +6,8 @@ SUBDIRS = test
libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
$(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
mv LibAppArmor.py __init__.py
MOSTLYCLEANFILES=libapparmor_wrap.c __init__.py
MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
all-local: libapparmor_wrap.c setup.py
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
......
import sys
if sys.version_info[0] >= 3:
from LibAppArmor.LibAppArmor import *
else:
from .LibAppArmor import *
......@@ -5,7 +5,7 @@ setup(name = 'LibAppArmor',
version = '@VERSION@',
author = 'AppArmor Dev Team',
author_email = 'apparmor@lists.ubuntu.com',
url = 'http://wiki.apparmor.net',
url = 'https://wiki.apparmor.net',
description = 'AppArmor python bindings',
download_url = 'https://launchpad.net/apparmor/+download',
package_dir = {'LibAppArmor': '@srcdir@'},
......
......@@ -121,7 +121,7 @@ class AAPythonBindingsTests(unittest.TestCase):
continue
else:
new_record[key] = str(value)
elif record.__getattr__(key):
elif value or value == '':
new_record[key] = str(value)
return new_record
......
[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"
START
File: change_onexec_lp1648143.in
Event type: AA_RECORD_DENIED
Audit ID: 1481284511.494:2807
Operation: change_onexec
Profile: unconfined
Name: system_tor
Command: (tor)
Name2: system_tor
Namespace: root//lxd-tor_<var-lib-lxd>
Info: no new privs
ErrorCode: 1
PID: 18593
Epoch: 1481284511
Audit subid: 2807
type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4
START
File: file_chown.in
Event type: AA_RECORD_DENIED
Audit ID: 1465133533.431:728
Operation: chown
Mask: w
Denied Mask: w
fsuid: 0
ouid: 4
Profile: /usr/sbin/cupsd
Name: /run/cups/certs/
Command: cupsd
PID: 8515
Epoch: 1465133533
Audit subid: 728
Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400 audit(1445522258.769:1054): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=2407 comm="nm-dhcp-client." lport=10580 family="inet6" sock_type="dgram" protocol=17
START
File: file_inherit_network_lp1509030.in
Event type: AA_RECORD_DENIED
Audit ID: 1445522258.769:1054
Operation: file_inherit
Profile: /usr/lib/NetworkManager/nm-dhcp-client.action
Command: nm-dhcp-client.
PID: 2407
Network family: inet6
Socket type: dgram
Protocol: udp
Local port: 10580
Epoch: 1445522258
Audit subid: 1054
Jun 19 12:00:55 piorun kernel: [4475115.459952] audit: type=1400 audit(1434708055.676:19629): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2" pid=3512 comm="apache2" laddr=::ffff:192.168.236.159 lport=80 faddr=::ffff:192.168.103.80 fport=61985 family="inet6" sock_type="stream" protocol=6
START
File: file_perm_network_lp1466812.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1434708055.676:19629
Operation: file_perm
Profile: /usr/sbin/apache2
Command: apache2
PID: 3512
Network family: inet6
Socket type: stream
Protocol: tcp
Local addr: ::ffff:192.168.236.159
Foreign addr: ::ffff:192.168.103.80
Local port: 80
Foreign port: 61985
Epoch: 1434708055
Audit subid: 19629
type=AVC msg=audit(1463403689.381:267599): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/apache2//www.xxxxxxxxxx.co.uk" pid=13215 comm="apache2" laddr=::ffff:192.168.1.100 lport=80 faddr=::ffff:192.168.1.100 fport=45658 family="inet6" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
START
File: file_perm_network_receive_lp1577051.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1463403689.381:267599
Operation: file_perm
Mask: send
Denied Mask: send
Profile: /usr/sbin/apache2//www.xxxxxxxxxx.co.uk
Command: apache2
PID: 13215
Network family: inet6
Socket type: stream
Protocol: tcp
Local addr: ::ffff:192.168.1.100
Foreign addr: ::ffff:192.168.1.100
Local port: 80
Foreign port: 45658
Epoch: 1463403689
Audit subid: 267599
Apr 30 21:53:05 nova kernel: [24668.960760] audit: type=1400 audit(1462045985.636:2154): apparmor="ALLOWED" operation="file_perm" profile="/usr/local/apache-tomcat-8.0.33/bin/catalina.sh///usr/local/jdk1.8.0_92/bin/java" pid=12529 comm="java" laddr=::ffff:127.0.0.1 lport=8080 faddr=::ffff:127.0.0.1 fport=52308 family="inet6" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
START
File: file_perm_network_receive_lp1582374.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1462045985.636:2154
Operation: file_perm
Mask: receive
Denied Mask: receive
Profile: /usr/local/apache-tomcat-8.0.33/bin/catalina.sh///usr/local/jdk1.8.0_92/bin/java
Command: java
PID: 12529
Network family: inet6
Socket type: stream
Protocol: tcp
Local addr: ::ffff:127.0.0.1
Foreign addr: ::ffff:127.0.0.1
Local port: 8080
Foreign port: 52308
Epoch: 1462045985
Audit subid: 2154
Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110
START
File: syslog_hostname_with_dot.in
Event type: AA_RECORD_ALLOWED
Audit ID: 1442256553.643:40143
Operation: open
Mask: r
Denied Mask: r
fsuid: 1000
ouid: 110
Profile: /opt/evoke/venv/bin/gunicorn
Name: /opt/evoke/venv/lib/python2.7/warnings.pyc
Command: gunicorn
PID: 28943