...
 
Commits (206)
......@@ -63,7 +63,8 @@ parser/techdoc.aux
parser/techdoc.log
parser/techdoc.pdf
parser/techdoc.toc
profiles/apparmor.d/local/*.*
profiles/apparmor.d/local/*
!profiles/apparmor.d/local/README
libraries/libapparmor/Makefile
libraries/libapparmor/Makefile.in
libraries/libapparmor/aclocal.m4
......@@ -94,6 +95,8 @@ libraries/libapparmor/src/.deps
libraries/libapparmor/src/.libs
libraries/libapparmor/src/Makefile
libraries/libapparmor/src/Makefile.in
libraries/libapparmor/src/PMurHash.lo
libraries/libapparmor/src/PMurHash.o
libraries/libapparmor/src/af_protos.h
libraries/libapparmor/src/change_hat.lo
libraries/libapparmor/src/features.lo
......@@ -160,8 +163,14 @@ libraries/libapparmor/swig/python/test/test-suite.log
libraries/libapparmor/swig/python/test/test_python.py
libraries/libapparmor/swig/python/test/test_python.py.log
libraries/libapparmor/swig/python/test/test_python.py.trs
libraries/libapparmor/swig/ruby/LibAppArmor.so
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
libraries/libapparmor/swig/ruby/Makefile.new
libraries/libapparmor/swig/ruby/Makefile.ruby
libraries/libapparmor/swig/ruby/mkmf.log
libraries/libapparmor/testsuite/.deps
libraries/libapparmor/testsuite/.libs
libraries/libapparmor/testsuite/Makefile
......@@ -187,6 +196,7 @@ utils/*.tmp
utils/po/*.mo
utils/apparmor/*.pyc
utils/apparmor/rule/*.pyc
utils/test/common_test.pyc
utils/test/.coverage
utils/test/htmlcov/
utils/vim/apparmor.vim
......
......@@ -19,7 +19,7 @@ DIRS=libraries/libapparmor \
# with conversion to git, we don't export from the remote
REPO_URL?=git@gitlab.com:apparmor/apparmor.git
REPO_BRANCH?=master
REPO_BRANCH?=apparmor-2.13
COVERITY_DIR=cov-int
RELEASE_DIR=apparmor-${VERSION}
......@@ -55,9 +55,11 @@ snapshot: clean
coverity: snapshot
cd $(SNAPSHOT_NAME)/libraries/libapparmor && ./configure --with-python
$(foreach dir, $(filter-out utils profiles tests, $(DIRS)), \
cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir);)
cov-build --dir $(COVERITY_DIR) -- $(MAKE) -C $(SNAPSHOT_NAME)/$(dir); \
mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-$(subst /,.,$(dir)).txt ;)
$(foreach dir, libraries/libapparmor utils, \
cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir);)
cov-build --dir $(COVERITY_DIR) --no-command --fs-capture-search $(SNAPSHOT_NAME)/$(dir); \
mv $(COVERITY_DIR)/build-log.txt $(COVERITY_DIR)/build-log-python-$(subst /,.,$(dir)).txt ;)
tar -cvzf $(SNAPSHOT_NAME)-$(COVERITY_DIR).tar.gz $(COVERITY_DIR)
.PHONY: export_dir
......
......@@ -23,9 +23,27 @@ library, available under the LGPL license, which allows change_hat(2)
and change_profile(2) to be used by non-GPL binaries).
For more information, you can read the techdoc.pdf (available after
building the parser) and by visiting the http://apparmor.net/ web
building the parser) and by visiting the https://apparmor.net/ web
site.
----------------
Getting in Touch
----------------
Please send all complaints, feature requests, rants about the software,
and questions to the
[AppArmor mailing list](https://lists.ubuntu.com/mailman/listinfo/apparmor).
Bug reports can be filed against the AppArmor project on
[launchpad](https://bugs.launchpad.net/apparmor) or reported to the mailing
list directly for those who wish not to register for an account on
launchpad. See the
[wiki page](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-bugs)
for more information.
Security issues can be filed as security bugs on launchpad
or directed to `security@apparmor.net`. Additional details can be found
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
-------------
Source Layout
......@@ -33,6 +51,7 @@ Source Layout
AppArmor consists of several different parts:
```
binutils/ source for basic utilities written in compiled languages
changehat/ source for using changehat with Apache, PAM and Tomcat
common/ common makefile rules
......@@ -43,6 +62,7 @@ parser/ source for parser/loader and corresponding documentation
profiles/ configuration files, reference profiles and abstractions
tests/ regression and stress testsuites
utils/ high-level utilities for working with AppArmor
```
--------------------------------------
Important note on AppArmor kernel code
......@@ -67,63 +87,82 @@ the following order. Some systems may need to export various python-related
environment variables to complete the build. For example, before building
anything on these systems, use something along the lines of:
```
$ export PYTHONPATH=$(realpath libraries/libapparmor/swig/python)
$ export PYTHON=/usr/bin/python3
$ export PYTHON_VERSION=3
$ export PYTHON_VERSIONS=python3
```
libapparmor:
```
$ cd ./libraries/libapparmor
$ sh ./autogen.sh
$ sh ./configure --prefix=/usr --with-perl --with-python # see below
$ make
$ make check
$ make install
```
[an additional optional argument to libapparmor's configure is --with-ruby, to
generate Ruby bindings to libapparmor.]
Binary Utilities:
```
$ cd binutils
$ make
$ make check
$ make install
```
parser:
```
$ cd parser
$ make # depends on libapparmor having been built first
$ make check
$ make install
```
Utilities:
```
$ cd utils
$ make
$ make check
$ make install
```
Apache mod_apparmor:
```
$ cd changehat/mod_apparmor
$ make # depends on libapparmor having been built first
$ make install
```
PAM AppArmor:
```
$ cd changehat/pam_apparmor
$ make # depends on libapparmor having been built first
$ make install
```
Profiles:
```
$ cd profiles
$ make
$ make check # depends on the parser having been built first
$ make install
```
[Note that for the parser, binutils, and utils, if you only wish to build/use
some of the locale languages, you can override the default by passing
......@@ -144,38 +183,50 @@ For details on structure and adding tests, see
tests/regression/apparmor/README.
To run:
```
$ cd tests/regression/apparmor (requires root)
$ make
$ sudo make tests
$ sudo bash open.sh -r # runs and saves the last testcase from open.sh
```
Parser tests
------------
For details on structure and adding tests, see parser/tst/README.
To run:
```
$ cd parser/tst
$ make
$ make tests
```
Libapparmor
-----------
For details on structure and adding tests, see libraries/libapparmor/README.
```
$ cd libraries/libapparmor
$ make check
```
Utils
-----
Tests for the Python utilities exist in the test/ subdirectory.
```
$ cd utils
$ make check
```
The aa-decode utility to be tested can be overridden by
setting up environment variable APPARMOR_DECODE; e.g.:
```
$ APPARMOR_DECODE=/usr/bin/aa-decode make check
```
Profile checks
--------------
......@@ -183,29 +234,44 @@ A basic consistency check to ensure that the parser and aa-logprof parse
successfully the current set of shipped profiles. The system or other
parser and logprof can be passed in by overriding the PARSER and LOGPROF
variables.
```
$ cd profiles
$ make && make check
```
Stress Tests
------------
To run AppArmor stress tests:
```
$ make all
```
Use these:
```
$ ./change_hat
$ ./child
$ ./kill.sh
$ ./open
$ ./s.sh
```
Or run all at once:
```
$ ./stress.sh
```
Please note that the above will stress the system so much it may end up
invoking the OOM killer.
To run parser stress tests (requires /usr/bin/ruby):
```
$ ./stress.sh
```
(see stress.sh -h for options)
......@@ -220,7 +286,10 @@ https://scan.coverity.com/download?tab=cxx to obtain a pre-built copy of
cov-build.
To generate a compressed tarball of an intermediate Coverity directory:
```
$ make coverity
```
The compressed tarball is written to
apparmor-<SNAPSHOT_VERSION>-cov-int.tar.gz, where <SNAPSHOT_VERSION>
......
......@@ -89,6 +89,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<http://wiki.apparmor.net>.
apparmor(7), apparmor.d(5), aa_is_enabled(2), and L<https://wiki.apparmor.net>.
=cut
......@@ -88,6 +88,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa-stack(8), aa-namespace(8), apparmor(7), apparmor.d(5), aa_change_profile(3),
aa_change_onexec(3) and L<http://wiki.apparmor.net>.
aa_change_onexec(3) and L<https://wiki.apparmor.net>.
=cut
......@@ -140,6 +140,6 @@ them at L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), subdomain.conf(5), apparmor_parser(8), aa_change_hat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -138,7 +138,7 @@ my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
sysctl_write($ratelimit_sysctl, 0);
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles"));
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
......@@ -195,7 +195,7 @@ for my $p (sort keys %helpers) {
}
UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttp://wiki.apparmor.net/index.php/Profiles\n"));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n"));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
......
......@@ -81,7 +81,7 @@ AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
AC_HEADER_STDC
AC_CHECK_HEADERS(unistd.h stdint.h syslog.h)
AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv])
AC_CHECK_FUNCS([asprintf __secure_getenv secure_getenv reallocarray])
AM_PROG_CC_C_O
AC_C_CONST
......
......@@ -257,6 +257,6 @@ should be used.
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_getcon(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -204,6 +204,6 @@ separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_hat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -161,6 +161,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
openat(2) and L<http://wiki.apparmor.net>.
openat(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -115,6 +115,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -132,6 +132,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_splitcon(3) and L<http://wiki.apparmor.net>.
aa_splitcon(3) and L<https://wiki.apparmor.net>.
=cut
......@@ -160,6 +160,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_features(3), openat(2) and L<http://wiki.apparmor.net>.
aa_features(3), openat(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -175,6 +175,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_features(3), aa_kernel_interface(3), openat(2) and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -128,6 +128,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_getcon(2), aa_splitcon(3)
and L<http://wiki.apparmor.net>.
and L<https://wiki.apparmor.net>.
=cut
......@@ -67,6 +67,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
aa_getcon(2) and L<http://wiki.apparmor.net>.
aa_getcon(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -216,6 +216,6 @@ separate processes should be used.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
aa_getcon(2) and L<http://wiki.apparmor.net>.
aa_getcon(2) and L<https://wiki.apparmor.net>.
=cut
......@@ -68,7 +68,7 @@ extern int aa_is_enabled(void);
extern int aa_find_mountpoint(char **mnt);
/* Prototypes for self directed domain transitions
* see <http://apparmor.net>
* see <https://apparmor.net>
* Please see the change_hat(2) manpage for information.
*/
......
......@@ -26,13 +26,13 @@ INCLUDES = $(all_includes)
# For more information, see:
# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
#
AA_LIB_CURRENT = 6
AA_LIB_CURRENT = 7
AA_LIB_REVISION = 0
AA_LIB_AGE = 5
AA_LIB_AGE = 6
SUFFIXES = .pc.in .pc
BUILT_SOURCES = grammar.h scanner.h af_protos.h PMurHash.h
BUILT_SOURCES = grammar.h scanner.h af_protos.h
AM_LFLAGS = -v
AM_YFLAGS = -d -p aalogparse_
AM_CFLAGS = -Wall
......@@ -42,8 +42,8 @@ scanner.h: scanner.l
scanner.c: scanner.l
af_protos.h: /usr/include/netinet/in.h
LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" $< > $@
af_protos.h:
echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
lib_LTLIBRARIES = libapparmor.la
noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
......
......@@ -108,6 +108,13 @@ APPARMOR_2.13 {
*;
} APPARMOR_2.11;
APPARMOR_2.13.1 {
global:
aa_policy_cache_add_ro_dir;
local:
*;
} APPARMOR_2.13;
PRIVATE {
global:
_aa_is_blacklisted;
......
......@@ -301,8 +301,10 @@ static int cache_dir_from_path_and_features(char **cache_path,
PDEBUG("cache_dir_from_path_and_features() callback found '%s'\n", data.cache_name);
*cache_path = data.cache_name;
return 0;
} else if (rc)
} else if (rc) {
PDEBUG("cache_dir_from_path_and_features() callback returned an error'%m'\n");
return -1;
}
/* no dir found use 1 higher than highest dir n searched */
len = asprintf(&cache_dir, "%s/%s.%d", path, features_id, data.n + 1);
if (len == -1)
......@@ -313,18 +315,20 @@ static int cache_dir_from_path_and_features(char **cache_path,
return 0;
}
/* will return the cache_dir or NULL */
static int open_or_create_cache_dir(aa_features *features, int dirfd,
const char *path, bool create)
const char *path, bool create,
char **cache_dir)
{
autofree char *cache_dir = NULL;
int fd;
if (cache_dir_from_path_and_features(&cache_dir, dirfd, path,
*cache_dir = NULL;
if (cache_dir_from_path_and_features(cache_dir, dirfd, path,
features))
return -1;
open:
fd = openat(dirfd, cache_dir, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
fd = openat(dirfd, *cache_dir, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
if (fd < 0) {
/* does the dir exist? */
if (create && errno == ENOENT) {
......@@ -336,23 +340,24 @@ open:
* /etc/apparmor.d/cache.d/<features_id>/
* 3) Try to reopen the cache directory
*/
if (mkdirat(fd, path, 0700) == -1 &&
if (mkdirat(dirfd, path, 0700) == -1 &&
errno != EEXIST) {
PERROR("Can't create cache location '%s': %m\n",
path);
} else if (mkdirat(dirfd, cache_dir, 0700) == -1 &&
} else if (mkdirat(dirfd, *cache_dir, 0700) == -1 &&
errno != EEXIST) {
PERROR("Can't create cache directory '%s': %m\n",
cache_dir);
*cache_dir);
} else {
goto open;
}
} else if (create) {
PERROR("Can't update cache directory '%s': %m\n", cache_dir);
PERROR("Can't update cache directory '%s': %m\n", *cache_dir);
} else {
PDEBUG("Cache directory '%s' does not exist\n", cache_dir);
PDEBUG("Cache directory '%s' does not exist\n", *cache_dir);
}
PDEBUG("Could not open cache_dir: %m");
return -1;
}
......@@ -380,6 +385,7 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
aa_features *kernel_features,
int dirfd, const char *path, uint16_t max_caches)
{
autofree char *cache_dir = NULL;
aa_policy_cache *pc;
bool create = max_caches > 0;
autofree const char *features_id = NULL;
......@@ -407,13 +413,16 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
aa_features_ref(kernel_features);
} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
aa_policy_cache_unref(pc);
PDEBUG("%s: Failed to obtain features %m\n", __FUNCTION__);
return -1;
}
pc->features = kernel_features;
fd = open_or_create_cache_dir(kernel_features, dirfd, path, create);
fd = open_or_create_cache_dir(kernel_features, dirfd, path, create,
&cache_dir);
if (fd == -1) {
aa_policy_cache_unref(pc);
PDEBUG("%s: Failed to open_or_create_dir %m\n", __FUNCTION__);
return -1;
}
pc->dirfd[0] = fd;
......@@ -443,16 +452,20 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
int aa_policy_cache_add_ro_dir(aa_policy_cache *policy_cache, int dirfd,
const char *path)
{
autofree char *cache_dir = NULL;
int fd;
if (policy_cache->n >= MAX_POLICY_CACHE_OVERLAY_DIRS) {
errno = ENOSPC;
PDEBUG("%s: exceeded number of supported cache overlays\n", __FUNCTION__);
return -1;
}
fd = open_or_create_cache_dir(policy_cache->features, dirfd, path,
false);
if (fd == -1)
false, &cache_dir);
if (fd == -1) {
PDEBUG("%s: failed to open_or_create_cache_dir %m\n", __FUNCTION__);
return -1;
}
policy_cache->dirfd[policy_cache->n++] = fd;
return 0;
......
......@@ -38,11 +38,24 @@
#ifndef HAVE_SECURE_GETENV
#ifdef HAVE___SECURE_GETENV
#define secure_getenv __secure_getenv
#elif ENABLE_DEBUG_OUTPUT
#error Debug output is not possible without a secure_getenv() implementation.
#else
#error neither secure_getenv nor __secure_getenv is available
#define secure_getenv(env) NULL
#endif
#endif
/**
* Allow libapparmor to build on older glibcs and other libcs that do
* not support reallocarray.
*/
#ifndef HAVE_REALLOCARRY
void *reallocarray(void *ptr, size_t nmemb, size_t size)
{
return realloc(ptr, nmemb * size);
}
#endif
struct ignored_suffix_t {
const char * text;
int len;
......@@ -173,16 +186,6 @@ int _aa_asprintf(char **strp, const char *fmt, ...)
return rc;
}
static int dot_or_dot_dot_filter(const struct dirent *ent)
{
if (strcmp(ent->d_name, ".") == 0 ||
strcmp(ent->d_name, "..") == 0)
return 0;
return 1;
}
/* stops on first error, can use errno or return value to communicate
* the goal is to use this to replace _aa_dirat_for_each, but that will
* be a different patch.
......@@ -191,6 +194,7 @@ int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
int (* cb)(int, const struct dirent *, void *))
{
autoclose int cb_dirfd = -1;
int fd_for_dir = -1;
const struct dirent *ent;
DIR *dir;
int save, rc;
......@@ -206,15 +210,16 @@ int _aa_dirat_for_each2(int dirfd, const char *name, void *data,
PDEBUG("could not open directory fd '%d' '%s': %m\n", dirfd, name);
return -1;
}
dir = fdopendir(cb_dirfd);
if (!dir) {
PDEBUG("could not open directory '%s' from fd '%d': %m\n", name, cb_dirfd);
/* dup cd_dirfd because fdopendir has claimed the fd passed to it */
fd_for_dir = dup(cb_dirfd);
if (fd_for_dir == -1) {
PDEBUG("could not dup directory fd '%s': %m\n", name);
return -1;
}
/* dup cd_dirfd because fdopendir has claimed the fd passed to it */
cb_dirfd = dup(cb_dirfd);
dir = fdopendir(fd_for_dir);
if (!dir) {
PDEBUG("could not dup directory fd '%s': %m\n", name);
PDEBUG("could not open directory '%s' from fd '%d': %m\n", name, fd_for_dir);
close(fd_for_dir);
return -1;
}
......@@ -273,39 +278,112 @@ static int insert(struct overlaydir **overlayptr, int *max_size, int *size,
#define merge(overlay, n_overlay, max_size, list, n_list, dirfd) \
({ \
int i, j; \
int y, z; \
int rc = 0; \
\
for (i = 0, j = 0; i < n_overlay && j < n_list; ) { \
int res = strcmp(overlay[i].dent->d_name, list[j]->d_name);\
for (y = 0, z = 0; y < n_overlay && z < n_list; ) { \
int res = strcmp(overlay[y].dent->d_name, list[z]->d_name);\
if (res < 0) { \
i++; \
y++; \
continue; \
} else if (res == 0) { \
free(list[j]); \
list[j] = NULL; \
i++; \
j++; \
free(list[z]); \
list[z] = NULL; \
y++; \
z++; \
} else { \
if ((rc = insert(&overlay, &max_size, &n_overlay, i,\
n_list - j, dirfd, list[j]))) \
if ((rc = insert(&overlay, &max_size, &n_overlay, y,\
n_list - z, dirfd, list[z]))) \
goto fail; \
i++; \
list[j++] = NULL; \
y++; \
list[z++] = NULL; \
} \
} \
while (j < n_list) { \
if ((rc = insert(&overlay, &max_size, &n_overlay, i, \
n_list - j, dirfd,list[j]))) \
while (z < n_list) { \
if ((rc = insert(&overlay, &max_size, &n_overlay, y, \
n_list - z, dirfd,list[z]))) \
goto fail; \
i++; \
list[j++] = NULL; \
y++; \
list[z++] = NULL; \
} \
\
fail: \
rc; \
})
static ssize_t readdirfd(int dirfd, struct dirent ***out,
int (*dircmp)(const struct dirent **, const struct dirent **))
{
struct dirent **dents = NULL, *dent;
ssize_t n = 0;
size_t i;
int save;
DIR *dir;
*out = NULL;
/*
* closedir(dir) will close the underlying fd, so we need
* to dup first
*/
if ((dirfd = dup(dirfd)) < 0) {
PDEBUG("dup of dirfd failed: %m\n");
return -1;
}
if ((dir = fdopendir(dirfd)) == NULL) {
PDEBUG("fdopendir of dirfd failed: %m\n");
close(dirfd);
return -1;
}
/* Get number of directory entries */
while ((dent = readdir(dir)) != NULL) {
if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
continue;
n++;
}
rewinddir(dir);
dents = calloc(n, sizeof(struct dirent *));
if (!dents)
goto fail;
for (i = 0; i < n; ) {
if ((dent = readdir(dir)) == NULL) {
PDEBUG("readdir of entry[%d] failed: %m\n", i);
goto fail;
}
if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
continue;
dents[i] = malloc(sizeof(*dents[i]));
if (!dents[i])
goto fail;
memcpy(dents[i], dent, sizeof(*dent));
i++;
}
if (dircmp)
qsort(dents, n, sizeof(struct dirent *), (int (*)(const void *, const void *))dircmp);
*out = dents;
closedir(dir);
return n;
fail:
save = errno;
if (dents) {
for (i = 0; i < n; i++)
free(dents[i]);
}
free(dents);
closedir(dir);
errno = save;
return -1;
}
int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
int (* cb)(int, const char *, struct stat *, void *))
{
......@@ -316,15 +394,14 @@ int _aa_overlaydirat_for_each(int dirfd[], int n, void *data,
int rc = 0;
for (i = 0; i < n; i++) {
n_list = scandirat(dirfd[i], ".", &list, dot_or_dot_dot_filter,
alphasort);
n_list = readdirfd(dirfd[i], &list, alphasort);
if (n_list == -1) {
PDEBUG("scandirat of dirfd[%d] failed: %m\n", i);
return -1;
}
if (merge(overlay, size, max_size, list, n_list, dirfd[i])) {
for (k = 0; k < n_list; k++)
free(list[i]);
free(list[k]);
for (k = 0; k < size; k++)
free(overlay[k].dent);
return -1;
......@@ -398,8 +475,7 @@ int _aa_dirat_for_each(int dirfd, const char *name, void *data,
return -1;
}
num_dirs = scandirat(cb_dirfd, ".", &namelist,
dot_or_dot_dot_filter, NULL);
num_dirs = readdirfd(cb_dirfd, &namelist, NULL);
if (num_dirs == -1) {
PDEBUG("scandirat of directory '%s' failed: %m\n", name);
return -1;
......
......@@ -12,6 +12,7 @@ LibAppArmor.pm: libapparmor_wrap.c
Makefile.perl: Makefile.PL LibAppArmor.pm
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
......
......@@ -5,7 +5,7 @@ setup(name = 'LibAppArmor',
version = '@VERSION@',
author = 'AppArmor Dev Team',
author_email = 'apparmor@lists.ubuntu.com',
url = 'http://wiki.apparmor.net',
url = 'https://wiki.apparmor.net',
description = 'AppArmor python bindings',
download_url = 'https://launchpad.net/apparmor/+download',
package_dir = {'LibAppArmor': '@srcdir@'},
......
......@@ -30,9 +30,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
LOCALEDIR=/usr/share/locale
MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 aa-teardown.8
YACC := /usr/bin/bison
YACC := bison
YFLAGS := -d
LEX := /usr/bin/flex
LEX := flex
LEXFLAGS = -B -v
WARNINGS = -Wall
EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
......@@ -383,9 +383,9 @@ install-indep: indep
install-systemd:
install -m 755 -d $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
install -m 755 -d $(DESTDIR)/sbin
install -m 755 aa-teardown $(DESTDIR)/sbin
install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
install -m 755 -d $(DESTDIR)/usr/sbin
install -m 755 aa-teardown $(DESTDIR)/usr/sbin
ifndef VERBOSE
.SILENT: clean
......
......@@ -2,19 +2,6 @@ The apparmor_parser allows you to add, replace, and remove AppArmor
policy through the use of command line options. The default is to add.
`apparmor_parser --help` shows what the command line options are.
You can also find more information at http://wiki.apparmor.net
Please send all complaints, feature requests, rants about the software,
and questions to the apparmor@lists.ubuntu.com mailing list. Bug
reports can be filed against the AppArmor project on launchpad.net at
https://launchpad.net/apparmor or reported to the mailing list directly
for those who wish not to register for an account on launchpad.
Security issues can be filed as security bugs on launchpad
or directed to security@ubuntu.com. We will attempt to
conform to the RFP vulnerability disclosure protocol:
http://www.wiretrip.net/rfp/policy.html
Thanks.
You can also find more information at https://wiki.apparmor.net
-- The AppArmor development team
......@@ -35,6 +35,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), and L<http://wiki.apparmor.net>.
apparmor(7), apparmor.d(5), and L<https://wiki.apparmor.net>.
=cut
......@@ -111,7 +111,7 @@ capabilities(7))
B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' | 'smc' ) ','
B<DOMAIN> = ( 'unix' | 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'netlink' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'rds' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'llc' | 'ib' | 'mpls' | 'can' | 'tipc' | 'bluetooth' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'kcm' | 'qipcrtr' | 'smc' | 'xdp' ) ','
B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' )
......@@ -271,7 +271,7 @@ B<EXEC TRANSITION> = ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' |
B<EXEC TARGET> = name
Requires I<EXEC TRANSITION> specified.
B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> '-E<gt>' I<FILEGLOB>
B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
......@@ -1611,6 +1611,6 @@ negative values match when specifying one or the other. Eg, 'rw' matches when
apparmor(7), apparmor_parser(8), aa-complain(1),
aa-enforce(1), aa_change_hat(2), mod_apparmor(5), and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -143,6 +143,56 @@ messages with the KERN facility. Thus, REJECTING and PERMITTING messages
may go to either F</var/log/audit/audit.log> or F</var/log/messages>,
depending upon local configuration.
=head1 DEBUGGING
AppArmor provides a few facilities to log more information,
which can help debugging profiles.
=head2 Enable debug mode
When debug mode is enabled, AppArmor will log a few extra messages to
dmesg (not via the audit subsystem). For example, the logs will tell
whether environment scrubbing has been applied.
To enable debug mode, run:
echo 1 > /sys/module/apparmor/parameters/debug
=head2 Turn off deny audit quieting
By default, operations that trigger C<deny> rules are not logged.
This is called I<deny audit quieting>.
To turn off deny audit quieting, run:
echo -n noquiet >/sys/module/apparmor/parameters/audit
=head2 Force audit mode
AppArmor can log a message for every operation that triggers a rule
configured in the policy. This is called I<force audit mode>.
B<Warning!> Force audit mode can be extremely noisy even for a single profile,
let alone when enabled globally.
To set a specific profile in force audit mode, add the C<audit> flag:
profile foo flags=(audit) { ... }
To enable force audit mode globally, run:
echo -n all > /sys/module/apparmor/parameters/audit
If auditd is not running, to avoid losing too many of the extra log
messages, you will likely have to turn off rate limiting by doing:
echo 0 > /proc/sys/kernel/printk_ratelimit
But even then the kernel ring buffer may overflow and you might
lose messages.
Else, if auditd is running, see auditd(8) and auditd.conf(5).
=head1 FILES
=over 4
......@@ -165,6 +215,6 @@ apparmor_parser(8), aa_change_hat(2), apparmor.d(5),
subdomain.conf(5), aa-autodep(1), clean(1),
auditd(8),
aa-unconfined(8), aa-enforce(1), aa-complain(1), and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -19,7 +19,7 @@ APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
aa_action()
{
echo $1
echo "$1"
shift
"$@"
return $?
......@@ -27,12 +27,12 @@ aa_action()
aa_log_warning_msg()
{
echo "Warning: $@"
echo "Warning: $*"
}
aa_log_failure_msg()
{
echo "Error: $@"
echo "Error: $*"
}
aa_log_action_start()
......@@ -42,7 +42,7 @@ aa_log_action_start()
aa_log_action_end()
{
echo -n
printf ""
}
aa_log_daemon_msg()
......@@ -52,17 +52,18 @@ aa_log_daemon_msg()
aa_log_skipped_msg()
{
echo "Skipped: $@"
echo "Skipped: $*"
}
aa_log_end_msg()
{
echo -n
printf ""
}
# source apparmor function library
if [ -f "${APPARMOR_FUNCTIONS}" ]; then
. ${APPARMOR_FUNCTIONS}
# shellcheck source=rc.apparmor.functions
. "${APPARMOR_FUNCTIONS}"
else
aa_log_failure_msg "Unable to find AppArmor initscript functions"
exit 1
......@@ -97,4 +98,4 @@ case "$1" in
exit 1
;;
esac
exit $rc
exit "$rc"
......@@ -247,7 +247,7 @@ If a cache directory name needs to have a comma as part of the name, it
can be specified by using a backslash to escape the comma character in
the directory name.
If not specified the cache location defaults to /etc/apparmor.d/cache.d
If not specified the cache location defaults to /var/cache/apparmor
=item --print-cache-dir
......@@ -355,6 +355,17 @@ This option tells the parser to not attempt to rebuild the cache on
failure, instead the parser continues on with processing the remaining
profiles.
=item --config-file
Specify the config file to use instead of
/etc/apparmor/parser.conf. This option will be processed early before
regular options regardless of the order it is specified in.
=item --print-config-file
Print the config file location that will be used.
=back
=head1 CONFIG FILE
......@@ -397,6 +408,6 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7), apparmor.d(5), subdomain.conf(5), aa_change_hat(2), and
L<http://wiki.apparmor.net>.
L<https://wiki.apparmor.net>.
=cut
......@@ -126,9 +126,10 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
/* create a dfa from the ruleset
* returns: buffer contain dfa tables, @size set to the size of the tables
* else NULL on failure
* else NULL on failure, @min_match_len set to the shortest string
* that can match the dfa for determining xmatch priority.
*/
void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
void *aare_rules::create_dfa(size_t *size, int *min_match_len, dfaflags_t flags)
{
char *buffer = NULL;
......@@ -150,6 +151,7 @@ void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
root = new AltNode(root, new CatNode(tmp, i->first));
}
}
*min_match_len = root->min_match_len();
/* dumping of the none simplified tree without -O no-expr-simplify
* is broken because we need to build the tree above first, and
......
......@@ -104,7 +104,7 @@ class aare_rules {
uint32_t audit, dfaflags_t flags);
bool add_rule_vec(int deny, uint32_t perms, uint32_t audit, int count,
const char **rulev, dfaflags_t flags);
void *create_dfa(size_t *size, dfaflags_t flags);
void *create_dfa(size_t *size, int *min_match_len, dfaflags_t flags);
};
#endif /* __LIBAA_RE_RULES_H */
......@@ -123,6 +123,19 @@ public:
virtual void compute_firstpos() = 0;
virtual void compute_lastpos() = 0;
virtual void compute_followpos() { }
/*
* min_match_len determines the smallest string that can match the
* syntax tree. This is used to determine the priority of a regex.
*/
virtual int min_match_len() { return 0; }
/*
* contains_null returns if the expression tree contains a null character.
* Null characters indicate that the rest of the DFA matches the xattrs and
* not the path. This is used to compute min_match_len.
*/
virtual bool contains_null() { return false; }
virtual int eq(Node *other) = 0;
virtual ostream &dump(ostream &os) = 0;
void dump_syntax_tree(ostream &os);
......@@ -257,6 +270,17 @@ public:
return os << c;
}
int min_match_len()
{
if (c == 0) {
// Null character indicates end of string.
return 0;
}
return 1;
}
bool contains_null() { return c == 0; }
uchar c;
};
......@@ -298,6 +322,24 @@ public:
return os << ']';
}
int min_match_len()
{
if (contains_null()) {
return 0;
}
return 1;
}
bool contains_null()
{
for (Chars::iterator i = chars.begin(); i != chars.end(); i++) {
if (*i == 0) {
return true;
}
}
return false;
}
Chars chars;
};
......@@ -346,6 +388,24 @@ public:
return os << ']';
}
int min_match_len()
{
if (contains_null()) {
return 0;
}
return 1;
}
bool contains_null()
{
for (Chars::iterator i = chars.begin(); i != chars.end(); i++) {
if (*i == 0) {
return false;
}
}
return true;
}
Chars chars;
};
......@@ -369,6 +429,8 @@ public:
return 0;
}
ostream &dump(ostream &os) { return os << "."; }
bool contains_null() { return true; }
};
/* Match a node zero or more times. (This is a unary operator.) */
......@@ -396,6 +458,8 @@ public:
child[0]->dump(os);
return os << ")*";
}
bool contains_null() { return child[0]->contains_null(); }
};
/* Match a node one or more times. (This is a unary operator.) */
......@@ -423,6 +487,8 @@ public:
child[0]->dump(os);
return os << ")+";
}
int min_match_len() { return child[0]->min_match_len(); }
bool contains_null() { return child[0]->contains_null(); }
};
/* Match a pair of consecutive nodes. */
......@@ -470,6 +536,22 @@ public:
return os;
}
void normalize(int dir);
int min_match_len()
{
int len = child[0]->min_match_len();
if (child[0]->contains_null()) {
// Null characters are used to indicate when the DFA transitions
// from matching the path to matching the xattrs. If the left child
// contains a null character, the right side doesn't contribute to
// the path match.
return len;
}
return len + child[1]->min_match_len();
}
bool contains_null()
{
return child[0]->contains_null() || child[1]->contains_null();
}
};
/* Match one of two alternative nodes. */
......@@ -507,6 +589,20 @@ public:
return os;
}
void normalize(int dir);
int min_match_len()
{
int m1, m2;
m1 = child[0]->min_match_len();
m2 = child[1]->min_match_len();
if (m1 < m2) {
return m1;
}
return m2;
}
bool contains_null()
{
return child[0]->contains_null() || child[1]->contains_null();
}
};
class SharedNode: public ImportantNode {
......
......@@ -171,13 +171,23 @@ extern int preprocess_only;
#ifdef DEBUG
#define PDEBUG(fmt, args...) fprintf(stderr, "parser: " fmt, ## args)
#define PDEBUG(fmt, args...) \
do { \
int pdebug_error = errno; \
fprintf(stderr, "parser: " fmt, ## args); \
errno = pdebug_error; \
} while (0)
#else
#define PDEBUG(fmt, args...) /* Do nothing */
#endif
#define NPDEBUG(fmt, args...) /* Do nothing */
#define PERROR(fmt, args...) fprintf(stderr, fmt, ## args)
#define PERROR(fmt, args...) \
do { \
int perror_error = errno; \
fprintf(stderr, fmt, ## args); \
errno = perror_error; \
} while (0)
#ifndef TRUE
#define TRUE (1)
......
......@@ -25,6 +25,8 @@
#include "parser.h"
#include "profile.h"
typedef int (*comparison_fn_t)(const void *, const void *);
struct alias_rule {
char *from;
char *to;
......