[apparmor] [patch 1/6] toplevel makefile: correct location of libapparmor
This patch fixes an issue with the toplevel make clean target that did not take into account where the libapparmor tree had been moved to. --- Makefile |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: b/Makefile === --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ include common/Make.rules DIRS=parser \ profiles \ utils \ - changehat/libapparmor \ + libraries/libapparmor \ changehat/mod_apparmor \ changehat/pam_apparmor \ tests -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
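Review bot: the description mentions only the clean target, but `DIRS` is the single list of subdirectories the top-level Makefile recurses into, so every recursive target (build and install as well as clean) was being pointed at the old `changehat/libapparmor` path; the changelog should say so. The new `libraries/libapparmor` entry stays ahead of `changehat/mod_apparmor` and `changehat/pam_apparmor`, which is the order those consumers of the library need, so the ordering is fine.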
[apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
This patch abstracts out the generation of the lists of capabilities and network protocol names to the common Make.rules file that is included in most locations in the build tree, to allow it to be re-used in the utils/ tree and possibly elsewhere. It provides the lists in both make variables and as make targets. It also sorts the resulting lists, which causes it to output differently than the before case. I did confirm that the results for the generated files used in the parser build were the same after taking the sorting into account. --- common/Make.rules | 34 ++ parser/Makefile | 16 ++-- 2 files changed, 40 insertions(+), 10 deletions(-) Index: b/common/Make.rules === --- a/common/Make.rules +++ b/common/Make.rules 
@@ -151,6 +151,40 @@ _clean: -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp # = +# generate list of capabilities based on +# /usr/include/sys/capabilities.h for use in multiple locations in +# the source tree +# = + +# emits defined capabilities in a simple list, e.g. CAP_NAME CAP_NAME2 +CAPABILITIES=$(shell echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) + +.PHONY: list_capabilities +list_capabilities: /usr/include/linux/capability.h + @echo $(CAPABILITIES) + +# = +# generate list of network protocols based on +# sys/socket.h for use in multiple locations in +# the source tree +# = + +# These are the families that it doesn't make sense for apparmor +# to mediate. We use PF_ here since that is what is required in +# bits/socket.h, but we will rewrite these as AF_. + +FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK + +__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') + +# emits the AF names in a AF_NAME NUMBER, pattern +AF_NAMES=$(shell echo \#include sys/socket.h | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2) + +.PHONY: list_af_names +list_af_names: + @echo $(AF_NAMES) + +# = # manpages # = Index: b/parser/Makefile === --- a/parser/Makefile +++ b/parser/Makefile 
@@ -207,22 +207,18 @@ parser_version.h: Makefile @echo \#define PARSER_VERSION \$(VERSION)\ .ver @mv -f .ver $@ -# These are the families that it doesn't make sense for apparmor to mediate. -# We use PF_ here since that is what is required in bits/socket.h, but we will -# rewrite these as AF_. -FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK - - -__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g') +# af_names and capabilities generation has moved to common/Make.rules, +# as well as the filtering that occurs for network protocols that +# apparmor should not mediate. .PHONY: af_names.h af_names.h: - echo #include sys/socket.h | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\\\L\\1\, \\UAF_\\1)\\n/p $@ - echo #include sys/socket.h | cpp -dM | LC_ALL=C sed -n -e s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX \\1\n/p $@ + echo $(AF_NAMES) | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT(\L\1, \UAF_\1)\n\n/pg' $@ + echo $(AF_NAMES) | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' $@ # cat $@ cap_names.h: /usr/include/linux/capability.h - LC_ALL=C sed -n -e /CAP_EMPTY_SET/d -e s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\\\L\\1\, \\UCAP_\\1\},/p $ $@ + echo $(CAPABILITIES) | LC_ALL=C sed -n -e s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\\\L\\1\, \\UCAP_\\1\},\\n/pg $@ tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS}) $(CC) $(TEST_CFLAGS) -o $@ $ $(filter-out $(:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
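Review bot: in the common/Make.rules hunk, `CAPABILITIES` is generated from `sys/capability.h` while the `list_capabilities` target depends on `/usr/include/linux/capability.h`; the two should name the same header, and the kernel header is the one that defines the CAP_* numbers the parser needs (libcap's `sys/capability.h` is not guaranteed to be installed). Also, `CAPABILITIES=` and `AF_NAMES=` are recursively expanded variables, so the `$(shell ...)` pipeline (cpp plus sed plus sort) re-runs on every reference; `:=` would evaluate each once per make invocation.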
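Review bot: in the parser/Makefile hunk, `cap_names.h` still lists `/usr/include/linux/capability.h` as its prerequisite, but its content now comes from `$(CAPABILITIES)`, which this series reads from `sys/capability.h`, so the dependency no longer tracks the real input. The new `cap_names.h` recipe also leaves the sed script unquoted with doubled backslashes, while the `af_names.h` recipe switched to a single-quoted script; quoting both the same way makes the next edit less error-prone. Dropping `PF_MAX` from `FILTER_FAMILIES` is needed for the `AA_AF_MAX` extraction, so a comment on the `af_names.h` rule saying that `AF_MAX` is expected in `$(AF_NAMES)` would stop someone re-adding it to the filter later.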
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On Thu, Mar 22, 2012 at 10:06:09AM -0700, Steve Beattie wrote: It also sorts the resulting lists, which causes it to output differently than the before case. I did confirm that the results for the generated files used in the parser build were the same after taking the sorting into account. Okay, good. I'm still nervous that this sorting will break something, but I suppose it would be better to be more robust in this regard anyway. -- Kees Cook
[apparmor] [PATCH 1/3] Rename and invert logic of is_null to is_accept to better reflect its use
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/libapparmor_re/hfa.cc | 14 +++--- parser/libapparmor_re/hfa.h |4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc index 3e796ad..5ace9df 100644 --- a/parser/libapparmor_re/hfa.cc +++ b/parser/libapparmor_re/hfa.cc @@ -340,7 +340,7 @@ void DFA::remove_unreachable(dfaflags_t flags) cerr unreachable: **i; if (*i == start) cerr ==; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) (*i)-perms.dump(cerr); cerr \n; } @@ -556,7 +556,7 @@ void DFA::minimize(dfaflags_t flags) (*i)-label = -1; rep-perms.add((*i)-perms); } - if (!rep-perms.is_null()) + if (rep-perms.is_accept()) final_accept++; //if ((*p)-size() 1) //cerr \n; @@ -611,11 +611,11 @@ out: void DFA::dump(ostream os) { for (Partition::iterator i = states.begin(); i != states.end(); i++) { - if (*i == start || !(*i)-perms.is_null()) { + if (*i == start || (*i)-perms.is_accept()) { os **i; if (*i == start) os == (allow/deny/audit/quiet); - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) (*i)-perms.dump(os); os \n; } @@ -631,7 +631,7 @@ void DFA::dump(ostream os) excluded.insert(j-first); } else { os **i; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) os , (*i)-perms.dump(os); os - *(j)-second : 0x hex (int) j-first; @@ -643,7 +643,7 @@ void DFA::dump(ostream os) if ((*i)-otherwise != nonmatching) { os **i; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) os , (*i)-perms.dump(os); os - *(*i)-otherwise : [; if (!excluded.empty()) { @@ -677,7 +677,7 @@ void DFA::dump_dot_graph(ostream os) if (*i == start) { os \t\tstyle=bold \n; } - if (!(*i)-perms.is_null()) { + if ((*i)-perms.is_accept()) { os \t\tlabel=\ **i \\n; (*i)-perms.dump(os); os \\n; diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h index 73bbfc0..9e022a6 100644 --- a/parser/libapparmor_re/hfa.h +++ b/parser/libapparmor_re/hfa.h 
@@ -43,7 +43,7 @@ class perms_t { public: perms_t(void) throw(int): allow(0), deny(0), audit(0), quiet(0), exact(0) { }; - bool is_null(void) { return !(allow | audit | quiet); } + bool is_accept(void) { return (allow | audit | quiet); } void dump(ostream os) { @@ -106,7 +106,7 @@ public: allow = ~deny; quiet = deny; deny = 0; - return is_null(); + return !is_accept(); } return 0; } -- 1.7.9.1
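Review bot: `bool is_accept(void) { return (allow | audit | quiet); }` relies on an implicit int-to-bool conversion of the OR-ed permission bits; `!= 0` states the intent and avoids a conversion warning under stricter flags. The commit message should also say that `deny` is deliberately not part of the accept test (a deny-only state is not an accepting state); that was true of `is_null()` as well, but with the new name it is the defining property. The hfa.cc side is a mechanical `!is_null()` to `is_accept()` swap and reads correctly.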
[apparmor] [PATCH 2/3] Fix permission mapping for change_profile onexec
The kernel has an extended test for change_profile when used with onexec, that allows it to only work against set executables. The parser is not correctly mapping change_profile for this test; update the mapping so change_onexec will work when confined. Note: the parser does not currently support the extended syntax that the kernel test allows for, this just enables it to work for the generic case. Signed-off-by: John Johansen john.johan...@canonical.com --- parser/immunix.h |1 + parser/parser_regex.c | 26 +- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/parser/immunix.h b/parser/immunix.h index 8dc157a..ebb2d2e 100644 --- a/parser/immunix.h +++ b/parser/immunix.h @@ -61,6 +61,7 @@ #define AA_PTRACE_PERMS(AA_USER_PTRACE | AA_OTHER_PTRACE) #define AA_CHANGE_HAT (1 30) +#define AA_ONEXEC (1 30) #define AA_CHANGE_PROFILE (1 31) #define AA_SHARED_PERMS(AA_CHANGE_HAT | AA_CHANGE_PROFILE) diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 8c34799..d0293e1 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c
@@ -510,19 +510,27 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) return FALSE; } if (entry-mode AA_CHANGE_PROFILE) { + char *vec[3]; + char lbuf[PATH_MAX + 8]; + int index = 1; + + /* allow change_profile for all execs */ + vec[0] = /[^/\x00]*; + if (entry-namespace) { - char *vec[2]; - char lbuf[PATH_MAX + 8]; int pos; ptype = convert_aaregex_to_pcre(entry-namespace, 0, lbuf, PATH_MAX + 8, pos); - vec[0] = lbuf; - vec[1] = tbuf; - if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec, dfaflags)) - return FALSE; - } else { - if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, dfaflags)) - return FALSE; + vec[index++] = lbuf; } + vec[index++] = tbuf; + + /* regular change_profile rule */ + if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index -1, vec[1], dfaflags)) + return FALSE; + /* onexec rule - both rules are needed for onexec */ + if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags)) + return FALSE; + } if (entry-mode (AA_USER_PTRACE | AA_OTHER_PTRACE)) { int mode = entry-mode (AA_USER_PTRACE | AA_OTHER_PTRACE); -- 1.7.9.1
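Review bot: in immunix.h, `AA_ONEXEC` is given the same bit as `AA_CHANGE_HAT` (both shown as `(1 30)`, i.e. bit 30); if the reuse is intentional because change_hat and onexec rules are told apart by vector length rather than by permission bit, say so in a comment next to the define, and decide whether `AA_SHARED_PERMS` needs `AA_ONEXEC` added. In parser_regex.c, the regular change_profile call passes `index -1, vec[1]` where the onexec call passes `index, vec`; `vec[1]` is a single `char *`, so unless this is really `&vec[1]` the call hands a string where `aare_add_rule_vec` expects a vector, which would fit the parser testsuite failures reported later in the thread. A comment above `vec[0]` spelling out the vector layout (exec pattern, optional namespace, target) would make the `index -1` arithmetic readable.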
[apparmor] [PATCH 3/3] Update the parser to support the 'in' keyword for value lists
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/parser.h|3 ++- parser/parser_lex.l| 17 + parser/parser_misc.c |4 +++- parser/parser_yacc.y | 15 +-- parser/tst/simple_tests/mount/in_1.sd |7 +++ parser/tst/simple_tests/mount/in_1.sd~ |7 +++ parser/tst/simple_tests/mount/in_2.sd |7 +++ parser/tst/simple_tests/mount/in_2.sd~ |7 +++ parser/tst/simple_tests/mount/in_3.sd |7 +++ parser/tst/simple_tests/mount/in_3.sd~ |7 +++ parser/tst/simple_tests/mount/in_4.sd |7 +++ parser/tst/simple_tests/mount/in_4.sd~ |7 +++ 12 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 parser/tst/simple_tests/mount/in_1.sd create mode 100644 parser/tst/simple_tests/mount/in_1.sd~ create mode 100644 parser/tst/simple_tests/mount/in_2.sd create mode 100644 parser/tst/simple_tests/mount/in_2.sd~ create mode 100644 parser/tst/simple_tests/mount/in_3.sd create mode 100644 parser/tst/simple_tests/mount/in_3.sd~ create mode 100644 parser/tst/simple_tests/mount/in_4.sd create mode 100644 parser/tst/simple_tests/mount/in_4.sd~ diff --git a/parser/parser.h b/parser/parser.h index 799d44b..fa2d191 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -62,6 +62,7 @@ struct value_list { struct cond_entry { char *name; + int eq; /* where equals was used in specifying list */ struct value_list *vals; struct cond_entry *next; @@ -316,7 +317,7 @@ extern struct value_list *new_value_list(char *value); extern struct value_list *dup_value_list(struct value_list *list); extern void free_value_list(struct value_list *list); extern void print_value_list(struct value_list *list); -extern struct cond_entry *new_cond_entry(char *name, struct value_list *list); +extern struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list); extern void free_cond_entry(struct cond_entry *ent); extern void print_cond_entry(struct cond_entry *ent); extern char *processid(char *string, int len); diff --git a/parser/parser_lex.l b/parser/parser_lex.l index b5627ad..529c079 100644 
--- a/parser/parser_lex.l +++ b/parser/parser_lex.l @@ -280,6 +280,18 @@ LT_EQUAL = yy_push_state(EXTCOND_MODE); return TOK_CONDID; } + {VARIABLE_NAME}/{WS}*in { + /* we match to 'in' in the lexer so that +* we can switch scanner state. By the time +* the parser see the 'in' it may be to late +* as bison may have requested the next +* token from the scanner +*/ + PDEBUG(conditional %s=\n, yytext); + yylval.id = processid(yytext, yyleng); + yy_push_state(EXTCOND_MODE); + return TOK_CONDID; + } } SUB_ID{ @@ -384,6 +396,11 @@ LT_EQUAL = return TOK_OPENPAREN; } + in { + DUMP_PREPROCESS; + return TOK_IN; + } + [^\n] { DUMP_PREPROCESS; /* Something we didn't expect */ diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 7ff6348..9d2fc4b 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -84,6 +84,7 @@ static struct keyword_table keyword_table[] = { {umount, TOK_UMOUNT}, {unmount, TOK_UMOUNT}, {pivot_root, TOK_PIVOTROOT}, + {in, TOK_IN}, /* terminate */ {NULL, 0} }; @@ -1025,12 +1026,13 @@ void print_value_list(struct value_list *list) } } -struct cond_entry *new_cond_entry(char *name, struct value_list *list) +struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list) { struct cond_entry *ent = calloc(1, sizeof(struct cond_entry)); if (ent) { ent-name = name; ent-vals = list; + ent-eq = eq; } return ent; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 65cf365..a79be85 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -121,6 +121,7 @@ void add_local_entry(struct codomain *cod); %token TOK_REMOUNT %token TOK_UMOUNT %token TOK_PIVOTROOT +%token TOK_IN /* rlimits */ %token TOK_RLIMIT @@ -1072,7 +1073,7 @@ cond: TOK_CONDID TOK_EQUALS TOK_VALUE struct value_list *value = new_value_list($3); if (!value) yyerror(_(Memory allocation error.)); - ent = new_cond_entry($1,
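Review bot: the diffstat adds eight test files, four of which are editor backups (`in_1.sd~` to `in_4.sd~`); drop those from the commit. The lexer comment has two typos ("the parser see the 'in'" and "it may be to late"), and the `cond_entry` comment says "where equals was used" where "whether" is meant. `in` is added both as a `keyword_table` entry in parser_misc.c and as a rule inside the `EXTCOND_MODE` start condition in parser_lex.l; if only the latter is meant to produce `TOK_IN`, the keyword_table entry is redundant and also makes `in` a reserved word outside conditionals, which deserves a sentence in the commit message (this patch has none beyond the subject).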
Re: [apparmor] [patch 6/6] add apparmor.vim install target to utils/ install
On 03/22/2012 10:06 AM, Steve Beattie wrote: This patch adds a make install target for the generated apparmor.vim file, installing by default into /usr/share/apparmor based on IRC discussions; alternate suggestions welcome. (Installing directly into the vim syntax tree is difficult as the system path by default contains the vim version number.) This is kept as a separate patch in case it's felt that it's too late in the dev cycle to add an additional installed file, even if it's one that won't get automatically used by anything. So I am okay with this, I'll defer to others whether it's too late in the dev cycle, but I think it's okay for a leaf item like this. Acked-by: John Johansen john.johan...@canonical.com --- utils/Makefile |1 + utils/vim/Makefile |7 +++ 2 files changed, 8 insertions(+) Index: b/utils/Makefile === --- a/utils/Makefile +++ b/utils/Makefile @@ -60,6 +60,7 @@ install: ${MANPAGES} ${HTMLMANPAGES} install -m 644 ${MODULES} ${PERLDIR} $(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME} $(MAKE) install_manpages DESTDIR=${DESTDIR} + $(MAKE) -C vim install DESTDIR=${DESTDIR} ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 .PHONY: clean Index: b/utils/vim/Makefile === --- a/utils/vim/Makefile +++ b/utils/vim/Makefile @@ -9,10 +9,17 @@ common/Make.rules: $(COMMONDIR)/Make.rul ln -sf $(COMMONDIR) . endif +VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor + all: apparmor.vim apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py python create-apparmor.vim.py $@ +install: apparmor.vim + install -d $(VIM_INSTALL_PATH) + install -m 644 $ $(VIM_INSTALL_PATH) + + clean: rm -f apparmor.vim
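Review bot: `install` in utils/vim/Makefile is not declared `.PHONY`, so a file called `install` in that directory would silently satisfy the target; add it next to the existing `.PHONY: clean`. `VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor` hardcodes the prefix where the parent utils/Makefile parameterises its paths through variables like `${PERLDIR}` and `${MANDIR}`; a variable the packager can override would be consistent. The `install -m 644 $ $(VIM_INSTALL_PATH)` line shows a bare `$` where the source operand belongs; confirm the committed line reads `$<`.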
Re: [apparmor] [patch 5/6] rewrite apparmor.vim generation and integrate into build
On 03/22/2012 10:06 AM, Steve Beattie wrote: This patch replaces the apparmor.vim generating script with a python version that eliminates the need for using the replace tool from the mysql-server package. It makes use of the automatically generated lists of capabilities and network protocols provided by the build infrastructure. I did not capture all the notes and TODOs that Christian had in the shell script; I can do so if desired. It also hooks the generation of the apparmor.vim file into the utils/ build and clean stages. [Note: the patch doesn't reflect the deletion of the script or the apparmor.vim file in the utils/ directory as handling deletions in quilt is problematic. But it's intended that the actual commits into bzr will also remove these files.] So I am good with this (tentative Ack) but I want to hear from Christian first. --- utils/Makefile |2 utils/vim/Makefile | 17 +- utils/vim/create-apparmor.vim.py | 108 +++ 3 files changed, 125 insertions(+), 2 deletions(-) Index: b/utils/Makefile === --- a/utils/Makefile +++ b/utils/Makefile @@ -37,6 +37,7 @@ MANPAGES = ${TOOLS:=.8} logprof.conf.5 all: ${MANPAGES} ${HTMLMANPAGES} $(MAKE) -C po all + $(MAKE) -C vim all # need some better way of determining this DESTDIR=/ @@ -67,6 +68,7 @@ clean: _clean rm -f core core.* *.o *.s *.a *~ rm -f Make.rules $(MAKE) -C po clean + $(MAKE) -C vim clean # ${CAPABILITIES} is defined in common/Make.rules .PHONY: check_severity_db Index: b/utils/vim/Makefile === --- a/utils/vim/Makefile +++ b/utils/vim/Makefile 
@@ -1,5 +1,18 @@ -apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh - sh create-apparmor.vim.sh +COMMONDIR=../../common/ + +all: +include common/Make.rules + +COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] echo true)) +ifeq ($(COMMONDIR_EXISTS), true) +common/Make.rules: $(COMMONDIR)/Make.rules + ln -sf $(COMMONDIR) . +endif + +all: apparmor.vim + +apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py + python create-apparmor.vim.py $@ clean: rm -f apparmor.vim Index: b/utils/vim/create-apparmor.vim.py === --- /dev/null +++ b/utils/vim/create-apparmor.vim.py 
@@ -0,0 +1,108 @@ +#!/usr/bin/python +# +#Copyright (C) 2012 Canonical Ltd. +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#License published by the Free Software Foundation. +# +#Written by Steve Beattie st...@nxnw.org, based on work by +#Christian Boltz appar...@cboltz.de + +import os +import re +import subprocess +import sys + +# dangerous capabilities +danger_caps=[audit_control, + audit_write, + mac_override, + mac_admin, + set_fcap, + sys_admin, + sys_module, + sys_rawio] + +aa_network_types=r'\s+tcp|\s+udp|\s+icmp' + +aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|chroot_attach|chroot_no_attach|chroot_relative|namespace_relative)' + +def cmd(command, input = None, stderr = subprocess.STDOUT, stdout = subprocess.PIPE, stdin = None, timeout = None): +'''Try to execute given command (array) and return its stdout, or +return a textual error if it failed.''' + +try: +sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True) +except OSError, e: +return [127, str(e)] + +out, outerr = sp.communicate(input) + +# Handle redirection of stdout +if out == None: +out = '' +# Handle redirection of stderr +if outerr == None: +outerr = '' +return [sp.returncode,out+outerr] + +# get capabilities list +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities']) +if rc != 0: +print sys.stderr, (make list_capabilities failed: + output) +exit(rc) + +capabilities = re.sub('CAP_', '', output.strip()).lower().split( ) +benign_caps =[] +for cap in capabilities: +if cap not in danger_caps: +benign_caps.append(cap) + +# get network protos list +(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names']) +if rc != 0: +print sys.stderr, (make list_af_names failed: + output) +exit(rc) + +af_names = [] +af_pairs = re.sub('AF_', '', output.strip()).lower().split(,) +for af_pair in af_pairs: +af_name = 
af_pair.lstrip().split( )[0] +# skip max af name definition +if len(af_name) 0 and af_name != max: +af_names.append(af_name) + +# TODO: does a debug flag
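Review bot: in create-apparmor.vim.py, `cmd()` takes a `timeout` argument that is never used, and `exit(rc)` should be `sys.exit(rc)`, since the bare `exit` is a site-module convenience rather than part of the language. `except OSError, e:` and the `print sys.stderr, (...)` lines are Python 2 only (and as extracted the latter would print the stderr object to stdout, so presumably `print >>sys.stderr` was intended); using `except OSError as e` and `sys.stderr.write(...)` keeps the script runnable under either interpreter. In utils/vim/Makefile, `COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] echo true))` reads as if an `&&` between the test and `echo` was lost; confirm the committed line has it.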
Re: [apparmor] [PATCH 1/3] Rename and invert logic of is_null to is_accept to better reflect its use
On Thu, Mar 22, 2012 at 11:44:53AM -0700, John Johansen wrote: Signed-off-by: John Johansen john.johan...@canonical.com Acked-By: Steve Beattie sbeat...@ubuntu.com --- parser/libapparmor_re/hfa.cc | 14 +++--- parser/libapparmor_re/hfa.h |4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/parser/libapparmor_re/hfa.cc b/parser/libapparmor_re/hfa.cc index 3e796ad..5ace9df 100644 --- a/parser/libapparmor_re/hfa.cc +++ b/parser/libapparmor_re/hfa.cc @@ -340,7 +340,7 @@ void DFA::remove_unreachable(dfaflags_t flags) cerr unreachable: **i; if (*i == start) cerr ==; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) (*i)-perms.dump(cerr); cerr \n; } @@ -556,7 +556,7 @@ void DFA::minimize(dfaflags_t flags) (*i)-label = -1; rep-perms.add((*i)-perms); } - if (!rep-perms.is_null()) + if (rep-perms.is_accept()) final_accept++; //if ((*p)-size() 1) //cerr \n; @@ -611,11 +611,11 @@ out: void DFA::dump(ostream os) { for (Partition::iterator i = states.begin(); i != states.end(); i++) { - if (*i == start || !(*i)-perms.is_null()) { + if (*i == start || (*i)-perms.is_accept()) { os **i; if (*i == start) os == (allow/deny/audit/quiet); - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) (*i)-perms.dump(os); os \n; } @@ -631,7 +631,7 @@ void DFA::dump(ostream os) excluded.insert(j-first); } else { os **i; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) os , (*i)-perms.dump(os); os - *(j)-second : 0x hex (int) j-first; @@ -643,7 +643,7 @@ void DFA::dump(ostream os) if ((*i)-otherwise != nonmatching) { os **i; - if (!(*i)-perms.is_null()) + if ((*i)-perms.is_accept()) os , (*i)-perms.dump(os); os - *(*i)-otherwise : [; if (!excluded.empty()) { @@ -677,7 +677,7 @@ void DFA::dump_dot_graph(ostream os) if (*i == start) { os \t\tstyle=bold \n; } - if (!(*i)-perms.is_null()) { + if ((*i)-perms.is_accept()) { os \t\tlabel=\ **i \\n; (*i)-perms.dump(os); os \\n; 
diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h index 73bbfc0..9e022a6 100644 --- a/parser/libapparmor_re/hfa.h +++ b/parser/libapparmor_re/hfa.h @@ -43,7 +43,7 @@ class perms_t { public: perms_t(void) throw(int): allow(0), deny(0), audit(0), quiet(0), exact(0) { }; - bool is_null(void) { return !(allow | audit | quiet); } + bool is_accept(void) { return (allow | audit | quiet); } void dump(ostream os) { @@ -106,7 +106,7 @@ public: allow = ~deny; quiet = deny; deny = 0; - return is_null(); + return !is_accept(); } return 0; } -- 1.7.9.1 -- Steve Beattie sbeat...@ubuntu.com http://NxNW.org/~steve/
Re: [apparmor] [PATCH] fix distro-specific apparmor.vim man page
Acked-By: Steve Beattie sbeat...@ubuntu.com Thanks. -- Steve Beattie sbeat...@ubuntu.com http://NxNW.org/~steve/
Re: [apparmor] [PATCH 2/3] Fix permission mapping for change_profile onexec
On 03/22/2012 12:46 PM, Steve Beattie wrote: On Thu, Mar 22, 2012 at 11:44:54AM -0700, John Johansen wrote: The kernel has an extended test for change_profile when used with onexec, that allows it to only work against set executables. The parser is not correctly mapping change_profile for this test; update the mapping so change_onexec will work when confined. Note: the parser does not currently support the extended syntax that the kernel test allows for, this just enables it to work for the generic case. With this change, there are about 18 failures in the parser testsuite. Do you know what's going wrong there? yeah sorry it didn't get refreshed, new patch will be incoming soon once they go through parser and regression tests
[apparmor] [Bug 962521] Re: aa_getcon returns garbage on error path
** Changed in: apparmor (Ubuntu) Milestone: None => ubuntu-12.04-beta-2 -- You received this bug notification because you are a member of AppArmor Developers, which is the registrant for AppArmor. https://bugs.launchpad.net/bugs/962521 Title: aa_getcon returns garbage on error path Status in AppArmor Linux application security framework: Confirmed Status in “apparmor” package in Ubuntu: In Progress Status in “apparmor” source package in Precise: In Progress Bug description: when calling aa_getcon it returns a garbage filled buffer if it fails To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/962521/+subscriptions
[apparmor] [Bug 962521] Re: aa_getcon returns garbage on error path
** Changed in: apparmor Status: New => Confirmed
[apparmor] [Bug 962521] [NEW] aa_getcon returns garbage on error path
Public bug reported: when calling aa_getcon it returns a garbage filled buffer if it fails ** Affects: apparmor Importance: High Assignee: John Johansen (jjohansen) Status: Confirmed ** Affects: apparmor (Ubuntu) Importance: High Assignee: John Johansen (jjohansen) Status: In Progress ** Affects: apparmor (Ubuntu Precise) Importance: High Assignee: John Johansen (jjohansen) Status: In Progress
[apparmor] [Bug 962521] Re: aa_getcon returns garbage on error path
** Tags added: rls-p-tracking ** Changed in: apparmor Status: Confirmed => Fix Committed
[apparmor] [patch] small fix for capability series
When creating the prior abstraction patches, I mistakenly converted /usr/include/linux/capability.h to sys/capability.h. This patch corrects the issue. === modified file 'common/Make.rules' --- common/Make.rules 2012-03-22 20:19:27 + +++ common/Make.rules 2012-03-22 21:29:40 + @@ -157,7 +157,7 @@ # = # emits defined capabilities in a simple list, e.g. CAP_NAME CAP_NAME2 -CAPABILITIES=$(shell echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) +CAPABILITIES=$(shell echo \#include linux/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) .PHONY: list_capabilities list_capabilities: /usr/include/linux/capability.h -- Steve Beattie sbeat...@ubuntu.com http://NxNW.org/~steve/
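Review bot: the `#include` now matches the `/usr/include/linux/capability.h` prerequisite on `list_capabilities`, but the comment block above the variable and the `check_severity_db` prerequisite in utils/Makefile still name `sys/capability.h` (the follow-up in this thread shows both); fold those into this fix so the series leaves only one header name behind.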
Re: [apparmor] [patch] small fix for capability series
On Thu, 2012-03-22 at 14:33 -0700, Steve Beattie wrote: When creating the prior abstraction patches, I mistakenly converted /usr/include/linux/capability.h to sys/capability.h. This patch corrects the issue. === modified file 'common/Make.rules' --- common/Make.rules 2012-03-22 20:19:27 + +++ common/Make.rules 2012-03-22 21:29:40 + @@ -157,7 +157,7 @@ # = # emits defined capabilities in a simple list, e.g. CAP_NAME CAP_NAME2 -CAPABILITIES=$(shell echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) +CAPABILITIES=$(shell echo \#include linux/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) .PHONY: list_capabilities list_capabilities: /usr/include/linux/capability.h NAK. Isn't this needed in addition? -- Jamie Strandboge | http://www.canonical.com Index: apparmor-2.7.102/common/Make.rules === --- apparmor-2.7.102.orig/common/Make.rules 2012-03-22 16:34:20.0 -0500 +++ apparmor-2.7.102/common/Make.rules 2012-03-22 16:36:29.0 -0500 
@@ -152,12 +152,12 @@ # = # generate list of capabilities based on -# /usr/include/sys/capabilities.h for use in multiple locations in +# /usr/include/linux/capabilities.h for use in multiple locations in # the source tree # = # emits defined capabilities in a simple list, e.g. CAP_NAME CAP_NAME2 -CAPABILITIES=$(shell echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) +CAPABILITIES=$(shell echo \#include linux/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) .PHONY: list_capabilities list_capabilities: /usr/include/linux/capability.h Index: apparmor-2.7.102/utils/Makefile === --- apparmor-2.7.102.orig/utils/Makefile 2012-03-22 16:34:20.0 -0500 +++ apparmor-2.7.102/utils/Makefile 2012-03-22 16:36:38.0 -0500 @@ -74,7 +74,7 @@ # ${CAPABILITIES} is defined in common/Make.rules .PHONY: check_severity_db .SILENT: check_severity_db -check_severity_db: /usr/include/sys/capability.h severity.db +check_severity_db: /usr/include/linux/capability.h severity.db # The sed statement is based on the one in the parser's makefile RC=0 ; for cap in ${CAPABILITIES} ; do \ if ! grep -q -w $${cap} severity.db ; then \
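Review bot: the corrected comment says `/usr/include/linux/capabilities.h`, but the header is `capability.h` (singular), as the `list_capabilities` prerequisite two lines below spells it; fix the comment while touching it. The `check_severity_db` prerequisite change is right, since `${CAPABILITIES}` is now derived from `linux/capability.h`, and the comment on that rule ("based on the one in the parser's makefile") could point at common/Make.rules instead, where the sed now lives.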
[apparmor] [PATCH] clean up utils/vim/common symlink on clean
-- Jamie Strandboge | http://www.canonical.com Author: Jamie Strandboge ja...@canonical.com Description: clean up utils/vim/common Forwarded: yes Index: apparmor-2.7.102/utils/vim/Makefile === --- apparmor-2.7.102.orig/utils/vim/Makefile 2012-03-22 15:27:29.0 -0500 +++ apparmor-2.7.102/utils/vim/Makefile 2012-03-22 16:09:18.0 -0500 @@ -22,4 +22,4 @@ clean: - rm -f apparmor.vim + rm -f apparmor.vim common signature.asc Description: This is a digitally signed message part -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
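Review bot: `rm -f apparmor.vim common` is only safe while `common` is the symlink that the Makefile's `ln -sf $(COMMONDIR) .` creates; if a real `common` directory ever appears under utils/vim/, `rm -f` fails on it ("Is a directory") and `make clean` aborts. Either guard the removal (`[ -L common ] && rm -f common` or `-rm -f common`, matching the `-rm -f` style common/Make.rules uses in `_clean`) or add a comment stating that `common` is a build-created symlink.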
Re: [apparmor] [patch 4/6] add missing capabilities to severity.db
Hello, Am Donnerstag, 22. März 2012 schrieb Steve Beattie: CAP_WAKE_ALARM 8 This one is missing in apparmor.vim. I assume it translates to capability wake_alarm, in the profiles, therefore I propose the following patch: === modified file 'utils/vim/create-apparmor.vim.sh' --- utils/vim/create-apparmor.vim.sh2011-08-21 21:49:25 + +++ utils/vim/create-apparmor.vim.sh2012-03-22 22:04:14 + @@ -1,7 +1,7 @@ #!/bin/bash # not-too-dangerous capabilities -sdKapKey=chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease +sdKapKey=chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease wake_alarm # dangerous capabilities sdKapKeyDanger=audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio Regards, Christian Boltz -- DAS kenne ich! Learning by carrying of annoying heavy hardware. So'nen Strafmonitor habe ich hier auch. Wenn ich mal wieder meinen kleinen Server an die Wand gefahren hab, müssen 40 kg/21 den Flur hochgewuchtet werden :-) [Ratti] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
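Review bot: the hunk keeps two hand-maintained capability lists (`sdKapKey` and `sdKapKeyDanger`) that must be edited every time the kernel adds a capability, which is exactly how wake_alarm was missed. Since common/Make.rules now exports `$(CAPABILITIES)`, the benign list could be derived as "every generated name minus the dangerous set"; failing that, the build could mirror the `check_severity_db` loop from utils/Makefile (iterate `${CAPABILITIES}`, lower-case, `grep -q -w` in this script) so a missing name fails the build instead of silently producing an apparmor.vim without highlighting for it.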
Re: [apparmor] [patch 4/6] add missing capabilities to severity.db
On 03/22/2012 03:08 PM, Christian Boltz wrote: Hello, Am Donnerstag, 22. März 2012 schrieb Steve Beattie: CAP_WAKE_ALARM 8 yep This one is missing in apparmor.vim. I assume it translates to capability wake_alarm, in the profiles, therefore I propose the following patch: === modified file 'utils/vim/create-apparmor.vim.sh' --- utils/vim/create-apparmor.vim.sh2011-08-21 21:49:25 + +++ utils/vim/create-apparmor.vim.sh2012-03-22 22:04:14 + @@ -1,7 +1,7 @@ #!/bin/bash # not-too-dangerous capabilities -sdKapKey=chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease +sdKapKey=chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config syslog mknod lease wake_alarm # dangerous capabilities sdKapKeyDanger=audit_control audit_write mac_override mac_admin set_fcap sys_admin sys_module sys_rawio Regards, Christian Boltz looks good Acked-by: John Johansen john.johan...@canonical.com -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
Hello, (also affects patch 3/6, but splitting the mail wouldn't make sense) Am Donnerstag, 22. März 2012 schrieb Steve Beattie: This patch abstracts out the generation of the lists of capabilities and network protocol names to the common Make.rules file that is included in most locations in the build tree, to allow it to be re-used in the utils/ tree and possibly elsewhere. I like the idea, but the implementation is, well, suboptimal... --- a/common/Make.rules +++ b/common/Make.rules 
@@ -151,6 +151,40 @@ _clean: -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp # = +# generate list of capabilities based on +# /usr/include/sys/capabilities.h for use in multiple locations in I don't have /usr/include/sys/capability.h on my system (openSUSE 12.1) Either I need to install another package (thanks to OBS, I don't have too many devel packages on my system) or it's at another location. # locate capability.h /usr/include/linux/capability.h /usr/src/linux-3.1.0-1.2/include/linux/capability.h /usr/src/linux-3.1.9-1.4/include/linux/capability.h Do I miss a package or are the paths really different on openSUSE? +# emits defined capabilities in a simple list, e.g. CAP_NAME CAP_NAME2 +CAPABILITIES=$(shell echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A- Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort) Now let me paste a sniplet from patch 3/6 (utils/Makefile): +# ${CAPABILITIES} is defined in common/Make.rules +.PHONY: check_severity_db +.SILENT: check_severity_db +check_severity_db: /usr/include/sys/capability.h severity.db The problem I see here is that the Makefile contains an indirect dependency. IMHO that's not a clean solution and might cause maintenance fun if capability.h ever moves. I'd like to propose an alternative solution that avoids this problem: In common/Make.rules, write the capability list to a file instead of storing it in a variable: capability_list: /usr/include/linux/capability.h echo \#include sys/capability.h | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort capability_list now back to utils/Makefile: +check_severity_db: /usr/include/sys/capability.h severity.db + # The sed statement is based on the one in the parser's makefile Outdated comment? I see no sed in the check_severity_db target. 
+ RC=0 ; for cap in ${CAPABILITIES} ; do \ Would then be check_severity_db: capability_list severity.db RC=0 ; for cap in `cat capability_list` ; do \ AF_NAMES shares this problem and should also be implemented with a file instead of using a make variable. Note that everything above is untested ;-) BTW: make clean should delete the capability_list file. Regards, Christian Boltz -- Unix: Alles ist ein File, und was kein File ist, hat sich gefaelligst als ein solches zu tarnen. [Wolfgang Weisselberg in linux-liste] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
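Review bot: the proposed `capability_list` recipe ends in `sort capability_list`, which as shown sorts a file that does not exist yet instead of writing it; the output redirection (`| sort > capability_list`) is needed. The recipe also still feeds `#include sys/capability.h` to cpp while the prerequisite is `/usr/include/linux/capability.h`, so the file make watches and the file cpp parses differ. One more argument for the file-based variant worth stating explicitly: `CAPABILITIES=$(shell ...)` uses `=`, so the cpp/sed pipeline is re-run on every expansion of `$(CAPABILITIES)` (twice if a rule references it twice), whereas a file target runs it once per header change; the same applies to `AF_NAMES`.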
Re: [apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules
On Thu, 2012-03-22 at 23:20 +0100, Christian Boltz wrote: --- a/common/Make.rules +++ b/common/Make.rules @@ -151,6 +151,40 @@ _clean: -rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp # = +# generate list of capabilities based on +# /usr/include/sys/capabilities.h for use in multiple locations in I don't have /usr/include/sys/capability.h on my system (openSUSE 12.1) Either I need to install another package (thanks to OBS, I don't have too many devel packages on my system) or it's at another location. # locate capability.h /usr/include/linux/capability.h /usr/src/linux-3.1.0-1.2/include/linux/capability.h /usr/src/linux-3.1.9-1.4/include/linux/capability.h Do I miss a package or are the paths really different on openSUSE? There was a mistake. You need r2008. -- Jamie Strandboge | http://www.canonical.com signature.asc Description: This is a digitally signed message part -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
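As an added example, not code from the AppArmor tree or from anyone in this thread, here is the selection performed by the two sed expressions in common/Make.rules (patch 2/6), plus the `check_severity_db` loop from utils/Makefile (patch 3/6), written in Python over constructed input so it runs without the system headers. The `cpp -dM` excerpts and the severity.db excerpt are constructed; the regular expressions are transcriptions of the sed patterns quoted above. It goes slightly beyond the page in one respect: family filtering compares the whole macro name, so a filter such as PF_INET cannot also swallow PF_INET6 the way the substring `sed '/.../d'` in Make.rules would, and the constructed socket header includes a numeric PF_MAX to show that the pattern as written admits it.

```python
import re

# Constructed excerpt of what `cpp -dM` prints for linux/capability.h.
# Assumption: the real output has many more macros; these shapes are the
# ones the sed expression in common/Make.rules has to accept or reject.
CAPABILITY_CPP_OUTPUT = """\
#define CAP_CHOWN 0
#define CAP_DAC_OVERRIDE 1
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_SYSLOG 34
#define CAP_WAKE_ALARM 35
#define CAP_LAST_CAP CAP_WAKE_ALARM
#define CAP_EMPTY_SET 0
#define CAP_TO_INDEX(x) ((x) >> 5)
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
"""

# Constructed excerpt of `cpp -dM` output for sys/socket.h (bits/socket.h).
SOCKET_CPP_OUTPUT = """\
#define PF_UNSPEC 0
#define PF_LOCAL 1
#define PF_UNIX PF_LOCAL
#define PF_FILE PF_LOCAL
#define PF_INET 2
#define PF_INET6 10
#define PF_NETLINK 16
#define PF_ROUTE PF_NETLINK
#define PF_PACKET 17
#define PF_MAX 40
#define AF_INET PF_INET
"""

# Constructed excerpt of utils/severity.db. Assumption: one "CAP_NAME level"
# entry per line; check_severity_db only needs `grep -w` to find the name.
SEVERITY_DB = """\
# constructed excerpt
CAP_CHOWN 9
CAP_DAC_OVERRIDE 9
CAP_NET_ADMIN 9
CAP_SYS_ADMIN 10
CAP_SYSLOG 8
"""

# Transcriptions of the two sed expressions from common/Make.rules.
CAP_DEFINE = re.compile(r'^#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9xa-f]+)(.*)$')
PF_DEFINE = re.compile(r'^#define[ \t]+PF_([A-Z0-9_]+)[ \t]+([0-9]+).*$')
FILTER_FAMILIES = frozenset({'PF_UNSPEC', 'PF_UNIX', 'PF_LOCAL', 'PF_NETLINK'})


def capabilities(cpp_output):
    """Like $(CAPABILITIES): '#define CAP_X <number>' lines minus CAP_EMPTY_SET,
    returned as sorted CAP_ names. Python sorts by code point, which is what
    LC_ALL=C gives sort(1); CAP_SYSLOG therefore sorts before CAP_SYS_ADMIN."""
    names = []
    for line in cpp_output.splitlines():
        if 'CAP_EMPTY_SET' in line:            # the sed '/CAP_EMPTY_SET/d'
            continue
        m = CAP_DEFINE.match(line)             # CAP_LAST_CAP CAP_WAKE_ALARM and
        if m:                                  # CAP_TO_INDEX(x) fail the pattern
            names.append('CAP_' + m.group(1))
    return sorted(names)


def af_names(cpp_output, filtered=FILTER_FAMILIES):
    """Like $(AF_NAMES): numeric PF_ defines rewritten to AF_, sorted by number.
    The filter compares the whole macro name, not a substring as sed '/PF_X/d'
    does, so filtering PF_INET cannot also drop PF_INET6."""
    pairs = []
    for line in cpp_output.splitlines():
        m = PF_DEFINE.match(line)
        if m is None or 'PF_' + m.group(1) in filtered:
            continue
        pairs.append(('AF_' + m.group(1), int(m.group(2))))
    return sorted(pairs, key=lambda p: p[1])


def missing_from_severity_db(caps, severity_db):
    """The check_severity_db loop: every generated capability must occur as a
    whole word (grep -w) somewhere in severity.db."""
    words = set(re.findall(r'\w+', severity_db))
    return [cap for cap in caps if cap not in words]


if __name__ == '__main__':
    caps = capabilities(CAPABILITY_CPP_OUTPUT)
    print(' '.join(caps))
    print(' '.join('%s %d,' % pair for pair in af_names(SOCKET_CPP_OUTPUT)))
    for cap in missing_from_severity_db(caps, SEVERITY_DB):
        print('%s is missing from severity.db' % cap)
```

Run stand-alone it reports CAP_WAKE_ALARM as missing from the constructed severity.db, which is the situation patch 4/6 fixes. Note that the generated capability order depends on the collation: the `LC_ALL=C` in Make.rules is what keeps `CAP_SYSLOG` ahead of `CAP_SYS_ADMIN` on every build host, and a consumer of `AF_NAMES` has to decide for itself whether a numeric `PF_MAX` belongs in the list.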
Re: [apparmor] [patch 6/6] add apparmor.vim install target to utils/ install
Installing the apparmor.vim file by default sounds like a great idea. It's too useful to leave it out and changes often enough that upstream vim or vim packaging doesn't feel right. Yet. -Original Message- From: John Johansen john.johan...@canonical.com Sender: apparmor-boun...@lists.ubuntu.com Date: Thu, 22 Mar 2012 11:51:17 To: Steve Beattiest...@nxnw.org Cc: apparmor@lists.ubuntu.com Subject: Re: [apparmor] [patch 6/6] add apparmor.vim install target to utils/ install On 03/22/2012 10:06 AM, Steve Beattie wrote: This patch adds a make install target for the generated apparmor.vim file, installing by default into /usr/share/apparmor based on IRC discussions; alternate suggestions welcome. (Installing directly into the vim syntax tree is difficult as the system path by default contains the vim version number.) This is kept as a separate patch in case it's felt that it's too late in the dev cycle to add an additional installed file, even if it's one that won't get automatically used by anything. So I am okay with this, I'll defer to others whether its to late in the dev cycle, but I think its okay for a leaf item like this Acked-by: John Johansen john.johan...@canonical.com --- utils/Makefile |1 + utils/vim/Makefile |7 +++ 2 files changed, 8 insertions(+) Index: b/utils/Makefile === --- a/utils/Makefile +++ b/utils/Makefile @@ -60,6 +60,7 @@ install: ${MANPAGES} ${HTMLMANPAGES} install -m 644 ${MODULES} ${PERLDIR} $(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME} $(MAKE) install_manpages DESTDIR=${DESTDIR} + $(MAKE) -C vim install DESTDIR=${DESTDIR} ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 .PHONY: clean Index: b/utils/vim/Makefile === --- a/utils/vim/Makefile +++ b/utils/vim/Makefile 
@@ -9,10 +9,17 @@ common/Make.rules: $(COMMONDIR)/Make.rul ln -sf $(COMMONDIR) . endif +VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor + all: apparmor.vim apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py python create-apparmor.vim.py $@ +install: apparmor.vim + install -d $(VIM_INSTALL_PATH) + install -m 644 $ $(VIM_INSTALL_PATH) + + clean: rm -f apparmor.vim -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
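Review bot: in the utils/vim/Makefile hunk the install recipe reads `install -m 644 $ $(VIM_INSTALL_PATH)`, which names no source file; presumably `$<` (apparmor.vim, the rule's only prerequisite) was intended. `VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor` also hard-codes the prefix while the rest of utils/ installs through variables such as `${MANDIR}`; a variable with the same default would let packagers override it without patching the file. The new `install` target is not marked `.PHONY` anywhere in the hunk (nor is the existing `clean`), so a stray file named `install` in utils/vim/ would silently skip the step.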
Re: [apparmor] [PATCH 2/3] Fix permission mapping for change_profile onexec
On 03/22/2012 03:35 PM, Seth Arnold wrote:

I'm always worried when I see shared magic numbers. If AA_ONEXEC is supposed to share with AA_CHANGE_HAT, please define one in terms of the other or provide a comment to warn the future. Thanks :)

Well in fact they aren't exactly the same and could change. A boring explanation follows.

AA_CHANGE_HAT can be set in a base entry. Think of a dfa encoding

change_profile /a,

Start -> state1 -> state2
/ a

with the change_profile flag set on the permissions hanging off of state2.

AA_ONEXEC can only be set on the second in a pair entry.

change_profile /e -> /a,

Start -> state1 -> state2 -> state3 -> state4 -> state5
/ a \0 / e

with the onexec info hanging off of state5. \0 is not a valid match character for paths, so no path will be able to step across and start matching the exec portion of the rule. The kernel makes a deliberate \0 transition to get into the second match and then tests the exec. The permissions in the second match part don't have to be the same as those in the first, and in fact are not.

-----Original Message-----
From: John Johansen john.johan...@canonical.com
Sender: apparmor-boun...@lists.ubuntu.com
Date: Thu, 22 Mar 2012 11:44:54
To: apparmor@lists.ubuntu.com
Subject: [apparmor] [PATCH 2/3] Fix permission mapping for change_profile onexec

The kernel has an extended test for change_profile when used with onexec, that allows it to only work against set executables. The parser is not correctly mapping change_profile for this test; update the mapping so change_onexec will work when confined. Note: the parser does not currently support the extended syntax that the kernel test allows for, this just enables it to work for the generic case.

Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/immunix.h | 1 +
parser/parser_regex.c | 26 +-
2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/parser/immunix.h b/parser/immunix.h
index 8dc157a..ebb2d2e 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -61,6 +61,7 @@ #define AA_PTRACE_PERMS (AA_USER_PTRACE | AA_OTHER_PTRACE) #define AA_CHANGE_HAT(1 30) +#define AA_ONEXEC(1 30) #define AA_CHANGE_PROFILE(1 31) #define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE) diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 8c34799..d0293e1 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -510,19 +510,27 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) return FALSE; } if (entry-mode AA_CHANGE_PROFILE) { + char *vec[3]; + char lbuf[PATH_MAX + 8]; + int index = 1; + + /* allow change_profile for all execs */ + vec[0] = /[^/\x00]*; + if (entry-namespace) { - char *vec[2]; - char lbuf[PATH_MAX + 8]; int pos; ptype = convert_aaregex_to_pcre(entry-namespace, 0, lbuf, PATH_MAX + 8, pos); - vec[0] = lbuf; - vec[1] = tbuf; - if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec, dfaflags)) - return FALSE; - } else { - if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0, dfaflags)) - return FALSE; + vec[index++] = lbuf; } + vec[index++] = tbuf; + + /* regular change_profile rule */ + if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, index -1, vec[1], dfaflags)) + return FALSE; + /* onexec rule - both rules are needed for onexec */ + if (!aare_add_rule_vec(dfarules, 0, AA_ONEXEC, 0, index, vec, dfaflags)) + return FALSE; + } if (entry-mode (AA_USER_PTRACE | AA_OTHER_PTRACE)) { int mode = entry-mode (AA_USER_PTRACE | AA_OTHER_PTRACE); -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
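Review bot: `#define AA_ONEXEC` gives AA_ONEXEC the same bit value as AA_CHANGE_HAT with no comment in immunix.h, which is the magic-number concern raised above; the explanation in the reply (AA_CHANGE_HAT is set on a base entry, AA_ONEXEC only on the second half of the `\0`-separated pair, so the two are never tested on the same state) belongs next to the define, and `AA_SHARED_PERMS` should say whether AA_ONEXEC is intentionally left out of it. In the parser_regex.c hunk, the first `aare_add_rule_vec` call passes `index -1` entries starting at `vec[1]` to skip the `/[^/\x00]*` exec prefix in `vec[0]` while the AA_ONEXEC call passes all `index` entries; a one-line comment on why the regular change_profile rule starts at vec[1] would save the next reader from re-deriving it. Note also that `lbuf[PATH_MAX + 8]` is now declared for every change_profile entry rather than only in the namespace branch, which is worth a mention in the commit message.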
[apparmor] [Bug 962521] Re: aa_getcon returns garbage on error path
This bug was fixed in the package apparmor - 2.7.102-0ubuntu1 --- apparmor (2.7.102-0ubuntu1) precise; urgency=low * New upstream release. Fixes the following issues in support of LXC AppArmor support for beta-2: - Fix the return size of aa_getprocattr (LP: #962521) - Fix mnt_flags passed for remount - Fix dfa minimization around the nonmatching state - Factor all the permissions dump code into a single perms method * debian/apparmor-utils.install: - AppArmor now installs apparmor.vim. Move it into place - install aa-exec * debian/apparmor-utils.manpages: install aa-exec man page * debian/patches/0003-add-aa-easyprof.patch: refresh for Makefile changes * debian/patches/0005-clean-common-from-vim.patch: clean up 'common' symlink * 0006-use-linux-capability-h.patch: Use linux/capability.h instead of sys/capability.h -- Jamie Strandboge ja...@ubuntu.com Thu, 22 Mar 2012 15:39:56 -0500 ** Changed in: apparmor (Ubuntu Precise) Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of AppArmor Developers, which is the registrant for AppArmor. https://bugs.launchpad.net/bugs/962521 Title: aa_getcon returns garbage on error path Status in AppArmor Linux application security framework: Fix Committed Status in “apparmor” package in Ubuntu: Fix Released Status in “apparmor” source package in Precise: Fix Released Bug description: when calling aa_getcon it returns a garbage filled buffer if it fails To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/962521/+subscriptions -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[apparmor] [Bug 962521] Re: aa_getcon returns garbage on error path
** Branch linked: lp:ubuntu/apparmor
Re: [apparmor] [patch 5/6] rewrite apparmor.vim generation and integrate into build
Hello, (I should have read all mails before replying to the 4/6 patch ;-) Am Donnerstag, 22. März 2012 schrieb Steve Beattie: This patch replaces the apparmor.vim generating script with a python version that eliminates the need for using the replace tool from the mysql-server package. I'm fine with rewriting the generation of apparmor.vim with a p* language - it's a long-standing issue on my TODO list, but usually there's ENOTIME ;-) Let me warn you that I know nothing about python. This means you'll probably have to maintain the script yourself - or teach me python ;-) It makes use of the automatically generated lists of capabilities and network protocols provided by the build infrastructure. :-) I did not capture all the notes and TODOs that Christian had in the shell script; I can do so if desired. I won't object ;-) Index: b/utils/vim/Makefile === --- a/utils/vim/Makefile +++ b/utils/vim/Makefile @@ -1,5 +1,18 @@ -apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.sh - sh create-apparmor.vim.sh +COMMONDIR=../../common/ + +all: +include common/Make.rules + +COMMONDIR_EXISTS=$(strip $(shell [ -d ${COMMONDIR} ] echo true)) +ifeq ($(COMMONDIR_EXISTS), true) +common/Make.rules: $(COMMONDIR)/Make.rules + ln -sf $(COMMONDIR) . +endif What's the reason for this COMMONDIR magic? I'd just use include $(COMMONDIR)/Make.rules but probably I'm overlooking the reason why you did it this way ;-) Index: b/utils/vim/create-apparmor.vim.py === --- /dev/null +++ b/utils/vim/create-apparmor.vim.py 
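Review bot: the COMMONDIR block in the utils/vim/Makefile hunk creates a `common` symlink inside the source tree (`ln -sf $(COMMONDIR) .`) instead of plain `include $(COMMONDIR)/Make.rules`, as asked above; if there is a reason (presumably to match how other subdirectories locate Make.rules), it should be stated in a comment above the `ifeq`, because as written the rule leaves a build artifact that the `clean` target in the same file does not remove. The bare `all:` before the include exists so `all` stays the default goal even though Make.rules defines targets first; that deserves a comment as well.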
@@ -0,0 +1,108 @@ +#!/usr/bin/python +# +#Copyright (C) 2012 Canonical Ltd. +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#License published by the Free Software Foundation. +# +#Written by Steve Beattie st...@nxnw.org, based on work by +#Christian Boltz appar...@cboltz.de + +import os +import re +import subprocess +import sys + +# dangerous capabilities +danger_caps=[audit_control, + audit_write, + mac_override, + mac_admin, + set_fcap, + sys_admin, + sys_module, + sys_rawio] Hmm, would it make sense to get this list from severity.db? Just handle everything with severity 10 (and 9?) as dangerous. +aa_network_types=r'\s+tcp|\s+udp|\s+icmp' +aa_flags=r'(complain|audit|attach_disconnect|no_attach_disconnected|c hroot_attach|chroot_no_attach|chroot_relative|namespace_relative)' Writing aa_network_types and aa_flags as array and later join'ing them would be better readable. I didn't do this in the shell script because it would have been too difficult, but now that we finally have it in another language, it's an easy change. +for cap in capabilities: +if cap not in danger_caps: +benign_caps.append(cap) IIRC 2.8 will allow to specify more than one capability per line, for example capability sys_admin syslog, This means I'll probably change apparmor.vim to do inline coloring here so that only sys_admin will look dangerous instead of the whole line. On the script side, this means the capability list should contain all capabilities including the dangerous ones, and I still need the dangerous capabilities list. That's nothing you need to change now. 
I just wanted to point it out so that you know which changes you have to expect ;-) +def my_repl(matchobj): +#print matchobj.group(1) +if matchobj.group(1) in aa_regex_map: +return aa_regex_map[matchobj.group(1)] + +return matchobj.group(0) + +regex = @@( + |.join(aa_regex_map) + )@@ + +with file(apparmor.vim.in) as template: +for line in template: +line = re.sub(regex, my_repl, line.rstrip()) +print line This looks too easy to be true ;-) There's another thing I'd like to request. You might have noticed that the file rules still contain lots of duplication in apparmor.vim.in - with the exception of deny x, the only differences between the file rules are - the highlighting name (sdEntryXYZ) - the permission flags Therefore I'd like to have a function that writes out the file rules. Pseudocode for calling it: filerule( 'sdEntryW' , '(l|r|w|k)+' ) filerule( 'sdEntryUX' , '(r|m|k|ux|pux)+@@TRANSITION@@' ) It would probably also be possible to use an array as long as it uses the permissions as key: $filerules = array( '(l|r|w|k)+' = 'sdEntryW' '(r|m|k|ux|pux)+@@TRANSITION@@' = 'sdEntryUX' ); In theory there can be multiple lines for one highlighting name, and given the restriction of 9 (...) groups per line in vim, I'll probably have to split up some rules sooner or later. In other words: don't even think about using sdEntryXY as array
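Review bot: the create-apparmor.vim.py hunk is Python 2 only (`with file(...)` and the `print line` statement, both gone in Python 3) under a bare `#!/usr/bin/python` shebang; since the script runs from the build, either use `open()` and `print()` so it works under both or pin the interpreter explicitly. The substitution pattern is built by joining the keys of `aa_regex_map` straight into the regex, so any key containing a regex metacharacter silently changes the pattern; apply `re.escape` to each key. `danger_caps` duplicates the dangerous set that severity.db already expresses, as noted above, so deriving it from there would leave one source of truth.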