Re: [apparmor] Fwd: MariaDB AppArmor

2014-04-18 Thread Otto Kekäläinen
Hello!

Just as a reminder about this topic: at the moment MariaDB 5.5 has no
effective AppArmor profile. I am happy to accept pull requests /
patches for it, if somebody more knowledgeable in AppArmor profile
generation wants to supply one.

Debian official packaging repo:
http://anonscm.debian.org/gitweb/?p=pkg-mysql/mariadb-5.5.git
A Github mirror for easy pull requests: https://github.com/ottok/mariadb-5.5


2014-02-22 19:49 GMT+02:00 Otto Kekäläinen o...@seravo.fi:
 Hello!

 2014-02-22 19:41 GMT+02:00 Felix Geyer de...@ubuntu.com:
 -Slave_open_temp_tables 0
 +Slave_open_temp_tables 1

 mysqltest: Result content mismatch

 not ok

 This is ok, this error is not marked as an actual error in the test
 suite and it happens at least in all of the build environments I use.


 There are a few denied permissions:

 apparmor=DENIED operation=mknod parent=13650 profile=/usr/sbin/mysqld name=/usr/share/mysql/mysql-test/hostname.lower-test pid=13654 comm=mysqld requested_mask=c denied_mask=c fsuid=0 ouid=0
 apparmor=DENIED operation=open parent=26824 profile=/usr/sbin/mysqld name=/etc/ pid=26826 comm=mysqld requested_mask=r denied_mask=r fsuid=0 ouid=0
 apparmor=DENIED operation=open parent=26863 profile=/usr/sbin/mysqld name=/etc/pam.d/other pid=26895 comm=mysqld requested_mask=r denied_mask=r fsuid=0 ouid=0
 apparmor=DENIED operation=capable parent=27197 profile=/usr/sbin/mysqld pid=27231 comm=mysqld pid=27231 comm=mysqld capability=36 capname=block_suspend

 Just before the access to /etc/pam.d/other mariadb logs:
 mysqld: PAM pam_end: NULL pam handle passed

 The first one is obviously only requested by the test suite, not sure about 
 the others.


 I guess it is ok to add mysql-test paths to the profile, as an
 attacker would not benefit from such access anyway.

 Unlike MySQL, MariaDB has PAM authentication integration. So that
 probably needs some extra AppArmor rules too?


 Please send me an updated profile if you are handy at writing them :)

 - Otto


 --
 Check out our blog at http://seravo.fi/blog
 and follow @ottokekalainen



-- 
Check out our blog at http://seravo.fi/blog
and follow @ottokekalainen
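The denials Felix quoted are the raw material for the profile update Otto is asking for. The script below is an added example (not MariaDB packaging code and not an AppArmor project tool): it parses those audit lines, emits the one profile rule each denial would need, and attaches a triage hint so test-suite noise, PAM access and capability grants are kept apart. The sample input is constructed from the lines above; `review_hint` and its path prefixes are my own choices.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the denials from the message, each joined back
# onto one line. Real audit output quotes string values; the third line is
# left unquoted (as in the mail) to show that both forms parse.
SAMPLE_DENIALS = """\
apparmor="DENIED" operation="mknod" parent=13650 profile="/usr/sbin/mysqld" name="/usr/share/mysql/mysql-test/hostname.lower-test" pid=13654 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="DENIED" operation="open" parent=26824 profile="/usr/sbin/mysqld" name="/etc/" pid=26826 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor=DENIED operation=open parent=26863 profile=/usr/sbin/mysqld name=/etc/pam.d/other pid=26895 comm=mysqld requested_mask=r denied_mask=r fsuid=0 ouid=0
apparmor="DENIED" operation="capable" parent=27197 profile="/usr/sbin/mysqld" pid=27231 comm="mysqld" capability=36 capname="block_suspend"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letters -> profile permission letters. Create (c) and delete
# (d) are reported separately by the kernel but are granted by w in a rule.
_MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                 "k": "k", "l": "l", "m": "m"}
_PERM_ORDER = "rwalkm"


def parse_denial(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields (quoted or bare)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def rule_for(fields: Dict[str, str]) -> str:
    """The single profile rule that would have allowed this denial."""
    if fields.get("operation") == "capable":
        return f"capability {fields['capname']},"
    wanted = {_MASK_TO_PERM[c] for c in fields["denied_mask"] if c in _MASK_TO_PERM}
    perms = "".join(p for p in _PERM_ORDER if p in wanted)
    return f"{fields['name']} {perms},"


def review_hint(fields: Dict[str, str]) -> str:
    """Coarse triage (my own heuristic) so the maintainer knows what to scrutinise."""
    name = fields.get("name", "")
    if name.startswith("/usr/share/mysql/mysql-test/"):
        return "test-suite path: harmless, but belongs in a test-only profile"
    if fields.get("operation") == "capable":
        return "capability: confirm the daemon needs it before granting"
    if name.startswith("/etc/pam.d/"):
        return "PAM config: expected if the PAM auth plugin is in use"
    return "review"


def suggest_rules(audit_text: str) -> List[Tuple[str, str]]:
    """(rule, hint) for every DENIED line in the given audit text."""
    out: List[Tuple[str, str]] = []
    for line in audit_text.splitlines():
        fields = parse_denial(line)
        if fields.get("apparmor") != "DENIED":
            continue
        out.append((rule_for(fields), review_hint(fields)))
    return out


if __name__ == "__main__":
    for rule, hint in suggest_rules(SAMPLE_DENIALS):
        print(f"{rule:<60} # {hint}")
```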

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


[apparmor] [patch] winbindd profile update

2014-04-18 Thread Christian Boltz
Hello,

this patch updates the usr.sbin.winbindd profile:
- allow rw access to /var/cache/krb5rcache/
- treat passdb.tdb.tmp as passdb.tdb

Patch from Lars Müller lmue...@suse.com

References: https://bugzilla.novell.com/show_bug.cgi?id=870607


=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd   2014-01-23 14:04:12
+++ profiles/apparmor.d/usr.sbin.winbindd   2014-04-18 14:10:35
@@ -10,7 +10,7 @@
   capability ipc_lock,
   capability setuid,
 
-  /etc/samba/passdb.tdb rwk,
+  /etc/samba/passdb.tdb{,.tmp} rwk,
   /etc/samba/secrets.tdb rwk,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
@@ -19,6 +19,7 @@
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/sbin/winbindd mr,
+  /var/cache/krb5rcache/* rw,
   /var/cache/samba/*.tdb rwk,
   /var/lib/samba/smb_krb5/krb5.conf.* rw,
   /var/lib/samba/smb_tmp_krb5.* rw,
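Review bot: `/var/cache/krb5rcache/* rw,` covers files inside the directory but not the directory entry itself, so if winbindd has to create or list `/var/cache/krb5rcache/` a separate `/var/cache/krb5rcache/ rw,` rule is still needed; the commit message says "rw access to /var/cache/krb5rcache/", so either add the directory rule or narrow the description to the replay-cache files. The neighbouring cache rule (`/var/cache/samba/*.tdb rwk,`) carries `k`; if the audit log shows lock denials on the replay cache, `k` belongs here too.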



Regards,

Christian Boltz
-- 
The penguin is a good logo for Linux,
because what doesn't fly can't crash either.
Francis Kuhlen (IBM-Vice President Sales)




Re: [apparmor] [PATCH] parser: Document pivot_root in the apparmor.d(5) man page

2014-04-18 Thread Christian Boltz
Hello,

On Monday, 14 April 2014, Tyler Hicks wrote:
 diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
 index 853cd5c..ff7887d 100644
 --- a/parser/apparmor.d.pod
 +++ b/parser/apparmor.d.pod
 +BPROFILE = [ ICOMMENT ... ] [ IVARIABLE ASSIGNMENT
 ... ] ( '' IPROGRAM '' | IPROGRAM ) [ 'flags=(complain)' ]'{'  
 [...]

Unrelated, but:

There are more flags, not only complain. The manpage should also have a 
section explaining what all those flags do.

Are you bored enough to fix this now (I'm not, sorry), or do you prefer 
a bugreport? ;-)


Regards,

Christian Boltz
-- 
http://www1.giga.de/gigahelp/index_gigahelp/0,3597,,00.html
| Unfortunately, your browser seems to support building frames ...
*Unfortunately?* :)
Lynx doesn't, though. :)   [Andreas Kneib in suse-linux]




Re: [apparmor] [PATCH] parser: Document pivot_root in the apparmor.d(5) man page

2014-04-18 Thread Tyler Hicks
On 2014-04-18 16:30:36, Christian Boltz wrote:
 Hello,
 
 On Monday, 14 April 2014, Tyler Hicks wrote:
  diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
  index 853cd5c..ff7887d 100644
  --- a/parser/apparmor.d.pod
  +++ b/parser/apparmor.d.pod
  +BPROFILE = [ ICOMMENT ... ] [ IVARIABLE ASSIGNMENT
  ... ] ( '' IPROGRAM '' | IPROGRAM ) [ 'flags=(complain)' ]'{'  
  [...]
 
 Unrelated, but:
 
 There are more flags, not only complain. The manpage should also have a 
 section explaining what all those flags do.
 
 Are you bored enough to fix this now (I'm not, sorry), or do you prefer 
 a bugreport? ;-)

I'm not interested in fixing that right now. I don't know all of the
flags and would have to dig through the parser code to find them.

Tyler





Re: [apparmor] [patch 17/26] Add the ability to mediate signals.

2014-04-18 Thread Seth Arnold
On Tue, Apr 15, 2014 at 10:22:24AM -0700, john.johan...@canonical.com wrote:
 Add signal rules and make sure the parser encodes support for them
 if the supported feature set reports supporting them.

Acked-by: Seth Arnold seth.arn...@canonical.com

Would it make more sense to put exists as entry 0 in the following
tables? It is exercised by sending signal 0, so it'd make more sense to me
to pick the userspace number here.

Thanks


 +/* Signal names mapped to and internal ordering */
 +static struct signal_map { const char *name; int num; } signal_map[] = {
 + {hup, 1},
 + {int, 2},
 + {quit,3},
 + {ill, 4},
 + {trap,5},
 + {abrt,6},
 + {bus, 7},
 + {fpe, 8},
 + {kill,9},
 + {usr1,10},
 + {segv,11},
 + {usr2,12},
 + {pipe,13},
 + {alrm,14},
 + {term,15},
 + {stkflt,  16},
 + {chld,17},
 + {cont,18},
 + {stop,19},
 + {stp, 20},
 + {ttin,21},
 + {ttou,22},
 + {urg, 23},
 + {xcpu,24},
 + {xfsz,25},
 + {vtalrm,  26},
 + {prof,27},
 + {winch,   28},
 + {io,  29},
 + {pwr, 30},
 + {sys, 31},
 + {emt, 32},
 + {exists,  35},
 +
 + /* terminate */
 + {NULL,  0}
 +};
 +
 +/* this table is ordered post sig_map[sig] mapping */
 +static const char *const sig_names[MAXMAPPED_SIG + 1] = {
 + unknown,
 + hup,
 + int,
 + quit,
 + ill,
 + trap,
 + abrt,
 + bus,
 + fpe,
 + kill,
 + usr1,
 + segv,
 + usr2,
 + pipe,
 + alrm,
 + term,
 + stkflt,
 + chld,
 + cont,
 + stop,
 + stp,
 + ttin,
 + ttou,
 + urg,
 + xcpu,
 + xfsz,
 + vtalrm,
 + prof,
 + winch,
 + io,
 + pwr,
 + sys,
 + emt,
 + lost,
 + unused,
 +
 + exists,   /* always last existance test mapped to MAXMAPPED_SIG */
 +};
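Review bot: `signal_map` jumps from `emt` at 32 to `exists` at 35, so the names `lost` (33) and `unused` (34) present in `sig_names` can be produced when decoding but can never be written in a rule; if that gap is intended, a comment on it would help, otherwise add the two entries. Two typos in the comments while here: "mapped to and internal ordering" should read "an internal ordering", and "existance" should be "existence".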





Re: [apparmor] [patch 02/26] Add stub rules to indicate compilation support for given features.

2014-04-18 Thread Seth Arnold
On Tue, Apr 15, 2014 at 10:22:09AM -0700, john.johan...@canonical.com wrote:
 Policy enforcement needs to be able to support older userspaces and
 compilers that don't know about new features. The absence of a feature
 in the policydb indicates that feature mediation is not present for
 it.
 
 We add stub rules, that provide a non-0 start state for features that
 are supported at compile time. This can be used by the kernel to
 indicate that it should enforce a given feature. This does not indicate
 the feature is allowed; in the absence of other rules for the feature
 the feature will be denied.
 
 Note: this will break the minimize tests when run with kernels that
   support mount or dbus rules. A patch to specify these features to
   the parser is needed to fix this.
 
 Signed-off-by: John Johansen john.johan...@canonical.com
 Acked-by: Steve Beattie st...@nxnw.org

Acked-by: Seth Arnold seth.arn...@canonical.com

Thanks

 
 ---
  parser/parser_regex.c |   20 
  1 file changed, 20 insertions(+)
 
 --- 2.9-test.orig/parser/parser_regex.c
 +++ 2.9-test/parser/parser_regex.c
 @@ -673,6 +673,12 @@
   return TRUE;
  }
  
 +#define MAKE_STR(X) #X
 +#define CLASS_STR(X) \\d MAKE_STR(X)
 +
 +static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
 +static const char *mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);
 +
  int process_profile_policydb(Profile *prof)
  {
   int error = -1;
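Review bot: `CLASS_STR(X)` only yields the numeric class because the argument is macro-expanded while passing through the outer macro before `MAKE_STR` stringizes it with `#X`; a one-line comment saying the two-level macro is deliberate would stop someone from "simplifying" it into a single `#X` macro, which would embed the text `AA_CLASS_MOUNT` in the stub pattern and silently break feature detection.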
 @@ -684,6 +690,20 @@
   if (!post_process_policydb_ents(prof))
   goto out;
  
 + /* insert entries to show indicate what compiler/policy expects
 +  * to be supported
 +  */
 +
 + if (kernel_supports_mount) {
 + if (!aare_add_rule(prof-policy.rules, mediates_mount, 0, 
 AA_MAY_READ, 0, dfaflags))
 + goto out;
 + prof-policy.count++;
 + }
 + if (kernel_supports_dbus) {
 + if (!aare_add_rule(prof-policy.rules, mediates_dbus, 0, 
 AA_MAY_READ, 0, dfaflags))
 + goto out;
 + prof-policy.count++;
 + }
   if (prof-policy.count  0) {
   prof-policy.dfa = aare_create_dfa(prof-policy.rules,
 prof-policy.size,
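Review bot: the mount and dbus blocks are identical apart from the pattern string, and this series adds signal and ptrace mediation in later patches; a small helper that adds one stub rule and bumps the policy rule count would keep this from growing into four copies with the same `goto out` handling. The comment "insert entries to show indicate what compiler/policy expects to be supported" has a stray word ("show indicate").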
 
 




Re: [apparmor] [patch 18/26] fix: the what names can treated as a condlistid

2014-04-18 Thread Seth Arnold
On Tue, Apr 15, 2014 at 10:22:25AM -0700, john.johan...@canonical.com wrote:
 The match
   {VARIABLE_NAME}/{WS}*={WS}*\(
 
 is too broad, causing mount and dbus rules to fail for sets of values, e.g.
 
   mount options=(ro bind)
 
 Instead of doing a broad match, for now let's lock it down to just
 peer=(...) being the only cond that can cause entry into CONDLISTID
 
 Signed-off-by: John Johansen john.johan...@canonical.com

Acked-by: Seth Arnold seth.arn...@canonical.com

Thanks

 
 ---
  parser/dbus.c|   22 ++
  parser/parser.h  |8 
  parser/parser_lex.l  |   18 ++
  parser/parser_misc.c |   11 +++
  parser/parser_yacc.y |   25 ++---
  parser/signal.c  |7 ---
  parser/signal.h  |2 +-
  7 files changed, 54 insertions(+), 39 deletions(-)
 
 --- 2.9-test.orig/parser/dbus.c
 +++ 2.9-test/parser/dbus.c
 @@ -38,16 +38,6 @@
   return parse_X_mode(DBus, AA_VALID_DBUS_PERMS, str_mode, mode, fail);
  }
  
 -static void move_conditional_value(char **dst_ptr, struct cond_entry 
 *cond_ent)
 -{
 - if (*dst_ptr)
 - yyerror(dbus conditional \%s\ can only be specified once\n,
 - cond_ent-name);
 -
 - *dst_ptr = cond_ent-vals-value;
 - cond_ent-vals-value = NULL;
 -}
 -
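Review bot: the static `move_conditional_value` is removed here and the call sites below switch to a three-argument form with the rule name first, but the replacement definition is not in the visible hunks (parser_misc.c is in the diffstat). Confirm that it keeps the "can only be specified once" check with the rule name substituted into the message; without it a repeated `bus=` or `name=` conditional would overwrite the earlier value without an error.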
  void dbus_rule::move_conditionals(struct cond_entry *conds)
  {
   struct cond_entry *cond_ent;
 @@ -61,17 +51,17 @@
   cond_ent-name);
  
   if (strcmp(cond_ent-name, bus) == 0) {
 - move_conditional_value(bus, cond_ent);
 + move_conditional_value(dbus, bus, cond_ent);
   } else if (strcmp(cond_ent-name, name) == 0) {
 - move_conditional_value(name, cond_ent);
 + move_conditional_value(dbus, name, cond_ent);
   } else if (strcmp(cond_ent-name, label) == 0) {
 - move_conditional_value(peer_label, cond_ent);
 + move_conditional_value(dbus, peer_label, cond_ent);
   } else if (strcmp(cond_ent-name, path) == 0) {
 - move_conditional_value(path, cond_ent);
 + move_conditional_value(dbus, path, cond_ent);
   } else if (strcmp(cond_ent-name, interface) == 0) {
 - move_conditional_value(interface, cond_ent);
 + move_conditional_value(dbus, interface, cond_ent);
   } else if (strcmp(cond_ent-name, member) == 0) {
 - move_conditional_value(member, cond_ent);
 + move_conditional_value(dbus, member, cond_ent);
   } else {
   yyerror(invalid dbus conditional \%s\\n,
   cond_ent-name);
 --- 2.9-test.orig/parser/parser.h
 +++ 2.9-test/parser/parser.h
 @@ -78,6 +78,12 @@
   struct cond_entry *next;
  };
  
 +struct cond_entry_list {
 + char *name;
 +
 + struct cond_entry *list;
 +};
 +
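Review bot: nothing in the visible hunks reads `struct cond_entry_list`; if it is consumed by parser_yacc.y (in the diffstat but not shown here) that is fine, otherwise it is an unused type that should be dropped from this patch or moved to the one that uses it.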
  struct cod_entry {
   char *ns;
   char *name;
 @@ -362,6 +368,8 @@
  extern void free_value_list(struct value_list *list);
  extern void print_value_list(struct value_list *list);
  extern struct cond_entry *new_cond_entry(char *name, int eq, struct 
 value_list *list);
 +extern void move_conditional_value(const char *rulename, char **dst_ptr,
 +struct cond_entry *cond_ent);
  extern void free_cond_entry(struct cond_entry *ent);
  extern void free_cond_list(struct cond_entry *ents);
  extern void print_cond_entry(struct cond_entry *ent);
 --- 2.9-test.orig/parser/parser_lex.l
 +++ 2.9-test/parser/parser_lex.l
 @@ -295,19 +295,21 @@
  }
  
  INITIAL,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
 + {VARIABLE_NAME}/{WS}*={WS}*\(   {
 + /* we match to the = in the lexer so that we can switch scanner
 +  * state.  By the time the parser see the = it may be too late
 +  * as bison may have requested the next token from the scanner
 +  */
 + yylval.id = processid(yytext, yyleng);
 + PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID);
 + }
   {VARIABLE_NAME}/{WS}*=  {
   /* we match to the = in the lexer so that we can switch scanner
* state.  By the time the parser see the = it may be too late
* as bison may have requested the next token from the scanner
*/
 - int token = get_keyword_token(yytext);
 -
 - if (token == TOK_PEER) {
 - PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID);
 - } else {
 - yylval.id = processid(yytext, yyleng);
 - PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
 - }
 + yylval.id = processid(yytext, yyleng);
 + PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
   }
   {VARIABLE_NAME}/{WS}+in{WS}*\(  {
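Review bot: the commit message says the match is being locked down to `peer=(...)`, but this hunk does the opposite: it adds an unconditional `{VARIABLE_NAME}/{WS}*={WS}*\(` rule that sends every `name=(` into CONDLISTID, which is exactly the broad match the message blames for breaking `mount options=(ro bind)`; the old code at least only did so for `TOK_PEER`. Patch 19/26 in this series replaces the rule with a literal `peer`, so either squash the two or reword this message to describe what this hunk actually changes.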
   

Re: [apparmor] [patch 19/26] fix: the what conditional names can be a condlistid

2014-04-18 Thread Seth Arnold
On Tue, Apr 15, 2014 at 10:22:26AM -0700, john.johan...@canonical.com wrote:
 The match
   {VARIABLE_NAME}/{WS}*={WS}*\(
 
 is too broad, causing mount and dbus rules to fail for sets of values, e.g.
 
   mount options=(ro bind)
 
 Instead of doing a broad match, for now let's lock it down to just
 peer=(...) being the only cond that can cause entry into CONDLISTID
 
 Signed-off-by: John Johansen john.johan...@canonical.com

Acked-by: Seth Arnold seth.arn...@canonical.com

Thanks

 ---
  parser/parser_lex.l |2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 --- 2.9-test.orig/parser/parser_lex.l
 +++ 2.9-test/parser/parser_lex.l
 @@ -295,7 +295,7 @@
  }
  
  INITIAL,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
 - {VARIABLE_NAME}/{WS}*={WS}*\(   {
 + peer/{WS}*={WS}*\(  {
   /* we match to the = in the lexer so that we can switch scanner
* state.  By the time the parser see the = it may be too late
* as bison may have requested the next token from the scanner
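Review bot: keying the rule on the literal `peer` means `mount options=(ro bind)` now falls through to the `{VARIABLE_NAME}/{WS}*=` rule and is tokenised as an ordinary conditional, which is what the message wants. The commit message itself is a copy of 18/26's and describes the combined effect rather than this one-line change; reword it (for example "restrict the CONDLISTID match to peer") so the history reads correctly.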
 
 




Re: [apparmor] [patch 17/26] Add the ability to mediate signals.

2014-04-18 Thread John Johansen
On 04/18/2014 04:38 PM, Seth Arnold wrote:
 On Tue, Apr 15, 2014 at 10:22:24AM -0700, john.johan...@canonical.com wrote:
 Add signal rules and make sure the parser encodes support for them
 if the supported feature set reports supporting them.
 
 Acked-by: Seth Arnold seth.arn...@canonical.com
 
 Would it make more sense to put exists as entry 0 in the following
 tables? It is exercised by sending signal 0, so it'd make more sense to me
 to pick the userspace number here.
 
No. I considered doing this, and nearly did it. It is remapped higher for
a few reasons. Having it not be 0 allowed catching a few things during
dev, where a 0-initialized value was being passed through (remapping
after that could have been done). However, 0 is used in a lot of places
in the dfa to indicate a special transition between certain elements,
and I wanted to keep that flexibility here, if we ever decided to
use it.

Finally, the biggest reason being that, now that we have shipped it, having it
move back to 0 means an abi bump and more code to handle that.

Just think of it as internal coding. Userspace has to map to it and the
kernel maps to/from it. We have to do this for several types, like
rlimits, and signals which can have different positional values for
different architectures.





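John's reasoning about keeping slot 0 free, as an added example rather than the parser's code: the two tables from patch 17/26 with lookups in both directions, a kill(2)-number mapping that assumes x86 Linux signal numbering (the real kernel does this per architecture), and a completeness check showing how a zero-initialised rule is rejected instead of silently meaning `exists`. The function names and `struct signal_rule` are mine.

```c
/* Signal name <-> AppArmor internal signal index, as laid out in patch 17/26.
 * Index 0 is never a real signal, so a value that was never filled in
 * decodes as "unknown" instead of being taken for the existence test. */
#include <string.h>

#define MAXMAPPED_SIG 35

/* internal index -> name; slot 0 is deliberately not a signal */
static const char *const sig_names[MAXMAPPED_SIG + 1] = {
    "unknown",
    "hup",  "int",    "quit", "ill",   "trap", "abrt", "bus", "fpe",
    "kill", "usr1",   "segv", "usr2",  "pipe", "alrm", "term", "stkflt",
    "chld", "cont",   "stop", "stp",   "ttin", "ttou", "urg", "xcpu",
    "xfsz", "vtalrm", "prof", "winch", "io",   "pwr",  "sys", "emt",
    "lost", "unused",
    "exists",   /* always last: existence test mapped to MAXMAPPED_SIG */
};

/* name as written in a rule -> internal index, 0 when unknown */
int signal_name_to_mapped(const char *name)
{
    for (int i = 1; i <= MAXMAPPED_SIG; i++)
        if (strcmp(sig_names[i], name) == 0)
            return i;
    return 0;
}

/* internal index -> name, "unknown" for 0 or anything out of range */
const char *signal_mapped_to_name(int mapped)
{
    if (mapped < 1 || mapped > MAXMAPPED_SIG)
        return sig_names[0];
    return sig_names[mapped];
}

/* kill(2)-style number -> internal index.  ASSUMPTION: x86 Linux numbering,
 * where 1..31 (SIGHUP..SIGSYS) coincide with the table above; the kernel
 * does this per architecture.  Signal 0 is the "does this pid exist" probe,
 * which AppArmor mediates as the separate "exists" permission at the top
 * slot rather than at 0. */
int signal_number_to_mapped(int sig)
{
    if (sig == 0)
        return MAXMAPPED_SIG;
    if (sig >= 1 && sig <= 31)
        return sig;
    return 0;
}

/* The sentinel at work (hypothetical rule struct): a zero-initialised rule
 * was never given a signal, and this check rejects it. */
struct signal_rule { int mapped; int deny; };

int signal_rule_is_complete(const struct signal_rule *r)
{
    return r->mapped >= 1 && r->mapped <= MAXMAPPED_SIG;
}
```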


Re: [apparmor] [patch 20/26] Add the ability to specify ptrace rules

2014-04-18 Thread Seth Arnold
On Tue, Apr 15, 2014 at 10:22:27AM -0700, john.johan...@canonical.com wrote:
 ptrace rules currently take the form of
 
   ptrace [ptrace_perms] [peer_profile_name],
   ptrace_perm := read|trace|readby|tracedby
   ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
 
 After having used the cross check (permission needed in both profiles)
 I am not sure it is correct for ptrace.
 
 Signed-off-by: John Johansen john.johan...@canonical.com

Acked-by: Seth Arnold seth.arn...@canonical.com

Thanks

 
 ---
  parser/Makefile|7 +-
  parser/parser.h|1 
  parser/parser_common.c |1 
  parser/parser_lex.l|   25 ++-
  parser/parser_main.c   |2 
  parser/parser_misc.c   |3 
  parser/parser_regex.c  |4 +
  parser/parser_yacc.y   |   73 ++
  parser/ptrace.c|  159 
 +
  parser/ptrace.h|   52 
  10 files changed, 320 insertions(+), 7 deletions(-)
 
 --- 2.9-test.orig/parser/Makefile
 +++ 2.9-test/parser/Makefile
 @@ -80,9 +80,9 @@
 parser_main.c parser_misc.c parser_merge.c parser_symtab.c \
 parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
 parser_alias.c mount.c dbus.c lib.c profile.cc rule.c common_optarg.c 
 \
 -   signal.c
 +   signal.c ptrace.c
  HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
 -   rule.h common_optarg.h signal.h
 +   rule.h common_optarg.h signal.h ptrace.h
  TOOLS = apparmor_parser
  
  OBJECTS = $(SRCS:.c=.o)
 @@ -248,6 +248,9 @@
  signal.o: signal.c signal.h parser.h immunix.h parser_yacc.h rule.h 
 $(APPARMOR_H)
   $(CXX) $(EXTRA_CFLAGS) -c -o $@ $
  
 +ptrace.o: ptrace.c ptrace.h parser.h immunix.h parser_yacc.h rule.h 
 $(APPARMOR_H)
 + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $
 +
  profile.o: profile.cc profile.h parser.h
   $(CXX) $(EXTRA_CFLAGS) -c -o $@ $
  
 --- 2.9-test.orig/parser/parser.h
 +++ 2.9-test/parser/parser.h
 @@ -305,6 +305,7 @@
  extern int kernel_supports_mount;
  extern int kernel_supports_dbus;
  extern int kernel_supports_signal;
 +extern int kernel_supports_ptrace;
  extern int conf_verbose;
  extern int conf_quiet;
  extern int names_only;
 --- 2.9-test.orig/parser/parser_common.c
 +++ 2.9-test/parser/parser_common.c
 @@ -72,6 +72,7 @@
  int kernel_supports_dbus = 0;/* kernel supports dbus rules */
  int kernel_supports_diff_encode = 0; /* kernel supports diff_encode */
  int kernel_supports_signal = 0;  /* kernel supports signal rules 
 */
 +int kernel_supports_ptrace = 0;  /* kernel supports ptrace rules 
 */
  int conf_verbose = 0;
  int conf_quiet = 0;
  int names_only = 0;
 --- 2.9-test.orig/parser/parser_lex.l
 +++ 2.9-test/parser/parser_lex.l
 @@ -254,6 +254,7 @@
  %x MOUNT_MODE
  %x DBUS_MODE
  %x SIGNAL_MODE
 +%x PTRACE_MODE
  %x CHANGE_PROFILE_MODE
  %x INCLUDE
  
 @@ -268,7 +269,7 @@
   }
  %}
  
 -INITIAL,INCLUDE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
 +INITIAL,INCLUDE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE{
   {WS}+   {  DUMP_PREPROCESS; /* Ignoring whitespace */ }
  }
  
 @@ -294,7 +295,7 @@
   yyterminate();
  }
  
 -INITIAL,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
 +INITIAL,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE{
   peer/{WS}*={WS}*\(  {
   /* we match to the = in the lexer so that we can switch scanner
* state.  By the time the parser see the = it may be too late
 @@ -472,6 +473,15 @@
  DBUS_MODE,SIGNAL_MODE{
   send{ RETURN_TOKEN(TOK_SEND); }
   receive { RETURN_TOKEN(TOK_RECEIVE); }
 +}
 +
 +PTRACE_MODE{
 + trace   { RETURN_TOKEN(TOK_TRACE); }
 + readby  { RETURN_TOKEN(TOK_READBY); }
 + tracedby{ RETURN_TOKEN(TOK_TRACEDBY); }
 +}
 +
 +DBUS_MODE,SIGNAL_MODE,PTRACE_MODE{
   read{ RETURN_TOKEN(TOK_READ); }
   write   { RETURN_TOKEN(TOK_WRITE); }
   {OPEN_PAREN}{
 @@ -483,9 +493,11 @@
   }
  }
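Review bot: grouping `read` and `write` under `DBUS_MODE,SIGNAL_MODE,PTRACE_MODE` makes the lexer hand TOK_WRITE to ptrace rules, while the grammar in the commit message lists only `read|trace|readby|tracedby`; either keep `write` in a `DBUS_MODE,SIGNAL_MODE` group so it is rejected as an unknown token in ptrace rules, or make sure the yacc grammar rejects it there with a clear error.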
  
 -MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
 +MOUNT_MODE{
   {ARROW} { RETURN_TOKEN(TOK_ARROW); }
 +}
  
 +MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE{
   ({IDS_NOEQ}|{PATHNAME}|{QUOTED_ID}) {
   yylval.id = processid(yytext, yyleng);
   RETURN_TOKEN(TOK_ID);
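Review bot: `{ARROW}` is dropped from DBUS_MODE and SIGNAL_MODE here, a behaviour change for those rule types that the commit message (which is about adding ptrace) does not mention; if no dbus or signal grammar uses `->`, say so in the message, otherwise keep the previous start-condition list for the arrow rule.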
 @@ -575,13 +587,15 @@
   case TOK_SIGNAL:
   state = SIGNAL_MODE;
   break;
 + case TOK_PTRACE:
 + state = PTRACE_MODE;
   default: /* nothing */
   break;
   }
   PUSH_AND_RETURN(state, token);
  }
  
 -INITIAL,NETWORK_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE{
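Review bot: `case TOK_PTRACE:` sets `state = PTRACE_MODE;` and then falls through into `default:`; that is harmless today because `default` only breaks, but the neighbouring `case TOK_SIGNAL:` ends with `break;`, so add one here for consistency and so the fall-through does not become a bug if `default` ever does more.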
 

Re: [apparmor] [patch 17/26] Add the ability to mediate signals.

2014-04-18 Thread Seth Arnold
On Fri, Apr 18, 2014 at 05:03:08PM -0700, John Johansen wrote:
 No. I considered doing this, and nearly did it. It is remapped higher for
 a few reasons. Having it not be 0 allowed catching a few things during
 dev, where a 0-initialized value was being passed through (remapping
 after that could have been done). However, 0 is used in a lot of places
 in the dfa to indicate a special transition between certain elements,
 and I wanted to keep that flexibility here, if we ever decided to
 use it.

Ah, I like the catching errors approach..

 Finally the biggest reason being now that we have shipped it having it
 move back to 0 means an abi bump and more code to handle that.

... and I had figured this would be the response. :)

Thanks

