Re: [apparmor] AppArmor APIs
On 12/14/2015 02:49 PM, Seth Arnold wrote: > On Mon, Dec 14, 2015 at 03:44:56PM +, Colin Ian King wrote: >> I'm looking at writing some stress tests for AppArmor, so I'd like to >> construct some simple rules and insert/remove them. I looked for some >> API documentation, but all I can find is: >> >> http://wiki.apparmor.net/index.php/AppArmorAPIs > > Excellent, thanks! > >> Are there any API docs, guides or worked examples for libaaparse and >> libapparmor? > > libaaparse doesn't yet exist. There is work underway to make the > apparmor_parser suitable for use as a library but it is currently only > usable as an executable. > Actually it does, its pretty rudimentary though, but gen/logprof has been using it since 2.3. It consists of 2 fns parse_record and free_record > The simplest way to create rules, load, and unload would be something like > this: > > echo "profile profile_name /attachement/specification { /rules/ r, }" | \ > apparmor_parser --replace > > (I always use --replace because it's idempotent. --add is not.) > > echo "profile profile_name /attachment/specification { }" | \ > apparmor_parser --remove > sure, this is a parser level view. I think Colin is really looking to stress the underlying interfaces, which are in desperate need of documentation > If this is too onerous for integrating into stress-ng, then the next best > starting point is probably process_profile() in parser_main.c. That > orchestrates loading either a binary blob from the cache or the compiled > profile into the kernel. Since there's extensive use of global variables > in the parser it probably still makes sense to fork off new processes for > each use as needed. (Even this seems like it might be a lot of work > compared to stealing the 'interface' code from parser_interface.c and > using that on stress-ng-supplied binary blobs.) > the parser has decent documentation between man apparmor_parser man apparmor.d and apparmor_parser -h but yes the underlying code is a mess, and I don't see much point in documenting it until we are finished the transition (from C to more C++). Currently the front and mid are in the parser/ dir the main work is done in parser/libapparmor_re/ and with the loading being driven by the from in parser/ and libapparmor the bulk of the parser tests are either unit tests that are inlined unit tests and build by defining some macros. And tests under the tst/ dir which with simple_tests/ dir having profile syntax examples and other tests focused on other parts -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [PATCH] parser: Honor the --namespace-string commandline option
On Mon, Dec 14, 2015 at 05:21:40PM -0600, Tyler Hicks wrote: > https://launchpad.net/bugs/1526085 > > Revno 2934 'Add fns to handle profile removal to the kernel interface' > introduced a regression in the parser's namespace support by causing the > --namespace-string option to be ignored. This resulted in the profile(s) > being loaded into the global namespace rather than the namespace > specified on the command line. > > This patch fixes the bug by setting the Profile object's ns member, if > the --namespace-string option was specified, immediately after the > Profile object is allocated. > > Signed-off-by: Tyler HicksAcked-by: Seth Arnold Acked for both trunk and 2.10. Thanks > --- > > Nominated for 2.10 and trunk. > > Tyler > > parser/parser_yacc.y | 22 +- > 1 file changed, 17 insertions(+), 5 deletions(-) > > diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y > index d17eab9..2a48367 100644 > --- a/parser/parser_yacc.y > +++ b/parser/parser_yacc.y > @@ -318,6 +318,13 @@ profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules > TOK_CLOSE > yyerror(_("Memory allocation error.")); > } > > + /* Honor the --namespace-string command line option */ > + if (profile_ns) { > + prof->ns = strdup(profile_ns); > + if (!prof->ns) > + yyerror(_("Memory allocation error.")); > + } > + > prof->name = $1; > prof->attachment = $2; > if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0)) > @@ -351,12 +358,17 @@ profile: opt_profile_flag opt_ns profile_base > if ($3->name[0] != '/' && !($1 || $2)) > yyerror(_("Profile names must begin with a '/', > namespace or keyword 'profile' or 'hat'.")); > > - if ($2 && profile_ns) { > - pwarn("%s: -n %s overriding policy specified namespace > :%s:\n", progname, profile_ns, $2); > + if (prof->ns) { > + /** > + * Print warning if the profile specified a namespace > + * different than the one specified with the > + * --namespace-string commandline option > + */ > + if ($2 && strcmp(prof->ns, $2)) { > + pwarn("%s: -n %s overriding policy specified > namespace :%s:\n", > + progname, prof->ns, $2); > + } > free($2); > - prof->ns = strdup(profile_ns); > - if (!prof->ns) > - yyerror(_("Memory allocation error.")); > } else > prof->ns = $2; > if ($1 == 2) signature.asc Description: Digital signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] AppArmor APIs
On 12/14/2015 07:44 AM, Colin Ian King wrote: > Hi there, > > I'm looking at writing some stress tests for AppArmor, so I'd like to > construct some simple rules and insert/remove them. I looked for some > API documentation, but all I can find is: > > http://wiki.apparmor.net/index.php/AppArmorAPIs > > Are there any API docs, guides or worked examples for libaaparse and > libapparmor? > Hey Colin, sorry the interfaces aren't better documented. It is one of those perpetual todo items. There is a quick view of the basic apis bellow and I'll work on getting you some better docs The libapparmor api, is fairly well documented in the man pages (though it seems the cross refs to find them could stand to be updated) man aa_change_hat aa_change_hatv aa_change_hat_vargs man aa_change_profile aa_change_onexec man aa_getprocattr_raw aa_getprocattr aa_gettaskcon aa_getcon aa_getpeercon_raw aa_getpeercon man aa_splitcon man aa_features aa_features_new aa_features_new_from_string aa_features_new_from_kernel aa_features_ref aa_features_unref aa_features_write_to_file aa_features_is_equal aa_features_supports man aa_is_enabled aa_find_mountpoint man aa_kernel_interface aa_kernel_interface_new aa_kernel_interface_ref aa_kernel_interface_unref aa_kernel_interface_load_policy aa_kernel_interface_load_policy_from_file aa_kernel_interface_load_policy_from_fd aa_kernel_interface_replace_policy aa_kernel_interface_replace_policy_from_file aa_kernel_interface_replace_policy_from_fd aa_kernel_interface_remove_policy aa_kernel_interface_write_policy man aa_policy_cache aa_policy_cache_new aa_policy_cache_ref aa_policy_cache_unref aa_policy_cache_remove aa_policy_cache_replace_all man aa_query_label aa_query_file_path aa_query_file_path_len aa_query_link_path_len aa_query_link_path the logparsing doesn't seem to be documented at all :( The 2 exported functions are aa_log_record *parse_record(char *str) void free_record(aa_log_record *record) with aa_log_record being defined in include/aalogparse.h there are a fair number of log parsing tests in libraries/libapparmor/testsuite/ there are a set of private functions that a pseudo exported but being private apis may change at any time _aa_is_blacklisted; _aa_autofree; _aa_autoclose; _aa_autofclose; _aa_dirat_for_each; the apparmor_parser flags are fairly well documented in man apparmor_parser the lowlevel interfaces are not well documented at all reading of a sockets label is done via getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, ); read of a tasks label is done via /proc//attr/current read of a scheduled change at exec via /proc//attr/exec read of parent while in a hat /proc//attr/prev setting self label (another tasks label can not be directly set) is done by writing to /proc//attr/current setting of self label at exec (again another tasks is not allow) is done via writing to /proc//attr/exec the /proc//attr/ fscreate keycreate sockcreate files are currently not used the sock and proc/attr interface are limited to pagesize reads and writes atm the apparmor filesystem used for loading and introspecting policy is usually mounted at /sys/kernel/security/apparmor. Well its not really the apparmor filesystem anymore as it is a sub of the securityfs filesystem. Under this there is ls apparmor/ .access features .load .null policy profiles .remove .replace .access - is a file that allows querying permissions. I'll work on getting you some docs on its format profiles - flattened, virtualized view of what policy is visible to the inquiring task. I'll work on some better docs for you features - dir of features supported by the kernel (should be read only) policy - dir of policy currently visible (actually currently this is always from root policy ns, but ideally it should get virtualized (except doing that properly with the way the vfs is setup is impossible, so there will be something half assed for 16.04). This represents an expanded view of what is available in the profiles file, and is currently entirely read only. the hierarch is basically policy/namespaces/ #subnamespaces follow exactly same format as whats in policy /profiles/.uniq#/ name #name of profile attach #exec profile attachment mode #mode of profile sha1 #sha1 of
Re: [apparmor] [PATCH 4/4] dconf patch
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello, Here is another iteration of the patch set, including the kernel patch from June which went stale due to upstream changes over the past six months. Please review these and let me know of any revisions required as soon as possible since the work on the dconf side has already begun and is currently waiting on us. Thanks, Will On 10/06/2015 03:24 PM, Christian Boltz wrote: > Hello, > > Am Dienstag, 6. Oktober 2015 schrieb John Johansen: >> On 10/06/2015 11:05 AM, Christian Boltz wrote: >>> Am Dienstag, 6. Oktober 2015 schrieb John Johansen: diff --git a/parser/Makefile b/parser/Makefile index 1f0db8d..ec54f96 100644 --- a/parser/Makefile +++ b/parser/Makefile > ... >>> I know that list is chaotic already (probably for historical >>> reasons?), but what about sorting the HDRS files by alphabet? >>> (same question for SRCS and maybe some other file lists in the >>> Makefile) >> >> yeah we can get to doing something like that, once my make file >> patches land. > > Most of them are acked, so feel free to commit those ;-) I'd also > accept a *.h wildcard to make maintaining the Makefile easier. > >> This is based on work William did months ago and I am only now >> getting a reply out to. > > no problem ;-) > --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh +verify_binary_equality "dconf read" \ + "/t { dconf / r, }" \ +"/t { dconf / read, }" + +verify_binary_equality "dconf write" \ + "/t { dconf / w, }" \ + "/t { dconf / write, }" + +verify_binary_equality "dconf read-write" \ +"/t { dconf / rw, }" \ + "/t { dconf / wr, }" \ +"/t { dconf / readwrite, }" \ + "/t { dconf / writeread, }" \ + "/t { dconf / read-write, }" \ + "/t { dconf / write-read, }" \ +"/t { dconf / read_write, }" \ + "/t { dconf / write_read, }" > > BTW: I'd add another test here: "/t { dconf / r, dconf / w, }" > >>> Seriously? >>> >>> I have to admit that I don't really know dconf, but having 8 >>> different ways to allow read and write (one letter vs. word, no >>> separator vs - vs. _) is too much. We don't win anything with >>> it, but it makes implementation of the parser and the tools >>> more difficult than needed. >>> >>> IMHO the single-letter syntax we already use in file rules >>> ("rw" or "wr") is enough and will save us some headache. >> >> gah, no that was supposed to be cut out, notice in my intro >> reply that I moved it back to an apparmor style syntax. I must >> have either missed this block or missed git adding the change >> back into the patch > > Note that it's not only in the tests. The parsing code > (parser_lex.l) also allows "r(ead)?" and "w(rite)?", and maybe I > missed another place > > I also just noticed another interesting bit in parser_yacc.y [1] > > + | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable implies > readable */ } > > This sounds like surprising behaviour to me - does this really > make sense?,If yes, this needs to be documented in bold letters or > - IMHO better - rules with only w permissions should be rejected > as invalid to enforce that the profile always contains rw > permissions, not only w. > > > Regards, > > Christian Boltz > > [1] I should have read the patch a bit slower before writing the > previous mail ;-) > -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWboYEAAoJEGaNijJ4Mbw+QL8IAJZn4KlJBiYmsy+NQbNd732h be2h8oI5kh/OzH/PMaPWaJF0WJKWM78py/pHwby5Jvksptw8cpsjoEV7fl9PfoNZ RVrJ361YsgrEq0ibtVP9i4HqV+TUOCyrw7XNdJ+aWGO9kFaSSc5pPGyr0qo6otvI OP99BJatf3THi/Ou6qill4P+KmSMIHSHJrZmtvTHFc3wspKkkmK4wffKFgo/tBN+ gDM1Zn+CCGSqBAlTdzwIu57GPP5FB/zMx4Zn80l+wZ484QrQsktjZnVDJavoQCz3 Wb1he1V8+EQbP20LuQR43rmx1RqA8LN5NYINemsiqpxNs4eRpchvZU1QotSNCHY= =2ka8 -END PGP SIGNATURE- From 8378c86b0b9b602d92a78bd1dd354d34a9f6f492 Mon Sep 17 00:00:00 2001 From: William HuaDate: Mon, 14 Dec 2015 03:35:54 -0500 Subject: [PATCH] apparmor: add data query support --- security/apparmor/apparmorfs.c | 112 +++-- security/apparmor/include/policy.h | 18 +- security/apparmor/policy.c | 22 security/apparmor/policy_unpack.c | 63 + 4 files changed, 209 insertions(+), 6 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 8afb5f6..2cd4134 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -190,6 +190,94 @@ static const struct file_operations aa_fs_profile_remove = { }; /** + * query_data - queries a policy and writes its data to buf + * @buf: the resulting data is stored here (NOT NULL) + * @buf_len: size of buf + * @query: query string used to retrieve data + * @query_len: size of query including second NUL byte + * + * The buffers pointed to by buf and query may overlap. The query buffer is + * parsed
Re: [apparmor] [PATCH 4/4] dconf patch
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Just made one minor change to make dconf rules more consistent with other rules (parsing permissions after paths). On 12/14/2015 04:04 AM, William Hua wrote: > Hello, > > Here is another iteration of the patch set, including the kernel > patch from June which went stale due to upstream changes over the > past six months. Please review these and let me know of any > revisions required as soon as possible since the work on the dconf > side has already begun and is currently waiting on us. > > Thanks, Will > > > > On 10/06/2015 03:24 PM, Christian Boltz wrote: >> Hello, > >> Am Dienstag, 6. Oktober 2015 schrieb John Johansen: >>> On 10/06/2015 11:05 AM, Christian Boltz wrote: Am Dienstag, 6. Oktober 2015 schrieb John Johansen: > diff --git a/parser/Makefile b/parser/Makefile index > 1f0db8d..ec54f96 100644 --- a/parser/Makefile +++ > b/parser/Makefile >> ... I know that list is chaotic already (probably for historical reasons?), but what about sorting the HDRS files by alphabet? (same question for SRCS and maybe some other file lists in the Makefile) >>> >>> yeah we can get to doing something like that, once my make file >>> patches land. > >> Most of them are acked, so feel free to commit those ;-) I'd also >> accept a *.h wildcard to make maintaining the Makefile easier. > >>> This is based on work William did months ago and I am only now >>> getting a reply out to. > >> no problem ;-) > > --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh > > +verify_binary_equality "dconf read" \ + "/t { dconf / r, > }" \ +"/t { dconf / read, }" + +verify_binary_equality > "dconf write" \ + "/t { dconf / w, }" \ + "/t { dconf / > write, }" + +verify_binary_equality "dconf read-write" \ + > "/t { dconf / rw, }" \ + "/t { dconf / wr, }" \ +"/t { > dconf / readwrite, }" \ + "/t { dconf / writeread, }" \ + > "/t { dconf / read-write, }" \ + "/t { dconf / write-read, > }" \ +"/t { dconf / read_write, }" \ +"/t { dconf / > write_read, }" > >> BTW: I'd add another test here: "/t { dconf / r, dconf / w, }" > Seriously? I have to admit that I don't really know dconf, but having 8 different ways to allow read and write (one letter vs. word, no separator vs - vs. _) is too much. We don't win anything with it, but it makes implementation of the parser and the tools more difficult than needed. IMHO the single-letter syntax we already use in file rules ("rw" or "wr") is enough and will save us some headache. >>> >>> gah, no that was supposed to be cut out, notice in my intro >>> reply that I moved it back to an apparmor style syntax. I must >>> have either missed this block or missed git adding the change >>> back into the patch > >> Note that it's not only in the tests. The parsing code >> (parser_lex.l) also allows "r(ead)?" and "w(rite)?", and maybe I >> missed another place > >> I also just noticed another interesting bit in parser_yacc.y [1] > >> + | TOK_WRITE { $$ = AA_DCONF_READWRITE; /* writable >> implies readable */ } > >> This sounds like surprising behaviour to me - does this really >> make sense?,If yes, this needs to be documented in bold letters >> or - IMHO better - rules with only w permissions should be >> rejected as invalid to enforce that the profile always contains >> rw permissions, not only w. > > >> Regards, > >> Christian Boltz > >> [1] I should have read the patch a bit slower before writing the >> previous mail ;-) > > -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJWbu7ZAAoJEGaNijJ4Mbw+OXQH/3mBrwqseHh0+bROwc5K4CUT ke8NLSRm7W+yhU59XQ4R+9lsIUuqyZCJCsWz2gdDHjrq3wK/AjybIi4WAtnsZ1i1 2pXiZCNfwaBFZceMYwRztDa+jjJkyACzLfvMJ7aqP0qNF1Cq/i4ks1J/uyIGknhO k0gysuZhRa3fBCaWDgpwLBNL12i1WdvZ6pbJPSBS8fwQdEBjER5Ha+C3Rkxona+Q K1FrA6j6mq+b6yIBmIhAtp4T7KoZ1zlJrf8HORFgAI3UCqqHQLoX/s3gxjoRH66t 1yA4BuISHcBfKmpw/yjt+kka9N5guoXmpgHfgUN4e4UZSqlrcg49XUtDnLfAi20= =pCp3 -END PGP SIGNATURE- >From 8378c86b0b9b602d92a78bd1dd354d34a9f6f492 Mon Sep 17 00:00:00 2001 From: William HuaDate: Mon, 14 Dec 2015 03:35:54 -0500 Subject: [PATCH] apparmor: add data query support --- security/apparmor/apparmorfs.c | 112 +++-- security/apparmor/include/policy.h | 18 +- security/apparmor/policy.c | 22 security/apparmor/policy_unpack.c | 63 + 4 files changed, 209 insertions(+), 6 deletions(-) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 8afb5f6..2cd4134 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -190,6 +190,94 @@ static const struct file_operations aa_fs_profile_remove = { }; /** + * query_data - queries a policy and writes its data to buf + * @buf: the resulting data is stored
[apparmor] AppArmor APIs
Hi there, I'm looking at writing some stress tests for AppArmor, so I'd like to construct some simple rules and insert/remove them. I looked for some API documentation, but all I can find is: http://wiki.apparmor.net/index.php/AppArmorAPIs Are there any API docs, guides or worked examples for libaaparse and libapparmor? Colin -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] AppArmor APIs
On Mon, Dec 14, 2015 at 03:44:56PM +, Colin Ian King wrote: > I'm looking at writing some stress tests for AppArmor, so I'd like to > construct some simple rules and insert/remove them. I looked for some > API documentation, but all I can find is: > > http://wiki.apparmor.net/index.php/AppArmorAPIs Excellent, thanks! > Are there any API docs, guides or worked examples for libaaparse and > libapparmor? libaaparse doesn't yet exist. There is work underway to make the apparmor_parser suitable for use as a library but it is currently only usable as an executable. The simplest way to create rules, load, and unload would be something like this: echo "profile profile_name /attachement/specification { /rules/ r, }" | \ apparmor_parser --replace (I always use --replace because it's idempotent. --add is not.) echo "profile profile_name /attachment/specification { }" | \ apparmor_parser --remove If this is too onerous for integrating into stress-ng, then the next best starting point is probably process_profile() in parser_main.c. That orchestrates loading either a binary blob from the cache or the compiled profile into the kernel. Since there's extensive use of global variables in the parser it probably still makes sense to fork off new processes for each use as needed. (Even this seems like it might be a lot of work compared to stealing the 'interface' code from parser_interface.c and using that on stress-ng-supplied binary blobs.) libapparmor is in better shape: the aa_change_hat(), aa_change_profile() and aa_change_onexec() calls are documented in manpages in libapparmor-dev. Thanks signature.asc Description: Digital signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
[apparmor] [PATCH] parser: Honor the --namespace-string commandline option
https://launchpad.net/bugs/1526085 Revno 2934 'Add fns to handle profile removal to the kernel interface' introduced a regression in the parser's namespace support by causing the --namespace-string option to be ignored. This resulted in the profile(s) being loaded into the global namespace rather than the namespace specified on the command line. This patch fixes the bug by setting the Profile object's ns member, if the --namespace-string option was specified, immediately after the Profile object is allocated. Signed-off-by: Tyler Hicks--- Nominated for 2.10 and trunk. Tyler parser/parser_yacc.y | 22 +- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index d17eab9..2a48367 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -318,6 +318,13 @@ profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules TOK_CLOSE yyerror(_("Memory allocation error.")); } + /* Honor the --namespace-string command line option */ + if (profile_ns) { + prof->ns = strdup(profile_ns); + if (!prof->ns) + yyerror(_("Memory allocation error.")); + } + prof->name = $1; prof->attachment = $2; if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0)) @@ -351,12 +358,17 @@ profile: opt_profile_flag opt_ns profile_base if ($3->name[0] != '/' && !($1 || $2)) yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'.")); - if ($2 && profile_ns) { - pwarn("%s: -n %s overriding policy specified namespace :%s:\n", progname, profile_ns, $2); + if (prof->ns) { + /** +* Print warning if the profile specified a namespace +* different than the one specified with the +* --namespace-string commandline option +*/ + if ($2 && strcmp(prof->ns, $2)) { + pwarn("%s: -n %s overriding policy specified namespace :%s:\n", + progname, prof->ns, $2); + } free($2); - prof->ns = strdup(profile_ns); - if (!prof->ns) - yyerror(_("Memory allocation error.")); } else prof->ns = $2; if ($1 == 2) -- 2.5.0 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor