Re: [apparmor] [patch 11/11] utils: add simple parsing of multi-line rules

2014-03-07 Thread Christian Boltz
Hello, On Thursday, 6 March 2014, Steve Beattie wrote: On Thu, Mar 06, 2014 at 10:10:16PM +0100, Christian Boltz wrote: On Wednesday, 5 March 2014, Steve Beattie wrote: D-Bus rules in particular seem to get written as multi-line rules. This patch adds very simple hackish support for

[apparmor] [patch 01/24] Remove the old unused ptrace code that snuck in years ago.

2014-03-07 Thread john . johansen
It was never used, never supported, and we are doing it differently now. Signed-off-by: John Johansen john.johan...@canonical.com --- parser/immunix.h |7 +-- parser/parser_alias.c |3 +-- parser/parser_merge.c |6 -- parser/parser_regex.c | 15 ---

[apparmor] [patch 09/24] fix: network detection

2014-03-07 Thread john . johansen
The features file patch broke detection of network support. Signed-off-by: John Johansen john.johan...@canonical.com --- parser/parser_common.c |2 +- parser/parser_main.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- 2.9-test.orig/parser/parser_common.c +++

[apparmor] [patch 06/24] Add stub rules to indicate compilation support for given features.

2014-03-07 Thread john . johansen
Policy enforcement needs to be able to support older userspaces and compilers that don't know about new features. The absence of a feature in the policydb indicates that feature mediation is not present for it. We add stub rules, that provide a non-0 start state for features that are supported

[apparmor] [patch 10/24] Convert aare_rules into a class

2014-03-07 Thread john . johansen
This cleans things up a bit and fixes a bug where not all rules are getting properly counted so that the addition of policy_mediation rules fails to generate the policy dfa in some cases. Because the policy dfa is being generated correctly now we need to fix some tests to use the new -M flag to

[apparmor] [patch 08/24] Hack rework of the feature/match file support

2014-03-07 Thread john . johansen
This is not the cleanup this code needs, but a quick hack to add the -M flag so we can specify a feature file (or directory) to use for the compile. It mostly just moves around existing code and adds the -M option, though it does introduce a few changes. While I didn't do it in this patch I

[apparmor] [patch 12/24] Add the ability to separate policy_version from kernel and parser abi

2014-03-07 Thread john . johansen
This will allow for the parser to invalidate its caches separately from whether the kernel policy version has changed. This can be desirable if a parser bug is discovered, a new version of the parser is shipped and we need to force cache files to be regenerated. Policy currently stores a 32 bit version

[apparmor] [patch 16/24] A few fixes/improvements to the lexer debug output

2014-03-07 Thread john . johansen
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/parser_lex.l | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) --- 2.9-test.orig/parser/parser_lex.l +++ 2.9-test/parser/parser_lex.l @@ -52,7 +52,7 @@ /* #define DEBUG */ #ifdef DEBUG static int

[apparmor] [patch 13/24] Don't use the parser time stamp to determine if policy is newer.

2014-03-07 Thread john . johansen
Using the parser timestamp was a workaround to force recompilation of policy that was built with a buggy parser. There are better ways to handle this so remove checking of the parser timestamp. Signed-off-by: John Johansen john.johan...@canonical.com --- parser/parser_main.c |7 ---

[apparmor] [patch 14/24] add label class to the policydb

2014-03-07 Thread john . johansen
The label class is used to look up object permissions based off of label alone when the labeling is not path dependent. Some rules will not generate label entries, some will generate only label entries and some will generate both label and path entries. This is left to the particular rule

[apparmor] [patch 11/24] Add tag indicating file policy is mediated.

2014-03-07 Thread john . johansen
Tag start of entries in the policydb as being mediated. This makes the start state for any class being mediated be non-0. The kernel can detect this to determine whether the parser expected mediation for the class. This is just a way of encoding what features expect mediation within the policydb

[apparmor] [patch 19/24] Move buffer management for the interface to C++ ostringstream class

2014-03-07 Thread john . johansen
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/parser.h |5 parser/parser_interface.c | 510 +- parser/parser_policy.c|8 3 files changed, 151 insertions(+), 372 deletions(-) ---

[apparmor] [patch 23/24] Make dbus tests be conditionally run based on pkg-config

2014-03-07 Thread john . johansen
The addition of the dbus tests requires dbus dev libraries be installed to run the test suite. This is not always desirable or even possible. So make building and running the dbus tests conditional on the pkg-config info from those libs. If they are not present, output a message about skipping the

[apparmor] [patch 22/24] Move feature handling code into its own file

2014-03-07 Thread john . johansen
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/Makefile |7 + parser/features.c| 214 +++ parser/features.h| 22 + parser/parser_main.c | 192 - 4 files

[apparmor] [patch 21/24] Split dfa optimization and dump flag handling into a separate file so that it can be shared with DFA test programs

2014-03-07 Thread john . johansen
Signed-off-by: John Johansen john.johan...@canonical.com --- parser/Makefile|7 +- parser/common_optarg.c | 170 + parser/common_optarg.h | 47 + parser/parser.h|1 parser/parser_main.c | 157

[apparmor] [patch 17/24] Add the ability to specify ptrace rules

2014-03-07 Thread john . johansen
ptrace rules currently take the form of ptrace [ptrace_perms] [peer_profile_name], ptrace_perm := read|trace|readby|tracedby ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')' After having used the cross check (permission needed in both profiles) I am not sure it is correct for ptrace.

Re: [apparmor] [patch 11/11] utils: add simple parsing of multi-line rules

2014-03-07 Thread Steve Beattie
On Fri, Mar 07, 2014 at 01:49:54PM +0100, Christian Boltz wrote: I found another evil testcase: parser/tst/simple_tests/vars/vars_alternation_3.sd (and I'm slightly ;-) surprised about EXRESULT PASS - I wouldn't be surprised if it breaks the tools) As an aside, one of my future goals is to