On 04/15/2014 07:06 PM, Seth Arnold wrote:
> On Tue, Apr 15, 2014 at 10:22:13AM -0700, john.johan...@canonical.com wrote:
>> This cleans things up a bit and fixes a bug where not all rules are
>> getting properly counted so that the addition of policy_mediation
>> rules fails to generate the policy
On Tue, Apr 15, 2014 at 10:22:13AM -0700, john.johan...@canonical.com wrote:
> This cleans things up a bit and fixes a bug where not all rules are
> getting properly counted so that the addition of policy_mediation
> rules fails to generate the policy dfa in some cases.
>
> Because the policy dfa
On Tue, Apr 15, 2014 at 10:22:12AM -0700, john.johan...@canonical.com wrote:
> The features file patch broke detection of network support.
>
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
> ---
> parser/parser_common.c |2 +-
> parser/parser_main.c |2 +-
> 2 files cha
On Tue, Apr 15, 2014 at 05:11:10PM -0700, John Johansen wrote:
> we could do
>
> if (prof->policy.count > 0) {
> prof->policy.dfa = aare_create_dfa(prof->policy.rules,
> &prof->policy.size,
>
On Tue, Apr 15, 2014 at 10:22:11AM -0700, john.johan...@canonical.com wrote:
> This is not the cleanup this code needs, but a quick hack to add the
> -M flag so we can specify a feature file (or directory) to use for
> the compile.
>
> It mostly just moves around existing code and adds the -M opti
On 04/15/2014 04:48 PM, Seth Arnold wrote:
> On Tue, Apr 15, 2014 at 10:22:10AM -0700, john.johan...@canonical.com wrote:
>> Signed-off-by: John Johansen
>> Acked-by: Steve Beattie
>>
>
> There's a lot of extra code duplication here. I don't particularly like
> the way this thing turned out.. it
On Tue, Apr 15, 2014 at 10:22:10AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
> Acked-by: Steve Beattie
>
There's a lot of extra code duplication here. I don't particularly like
the way this thing turned out.. it's more obvious with the full code, I'll
paste it in
On 04/15/2014 03:42 PM, Seth Arnold wrote:
> On Tue, Apr 15, 2014 at 10:22:09AM -0700, john.johan...@canonical.com wrote:
>> Policy enforcement needs to be able to support older userspaces and
>> compilers that don't know about new features. The absence of a feature
>> in the policydb indicates tha
On Tue, Apr 15, 2014 at 10:22:09AM -0700, john.johan...@canonical.com wrote:
> Policy enforcement needs to be able to support older userspaces and
> compilers that don't know about new features. The absence of a feature
> in the policydb indicates that feature mediation is not present for
> it.
>
On 04/15/2014 12:33 PM, Seth Arnold wrote:
> On Tue, Apr 15, 2014 at 04:11:06AM -0700, John Johansen wrote:
>> new version
>> - address Seth's feedback
>> - add missing strn_escseq tests
>> - expand strn_escseq to take a 3rd parameter to allow specifying chars to
>> convert straight across, e.g.
On Tue, Apr 15, 2014 at 04:11:06AM -0700, John Johansen wrote:
> new version
> - address Seth's feedback
> - add missing strn_escseq tests
> - expand strn_escseq to take a 3rd parameter to allow specifying chars to
> convert straight across, e.g. "+" will cause it to convert \+ as +
> - fix libap
includes sbeattie's pad calculation fix.
Signed-off-by: John Johansen
---
parser/parser.h |5
parser/parser_interface.c | 510 +-
parser/parser_policy.c|8
3 files changed, 151 insertions(+), 372 deletions(-)
--- 2.9-test.orig
This patch makes use of the htoleXX() functions (see endian(3))
defined as part of endian.h (already included in parser_interface.c),
instead of defining a function differently based on the detection of
endian related macros.
This fixes a build failure experienced on powerpc with John's patch
set
Using the parser timestamp was a workaround to force recompilation of
policy that was built with a buggy parser. There are better ways to
handle this, so remove checking of the parser timestamp.
Signed-off-by: John Johansen
---
parser/parser_main.c |7 ---
parser/tst/caching.py |6 +
The match
{VARIABLE_NAME}/{WS}*={WS}*\(
is too broad, causing mount and dbus rules to fail for sets of values, e.g.
mount options=(ro bind)
Instead of doing a broad match, for now let's lock it down to just
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John
Update mkprofile.pl to generate ptrace rules and update test scripts to
test ptrace mediation.
Signed-off-by: John Johansen
---
tests/regression/apparmor/capabilities.sh | 23 +-
tests/regression/apparmor/mkprofile.pl| 18 ++
tests/regression/apparmor/ptrace.sh | 144 +--
tes
For some rules the output of apparmor_parser -p has a double comma.
E.g.
ptrace (tracedby),
dbus (send,receive),
is output as
ptrace (tracedby),,
dbus (send,receive),,
Signed-off-by: John Johansen
Acked-by: Seth Arnold
---
parser/parser_lex.l |2 +-
1 file changed, 1 insertion(+
The previous test patches were done with the hardcoded bypass for
unconfined.
This semantic was changed so that a confined app can now block unconfined
processes from tracing or sending signals to it.
Signed-off-by: John Johansen
---
tests/regression/apparmor/dbus.inc |1
tests/regr
apparmor_parser -p is broken, outputting garbage characters after every
include statement.
e.g.
##included
^@^@V>^?^@^@^NV>^?^@^@^Pu^@# ---
---
#
This is happening because includes are handled specially and should not
go through the usua
ptrace rules currently take the form of
ptrace [] [],
ptrace_perm := read|trace|readby|tracedby
ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
After having used the cross check (permission needed in both profiles)
I am not sure it is correct for ptrace.
Signed-off-by: John Johansen
-
Signed-off-by: John Johansen
---
parser/parser_lex.l | 19 +--
1 file changed, 9 insertions(+), 10 deletions(-)
--- 2.9-test.orig/parser/parser_lex.l
+++ 2.9-test/parser/parser_lex.l
@@ -52,7 +52,7 @@
/* #define DEBUG */
#ifdef DEBUG
static int yy_top_state(void);
-#define P
change from
ptrace /foo,
to
ptrace peer=/foo,
Signed-off-by: John Johansen
---
parser/parser_yacc.y |7 +--
parser/ptrace.c | 13 -
parser/ptrace.h |2 +-
3 files changed, 10 insertions(+), 12 deletions(-)
--- 2.9-test.orig/parser/parser_yacc.y
+++ 2.9
Update mkprofile.pl to generate signal rules and update test scripts to
grant signal permissions when needed.
Signed-off-by: John Johansen
Acked-by: Tyler Hicks
---
tests/regression/apparmor/exec.sh | 6 +++---
tests/regression/apparmor/mkprofile.pl | 18 ++
tests/regressi
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.
The current format of the signal rule is
[audit] [deny] signal [] [] ,
signal_perm := 'send'|'receive'|'r'|'w'|'rw'
signal_perms := | '(' ([,])* ')'
signal := ("hup
Signed-off-by: John Johansen
Acked-by: Seth Arnold
Acked-by: Steve Beattie
---
parser/Makefile|9 ++
parser/common_optarg.c | 170 +
parser/common_optarg.h | 47 +
parser/parser.h|1
parser/parser_mai
The label class is used to lookup object permissions based off of label
alone when the labeling is not path dependent.
Some rules will not generate label entries, some will generate only
label entries and some will generate both label and path entries.
This is left to the particular rule encoding.
The addition of the dbus tests requires dbus dev libraries be installed
to run the test suite. This is not always desirable or even possible.
So make building and running the dbus tests conditional on the
pkg-config info from those libs. If they are not present output a
message about skipping the
Tag start of entries in the policydb as being mediated. This makes
the start state for any class being mediated be non-zero. The kernel
can detect this to determine whether the parser expected mediation
for the class.
This is just a way of encoding what features expect mediation within
the policydb
Signed-off-by: John Johansen
---
parser/parser.h|1 +
parser/parser_common.c |3 ++-
parser/parser_main.c |6 ++
3 files changed, 9 insertions(+), 1 deletion(-)
--- 2.9-test.orig/parser/parser.h
+++ 2.9-test/parser/parser.h
@@ -298,6 +298,7 @@
extern int kernel_load;
This will allow for the parser to invalidate its caches separately from whether
the kernel policy version has changed. This can be desirable if a parser
bug is discovered, a new version of the parser is shipped and we need to
force cache files to be regenerated.
Policy currently stores a 32 bit version num
This cleans things up a bit and fixes a bug where not all rules are
getting properly counted so that the addition of policy_mediation
rules fails to generate the policy dfa in some cases.
Because the policy dfa is being generated correctly now we need to
fix some tests to use the new -M flag to sp
This is not the cleanup this code needs, but a quick hack to add the
-M flag so we can specify a feature file (or directory) to use for
the compile.
It mostly just moves around existing code and adds the -M option,
though it does introduce a few changes.
While I didn't do it in this patch I propo
Policy enforcement needs to be able to support older userspaces and
compilers that don't know about new features. The absence of a feature
in the policydb indicates that feature mediation is not present for
it.
We add stub rules, that provide a non-zero start state for features that
are supported at
The features file patch broke detection of network support.
Signed-off-by: John Johansen
---
parser/parser_common.c |2 +-
parser/parser_main.c |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- 2.9-test.orig/parser/parser_common.c
+++ 2.9-test/parser/parser_common.c
@@ -25,7
Unify escape sequence processing into a set of library fns.
Fix the octal escape sequence handling that was broken, so that short escapes \0,
\00, \xa didn't work and actually resulted in some encoding bugs.
Also we were missing support for the decimal # conversion \d123
Incorporate and update Steve Beat
So the v5 was getting quite messy and hard to follow. This is just
a refresh with the latest versions, updates and acks.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Signed-off-by: John Johansen
Acked-by: Steve Beattie
---
parser/parser_regex.c |6 ++
1 file changed, 6 insertions(+)
--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
@@ -712,6 +712,9 @@
prof->policy.rules = NULL;
if (!prof->pol
new version
- address Seth's feedback
- add missing strn_escseq tests
- expand strn_escseq to take a 3rd parameter to allow specifying chars to
convert straight across, e.g. "+" will cause it to convert \+ as +
- fix libapparmor/parse.y failed escape pass through to match processunquoted
---
cle