Accepting request 59064 from security:apparmor:factory

Accepted submit request 59064 from user jeff_mahoney

OBS-URL: https://build.opensuse.org/request/show/59064
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=5
This commit is contained in:
Lars Vogdt 2011-01-25 12:16:44 +00:00 committed by Git OBS Bridge
parent b880b93fed
commit a535402f17
14 changed files with 1091 additions and 422 deletions

apparmor-2.5-r1445 Normal file

@ -0,0 +1,705 @@
=== added file '.bzrignore'
--- a/.bzrignore 1970-01-01 00:00:00 +0000
+++ b/.bzrignore 2011-01-10 18:12:33 +0000
@@ -0,0 +1,1 @@
+parser/tst/simple_tests/generated_x/*.sd
=== modified file 'libraries/libapparmor/testsuite/Makefile.am'
--- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000
+++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000
@@ -12,7 +12,7 @@
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
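Review bot: Linking with `-L../src/.libs -lapparmor` instead of the static archive makes the test binaries resolve libapparmor at run time through the dynamic loader, which can pick up a system-installed libapparmor.so rather than the copy just built, so the testsuite may silently validate the wrong library. In an automake/libtool tree the conventional form is `test_multi_multi_LDADD = ../src/libapparmor.la`, which lets libtool emit wrapper scripts that point at the uninstalled library. If the intent was specifically to exercise the shared object, a comment saying so and stating how the run-time search path is pinned would help.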
=== modified file 'parser/Makefile'
--- a/parser/Makefile 2009-11-11 18:58:57 +0000
+++ b/parser/Makefile 2011-01-10 18:12:33 +0000
@@ -45,11 +45,14 @@
echo "$${warning}"; \
fi ; \
done)
-CFLAGS = -O2 -pipe
+ifndef CFLAGS
+CFLAGS = -g -O2 -pipe
ifdef DEBUG
CFLAGS = -g
endif
+endif #CFLAGS
+
EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
#LEXLIB := -lfl
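Review bot: With `ifdef DEBUG` nested inside `ifndef CFLAGS`, a build run as `CFLAGS=... DEBUG=1 make` silently ignores DEBUG, because the inner block is never evaluated once CFLAGS comes from the environment or command line. Moving the debug override after the `endif`, e.g. `ifdef DEBUG` / `override CFLAGS := -g` / `endif`, keeps DEBUG meaningful in both paths. Note also that `ifndef` treats an empty `CFLAGS=` as unset, so `make CFLAGS=` still gets `-g -O2 -pipe`; a comment stating that this is intended would avoid surprise.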
@@ -125,9 +128,20 @@
techdoc.txt: techdoc/index.html
w3m -dump $< > $@
-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main: $(TOOLS)
$(Q)make -C po all
- $(Q)make -s tests
+
+manpages: $(MANPAGES)
+
+htmlmanpages: $(HTMLMANPAGES)
+
+pdf: techdoc.pdf
+
+docs: manpages htmlmanpages pdf
+
+all: main docs tests
apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
rm -f ./libstdc++.a
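Review bot: The new `main`, `manpages`, `htmlmanpages`, `pdf` and `docs` targets are not declared `.PHONY` anywhere in this hunk, so a stray file or directory named `docs` or `pdf` in the parser tree would make them report up to date and skip the build; add `.PHONY: all main manpages htmlmanpages pdf docs` beside the new rules unless such a declaration exists outside the hunk. The recipe under `main` also still invokes the literal `make -C po all`, which does not propagate `-j`/jobserver or `-n`; use `$(Q)$(MAKE) -C po all`. Since `all` now depends on `tests`, a plain `make` runs the test suite, which is a behaviour change worth a comment for packagers.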
@@ -191,7 +205,7 @@
af_names.h: /usr/include/bits/socket.h
LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
- cat $@
+ # cat $@
cap_names.h: /usr/include/linux/capability.h
LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -224,7 +238,7 @@
.SILENT: $(AAREOBJECTS)
.PHONY: $(AAREOBJECTS)
$(AAREOBJECTS):
- make -C $(AAREDIR)
+ make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
.SILENT: $(PCREOBJECTS)
.PHONY: $(PCREOBJECTS)
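Review bot: `make -C $(AAREDIR) CFLAGS="$(CFLAGS)"` passes CFLAGS as a command-line assignment, which overrides any `CFLAGS +=` the sub-Makefile performs and bypasses whatever DEBUG handling it has, and the literal `make` breaks jobserver propagation under `-j`. Prefer `$(MAKE) -C $(AAREDIR) CFLAGS="$(CFLAGS)"`, or `export CFLAGS` so the subdirectory sees the value as an environment default it may still extend. A short comment explaining why the flags must be forced rather than inherited would help the next maintainer.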
=== modified file 'parser/immunix.h'
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-10 18:12:33 +0000
@@ -148,12 +148,12 @@
#include <stdio.h>
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
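Review bot: The gate change from `AA_USER_EXEC_TYPE` to `AA_USER_EXEC` at the top of `is_merged_x_consistent` is not explained, and since this header feeds the policy compiler's exec-merge checks the reasoning matters to anyone touching it later. A comment such as `/* compare x-transition types only when both rules actually grant exec (AA_USER_EXEC); a stray type bit without exec is not a conflict */` would record the intent — that reading is inferred from the identifier names and should be confirmed. The function's closing brace lies outside the hunk.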
=== modified file 'parser/libapparmor_re/regexp.y'
--- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000
@@ -720,17 +720,19 @@
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
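Review bot: The reorder that saves `old` and calls `old->release()` only after `t` has advanced fixes the use-after-free, but nothing in the code says so, and the original ordering looked natural enough that it could be "tidied" back. A comment before each `Node *old = t;`, e.g. `// dup the surviving child before release(): release() may free t, so advance via the child first and release through the saved pointer`, would protect the fix. The two blocks are byte-identical and could share a small static helper, though that is optional. The enclosing loop begins before and continues after this hunk.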
@@ -2581,9 +2583,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
@@ -2644,8 +2646,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
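Review bot: `EXTRACT_X_INDEX(perm, shift)` uses `shift + 7` without parentheses around `shift`, so an argument such as `a ? 8 : 0` or any expression of lower precedence than `+` binds incorrectly; write `(((perm) >> ((shift) + 7)) & 0x7f)`. The widened mask also means the extracted index now ranges up to 127, which is only safe if `EXEC_MATCH_FLAGS_SIZE` (defined as `AA_EXEC_COUNT *2 * 2 * 2` in the earlier hunk) is at least 128 — a compile-time check or an explicit comment tying the `0x7f` to the table size would make that invariant visible, since `AA_EXEC_COUNT` is not shown here.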
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-10 18:12:33 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
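Review bot: `tests: error_output gen_xtrans parser_sanity caching` relies on listing order to run the generator before `parser_sanity`, but under `make -j` prerequisites are built concurrently, so the generated `simple_tests/generated_x/*.sd` files may be absent or half-written when the parser sanity run starts. Add an explicit edge, `parser_sanity: gen_xtrans`, so the dependency lives in the graph rather than in the listing order. `perl ./gen-xtrans.pl` is also unconditional, so every `make tests` regenerates the files; that is acceptable for a test target but deserves a comment.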
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
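Review bot: `clean` runs `rm -f simple_tests/generated_x/*`, which also deletes the tracked `simple_tests/generated_x/readme` added in this same change; the `.bzrignore` entry only covers `*.sd`, so `rm -f simple_tests/generated_x/*.sd` is the matching pattern. `clean` is also a phony target and should be appended to the `.PHONY:` list, otherwise a file named `clean` in `parser/tst` would silence it.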
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
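Review bot: `gen_file` opens its output with the two-argument form `open $file, ">$name"` and on failure prints a message without `$!` and calls `exit 1`; the idiomatic form is `open(my $fh, '>', $name) or die "couldn't open $name: $!";`, which also keeps a filename beginning with `<`, `>` or `|` from being reinterpreted as a mode. `use Locale::gettext` and `use POSIX` are loaded only to call `setlocale`, and no `gettext()` call appears in the script, so a test generator acquires a runtime dependency on a non-core module for no visible benefit. Neither `gen_file` nor its callers check the result of `close($file)`, so a full disk would leave truncated `.sd` files that later surface as parser test failures rather than as a generator error.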
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000
@@ -18,7 +18,7 @@
/usr/bin/prism PUx,
/usr/bin/rekonq PUx,
/usr/bin/seamonkey PUx,
- /usr/bin/sensible-browser PUxr,
+ /usr/bin/sensible-browser Pixr,
/usr/bin/chromium-browser PUx,
/usr/lib/chromium-browser/chromium-browser PUx,
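Review bot: `sensible-browser` is the only entry in this list switched from `PUx` to `Pix`, and nothing in the abstraction says why; since `Pix` falls back to inheriting the caller's profile rather than running unconfined, the rule differs from every neighbouring one and will look like a typo to the next editor. Presumably the reason is that sensible-browser is a wrapper script that execs the real browser, so inheriting keeps that second exec under this abstraction's `PUx` rules instead of escaping to unconfined — if so, record it: `# sensible-browser is a wrapper script: inherit (Pix) so the browser it execs is still mediated by the rules above`. Please confirm that reading against the Ubuntu package before adopting the comment.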
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000
@@ -15,5 +15,5 @@
/usr/bin/tkrat PUx,
/usr/lib/thunderbird/thunderbird PUx,
- /usr/lib/thunderbird-3*/thunderbird PUx,
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
=== modified file 'tests/regression/subdomain/changehat_misc.sh'
--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000
@@ -64,7 +64,7 @@
echo "*** A 'Killed' message from bash is expected for the following test"
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
# PROFILE
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
settest changehat_fail
=== modified file 'tests/regression/subdomain/deleted.c'
--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000
@@ -90,7 +90,7 @@
}
/* test that we can create the file. Not necessarily a (deleted)
- * case but lets use flush out other combinations
+ * case but lets us flush out other combinations.
*/
fd2=creat(argv[2], S_IRUSR | S_IWUSR);
if (fd2 == -1){
=== modified file 'tests/regression/subdomain/deleted.sh'
--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000
+++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -10,7 +10,7 @@
#=NAME deleted
#=DESCRIPTION
-# Test subdomain is properly working around a kernel in which the kernel
+# Test AppArmor is properly working around a kernel in which the kernel
# appends (deleted) to deleted files verifies that the d_path appending
# (deleted) fix is working
#=END
@@ -24,6 +24,7 @@
file=$tmpdir/file
file2="$tmpdir/file (deleted)"
+file3="$tmpdir/unavailable"
okperm=rwl
subtest=sub
@@ -40,8 +41,8 @@
# NO CHANGEHAT TEST - doesn't force revalidation
genprofile $file:$okperm
-
runchecktest "NO CHANGEHAT (access file)" pass nochange $file
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
genprofile "$file2":$okperm
runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
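Review bot: `$file3` (`$tmpdir/unavailable`) is never created in this hunk, so the new `"NO CHANGEHAT (cannot access unavailable)" fail` check passes whether the open is refused by AppArmor or simply fails with ENOENT, which means it does not actually prove the profile denies access. Unless the file is created outside the hunk, add `touch "$file3"` next to the existing setup so the expected failure is attributable to policy rather than to a missing path. The same applies to the CHANGEHAT variant added in the following hunk.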
@@ -49,6 +50,7 @@
# CHANGEHAT TEST - force revalidation using changehat
genprofile $file:$okperm hat:$subtest $file:$okperm
runchecktest "CHANGEHAT (access file)" pass $subtest $file
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
@@ -115,7 +117,7 @@
# FAIL - confined client, w access to the file
genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
sleep 1
rm -f ${socket}
=== modified file 'tests/regression/subdomain/mkprofile.pl'
--- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000
+++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000
@@ -5,7 +5,7 @@
#
# Gawd, I hate writing perl. It shows, too.
#
-my $__VERSION__='$Id$';
+my $__VERSION__=$0;
use strict;
use Getopt::Long;
=== modified file 'tests/regression/subdomain/prologue.inc'
--- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000
+++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000
@@ -93,8 +93,10 @@
while [ -h ${link} ]
do
- if [ -x /usr/bin/readlink ] ; then
- target=$(/usr/bin/readlink ${link})
+ if [ -x /usr/bin/readlink ] ; then
+ target=$(/usr/bin/readlink -f ${link})
+ elif [ -x /bin/readlink ] ; then
+ target=$(/bin/readlink -f ${link})
else
# I'm sure there's a more perlish way to do this
target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")
=== modified file 'tests/regression/subdomain/pwrite.sh'
--- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000
+++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000
@@ -27,7 +27,7 @@
genprofile $file:$okperm
-runtestbg "PWRITE with w" pass $file
+runtestbg "PREAD/PWRITE with rw" pass $file
sleep 2
=== modified file 'tests/regression/subdomain/swap.sh'
--- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000
@@ -32,7 +32,7 @@
swap_file=$tmpdir/swapfile
dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
-/sbin/mkswap ${swap_file} > /dev/null
+/sbin/mkswap -f ${swap_file} > /dev/null
# TEST 1. Make sure can enable and disable swap unconfined
=== modified file 'tests/regression/subdomain/syscall.sh'
--- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000
+++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -114,9 +114,9 @@
runchecktest "MKNOD sock (permissions)" fail s $mknod_file
##
-## D. SETHOSTNAME
+## C. SYSCTL
##
-sh syscall_sysctl.sh
+bash syscall_sysctl.sh
##
## D. SETHOSTNAME
=== modified file 'tests/regression/subdomain/unix_fd_server.c'
--- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000
@@ -2,6 +2,7 @@
/*
* Copyright (C) 2002-2005 Novell/SUSE
+ * Copyright (C) 2010 Canonical, Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -134,6 +135,7 @@
}
/* Check for info re: reading the file */
+ memset(inbound_buffer, 0, sizeof(inbound_buffer));
if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
fprintf(stderr, "FAIL - recv %s\n",
strerror(errno));
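Review bot: The new `memset` zeroes the whole buffer but the following `recv(in_sock, inbound_buffer, 16, 0)` still uses a hard-coded 16; if `inbound_buffer` is 16 bytes wide, a full-length message overwrites every zero and leaves no NUL terminator for any later string use, so the request length should be `sizeof(inbound_buffer) - 1`. The check also treats only `-1` as an error; a return of 0 (peer closed) falls through with an all-zero buffer, which silently looks like an empty message. The buffer's declaration and the code consuming it are outside this hunk, so the size assumption should be confirmed there.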
=== modified file 'tests/regression/subdomain/xattrs.sh'
--- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000
+++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000
@@ -38,41 +38,59 @@
. $bin/prologue.inc
-file=$tmpdir/testfile
-link=$tmpdir/testlink
-dir=$tmpdir/testdir/
+tmpmount=$tmpdir/mountpoint
+diskimg=$tmpdir/disk.img
+file=$tmpmount/testfile
+link=$tmpmount/testlink
+dir=$tmpmount/testdir/
okperm=rw
badperm=r
+# guarantee fs supports user_xattrs
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
+mkfs.ext3 -q -F ${diskimg}
+mkdir ${tmpmount}
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
+
touch $file
ln -s $file $link
mkdir $dir
+add_attrs()
+{
+ #set the xattr for thos that passed above again so we can test removing it
+ setfattr -h -n security.sdtest -v hello "$1"
+ setfattr -h -n trusted.sdtest -v hello "$1"
+ if [ "$1" != $link ] ; then
+ setfattr -h -n user.sdtest -v hello "$1"
+ fi
+}
+
for var in $file $link $dir ; do
#write xattr
genprofile $var:$badperm
xattrtest $var $badperm write security fail
#xattrtest $var $badperm write system fail
xattrtest $var $badperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
genprofile $var:$okperm
xattrtest $var $okperm write security xpass
#xattrtest $var $okperm write system fail
xattrtest $var $okperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
#xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
#read xattr
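Review bot: The new setup runs `mkfs.ext3`, `mkdir` and `mount -o loop,user_xattr` without checking their exit status, so if the loop mount fails (no loop devices in a container, e2fsprogs missing, not root) every later test operates on the plain `$tmpdir` and reports misleading results; `mount -o loop,user_xattr "${diskimg}" "${tmpmount}" || { echo "loop mount failed"; exit 1; }` would fail fast. The matching `umount` is only reached at the very end of the script, so any aborted run leaves the loop device and mount behind — register it in a cleanup trap instead of relying on straight-line execution. The unquoted `$link` in `add_attrs` and in the `for` comparisons also breaks if `$tmpdir` ever contains spaces.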
@@ -80,13 +98,13 @@
xattrtest $var $badperm read security pass
#xattrtest $var $badperm read system fail
xattrtest $var $badperm read trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
#xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
#remove xattr
@@ -94,23 +112,25 @@
xattrtest $var $badperm remove security fail
#xattrtest $var $badperm remove system fail
xattrtest $var $badperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$okperm
xattrtest $var $okperm remove security xpass
#xattrtest $var $okperm remove system fail
xattrtest $var $okperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
- #set the xattr for thos that passed above again so we can test removing it
- setfattr -h -n security.sdtest -v hello $var
- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
+ add_attrs $var
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
@@ -120,3 +140,4 @@
done
+umount ${tmpmount}
=== modified file 'utils/SubDomain.pm'
--- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000
+++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken
@@ -6622,10 +6622,14 @@
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),


@ -0,0 +1,33 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: Add libvirt pid support to dnsmasq profile
References: bnc#666090
libvirt starts up dnsmasq with its pid file in /var/run/libvirt/network/.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++
1 file changed, 6 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -8,6 +8,9 @@
capability setgid,
capability setuid,
capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
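Review bot: `capability net_admin` is among the broadest grants available to a confined process (interface and routing configuration, netfilter, privileged socket options), and the `# for DHCP server` comment does not say which operation forces it, so a reviewer cannot judge whether a narrower rule would do; please name the concrete call in the comment and consider moving the DHCP-only rules into a local include that DNS-only deployments leave empty. `capability net_raw` and `network inet raw` likewise apply to every dnsmasq instance, not just those acting as a DHCP server.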
@@ -19,5 +22,8 @@
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
+ /var/run/libvirt/network/ r, # Required when called by libvirt
+ /var/run/libvirt/network/*.pid rw, # Required when called by libvirt
+
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
}


@ -1,43 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix use after free in regexp parser
There are two cases of use-after-free in the simply_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.
With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.
This patch addresses it by saving a pointer to the node to free after
the node is advanced.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/libapparmor_re/regexp.yy | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/parser/libapparmor_re/regexp.yy
+++ b/parser/libapparmor_re/regexp.yy
@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}


@ -0,0 +1,94 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 46 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -233,6 +233,50 @@ my %MODE_HASH = (
N => $AA_EXEC_NT,
);
+
+# Currently only used by netdomain but there's no reason it couldn't
+# be extended to support other types.
+my %operation_types = (
+
+ # Old socket names
+ "socket_create", => "net",
+ "socket_post_create" => "net",
+ "socket_bind" => "net",
+ "socket_connect" => "net",
+ "socket_listen" => "net",
+ "socket_accept" => "net",
+ "socket_sendmsg" => "net",
+ "socket_recvmsg" => "net",
+ "socket_getsockname" => "net",
+ "socket_getpeername" => "net",
+ "socket_getsockopt" => "net",
+ "socket_setsockopt" => "net",
+ "socket_shutdown" => "net",
+
+ # New socket names
+ "create" => "net",
+ "post_create" => "net",
+ "bind" => "net",
+ "connect" => "net",
+ "listen" => "net",
+ "accept" => "net",
+ "sendmsg" => "net",
+ "recvmsg" => "net",
+ "getsockname" => "net",
+ "getpeername" => "net",
+ "getsockopt" => "net",
+ "setsockopt" => "net",
+ "sock_shutdown" => "net",
+);
+
+sub optype($) {
+ my $op = shift;
+ my $type = $operation_types{$op};
+
+ return "unknown" if !defined($type);
+ return $type;
+}
+
sub debug ($) {
my $message = shift;
chomp($message);
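Review bot: The `%operation_types` table contains a stray comma in `"socket_create", => "net",`; Perl tolerates the doubled separator, but it reads as a typo and should be `"socket_create" => "net",`. More substantively, the new-style keys are bare verbs — `create`, `bind`, `connect`, `accept`, `listen` — so any non-socket log operation that happens to use one of those names would now be classified as `net` by `optype()` and routed into the netdomain branches of `add_event_to_tree` and `parse_event`; if the kernel side guarantees these names are only emitted for socket events, a comment stating that assumption (and noting the `sock_shutdown`/`socket_shutdown` asymmetry) belongs above the table. Since `optype` returns `"unknown"` for anything unlisted, a future operation name will silently stop being treated as network; a `debug()` call on unknown types would make that visible.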
@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) {
}
$pid{$child} = $arrayref;
push @{$arrayref}, [ "fork", $child, $profile, $hat ];
- } elsif ($e->{operation} =~ m/socket_/) {
+ } elsif (optype($e->{operation}) eq "net") {
add_to_tree( $e->{pid},
$e->{parent},
"netdomain",
@@ -6620,7 +6664,7 @@ sub parse_event($) {
LibAppArmor::aa_log_record::swig_magic_token_get($event);
# NetDomain
- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) {
+ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) {
$ev{'family'} =
LibAppArmor::aa_log_record::swig_net_family_get($event);
$ev{'protocol'} =


@ -35,23 +35,3 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
@@ -6625,10 +6632,15 @@ sub parse_event($) {
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),


@ -1,4 +1,92 @@
AUTHORS | 1
ChangeLog | 1
INSTALL | 365
Makefile.am | 2
NEWS | 1
README | 1
changehat/Makefile.am | 1
changehat/mod_apparmor/Makefile.am | 19
changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216
changehat/pam_apparmor/COPYING | 39
changehat/pam_apparmor/Makefile.am | 9
changehat/pam_apparmor/pam_apparmor.changes | 49
changehat/pam_apparmor/pam_apparmor.spec.in | 83
changehat/tomcat_apparmor/Makefile.am | 1
changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2
changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11
changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17
config.rpath | 666
configure.in | 220
deprecated/Makefile.am | 2
deprecated/management/Makefile.am | 1
deprecated/management/apparmor-dbus/Makefile.am | 2
deprecated/management/apparmor-dbus/src/Makefile.am | 3
deprecated/management/applets/Makefile.am | 1
deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4
deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30
deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258
deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8
deprecated/management/profile-editor/Makefile.am | 2
deprecated/management/profile-editor/src/Makefile.am | 6
deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4
libraries/Makefile.am | 1
libraries/libapparmor/AUTHORS | 2
libraries/libapparmor/ChangeLog | 1
libraries/libapparmor/INSTALL | 236
libraries/libapparmor/NEWS | 1
libraries/libapparmor/README | 1
libraries/libapparmor/autogen.sh | 42
libraries/libapparmor/compile | 143
libraries/libapparmor/config.guess | 1502 -
libraries/libapparmor/config.sub | 1714 -
libraries/libapparmor/configure |13962 ----------
AUTHORS | 1
ChangeLog | 1
INSTALL | 365
Makefile.am | 2
NEWS | 1
README | 1
changehat/Makefile.am | 1
changehat/mod_apparmor/Makefile.am | 19
changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216
changehat/pam_apparmor/COPYING | 39
changehat/pam_apparmor/Makefile.am | 9
changehat/pam_apparmor/pam_apparmor.changes | 49
changehat/pam_apparmor/pam_apparmor.spec.in | 83
changehat/tomcat_apparmor/Makefile.am | 1
changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2
changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11
changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17
config.rpath | 666
configure.in | 220
deprecated/Makefile.am | 2
deprecated/management/Makefile.am | 1
deprecated/management/apparmor-dbus/Makefile.am | 2
deprecated/management/apparmor-dbus/src/Makefile.am | 3
deprecated/management/applets/Makefile.am | 1
deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4
deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30
deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258
deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8
deprecated/management/profile-editor/Makefile.am | 2
deprecated/management/profile-editor/src/Makefile.am | 6
deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4
libraries/Makefile.am | 1
libraries/libapparmor/AUTHORS | 2
libraries/libapparmor/ChangeLog | 1
libraries/libapparmor/INSTALL | 236
libraries/libapparmor/NEWS | 1
libraries/libapparmor/README | 1
libraries/libapparmor/autogen.sh | 42
libraries/libapparmor/compile | 143
libraries/libapparmor/config.guess | 1502 -
libraries/libapparmor/config.sub | 1714 -
libraries/libapparmor/configure |13962 ----------
AUTHORS | 1
ChangeLog | 1
INSTALL | 365
@ -64,8 +152,8 @@
m4/wxwidgets.m4 | 37
parser/Makefile.am | 81
parser/libapparmor_re/Makefile.am | 4
parser/libapparmor_re/regexp.y | 2800 --
parser/libapparmor_re/regexp.yy | 2800 ++
parser/libapparmor_re/regexp.y | 2802 --
parser/libapparmor_re/regexp.yy | 2802 ++
parser/parser_alias.c | 1
parser/parser_main.c | 3
parser/parser_policy.c | 1
@ -80,7 +168,7 @@
utils/Makefile.PL | 15
utils/Makefile.am | 39
utils/po/Makefile | 8
81 files changed, 4902 insertions(+), 22094 deletions(-)
81 files changed, 4904 insertions(+), 22096 deletions(-)
--- /dev/null
+++ b/AUTHORS
@ -21585,7 +21673,7 @@
+libapparmor_re_la_SOURCES = regexp.yy
--- a/parser/libapparmor_re/regexp.y
+++ /dev/null
@@ -1,2800 +0,0 @@
@@ -1,2802 +0,0 @@
-/*
- * regexp.y -- Regular Expression Matcher Generator
- * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
@ -22308,17 +22396,19 @@
- Node *i = t->child[!dir];
- for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
- if (t->child[dir]->eq(i->child[dir])) {
- Node *old = t;
- t->child[!dir]->dup();
- t->release();
- t = t->child[!dir];
- old->release();
- continue;
- }
- }
- // last altnode of chain check other dir as well
- if (t->child[dir]->eq(p->child[!dir])) {
- Node *old = t;
- t->child[!dir]->dup();
- t->release();
- t = t->child[!dir];
- old->release();
- continue;
- }
-
@ -24169,9 +24259,9 @@
-#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
-MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
-
-extern "C" void aare_reset_matchflags(void)
-{
@ -24232,8 +24322,8 @@
- flip_tree(tree);
-
-
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
-
-//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
-// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
@ -24388,7 +24478,7 @@
-}
--- /dev/null
+++ b/parser/libapparmor_re/regexp.yy
@@ -0,0 +1,2800 @@
@@ -0,0 +1,2802 @@
+/*
+ * regexp.y -- Regular Expression Matcher Generator
+ * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de>
@ -25111,17 +25201,19 @@
+ Node *i = t->child[!dir];
+ for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
+ if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
+ t->child[!dir]->dup();
+ t->release();
+ t = t->child[!dir];
+ old->release();
+ continue;
+ }
+ }
+ // last altnode of chain check other dir as well
+ if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
+ t->child[!dir]->dup();
+ t->release();
+ t = t->child[!dir];
+ old->release();
+ continue;
+ }
+
@ -26972,9 +27064,9 @@
+#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
+MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
+
+extern "C" void aare_reset_matchflags(void)
+{
@ -27035,8 +27127,8 @@
+ flip_tree(tree);
+
+
+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
+
+//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
+// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);


@ -7,9 +7,9 @@
@@ -12,7 +12,7 @@ endif
all: tests
.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+tests: error_output parser_sanity
.PHONY: tests error_output gen_xtrans parser_sanity caching
-tests: error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
gen_xtrans:
perl ./gen-xtrans.pl
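Review bot: The new `tests: error_output gen_xtrans parser_sanity` line gives parser_sanity no dependency on gen_xtrans; listing them side by side is not an ordering, so under `make -j` parser_sanity can start before gen-xtrans.pl has finished writing simple_tests/generated_x/*.sd and test a partial or empty set. If parser_sanity walks simple_tests/ (its rule is outside this hunk, so that is inferred), add an explicit edge, `parser_sanity: gen_xtrans`, or make gen_xtrans a prerequisite of parser_sanity instead of tests. Since gen_xtrans is phony it regenerates on every run, which is fine here but worth a one-line comment such as `# regenerates simple_tests/generated_x on every run; parser_sanity must follow it`.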


@ -0,0 +1,58 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 6 ++++++
1 file changed, 6 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2337,6 +2337,12 @@ sub handlechildren {
# we have seen more than a declaration so clear it
$sd{$profile}{$hat}{'declared'} = 0;
$sd{$profile}{$hat}{profile} = 1;
+
+ # Otherwise sub-profiles end up getting
+ # put in enforce mode with genprof
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
+
+ $sd{$profile}{$hat}{flags} = 'complain';
$sd{$profile}{$hat}{allow}{path} = { };
$sd{$profile}{$hat}{allow}{netdomain} = { };
my $file = $sd{$profile}{$profile}(unknown);
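Review bot: The last added line, `$sd{$profile}{$hat}{flags} = 'complain';`, unconditionally overwrites the value the line above just copied from the parent profile, so the inheritance is dead code and every sub-profile is forced into complain mode whatever the parent's flags are. If the intent is parent flags where there is a parent and complain otherwise, collapse the two into `$sd{$profile}{$hat}{flags} = ($profile ne $hat) ? $sd{$profile}{$profile}{flags} : 'complain';`; if complain is always wanted, drop the inheritance line and its comment instead. The patch description promises complain mode only "if appropriate", which suggests the first reading. `handlechildren` continues outside this hunk, so a later reassignment cannot be ruled out from here.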


@ -1,24 +0,0 @@
From: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Support newer auditd formatted messages.
Patch from mancha on irc.
This is lp:apparmor/2.5 commit r1444.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken


@ -1,3 +1,33 @@
-------------------------------------------------------------------
Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de
- Inherit flags in sub-profiles when generating profiles (bnc#496204).
-------------------------------------------------------------------
Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de
- Stop treating profiles shipped with the package as config files.
- /etc/apparmor.d will still be treated specially.
- Add support for parsing network operation events (bnc#665483)
-------------------------------------------------------------------
Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de
- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1.
-------------------------------------------------------------------
Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de
- Update to apparmor-2.5 r1445.
- Includes 3 of the fixes below.
- Several testsuite fixes.
- Update for Thunderbird profile.
-------------------------------------------------------------------
Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de
- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090)
-------------------------------------------------------------------
Tue Jan 18 10:51:33 UTC 2011 - coolo@novell.com


@ -32,6 +32,9 @@
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
%define srcversion 2.5.1
%define bzr_commit r1445
Name: apparmor
%if ! %{?distro:1}0
%if %{?suse_version:1}0
@ -45,14 +48,14 @@ Name: apparmor
%define distro suse
%endif
Summary: AppArmor userlevel parser utility
Version: 2.5.1
Release: 2
Version: %{srcversion}.%{bzr_commit}
Release: 46
Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.bz2
Source0: apparmor-%{srcversion}.tar.bz2
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
Patch: testsuite-build-fix
Patch: apparmor-2.5-%{bzr_commit}
Patch1: pam-apparmor-include
Patch2: mod_apparmor-includes
Patch3: tomcat-build-fixes
@ -81,12 +84,15 @@ Patch25: apparmor-2.5.1-ntpd-proc-fixes
Patch26: apparmor-2.5.1-edirectory-profile
Patch27: apparmor-2.5.1-firefox-proc-fix
Patch28: apparmor-2.5.1-unconfined-fixes
Patch29: apparmor-2.5.1-fix-parser-use-after-free
Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch30: apparmor-2.5.1-ldapclient-profile
Patch31: apparmor-utils-support-newer-auditd-formatted-messages
Patch32: fix-two-x-transition-conflict-bugs
#Patch31:
#Patch32:
Patch33: apparmor-2.5.1-ntpd-sys_nice
Patch34: apparmor-2.5.1-ssl-fix
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36: klog-needs-CAP_SYSLOG
Patch37: apparmor-2.5.1-network-fixes
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
@ -157,6 +163,7 @@ Provides: subdomain-parser-demo = %{version}
Provides: subdomain-parser-common = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: libimnxcert = %{version}
Provides: apparmor-parser(CAP_SYSLOG)
%description parser
The AppArmor Parser is a userlevel program that is used to load in
@ -311,6 +318,7 @@ Summary: AppArmor profiles that are loaded into the apparmor kernel modul
Group: Productivity/Security
Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version}
Requires: apparmor-parser(CAP_SYSLOG)
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
@ -453,7 +461,7 @@ SubDomain.
%endif
%prep
%setup -q
%setup -q -n %{name}-%{srcversion}
%patch -p1
%patch1 -p1
%patch2 -p1
@ -485,10 +493,11 @@ SubDomain.
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%build
export SUSE_ASNEEDED=0
@ -658,7 +667,7 @@ fi
%files profiles
%defattr(-,root,root)
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
%attr(644, root, root) %config(noreplace) %{extras_dir}/*
%attr(644, root, root) %{extras_dir}/*
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
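Review bot: Patch29 now names apparmor-utils-inherit-flags-during-profile-generation in place of apparmor-2.5.1-fix-parser-use-after-free, but nothing visible in this chunk deletes that patch file or states that the use-after-free fix is carried by the r1445 snapshot; the changelog only says three of the fixes are included. A memory-safety fix in the parser dropping out of the build without a trace deserves a one-line changelog entry confirming it is upstream in r1445, and the orphaned patch file should be removed so the package sources stay consistent. The new `Provides: apparmor-parser(CAP_SYSLOG)` / `Requires: apparmor-parser(CAP_SYSLOG)` pair is the right way to keep the profiles subpackage from installing against a parser that cannot load `capability syslog`.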


@ -1,277 +0,0 @@
From: John Johansen <john.johansen@canonical.com>
Subject: Fix two x transition conflict bugs.
References: bnc#662928 lpn#693082
This is lp:apparmor/2.5 commit r1443.
The is_merged_x_consistend macro was incorrect in that is tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.
The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux, and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.
This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first all pux, transitions in the profile
would be treated pux.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add auto generation of xtransition conflict tests
All the combiniation of xtransition conflics where not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
diff:
=== modified file 'parser/immunix.h'
parser/immunix.h | 4
parser/libapparmor_re/regexp.yy | 10 -
parser/tst/Makefile | 10 +
parser/tst/gen-xtrans.pl | 152 +++++++++++++++++++++++++++++
parser/tst/simple_tests/generated_x/readme | 2
5 files changed, 169 insertions(+), 9 deletions(-)
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-07 20:46:15 +0000
@@ -148,12 +148,12 @@
#include <stdio.h>
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
=== modified file 'parser/libapparmor_re/regexp.yy'
--- a/parser/libapparmor_re/regexp.yy 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.yy 2011-01-07 20:46:15 +0000
@@ -2581,9 +2581,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
@@ -2644,8 +2644,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-07 20:46:15 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-07 20:46:15 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-07 20:46:15 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+

35
klog-needs-CAP_SYSLOG Normal file

@ -0,0 +1,35 @@
---
parser/parser_misc.c | 4 ++++
profiles/apparmor.d/sbin.klogd | 1 +
2 files changed, 5 insertions(+)
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -122,6 +122,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = {
/* capabilities */
#include "cap_names.h"
+#ifndef CAP_SYSLOG
+ {"syslog", 34},
+#endif
/* terminate */
{NULL, 0}
};
@@ -820,6 +823,7 @@ static const char *capnames[] = {
"audit_control",
"setfcap",
"mac_override"
+ "syslog",
};
const char *capability_to_name(unsigned int cap)
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -15,6 +15,7 @@
#include <abstractions/base>
capability sys_admin,
+ capability syslog,
network inet stream,
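Review bot: In the second parser_misc.c hunk the new `"syslog",` entry is placed after `"mac_override"`, which has no trailing comma, so the two adjacent literals are concatenated into a single `"mac_overridesyslog"` element and capnames[] does not gain a new slot; capability_to_name() will then return the wrong name for mac_override and have no entry at the syslog index. Add the comma: `"mac_override",` followed by `"syslog",`. The `{"syslog", 34}` fallback in capability_table is reasonable for build headers that predate the capability, but the bare number deserves a comment such as `/* CAP_SYSLOG for headers that lack it; keep in sync with cap_names.h */` so the two tables are not silently allowed to drift.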


@ -1,23 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: testsuite: Fix linking with shared in-tree libapparmor
This patch stops the static linking with libapparmor and uses the
shared library instead. Before it's installed, it'll have the in-tree
rpath and the testsuite will work as expected.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
libraries/libapparmor/testsuite/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -12,7 +12,7 @@ noinst_PROGRAMS = test_multi.multi
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak