diff --git a/apparmor-2.5-r1445 b/apparmor-2.5-r1445 new file mode 100644 index 0000000..d0affc5 --- /dev/null +++ b/apparmor-2.5-r1445 
@@ -0,0 +1,705 @@ +=== added file '.bzrignore' +--- a/.bzrignore 1970-01-01 00:00:00 +0000 ++++ b/.bzrignore 2011-01-10 18:12:33 +0000 +@@ -0,0 +1,1 @@ ++parser/tst/simple_tests/generated_x/*.sd + +=== modified file 'libraries/libapparmor/testsuite/Makefile.am' +--- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000 ++++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000 +@@ -12,7 +12,7 @@ + test_multi_multi_SOURCES = test_multi.c + test_multi_multi_CFLAGS = $(CFLAGS) -Wall + test_multi_multi_LDFLAGS = $(LDFLAGS) +-test_multi_multi_LDADD = ../src/.libs/libapparmor.a ++test_multi_multi_LDADD = -L../src/.libs -lapparmor + + clean-local: + rm -f tmp.err.* tmp.out.* site.exp site.bak + +=== modified file 'parser/Makefile' +--- a/parser/Makefile 2009-11-11 18:58:57 +0000 ++++ b/parser/Makefile 2011-01-10 18:12:33 +0000 +@@ -45,11 +45,14 @@ + echo "$${warning}"; \ + fi ; \ + done) +-CFLAGS = -O2 -pipe ++ifndef CFLAGS ++CFLAGS = -g -O2 -pipe + + ifdef DEBUG + CFLAGS = -g + endif ++endif #CFLAGS ++ + EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE + + #LEXLIB := -lfl +@@ -125,9 +128,20 @@ + techdoc.txt: techdoc/index.html + w3m -dump $< > $@ + +-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf ++# targets arranged this way so that people who don't want full docs can ++# pick specific targets they want. 
++main: $(TOOLS) + $(Q)make -C po all +- $(Q)make -s tests ++ ++manpages: $(MANPAGES) ++ ++htmlmanpages: $(HTMLMANPAGES) ++ ++pdf: techdoc.pdf ++ ++docs: manpages htmlmanpages pdf ++ ++all: main docs tests + + apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS) + rm -f ./libstdc++.a +@@ -191,7 +205,7 @@ + af_names.h: /usr/include/bits/socket.h + LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@ + LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@ +- cat $@ ++ # cat $@ + + cap_names.h: /usr/include/linux/capability.h + LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@ +@@ -224,7 +238,7 @@ + .SILENT: $(AAREOBJECTS) + .PHONY: $(AAREOBJECTS) + $(AAREOBJECTS): +- make -C $(AAREDIR) ++ make -C $(AAREDIR) CFLAGS="$(CFLAGS)" + + .SILENT: $(PCREOBJECTS) + .PHONY: $(PCREOBJECTS) + +=== modified file 'parser/immunix.h' +--- a/parser/immunix.h 2009-08-20 15:41:10 +0000 ++++ b/parser/immunix.h 2011-01-10 18:12:33 +0000 +@@ -148,12 +148,12 @@ + #include + static inline int is_merged_x_consistent(int a, int b) + { +- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) && ++ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) && + ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE))) + { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b); + return 0; + } +- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) && ++ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) && + ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE))) + { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b); + return 0; + +=== modified file 'parser/libapparmor_re/regexp.y' +--- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000 ++++ 
b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000 +@@ -720,17 +720,19 @@ + Node *i = t->child[!dir]; + for (;dynamic_cast(i); p = i, i = i->child[!dir]) { + if (t->child[dir]->eq(i->child[dir])) { ++ Node *old = t; + t->child[!dir]->dup(); +- t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + } + // last altnode of chain check other dir as well + if (t->child[dir]->eq(p->child[!dir])) { ++ Node *old = t; + t->child[!dir]->dup(); +- t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + +@@ -2581,9 +2583,9 @@ + #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) + MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; + DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; +-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) +-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ +-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ ++#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ ++MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ ++ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/ + + extern "C" void aare_reset_matchflags(void) + { +@@ -2644,8 +2646,8 @@ + flip_tree(tree); + + +-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ +-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) ++/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ ++#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) + + //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) + // fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); + +=== modified file 'parser/tst/Makefile' +--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000 ++++ b/parser/tst/Makefile 2011-01-10 
18:12:33 +0000 +@@ -11,8 +11,11 @@ + + all: tests + +-.PHONY: tests error_output parser_sanity caching +-tests: error_output parser_sanity caching ++.PHONY: tests error_output gen_xtrans parser_sanity caching ++tests: error_output gen_xtrans parser_sanity caching ++ ++gen_xtrans: ++ perl ./gen-xtrans.pl + + error_output: $(PARSER) + $(PARSER) -S -I errors >/dev/null errors/okay.sd +@@ -34,3 +37,6 @@ + + $(PARSER): + make -C $(PARSER_DIR) $(PARSER_BIN) ++ ++clean: ++ rm -f simple_tests/generated_x/* + +=== added file 'parser/tst/gen-xtrans.pl' +--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000 ++++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000 +@@ -0,0 +1,152 @@ ++#!/usr/bin/perl ++ ++use strict; ++use Locale::gettext; ++use POSIX; ++ ++setlocale(LC_MESSAGES, ""); ++ ++my $prefix="simple_tests/generated_x"; ++ ++my @trans_types = ("p", "P", "c", "C", "u", "i"); ++my @modifiers = ("i", "u"); ++my %trans_modifiers = ( ++ "p" => \@modifiers, ++ "P" => \@modifiers, ++ "c" => \@modifiers, ++ "C" => \@modifiers, ++ ); ++ ++my @targets = ("", "target", "target2"); ++my @null_target = (""); ++ ++my %named_trans = ( ++ "p" => \@targets, ++ "P" => \@targets, ++ "c" => \@targets, ++ "C" => \@targets, ++ "u" => \@null_target, ++ "i" => \@null_target, ++ ); ++ ++# audit qualifier disabled for now it really shouldn't affect the conflict ++# test but it may be worth checking every once in awhile ++#my @qualifiers = ("", "owner", "audit", "audit owner"); ++my @qualifiers = ("", "owner"); ++ ++my $count = 0; ++ ++gen_conflicting_x(); ++gen_overlap_re_exact(); ++gen_dominate_re_re(); ++gen_ambiguous_re_re(); ++ ++print "Generated $count xtransition interaction tests\n"; ++ ++sub gen_list { ++ my @output; ++ foreach my $trans (@trans_types) { ++ if ($trans_modifiers{$trans}) { ++ foreach my $mod (@{$trans_modifiers{$trans}}) { ++ push @output, "${trans}${mod}x"; ++ } ++ } ++ push @output, "${trans}x"; ++ } ++ return @output; ++} ++ ++sub print_rule($$$$) { ++ my ($file, 
$name, $perm, $target) = @_; ++ print $file "\t${name} ${perm}"; ++ if ($target ne "") { ++ print $file " -> $target"; ++ } ++ print $file ",\n"; ++} ++ ++sub gen_file($$$$$$$$) { ++ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_; ++ ++# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n"; ++ ++ my $file; ++ unless (open $file, ">$name") { ++ print("couldn't open $name\n"); ++ exit 1; ++ } ++ ++ print $file "#\n"; ++ print $file "#=DESCRIPTION ${name}\n"; ++ print $file "#=EXRESULT ${xres}\n"; ++ print $file "#\n"; ++ print $file "/usr/bin/foo {\n"; ++ print_rule($file, $rule1, $perm1, $target1); ++ print_rule($file, $rule2, $perm2, $target2); ++ print $file "}"; ++ close($file); ++ ++ $count++; ++} ++ ++#NOTE: currently we don't do px to cx, or cx to px conversion ++# so ++# /foo { ++# /* px -> /foo//bar, ++# /* cx -> bar, ++# ++# will conflict ++# ++#NOTE: conflict tests don't tests leading permissions or using unsafe keywords ++# It is assumed that there are extra tests to verify 1 to 1 coorispondance ++sub gen_files($$$$) { ++ my ($name, $rule1, $rule2, $default) = @_; ++ ++ my @perms = gen_list(); ++ ++# print "@perms\n"; ++ ++ foreach my $i (@perms) { ++ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) { ++ foreach my $q (@qualifiers) { ++ foreach my $j (@perms) { ++ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) { ++ foreach my $r (@qualifiers) { ++ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd"; ++# print "$file\n"; ++ ++ #override failures when transitions are the same ++ my $xres = ${default}; ++ if ($i eq $j && $t eq $u) { ++ $xres = "PASS"; ++ } ++ ++ ++# print "foo $xres $rule1 $i $t $rule2 $j $u\n"; ++ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u); ++ } ++ } ++ } ++ } ++ } ++ } ++ ++} ++ ++sub gen_conflicting_x { ++ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL"); ++} ++ ++sub gen_overlap_re_exact { ++ ++ gen_files("exact", "/bin/cat", "/bin/*", "PASS"); ++} ++ ++# we currently don't 
support this, once supported change to "PASS" ++sub gen_dominate_re_re { ++ gen_files("dominate", "/bin/*", "/bin/**", "FAIL"); ++} ++ ++sub gen_ambiguous_re_re { ++ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL"); ++} + +=== added directory 'parser/tst/simple_tests/generated_x' +=== added file 'parser/tst/simple_tests/generated_x/readme' +--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000 ++++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000 +@@ -0,0 +1,2 @@ ++Directory for auto generated x-transition tests ++ + +=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers' +--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000 ++++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000 +@@ -18,7 +18,7 @@ + /usr/bin/prism PUx, + /usr/bin/rekonq PUx, + /usr/bin/seamonkey PUx, +- /usr/bin/sensible-browser PUxr, ++ /usr/bin/sensible-browser Pixr, + + /usr/bin/chromium-browser PUx, + /usr/lib/chromium-browser/chromium-browser PUx, + +=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email' +--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000 ++++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000 +@@ -15,5 +15,5 @@ + /usr/bin/tkrat PUx, + + /usr/lib/thunderbird/thunderbird PUx, +- /usr/lib/thunderbird-3*/thunderbird PUx, ++ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx, + + +=== modified file 'tests/regression/subdomain/changehat_misc.sh' +--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000 ++++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000 +@@ -64,7 +64,7 @@ + echo "*** A 'Killed' message from bash is expected for the following test" + runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file + +-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL ++# 1. 
ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL + # PROFILE + # 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN + settest changehat_fail + +=== modified file 'tests/regression/subdomain/deleted.c' +--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000 ++++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000 +@@ -90,7 +90,7 @@ + } + + /* test that we can create the file. Not necessarily a (deleted) +- * case but lets use flush out other combinations ++ * case but lets us flush out other combinations. + */ + fd2=creat(argv[2], S_IRUSR | S_IWUSR); + if (fd2 == -1){ + +=== modified file 'tests/regression/subdomain/deleted.sh' +--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000 ++++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000 +@@ -1,7 +1,7 @@ + #! /bin/bash +-# $Id$ +- ++# + # Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2010 Canonical, Ltd + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License as +@@ -10,7 +10,7 @@ + + #=NAME deleted + #=DESCRIPTION +-# Test subdomain is properly working around a kernel in which the kernel ++# Test AppArmor is properly working around a kernel in which the kernel + # appends (deleted) to deleted files verifies that the d_path appending + # (deleted) fix is working + #=END +@@ -24,6 +24,7 @@ + + file=$tmpdir/file + file2="$tmpdir/file (deleted)" ++file3="$tmpdir/unavailable" + okperm=rwl + + subtest=sub +@@ -40,8 +41,8 @@ + # NO CHANGEHAT TEST - doesn't force revalidation + + genprofile $file:$okperm +- + runchecktest "NO CHANGEHAT (access file)" pass nochange $file ++runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3 + + genprofile "$file2":$okperm + runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2" +@@ -49,6 +50,7 @@ + # CHANGEHAT TEST - force revalidation using changehat + genprofile $file:$okperm hat:$subtest 
$file:$okperm + runchecktest "CHANGEHAT (access file)" pass $subtest $file ++runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3 + + genprofile "$file2":$okperm hat:$subtest "$file2":$okperm + runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2" +@@ -115,7 +117,7 @@ + # FAIL - confined client, w access to the file + + genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw +-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file" ++runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file" + + sleep 1 + rm -f ${socket} + +=== modified file 'tests/regression/subdomain/mkprofile.pl' +--- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000 ++++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000 +@@ -5,7 +5,7 @@ + # + # Gawd, I hate writing perl. It shows, too. + # +-my $__VERSION__='$Id$'; ++my $__VERSION__=$0; + + use strict; + use Getopt::Long; + +=== modified file 'tests/regression/subdomain/prologue.inc' +--- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000 ++++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000 +@@ -93,8 +93,10 @@ + + while [ -h ${link} ] + do +- if [ -x /usr/bin/readlink ] ; then +- target=$(/usr/bin/readlink ${link}) ++ if [ -x /usr/bin/readlink ] ; then ++ target=$(/usr/bin/readlink -f ${link}) ++ elif [ -x /bin/readlink ] ; then ++ target=$(/bin/readlink -f ${link}) + else + # I'm sure there's a more perlish way to do this + target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));") + +=== modified file 'tests/regression/subdomain/pwrite.sh' +--- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000 ++++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000 +@@ -27,7 +27,7 @@ + + genprofile $file:$okperm + +-runtestbg "PWRITE with w" pass $file ++runtestbg "PREAD/PWRITE with rw" pass $file + 
+ sleep 2 + + +=== modified file 'tests/regression/subdomain/swap.sh' +--- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000 ++++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000 +@@ -32,7 +32,7 @@ + swap_file=$tmpdir/swapfile + + dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null +-/sbin/mkswap ${swap_file} > /dev/null ++/sbin/mkswap -f ${swap_file} > /dev/null + + # TEST 1. Make sure can enable and disable swap unconfined + + +=== modified file 'tests/regression/subdomain/syscall.sh' +--- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000 ++++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000 +@@ -1,7 +1,7 @@ + #! /bin/bash +-# $Id$ +- ++# + # Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2010 Canonical, Ltd. + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License as +@@ -114,9 +114,9 @@ + runchecktest "MKNOD sock (permissions)" fail s $mknod_file + + ## +-## D. SETHOSTNAME ++## C. SYSCTL + ## +-sh syscall_sysctl.sh ++bash syscall_sysctl.sh + + ## + ## D. SETHOSTNAME + +=== modified file 'tests/regression/subdomain/unix_fd_server.c' +--- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000 ++++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000 +@@ -2,6 +2,7 @@ + + /* + * Copyright (C) 2002-2005 Novell/SUSE ++ * Copyright (C) 2010 Canonical, Ltd. 
+ * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as +@@ -134,6 +135,7 @@ + } + + /* Check for info re: reading the file */ ++ memset(inbound_buffer, 0, sizeof(inbound_buffer)); + if (recv(in_sock, inbound_buffer, 16,0) == -1 ) { + fprintf(stderr, "FAIL - recv %s\n", + strerror(errno)); + +=== modified file 'tests/regression/subdomain/xattrs.sh' +--- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000 ++++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000 +@@ -38,41 +38,59 @@ + + . $bin/prologue.inc + +-file=$tmpdir/testfile +-link=$tmpdir/testlink +-dir=$tmpdir/testdir/ ++tmpmount=$tmpdir/mountpoint ++diskimg=$tmpdir/disk.img ++file=$tmpmount/testfile ++link=$tmpmount/testlink ++dir=$tmpmount/testdir/ + okperm=rw + badperm=r + ++# guarantee fs supports user_xattrs ++dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null ++mkfs.ext3 -q -F ${diskimg} ++mkdir ${tmpmount} ++mount -o loop,user_xattr ${diskimg} ${tmpmount} ++ + touch $file + ln -s $file $link + mkdir $dir + ++add_attrs() ++{ ++ #set the xattr for thos that passed above again so we can test removing it ++ setfattr -h -n security.sdtest -v hello "$1" ++ setfattr -h -n trusted.sdtest -v hello "$1" ++ if [ "$1" != $link ] ; then ++ setfattr -h -n user.sdtest -v hello "$1" ++ fi ++} ++ + for var in $file $link $dir ; do + #write xattr + genprofile $var:$badperm + xattrtest $var $badperm write security fail + #xattrtest $var $badperm write system fail + xattrtest $var $badperm write trusted fail +- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi ++ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi + + genprofile $var:$badperm capability:sys_admin + xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail + #xattrtest $var "$badperm+cap SYS_ADMIN" write system fail + xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail +- if [ $var != 
$link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi ++ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi + + genprofile $var:$okperm + xattrtest $var $okperm write security xpass + #xattrtest $var $okperm write system fail + xattrtest $var $okperm write trusted fail +- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi ++ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi + + genprofile $var:$okperm capability:sys_admin + xattrtest $var "$okperm+cap SYS_ADMIN" write security pass + #xattrtest $var "$okperm+cap SYS_ADMIN" write system pass + xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass +- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi ++ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi + + + #read xattr +@@ -80,13 +98,13 @@ + xattrtest $var $badperm read security pass + #xattrtest $var $badperm read system fail + xattrtest $var $badperm read trusted fail +- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi ++ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi + + genprofile $var:$badperm capability:sys_admin + xattrtest $var "$badperm+cap SYS_ADMIN" read security pass + #xattrtest $var "$badperm+cap SYS_ADMIN" read system pass + xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass +- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi ++ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi + + + #remove xattr +@@ -94,23 +112,25 @@ + xattrtest $var $badperm remove security fail + #xattrtest $var $badperm remove system fail + xattrtest $var $badperm remove trusted fail +- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi ++ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi ++ ++ add_attrs $var + + 
genprofile $var:$badperm capability:sys_admin + xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail + #xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail + xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail +- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi ++ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi ++ ++ add_attrs $var + + genprofile $var:$okperm + xattrtest $var $okperm remove security xpass + #xattrtest $var $okperm remove system fail + xattrtest $var $okperm remove trusted fail +- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi ++ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi + +- #set the xattr for thos that passed above again so we can test removing it +- setfattr -h -n security.sdtest -v hello $var +- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi ++ add_attrs $var + + genprofile $var:$okperm capability:sys_admin + xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass +@@ -120,3 +140,4 @@ + + done + ++umount ${tmpmount} + +=== modified file 'utils/SubDomain.pm' +--- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000 ++++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000 +@@ -2420,7 +2420,7 @@ + my $RE_LOG_v2_1_audit = + qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/; + my $RE_LOG_v2_6_audit = +- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/; ++ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/; + + sub prefetch_next_log_entry { + # if we already have an existing cache entry, something's broken +@@ -6622,10 +6622,14 @@ + LibAppArmor::free_record($event); + + #map new c and d to w as logprof doesn't support them yet +- $rmask =~ s/c/w/g; +- $rmask =~ s/d/w/g; +- $dmask =~ s/c/w/g; +- $dmask =~ s/d/w/g; ++ if ($rmask) { ++ $rmask =~ s/c/w/g; ++ $rmask =~ s/d/w/g; ++ } ++ if ($dmask) { ++ $dmask =~ s/c/w/g; ++ $dmask =~ 
s/d/w/g; ++ } + + if ($rmask && !validate_log_mode(hide_log_mode($rmask))) { + fatal_error(sprintf(gettext('Log contains unknown mode %s.'), + diff --git a/apparmor-2.5.1-dnsmasq-libvirt-profile-fix b/apparmor-2.5.1-dnsmasq-libvirt-profile-fix new file mode 100644 index 0000000..e5ff305 --- /dev/null +++ b/apparmor-2.5.1-dnsmasq-libvirt-profile-fix @@ -0,0 +1,33 @@ +From: Jeff Mahoney +Subject: profiles: Add libvirt pid support to dnsmasq profile +References: bnc#666090 + + libvirt starts up dnsmasq with its pid file in + +Signed-off-by: Jeff Mahoney +--- + + profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/profiles/apparmor.d/usr.sbin.dnsmasq ++++ b/profiles/apparmor.d/usr.sbin.dnsmasq +@@ -8,6 +8,9 @@ + capability setgid, + capability setuid, + capability dac_override, ++ capability net_admin, # for DHCP server ++ capability net_raw, # for DHCP server ping checks ++ network inet raw, + + /etc/dnsmasq.conf r, + /etc/dnsmasq.d/ r, +@@ -19,5 +22,8 @@ + /var/run/dnsmasq/ r, + /var/run/dnsmasq/* rw, + ++ /var/run/libvirt/network/ r, # Required when called by libvirt ++ /var/run/libvirt/network/*.pid rw, # Required when called by libvirt ++ + /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage + } diff --git a/apparmor-2.5.1-fix-parser-use-after-free b/apparmor-2.5.1-fix-parser-use-after-free deleted file mode 100644 index c5110cc..0000000 --- a/apparmor-2.5.1-fix-parser-use-after-free +++ /dev/null 
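Review bot: The `memset(inbound_buffer, 0, sizeof(inbound_buffer))` added before `recv()` in tests/regression/subdomain/unix_fd_server.c only guarantees a NUL terminator when `inbound_buffer` is larger than the 16 bytes the call requests; the array's declaration is outside the hunk, so that cannot be confirmed here. If the array is exactly 16 bytes, a full read leaves no terminator and any later string use of the buffer reads past it. Tying the length to the buffer, `if (recv(in_sock, inbound_buffer, sizeof(inbound_buffer) - 1, 0) == -1) {`, or keeping the returned count and writing `inbound_buffer[n] = '\0'` after the error check, makes termination independent of the array size. A second point in the same patch: tests/regression/subdomain/xattrs.sh now runs `mount -o loop,user_xattr ${diskimg} ${tmpmount}` without checking its result, and the matching `umount ${tmpmount}` only runs after the loop, so a failing or aborted test leaves the loop mount and image behind. The enclosing function in unix_fd_server.c begins and ends outside the hunk.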
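Review bot: `capability net_admin, # for DHCP server` in profiles/apparmor.d/usr.sbin.dnsmasq is the broadest of the three grants this patch adds, and unlike the `net_raw` line its comment does not name the operation that needs it. Because net_admin lets the confined process change interface, routing and firewall state, the profile should record the specific dnsmasq call that fails without it so a later reviewer can judge whether the grant is still required, e.g. `capability net_admin, # for DHCP server: <operation that needs it — confirm against dnsmasq source>`. The `/var/run/libvirt/network/*.pid rw` rule is scoped to pid files only, which is appropriately narrow.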
@@ -1,43 +0,0 @@ -From: Jeff Mahoney -Subject: apparmor: Fix use after free in regexp parser - - There are two cases of use-after-free in the simply_tree_base code. It - worked in the past because there aren't any allocations between the - free and the use, so it was still around. - - With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything), - the freed memory is poisoned. This causes crashes in e.g. apparmor_parser - while parsing certain profiles. - - This patch addresses it by saving a pointer to the node to free after - the node is advanced. - -Signed-off-by: Jeff Mahoney ---- - parser/libapparmor_re/regexp.yy | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - ---- a/parser/libapparmor_re/regexp.yy -+++ b/parser/libapparmor_re/regexp.yy -@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di - Node *i = t->child[!dir]; - for (;dynamic_cast(i); p = i, i = i->child[!dir]) { - if (t->child[dir]->eq(i->child[dir])) { -+ Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; -+ old->release(); - continue; - } - } - // last altnode of chain check other dir as well - if (t->child[dir]->eq(p->child[!dir])) { -+ Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; -+ old->release(); - continue; - } - diff --git a/apparmor-2.5.1-network-fixes b/apparmor-2.5.1-network-fixes new file mode 100644 index 0000000..015b72a --- /dev/null +++ b/apparmor-2.5.1-network-fixes 
@@ -0,0 +1,94 @@ +From: Jeff Mahoney +Subject: apparmor: Fix network event parsing +References: bnc#665483 + + The upstream version of AppArmor had network mediation but it was + removed. There's a compability patch floating around that both openSUSE + and Ubuntu have applied to their kernels. Unfortunately, one part was + overlooked. The socket operation event names where changed from the + socket_ prefixed names they had when AppArmor was out-of-tree and + utils/SubDomain.pm was never updated to understand them. + + This patch adds an operation-type table so that the code can just + do a optype($operation) call to discover what type of operation a + particular name refers to. It then uses this in place of the socket_ + checks to decide whether an event is a network operation. + + This allows genprof and logprof to work with networking rules again. + +Signed-off-by: Jeff Mahoney +--- + utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 46 insertions(+), 2 deletions(-) + +--- a/utils/SubDomain.pm ++++ b/utils/SubDomain.pm +@@ -233,6 +233,50 @@ my %MODE_HASH = ( + N => $AA_EXEC_NT, + ); + ++ ++# Currently only used by netdomain but there's no reason it couldn't ++# be extended to support other types. 
++my %operation_types = ( ++ ++ # Old socket names ++ "socket_create", => "net", ++ "socket_post_create" => "net", ++ "socket_bind" => "net", ++ "socket_connect" => "net", ++ "socket_listen" => "net", ++ "socket_accept" => "net", ++ "socket_sendmsg" => "net", ++ "socket_recvmsg" => "net", ++ "socket_getsockname" => "net", ++ "socket_getpeername" => "net", ++ "socket_getsockopt" => "net", ++ "socket_setsockopt" => "net", ++ "socket_shutdown" => "net", ++ ++ # New socket names ++ "create" => "net", ++ "post_create" => "net", ++ "bind" => "net", ++ "connect" => "net", ++ "listen" => "net", ++ "accept" => "net", ++ "sendmsg" => "net", ++ "recvmsg" => "net", ++ "getsockname" => "net", ++ "getpeername" => "net", ++ "getsockopt" => "net", ++ "setsockopt" => "net", ++ "sock_shutdown" => "net", ++); ++ ++sub optype($) { ++ my $op = shift; ++ my $type = $operation_types{$op}; ++ ++ return "unknown" if !defined($type); ++ return $type; ++} ++ + sub debug ($) { + my $message = shift; + chomp($message); +@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) { + } + $pid{$child} = $arrayref; + push @{$arrayref}, [ "fork", $child, $profile, $hat ]; +- } elsif ($e->{operation} =~ m/socket_/) { ++ } elsif (optype($e->{operation}) eq "net") { + add_to_tree( $e->{pid}, + $e->{parent}, + "netdomain", +@@ -6620,7 +6664,7 @@ sub parse_event($) { + LibAppArmor::aa_log_record::swig_magic_token_get($event); + + # NetDomain +- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) { ++ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) { + $ev{'family'} = + LibAppArmor::aa_log_record::swig_net_family_get($event); + $ev{'protocol'} = diff --git a/apparmor-2.5.1-unconfined-fixes b/apparmor-2.5.1-unconfined-fixes index 57f8030..953d5aa 100644 --- a/apparmor-2.5.1-unconfined-fixes +++ b/apparmor-2.5.1-unconfined-fixes @@ -35,23 +35,3 @@ 
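Review bot: The first entry of `%operation_types`, `"socket_create", => "net",`, has a stray comma before the fat comma; Perl tolerates consecutive commas so the hash still builds, but it should read `"socket_create" => "net",` like the rest of the table. The new-name list ends with `"sock_shutdown" => "net",` while every other new name is the bare operation; if the kernel emits `shutdown` for that event it will fall through to `unknown` and be dropped by both callers of `optype()`, which the table alone cannot confirm. Bare names such as `create`, `bind` and `accept` are now classified as network unconditionally, so if any non-socket operation shares one of those names it will be routed into netdomain; this is an inference from the table, not something the hunk shows. A one-line comment above the table stating where the two name sets come from (the out-of-tree names and the compat-patch names the description mentions) would help the next person extending it.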
Signed-off-by: Jeff Mahoney # just convert new null profile style names to old before we begin processing # profile and name can contain multiple layers of null- but all we care about # currently is single level. -@@ -6625,10 +6632,15 @@ sub parse_event($) { - LibAppArmor::free_record($event); - - #map new c and d to w as logprof doesn't support them yet -- $rmask =~ s/c/w/g; -- $rmask =~ s/d/w/g; -- $dmask =~ s/c/w/g; -- $dmask =~ s/d/w/g; -+ if ($rmask) { -+ $rmask =~ s/c/w/g; -+ $rmask =~ s/d/w/g; -+ } -+ -+ if ($dmask) { -+ $dmask =~ s/c/w/g; -+ $dmask =~ s/d/w/g; -+ } - - if ($rmask && !validate_log_mode(hide_log_mode($rmask))) { - fatal_error(sprintf(gettext('Log contains unknown mode %s.'), diff --git a/apparmor-2.5.1-unified-build b/apparmor-2.5.1-unified-build index 9e4a071..bd4a441 100644 --- a/apparmor-2.5.1-unified-build +++ b/apparmor-2.5.1-unified-build 
@@ -1,4 +1,92 @@ + AUTHORS | 1 + ChangeLog | 1 + INSTALL | 365 + Makefile.am | 2 + NEWS | 1 + README | 1 + changehat/Makefile.am | 1 + changehat/mod_apparmor/Makefile.am | 19 + changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216 + changehat/pam_apparmor/COPYING | 39 + changehat/pam_apparmor/Makefile.am | 9 + changehat/pam_apparmor/pam_apparmor.changes | 49 + changehat/pam_apparmor/pam_apparmor.spec.in | 83 + changehat/tomcat_apparmor/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2 + changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13 + changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11 + changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17 + config.rpath | 666 + configure.in | 220 + deprecated/Makefile.am | 2 + deprecated/management/Makefile.am | 1 + deprecated/management/apparmor-dbus/Makefile.am | 2 + deprecated/management/apparmor-dbus/src/Makefile.am | 3 + deprecated/management/applets/Makefile.am | 1 + deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258 + deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8 + deprecated/management/profile-editor/Makefile.am | 2 + deprecated/management/profile-editor/src/Makefile.am | 6 + deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4 + libraries/Makefile.am | 1 + libraries/libapparmor/AUTHORS | 2 + libraries/libapparmor/ChangeLog | 1 + libraries/libapparmor/INSTALL | 236 + libraries/libapparmor/NEWS | 1 + libraries/libapparmor/README | 1 + libraries/libapparmor/autogen.sh | 42 + libraries/libapparmor/compile | 143 + libraries/libapparmor/config.guess | 1502 - + libraries/libapparmor/config.sub | 1714 - + libraries/libapparmor/configure |13962 ---------- + AUTHORS | 1 + ChangeLog | 1 + INSTALL | 365 + Makefile.am | 2 + 
NEWS | 1 + README | 1 + changehat/Makefile.am | 1 + changehat/mod_apparmor/Makefile.am | 19 + changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216 + changehat/pam_apparmor/COPYING | 39 + changehat/pam_apparmor/Makefile.am | 9 + changehat/pam_apparmor/pam_apparmor.changes | 49 + changehat/pam_apparmor/pam_apparmor.spec.in | 83 + changehat/tomcat_apparmor/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2 + changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13 + changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11 + changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17 + config.rpath | 666 + configure.in | 220 + deprecated/Makefile.am | 2 + deprecated/management/Makefile.am | 1 + deprecated/management/apparmor-dbus/Makefile.am | 2 + deprecated/management/apparmor-dbus/src/Makefile.am | 3 + deprecated/management/applets/Makefile.am | 1 + deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258 + deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8 + deprecated/management/profile-editor/Makefile.am | 2 + deprecated/management/profile-editor/src/Makefile.am | 6 + deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4 + libraries/Makefile.am | 1 + libraries/libapparmor/AUTHORS | 2 + libraries/libapparmor/ChangeLog | 1 + libraries/libapparmor/INSTALL | 236 + libraries/libapparmor/NEWS | 1 + libraries/libapparmor/README | 1 + libraries/libapparmor/autogen.sh | 42 + libraries/libapparmor/compile | 143 + libraries/libapparmor/config.guess | 1502 - + libraries/libapparmor/config.sub | 1714 - + libraries/libapparmor/configure |13962 ---------- AUTHORS | 1 ChangeLog | 1 INSTALL | 365 
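Review bot: The diffstat preamble of apparmor-2.5.1-unified-build is added twice in this hunk: the 44 entries from `AUTHORS | 1` to `libraries/libapparmor/configure |13962 ----------` appear as two consecutive `+` runs ahead of the original context copy, so the file now opens with three copies of the same list. `patch` ignores text before the first `---` header, so nothing breaks, but the duplication looks like the stat regeneration was run twice and it makes the `81 files changed` summary further down hard to reconcile with the listed entries. Regenerate the preamble once so the list appears a single time.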
@@ -64,8 +152,8 @@ m4/wxwidgets.m4 | 37 parser/Makefile.am | 81 parser/libapparmor_re/Makefile.am | 4 - parser/libapparmor_re/regexp.y | 2800 -- - parser/libapparmor_re/regexp.yy | 2800 ++ + parser/libapparmor_re/regexp.y | 2802 -- + parser/libapparmor_re/regexp.yy | 2802 ++ parser/parser_alias.c | 1 parser/parser_main.c | 3 parser/parser_policy.c | 1 @@ -80,7 +168,7 @@ utils/Makefile.PL | 15 utils/Makefile.am | 39 utils/po/Makefile | 8 - 81 files changed, 4902 insertions(+), 22094 deletions(-) + 81 files changed, 4904 insertions(+), 22096 deletions(-) --- /dev/null +++ b/AUTHORS @@ -21585,7 +21673,7 @@ +libapparmor_re_la_SOURCES = regexp.yy --- a/parser/libapparmor_re/regexp.y +++ /dev/null -@@ -1,2800 +0,0 @@ +@@ -1,2802 +0,0 @@ -/* - * regexp.y -- Regular Expression Matcher Generator - * (C) 2006, 2007 Andreas Gruenbacher @@ -22308,17 +22396,19 @@ - Node *i = t->child[!dir]; - for (;dynamic_cast(i); p = i, i = i->child[!dir]) { - if (t->child[dir]->eq(i->child[dir])) { +- Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; +- old->release(); - continue; - } - } - // last altnode of chain check other dir as well - if (t->child[dir]->eq(p->child[!dir])) { +- Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; +- old->release(); - continue; - } - 
@@ -24169,9 +24259,9 @@ -#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) -MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; -DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; --#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) --MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ --ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ +-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ +-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ +-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/ - -extern "C" void aare_reset_matchflags(void) -{ @@ -24232,8 +24322,8 @@ - flip_tree(tree); - - --/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ --#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) +-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ +-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) - -//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) -// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); @@ -24388,7 +24478,7 @@ -} --- /dev/null +++ b/parser/libapparmor_re/regexp.yy -@@ -0,0 +1,2800 @@ +@@ -0,0 +1,2802 @@ +/* + * regexp.y -- Regular Expression Matcher Generator + * (C) 2006, 2007 Andreas Gruenbacher 
@@ -25111,17 +25201,19 @@ + Node *i = t->child[!dir]; + for (;dynamic_cast(i); p = i, i = i->child[!dir]) { + if (t->child[dir]->eq(i->child[dir])) { ++ Node *old = t; + t->child[!dir]->dup(); -+ t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + } + // last altnode of chain check other dir as well + if (t->child[dir]->eq(p->child[!dir])) { ++ Node *old = t; + t->child[!dir]->dup(); -+ t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + @@ -26972,9 +27064,9 @@ +#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) +MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; +DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; -+#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) -+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ -+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ ++#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ ++MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ ++ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/ + +extern "C" void aare_reset_matchflags(void) +{ @@ -27035,8 +27127,8 @@ + flip_tree(tree); + + -+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ -+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) ++/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ ++#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) + +//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) +// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); diff --git a/apparmor-no-caching-test b/apparmor-no-caching-test index 8b6fac9..3c910df 100644 --- a/apparmor-no-caching-test +++ b/apparmor-no-caching-test @@ -7,9 +7,9 @@ 
@@ -12,7 +12,7 @@ endif all: tests - .PHONY: tests error_output parser_sanity caching --tests: error_output parser_sanity caching -+tests: error_output parser_sanity + .PHONY: tests error_output gen_xtrans parser_sanity caching +-tests: error_output gen_xtrans parser_sanity caching ++tests: error_output gen_xtrans parser_sanity - error_output: $(PARSER) - $(PARSER) -S -I errors >/dev/null errors/okay.sd + gen_xtrans: + perl ./gen-xtrans.pl diff --git a/apparmor-utils-inherit-flags-during-profile-generation b/apparmor-utils-inherit-flags-during-profile-generation new file mode 100644 index 0000000..2d9b830 --- /dev/null +++ b/apparmor-utils-inherit-flags-during-profile-generation 
@@ -0,0 +1,58 @@
+From: Jeff Mahoney
+Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
+References: bnc#496204
+
+ When creating profiles with cx subprofiles, genprof will set the
+ sub-profile in enforce mode. When genprof cycles multiple times, it
+ prohibits the sub-profile from working correctly.
+
+ e.g.
+
+ # Last Modified: Mon Jan 24 13:52:26 2011
+ #include
+
+ /home/jeffm/mycat flags=(complain) {
+ #include
+ #include
+ #include
+
+ /bin/bash ix,
+ /bin/cat cx,
+ /home/jeffm/mycat r,
+
+ profile /bin/cat {
+ #include
+
+ /bin/cat r,
+ /home/jeffm/mycat r,
+
+ }
+ }
+
+ This patch allows sub-profiles to inherit the flags from the parent
+ profile, which allows it to be created in complain mode (if appropriate).
+ The temporary complain flags are cleaned up at genprof completion as
+ expected.
+
+ This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
+
+Signed-off-by: Jeff Mahoney
+---
+ utils/SubDomain.pm | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/utils/SubDomain.pm
++++ b/utils/SubDomain.pm
+@@ -2337,6 +2337,12 @@ sub handlechildren {
+ # we have seen more than a declaration so clear it
+ $sd{$profile}{$hat}{'declared'} = 0;
+ $sd{$profile}{$hat}{profile} = 1;
++
++ # Otherwise sub-profiles end up getting
++ # put in enforce mode with genprof
++ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
++
++ $sd{$profile}{$hat}{flags} = 'complain';
+ $sd{$profile}{$hat}{allow}{path} = { };
+ $sd{$profile}{$hat}{allow}{netdomain} = { };
+ my $file = $sd{$profile}{$profile}(unknown);
diff --git a/apparmor-utils-support-newer-auditd-formatted-messages b/apparmor-utils-support-newer-auditd-formatted-messages
deleted file mode 100644
index 8e523a0..0000000
--- a/apparmor-utils-support-newer-auditd-formatted-messages
+++ /dev/null
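Review bot: The inherited-flags assignment in the SubDomain.pm hunk is dead as printed: `$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;` is immediately overwritten by the unconditional `$sd{$profile}{$hat}{flags} = 'complain';` on the next added line, so every sub-profile ends up in complain mode whatever the parent's flags are, which is not the "(if appropriate)" behaviour the description promises. If forcing complain during generation is the intent (relying on the cleanup at genprof completion mentioned above), the inherit line should go and the comment should say so, e.g. `# genprof always starts child profiles in complain mode; the flag is cleared when generation completes`; if inheritance is the intent, the second assignment should be dropped or made the fallback for an unset parent flag. Either way the current form leaves a non-enforcing sub-profile behind if the cleanup step is ever skipped, so the intended semantics deserve to be explicit. The enclosing `sub handlechildren` starts and ends outside the hunk.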
@@ -1,24 +0,0 @@
-From: Steve Beattie
-Subject: apparmor-utils: Support newer auditd formatted messages.
-
- Patch from mancha on irc.
-
- This is lp:apparmor/2.5 commit r1444.
-
-Acked-By: Steve Beattie
-Acked-by: Jeff Mahoney
----
- utils/SubDomain.pm | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/utils/SubDomain.pm
-+++ b/utils/SubDomain.pm
-@@ -2420,7 +2420,7 @@
- my $RE_LOG_v2_1_audit =
- qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
- my $RE_LOG_v2_6_audit =
-- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
-+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
-
- sub prefetch_next_log_entry {
- # if we already have an existing cache entry, something's broken
diff --git a/apparmor.changes b/apparmor.changes
index 15cae81..ef0178b 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de + +- Inherit flags in sub-profiles when generating profiles (bnc#496204). + +------------------------------------------------------------------- +Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de + +- Stop treating profiles shipped with the package as config files. + - /etc/apparmor.d will still be treated specially. +- Add support for parsing network operation events (bnc#665483) + +------------------------------------------------------------------- +Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de + +- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1. + +------------------------------------------------------------------- +Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de + +- Update to apparmor-2.5 r1445. + - Includes 3 of the fixes below. + - Several testsuite fixes. + - Update for Thunderbird profile. + +------------------------------------------------------------------- +Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de + +- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090) + ------------------------------------------------------------------- Tue Jan 18 10:51:33 UTC 2011 - coolo@novell.com diff --git a/apparmor.spec b/apparmor.spec index ba48e18..02350ff 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -32,6 +32,9 @@ %define JAR_FILE changeHatValve.jar %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) +%define srcversion 2.5.1 +%define bzr_commit r1445 + Name: apparmor %if ! %{?distro:1}0 %if %{?suse_version:1}0 
@@ -45,14 +48,14 @@ Name: apparmor %define distro suse %endif Summary: AppArmor userlevel parser utility -Version: 2.5.1 -Release: 2 +Version: %{srcversion}.%{bzr_commit} +Release: 46 Group: Productivity/Networking/Security -Source0: apparmor-%{version}.tar.bz2 +Source0: apparmor-%{srcversion}.tar.bz2 Source1: %{name}-profile-editor.png Source2: %{name}-profile-editor.desktop Source3: update-trans.sh -Patch: testsuite-build-fix +Patch: apparmor-2.5-%{bzr_commit} Patch1: pam-apparmor-include Patch2: mod_apparmor-includes Patch3: tomcat-build-fixes @@ -81,12 +84,15 @@ Patch25: apparmor-2.5.1-ntpd-proc-fixes Patch26: apparmor-2.5.1-edirectory-profile Patch27: apparmor-2.5.1-firefox-proc-fix Patch28: apparmor-2.5.1-unconfined-fixes -Patch29: apparmor-2.5.1-fix-parser-use-after-free +Patch29: apparmor-utils-inherit-flags-during-profile-generation Patch30: apparmor-2.5.1-ldapclient-profile -Patch31: apparmor-utils-support-newer-auditd-formatted-messages -Patch32: fix-two-x-transition-conflict-bugs +#Patch31: +#Patch32: Patch33: apparmor-2.5.1-ntpd-sys_nice Patch34: apparmor-2.5.1-ssl-fix +Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix +Patch36: klog-needs-CAP_SYSLOG +Patch37: apparmor-2.5.1-network-fixes License: GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: https://launchpad.net/apparmor @@ -157,6 +163,7 @@ Provides: subdomain-parser-demo = %{version} Provides: subdomain-parser-common = %{version} Provides: subdomain-leaf-cert = %{version} Provides: libimnxcert = %{version} +Provides: apparmor-parser(CAP_SYSLOG) %description parser The AppArmor Parser is a userlevel program that is used to load in @@ -311,6 +318,7 @@ Summary: AppArmor profiles that are loaded into the apparmor kernel modul Group: Productivity/Security Obsoletes: subdomain-profiles < %{version} Provides: subdomain-profiles = %{version} +Requires: apparmor-parser(CAP_SYSLOG) %description profiles Base profiles. AppArmor is a file and network mandatory access control 
@@ -453,7 +461,7 @@ SubDomain. %endif %prep -%setup -q +%setup -q -n %{name}-%{srcversion} %patch -p1 %patch1 -p1 %patch2 -p1 @@ -485,10 +493,11 @@ SubDomain. %patch28 -p1 %patch29 -p1 %patch30 -p1 -%patch31 -p1 -%patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 %build export SUSE_ASNEEDED=0 @@ -658,7 +667,7 @@ fi %files profiles %defattr(-,root,root) %attr(644, root, root) %config(noreplace) %{profiles_dir}/* -%attr(644, root, root) %config(noreplace) %{extras_dir}/* +%attr(644, root, root) %{extras_dir}/* %dir %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor/ %dir %{_sysconfdir}/apparmor/profiles diff --git a/fix-two-x-transition-conflict-bugs b/fix-two-x-transition-conflict-bugs deleted file mode 100644 index f48afed..0000000 --- a/fix-two-x-transition-conflict-bugs +++ /dev/null 
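Review bot: The `%files profiles` hunk drops `%config(noreplace)` from `%attr(644, root, root) %{extras_dir}/*` without any in-spec explanation, so on upgrade RPM will now silently replace any locally edited file in that directory instead of leaving it in place. The changelog entry above says this is deliberate ("stop treating profiles shipped with the package as config files"), but a reader of the spec cannot see that, and if `%{extras_dir}` resolves under `%{_sysconfdir}` (the neighbouring `%dir %{_sysconfdir}/apparmor/profiles` suggests it may) an admin would reasonably expect config semantics; a one-line comment such as `# extras are reference profiles, not admin-edited config: replaced on upgrade` would make the policy visible where it applies. Separately, the `#Patch31:`/`#Patch32:` placeholders in the `@@ -81,12 +84,15 @@` hunk keep dead numbers in the patch list; a short comment saying the two fixes are now carried by `apparmor-2.5-%{bzr_commit}` would explain the gap better than empty commented tags.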
@@ -1,277 +0,0 @@ -From: John Johansen -Subject: Fix two x transition conflict bugs. -References: bnc#662928 lpn#693082 - -This is lp:apparmor/2.5 commit r1443. - -The is_merged_x_consistend macro was incorrect in that is tested for -USER_EXEC_TYPE to determine if there was an x transition. This fails -for unconfined execs so an unconfined exec would not correctly conflict -with another exec type. - -The dfa match flag table for xtransitions was not large enough and not -indexed properly for pux, and cux transitions. The index calculation did -not take into account the pux flag so that pux and px aliased to the same -location and cux and cx aliased to the same location. - -This would result in the first rule being processed defining what the -transition type was for all following rules of the type following. So -if a px transition was processed first all pux, transitions in the profile -would be treated pux. - -Signed-off-by: John Johansen -Acked-By: Steve Beattie - -Add auto generation of xtransition conflict tests - -All the combiniation of xtransition conflics where not well represented in -the regression test suite. Instead of relying on multiple static test -files, automatically generate all possible conflicts. 
- -Signed-off-by: John Johansen -Acked-By: Steve Beattie -Acked-by: Jeff Mahoney -diff: -=== modified file 'parser/immunix.h' - parser/immunix.h | 4 - parser/libapparmor_re/regexp.yy | 10 - - parser/tst/Makefile | 10 + - parser/tst/gen-xtrans.pl | 152 +++++++++++++++++++++++++++++ - parser/tst/simple_tests/generated_x/readme | 2 - 5 files changed, 169 insertions(+), 9 deletions(-) - ---- a/parser/immunix.h 2009-08-20 15:41:10 +0000 -+++ b/parser/immunix.h 2011-01-07 20:46:15 +0000 -@@ -148,12 +148,12 @@ - #include - static inline int is_merged_x_consistent(int a, int b) - { -- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) && -+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) && - ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE))) - { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b); - return 0; - } -- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) && -+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) && - ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE))) - { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b); - return 0; - -=== modified file 'parser/libapparmor_re/regexp.yy' ---- a/parser/libapparmor_re/regexp.yy 2010-07-24 14:16:14 +0000 -+++ b/parser/libapparmor_re/regexp.yy 2011-01-07 20:46:15 +0000 -@@ -2581,9 +2581,9 @@ - #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) - MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; - DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; --#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) --MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ --ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ -+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ -+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ -+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* 
mods + unsafe + ix + pux *u::o*/ - - extern "C" void aare_reset_matchflags(void) - { -@@ -2644,8 +2644,8 @@ - flip_tree(tree); - - --/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ --#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) -+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ -+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) - - //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) - // fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); - -=== modified file 'parser/tst/Makefile' ---- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000 -+++ b/parser/tst/Makefile 2011-01-07 20:46:15 +0000 -@@ -11,8 +11,11 @@ - - all: tests - --.PHONY: tests error_output parser_sanity caching --tests: error_output parser_sanity -+.PHONY: tests error_output gen_xtrans parser_sanity caching -+tests: error_output gen_xtrans parser_sanity -+ -+gen_xtrans: -+ perl ./gen-xtrans.pl - - error_output: $(PARSER) - $(PARSER) -S -I errors >/dev/null errors/okay.sd -@@ -34,3 +37,6 @@ - - $(PARSER): - make -C $(PARSER_DIR) $(PARSER_BIN) -+ -+clean: -+ rm -f simple_tests/generated_x/* - -=== added file 'parser/tst/gen-xtrans.pl' ---- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000 -+++ b/parser/tst/gen-xtrans.pl 2011-01-07 20:46:15 +0000 -@@ -0,0 +1,152 @@ -+#!/usr/bin/perl -+ -+use strict; -+use Locale::gettext; -+use POSIX; -+ -+setlocale(LC_MESSAGES, ""); -+ -+my $prefix="simple_tests/generated_x"; -+ -+my @trans_types = ("p", "P", "c", "C", "u", "i"); -+my @modifiers = ("i", "u"); -+my %trans_modifiers = ( -+ "p" => \@modifiers, -+ "P" => \@modifiers, -+ "c" => \@modifiers, -+ "C" => \@modifiers, -+ ); -+ -+my @targets = ("", "target", "target2"); -+my @null_target = (""); -+ -+my %named_trans = ( -+ "p" => \@targets, -+ "P" => \@targets, -+ "c" => \@targets, -+ "C" => \@targets, -+ "u" => \@null_target, -+ "i" => \@null_target, -+ ); -+ -+# audit qualifier 
disabled for now it really shouldn't affect the conflict -+# test but it may be worth checking every once in awhile -+#my @qualifiers = ("", "owner", "audit", "audit owner"); -+my @qualifiers = ("", "owner"); -+ -+my $count = 0; -+ -+gen_conflicting_x(); -+gen_overlap_re_exact(); -+gen_dominate_re_re(); -+gen_ambiguous_re_re(); -+ -+print "Generated $count xtransition interaction tests\n"; -+ -+sub gen_list { -+ my @output; -+ foreach my $trans (@trans_types) { -+ if ($trans_modifiers{$trans}) { -+ foreach my $mod (@{$trans_modifiers{$trans}}) { -+ push @output, "${trans}${mod}x"; -+ } -+ } -+ push @output, "${trans}x"; -+ } -+ return @output; -+} -+ -+sub print_rule($$$$) { -+ my ($file, $name, $perm, $target) = @_; -+ print $file "\t${name} ${perm}"; -+ if ($target ne "") { -+ print $file " -> $target"; -+ } -+ print $file ",\n"; -+} -+ -+sub gen_file($$$$$$$$) { -+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_; -+ -+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n"; -+ -+ my $file; -+ unless (open $file, ">$name") { -+ print("couldn't open $name\n"); -+ exit 1; -+ } -+ -+ print $file "#\n"; -+ print $file "#=DESCRIPTION ${name}\n"; -+ print $file "#=EXRESULT ${xres}\n"; -+ print $file "#\n"; -+ print $file "/usr/bin/foo {\n"; -+ print_rule($file, $rule1, $perm1, $target1); -+ print_rule($file, $rule2, $perm2, $target2); -+ print $file "}"; -+ close($file); -+ -+ $count++; -+} -+ -+#NOTE: currently we don't do px to cx, or cx to px conversion -+# so -+# /foo { -+# /* px -> /foo//bar, -+# /* cx -> bar, -+# -+# will conflict -+# -+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords -+# It is assumed that there are extra tests to verify 1 to 1 coorispondance -+sub gen_files($$$$) { -+ my ($name, $rule1, $rule2, $default) = @_; -+ -+ my @perms = gen_list(); -+ -+# print "@perms\n"; -+ -+ foreach my $i (@perms) { -+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) { -+ foreach my $q (@qualifiers) { 
-+ foreach my $j (@perms) { -+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) { -+ foreach my $r (@qualifiers) { -+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd"; -+# print "$file\n"; -+ -+ #override failures when transitions are the same -+ my $xres = ${default}; -+ if ($i eq $j && $t eq $u) { -+ $xres = "PASS"; -+ } -+ -+ -+# print "foo $xres $rule1 $i $t $rule2 $j $u\n"; -+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u); -+ } -+ } -+ } -+ } -+ } -+ } -+ -+} -+ -+sub gen_conflicting_x { -+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL"); -+} -+ -+sub gen_overlap_re_exact { -+ -+ gen_files("exact", "/bin/cat", "/bin/*", "PASS"); -+} -+ -+# we currently don't support this, once supported change to "PASS" -+sub gen_dominate_re_re { -+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL"); -+} -+ -+sub gen_ambiguous_re_re { -+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL"); -+} - -=== added directory 'parser/tst/simple_tests/generated_x' -=== added file 'parser/tst/simple_tests/generated_x/readme' ---- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000 -+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-07 20:46:15 +0000 -@@ -0,0 +1,2 @@ -+Directory for auto generated x-transition tests -+ diff --git a/klog-needs-CAP_SYSLOG b/klog-needs-CAP_SYSLOG new file mode 100644 index 0000000..ddbd6c1 --- /dev/null +++ b/klog-needs-CAP_SYSLOG 
@@ -0,0 +1,35 @@
+---
+ parser/parser_misc.c | 4 ++++
+ profiles/apparmor.d/sbin.klogd | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/parser/parser_misc.c
++++ b/parser/parser_misc.c
+@@ -122,6 +122,9 @@ static int get_table_token(const char *n
+ static struct keyword_table capability_table[] = {
+ /* capabilities */
+ #include "cap_names.h"
++#ifndef CAP_SYSLOG
++ {"syslog", 34},
++#endif
+ /* terminate */
+ {NULL, 0}
+ };
+@@ -820,6 +823,7 @@ static const char *capnames[] = {
+ "audit_control",
+ "setfcap",
+ "mac_override"
++ "syslog",
+ };
+
+ const char *capability_to_name(unsigned int cap)
+--- a/profiles/apparmor.d/sbin.klogd
++++ b/profiles/apparmor.d/sbin.klogd
+@@ -15,6 +15,7 @@
+ #include
+
+ capability sys_admin,
++ capability syslog,
+
+ network inet stream,
+
diff --git a/testsuite-build-fix b/testsuite-build-fix
deleted file mode 100644
index 1ed8507..0000000
--- a/testsuite-build-fix
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Jeff Mahoney
-Subject: testsuite: Fix linking with shared in-tree libapparmor
-
- This patch stops the static linking with libapparmor and uses the
- shared library instead. Before it's installed, it'll have the in-tree
- rpath and the testsuite will work as expected.
-
-Signed-off-by: Jeff Mahoney
---
- libraries/libapparmor/testsuite/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/libraries/libapparmor/testsuite/Makefile.am
-+++ b/libraries/libapparmor/testsuite/Makefile.am
-@@ -12,7 +12,7 @@ noinst_PROGRAMS = test_multi.multi
- test_multi_multi_SOURCES = test_multi.c
- test_multi_multi_CFLAGS = $(CFLAGS) -Wall
- test_multi_multi_LDFLAGS = $(LDFLAGS)
--test_multi_multi_LDADD = ../src/.libs/libapparmor.a
-+test_multi_multi_LDADD = -L../src/.libs -lapparmor
-
- clean-local:
- rm -f tmp.err.* tmp.out.* site.exp site.bak
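Review bot: The `capnames[]` hunk adds `"syslog",` directly after the existing `"mac_override"`, which has no trailing comma, so the two adjacent literals are concatenated by the compiler into one entry `"mac_overridesyslog"`: the array gains no new element, `capability_to_name()` would return the wrong string for the mac_override index and still has nothing at the syslog index. The fix is to terminate the previous entry, `"mac_override",` then `"syslog",`, and leaving a trailing comma on the last entry avoids the same trap for the next addition. The `#ifndef CAP_SYSLOG` fallback `{"syslog", 34},` in `capability_table[]` hard-codes the kernel's capability number for builds against headers that predate it (the changelog ties this to kernels >= 2.6.38-rc1); a comment such as `/* CAP_SYSLOG fallback for pre-2.6.38 headers; must match the kernel's value */` would make that dependency visible, and a `_Static_assert` or build-time check against `cap_names.h` would catch a future mismatch. Both `capability_table[]` and `capnames[]` are only partially visible in the hunk.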