~tyhicks/apparmor/for-jj : changes

~tyhicks/apparmor/for-jj » Changes from revision 2619

From Revision 2619 to 2600

Rev	Summary	Authors	Date
2619	parser: Don't write the stream's address to the rule buffer parser: Don't write the stream's address to the rule buffer The writeu16() function was returning the address of the passed in std::ostringstream and then the callers of that function were incorrectly writing that address to the rule buffer. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>	Tyler Hicks	9 years ago
2618	parser: Adjust writeu16() to output escaped byte sequences parser: Adjust writeu16() to output escaped byte sequences The writeu16() function was outputting unescaped byte sequences to the rule buffer. That resulted the generation of in an incomplete rule if one of those unescaped byte sequences contained 0x00. This patch uses u8 pointers, instead of char pointers, when writing out the big endian u16 value. More importantly, it casts the u8 values to unsigned ints, which is what's needed to get the properly escaped byte sequences. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>	Tyler Hicks	9 years ago
2617	parser: initialize perms in unix_rule constructor parser: initialize perms in unix_rule constructor On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johansen@canonical.com wrote: > +unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): > + af_rule("unix"), path(NULL), peer_path(NULL) > +{ > + if (type_p != 0xffffffff) { > + sock_type_n = type_p; > + sock_type = strdup(net_find_type_name(type_p)); > + if (!sock_type) > + yyerror("socket rule: invalid socket type '%d'", type_p); > + } > + mode = AA_VALID_NET_PERMS; > + audit = audit_p ? AA_VALID_NET_PERMS : 0; > + deny = denied; > +} This unix_rule constructor sets audit and deny (so they do not to be initialized); yet > +unix_rule::unix_rule(int mode_p, struct cond_entry conds, > + struct cond_entry peer_conds): > + af_rule("unix"), path(NULL), peer_path(NULL) > +{ > + move_conditionals(conds); > + move_peer_conditionals(peer_conds); > + > + if (mode_p) { > + mode = mode_p; > + if (mode & ~AA_VALID_NET_PERMS) > + yyerror("mode contains invalid permissions for unix socket rules\n"); > + else if ((mode & AA_NET_BIND) && > + ((mode & AA_PEER_NET_PERMS) \|\| has_peer_conds())) > + /* Do we want to loosen this? / > + yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n"); > + else if ((mode & AA_NET_LISTEN) && > + ((mode & AA_PEER_NET_PERMS) \|\| has_peer_conds())) > + / Do we want to loosen this? / > + yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n"); > + else if ((mode & AA_NET_ACCEPT) && > + ((mode & AA_PEER_NET_PERMS) \|\| has_peer_conds())) > + / Do we want to loosen this? */ > + yyerror("unix socket 'accept' access cannot be used with message rule conditionals\n"); > + } else { > + mode = AA_VALID_NET_PERMS; > + } > + > + free_cond_list(conds); > + free_cond_list(peer_conds); this unix_rule constructor does not. The following patch fixes the issue. Signed-off-by: Steve Beattie <steve@nxnw.org>	Steve Beattie	9 years ago
2616	parser: Fix AF_UNIX stub rule creation parser: Fix AF_UNIX stub rule creation The patch titled "parser: Add support for unix domain socket rules." modified the code the creates the stub rules for rule types that the parser supports. It added new stub rules for extended network and AF_UNIX rule types but it also changed the stub rules for all existing rule types. That change causes the kernel to not enforce some rule types. This patch fixes the stub rule creation so that existing rule types continue to be enforced, as well as AF_UNIX rule types when the parser and kernel both support them. Here's the DFA states generated before applying the patch mentioned above: $ echo "/t { /f r, }" \| ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ Here are the DFA states generated after applying the patch mentioned above: $ echo "/t { /f r, }" \| ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {4} (0x 4/0/0/0) {1} -> {2}: 0x0 {1} -> {3}: 0x34 4 {2} -> {4}: 0x2 {2} -> {4}: 0x4 {2} -> {4}: 0x7 {2} -> {4}: 0x9 {2} -> {4}: 0xa {2} -> {4}: 0x20 \ {3} -> {4}: 0x31 1 Here are DFA states generated after applying this patch: $ echo "/t { /f r, }" \| ./apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {3} (0x 10004/0/0/0) {1} -> {2}: 0x2f / {2} -> {3}: 0x66 f {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {1} -> {2}: 0x2 {1} -> {2}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {3}: 0x34 4 {3} -> {4}: 0x0 {4} -> {2}: 0x31 1 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>	Tyler Hicks	9 years ago
2615	map the net permission set into a form compatible with the o... map the net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Signed-off-by: John Johansen <john.johansen@canonical.com>	john.johansen@canoni...	9 years ago
2614	split accept perm processing from rule parsing split accept perm processing from rule parsing Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>	john.johansen@canoni...	9 years ago
2613	Refactor add_new_state into two version, one that splits ano... Refactor add_new_state into two version, one that splits anodes from nnodes, and one for use when anodes and nnodes are presplit Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> === modified file 'parser/libapparmor_re/hfa.cc'	john.johansen@canoni...	9 years ago
2612	Refactor the process_work_queue code into its own fn Refactor the process_work_queue code into its own fn Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> === modified file 'parser/libapparmor_re/hfa.cc'	john.johansen@canoni...	9 years ago
2611	Refactor accept nodes to be common to a shared node type Refactor accept nodes to be common to a shared node type The shared node type will be used in the future to add new capabilities Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> === modified file 'parser/libapparmor_re/expr-tree.h'	john.johansen@canoni...	9 years ago
2610	Refactor rule accumulation to use some helper functions Refactor rule accumulation to use some helper functions Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>	john.johansen@canoni...	9 years ago
2609	Move nodeset caching into expr-tree.h Move nodeset caching into expr-tree.h We need to rework permission type mapping to nodesets, which means we need to move the nodeset computations earlier in the dfa creation processes, instead of a post step of follow(), so move the nodeset into expr-tree Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>	john.johansen@canoni...	9 years ago
2608	Fix segfault in af_unix rule processing Fix segfault in af_unix rule processing This patch fixes a segfault that was occurring in testing over the weekend. The problem existed in the original patch that adds af_unix rules (patch 06), but this patch applies at the end of the sequence after the conversion from 'path' to 'addr' occurs, to simplify things a bit. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com>	john.johansen@canoni...	9 years ago
2607	And this version actually implements it. Le sigh. But hurrah... And this version actually implements it. Le sigh. But hurrah for having testcases so that it was possible to discover that this was the case.	Steve Beattie	9 years ago
2606	This is the patch Im testing on top of patch 6 locally to ad... This is the patch Im testing on top of patch 6 locally to address these Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com>	john.johansen@canoni...	9 years ago
2605	parser: Add support for unix domain socket rules. parser: Add support for unix domain socket rules. This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. the unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' \| 'deny' ] <access expr> = ( <access> \| <access list> ) <access> = ( 'server' \| 'create' \| 'bind' \| 'listen' \| 'accept' \| 'connect' \| 'shutdown' \| 'getattr' \| 'setattr' \| 'getopt' \| 'setopt' \| 'send' \| 'receive' \| 'r' \| 'w' \| 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> \| <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> \| '(' ( '"' <AARE> '"' \| <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> \| '(' ( '"' <AARE> '"' \| <AARE> )+ ')' ) ???? hrmmm not an in list so should be an alternation for multiple <local expr> = ( <path cond> \| <attr cond> \| <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> \| <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> \| '(' '"' <AARE> '"' \| <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> \| '(' '"' <AARE> '"' \| <AARE> ')' ) <attr cond> = 'attr' '=' ( <AARE> \| '(' '"' <AARE> '"' \| <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> \| '(' '"' <AARE> '"' \| <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. ??? should we do this as if fine grained is present use it and then fallback to broader rules ???? probably.	john.johansen@canoni...	9 years ago
2604	fix build dependencies from .c to .cc fix build dependencies from .c to .cc Signed-off-by: John Johansen <john.johansen@canonical.com>	john.johansen@canoni...	9 years ago
2603	fix: [patch 05/12] Make the af type protocol mappings availa... fix: [patch 05/12] Make the af type protocol mappings available for use before the af type protocol mappings patch was applied, a single rule could result in multiple rule entries being created. The af type protocol mappings patch broke this by apply only the first of the mappings that could be found. Restore the previous behavior by search through the entire table until all matches have been made. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>	John Johansen	9 years ago
2602	Fix the value being set in nt_name when allowed path exist Fix the value being set in nt_name when allowed path exist The patch: - sets nt_name to the path, if it is allowed. Acked-by: Christian Boltz <apparmor@cboltz.de> (acked on IRC based on a link to the ML archive[1]) [1] https://lists.ubuntu.com/archives/apparmor/2014-August/006194.html	Kshitij Gupta	9 years ago
2601	aa.py / ask_the_question() - simplify duplicate option preve... aa.py / ask_the_question() - simplify duplicate option prevention add a add_to_options() helper function to aa.py which - adds newpath to options if it's not already there - returns the updated options and the index of newpath This removes duplicated code for CMD_GLOB and CMD_GLOBEXT in ask_the_question() It also adds duplicate prevention to CMD_NEW. Acked-by: Kshitij Gupta <kgupta8592@gmail.com>	Christian Boltz	9 years ago
2600	better error message in aa.py when reaching EOF unexpectedly better error message in aa.py when reaching EOF unexpectedly When reaching EOF while still in a profile (syntax-wise), there are two possible reasons: - missing "}" - missing "," in the last rule (which means that, thanks to multiline rule handling, the "}" is considered to be part of the last rule) This patch improves the error message in aa.py to cover a missing "," Acked-by: Kshitij Gupta <kgupta8592@gmail.com>.	Christian Boltz	9 years ago

Older »