------------------------------------------------------------
revno: 1962
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:38:24 -0800
message:
  tag apparmor 2.8 beta1 release as 2.7.99
------------------------------------------------------------
revno: 1961
tags: apparmor_2.7.99
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:29:08 -0800
message:
  Update current mount tests to reflect how they should behave with mount rules

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1960
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:21:59 -0800
message:
  Update the copyright dates for the apparmor_parser

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1959
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:20:46 -0800
message:
  Fix hexdigit conversion in the pcre parser

  The pcre parser in the dfa backend is not correctly converting escaped
  hex string like
    \0x0d

  This is the minimal patch to fix, and we should investigate just using
  the C/C++ conversion routines here.

  I also nominated for the 2.7 series.

  Signed-off-by: John Johansen
  Acked-by: Seth Arnold
------------------------------------------------------------
revno: 1958
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:19:38 -0800
message:
  Add mount rules

  Add the ability to control mounting and unmounting

  The basic form of the rules are.

    [audit] [deny] mount [conds]* [device] [ -> [conds] path],
    [audit] [deny] remount [conds]* [path],
    [audit] [deny] umount [conds]* [path],
    [audit] [deny] pivotroot [oldroot=] ->

    remount is just a short cut for mount options=remount

  where [conds] can be
    fstype=
    options=

  conds follow the extended conditional syntax of allowing either:

  * a single value after the equals, which has the same character range as
    regular IDS (ie most anything but it can't be terminated with a , (comma)
    and if spaces or other characters are needed it can be quoted

    eg.
      options=foo
      options = foo
      options="foo bar"

  * a list of values after the equals, the list of values is enclosed within
    parenthesis () and it has a slightly reduced character set but again
    elements can be quoted.

    the separation between elements is whitespace and commas.

    eg.
      options=(foo bar)
      options=(foo, bar)
      options=(foo , bar)
      options=(foo,bar)

  The rules are flexible and follow a similar pattern as network, capability,
  etc.

    mount,                        # allow all mounts, but not umount or pivotroot
    mount fstype=procfs,          # allow mounting procfs anywhere
    mount options=(bind, ro) /foo -> /bar,  # readonly bind mount
    mount /dev/sda -> /mnt,
    mount /dev/sd** -> /mnt/**,
    mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
    umount,
    umount /m*,

  Currently variables and regexs are supported on the device and mount
  point. ie.
    mount -> ,

  Regexes are supported in fstype and options. The options have a further
  caveat that regexs only work if the option is fs specific option.

    eg. options=(upperdir=/tmp/*,lowerdir=/)

  regex's will not currently work against the standard options like ro, rw
  nosuid

  Conditionals (fstype) can only be applied to the device (source) at this
  time and will be disregarded in situations where the mount is manipulating
  an existing mount (bind, remount).

  Options can be specified multiple times
    mount option=rw option=(nosuid,upperdir=/foo),

  and will be combined together into a single set of values

  The ordering of the standard mount options (rw,ro, ...) does not matter
  but the ordering of fs specific options does.

  Specifying that the value of a particular option does not matter can be
  achieved by providing both the positive and negative forms of an option
    option=(rw,ro) options=(suid,nosuid)

  For the fs specific options specifying that a particular value does not
  matter is achieved using a regex with alternations.

  Improvements to the syntax and order restrictions are planned for the
  future.

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1957
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:18:45 -0800
message:
  Generate the features list from the features directory

  Newer versions of AppArmor use a features directory instead of a file
  update the parser to use this to determine features and match string

  This is just a first pass at this to get things up quickly. A much more
  comprehensive rework that can parse and use the full information set is
  needed.

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1956
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:17:19 -0800
message:
  Extend the information dumped by -D rule-exprs to include permissions

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1955
committer: John Johansen
branch nick: apparmor
timestamp: Fri 2012-02-24 04:14:00 -0800
message:
  Default profiles to be chroot relative

  Due to changes in path looks and the work going forward default profiles
  to resolve relative to the chroot instead of the namespace.

  This will only affect profiles that are used on tasks within a chroot.
  For now it will be possible to get the old default namespace relative
  behavior by passing the namespace_relative flag to the profile

  eg.
    profile /example (namespace_relative) { .. }

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1954
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:17:41 -0800
message:
  Add const to yyerror parameter to get rid of compile warning

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1953
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:16:18 -0800
message:
  Add missing ifdefs in parser.h

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1952
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:14:46 -0800
message:
  Add Basic infrastructure support for the policydb

  policydb is the new matching format, that combines the matching portions
  of different rules into a single dfa/hfa. This patch only lays some ground
  work it does not add encoding of any rules into the policydb

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1951
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:07:28 -0800
message:
  Make value_list generic so it can be reused.

  value_list can be reused by conditionals and list values, so pull it out
  and abstract it some more.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1950
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:06:04 -0800
message:
  Allow the 'file' keyword to be optionally used on file rules.

  Add the optional 'file' keyword to the language/grammar. The main reason
  for doing this is to support false token injection.
  Which is needed to move towards the parser being broken out into an api
  that can be used to parse individual rule types, separate from parsing
  the whole file.

  Since we are adding the token to the grammar expose it to userspace with
  the 'file' keyword. While not needed it helps bring consistency, as all
  the other rule types start with a keyword (capability, network, rlimit,
  ...).

  Also allow the bare keyword to be used to represent allowing all file
  operations, just as with network and capability. Domain transitions are
  defaulted to ix. Thus

    file,

  is equivalent to

    /** rwlkmix,

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1949
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:04:04 -0800
message:
  Remove setting of capabilities from the syntax

  The ability to set capabilities from a profile has been removed from the
  kernel for several releases. Remove it from the parser as well.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1948
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 08:01:47 -0800
message:
  Make expressing all capabilities easier

  Allow the capability rule to be bare to represent all capabilities similar
  to how network, and other rule types work.

    capability,

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1947
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:59:23 -0800
message:
  Enable the parser to pass the next token to be returned to the lexer

  Currently the parser can not directly influence the lexer output. This
  limits the grammar and also how the parser can be invoked. Allow the
  parser to pass the next TOKEN that the lexer will return.

  This has two uses:
  It allows us to trick the bison parser into having multiple start symbols,
  allowing us to say invoke the parser on an individual network or file rule.

  It also allows the semantic analysis of the parser to change the language
  recognized. This can be leveraged to overcome some of the limitation of
  bison's LALR parse generator.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1946
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:56:53 -0800
message:
  Require matched mode strings to terminate

  mode strings overlap with other potential commands, or strings, and as
  currently written can be matched as a leading substring of an ID.
  Eliminate the leading substring case by requiring that for a mode string
  to be recognized it must be terminated by whitespace, eol, eof, or
  comma (end of rule).

  The other cases where modes string overlap are ambiguous and the ID should
  be quoted to remove the ambiguity.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1945
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:53:04 -0800
message:
  Instead of using a special flags= token and keyword use TOK_CONDID

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1944
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:51:33 -0800
message:
  Add generic support extended conditional syntax

  extended conditionals use a syntax of
    cond=value
    cond=(value1 value2)
    cond=(value1,value2)

  where the comma is optional and supported as such because the flags
  syntax used them

  The mount patch extends, and improves on this patch, the changes probably
  should have been separated out but ...

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1943
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:49:12 -0800
message:
  Convert FLAGS_MODE start condition to a generic list of values start cond

  Signed-off-by: John Johansen
  jj@ortho:~/apparmor/aa-test/parser$ guilt header
  Convert FLAGS_MODE start condition to a generic list of values start cond

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1942
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:46:43 -0800
message:
  Rework the definition of ID and POST_VAR_ID to use a define for the charset

  ID and POST_VAR_ID define a set of characters that is reused, pull this
  out to avoid making mistakes when updating the character set.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1941
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:43:02 -0800
message:
  Make second minimization pass optional

  The removal of deny information is a one way operation, that can result
  in a smaller dfa, but also results in a dfa that should not be used in
  future operations because the deny rules from the precomputed dfa would
  not get applied.

  For now default filtering out of deny information to off, as it takes
  extra time and seldom results in further state reduction.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1940
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:41:40 -0800
message:
  Track full permission set through all stages of DFA construction.

  Previously permission information was thrown away early and permissions
  were packed to their CHFA form at the start of DFA construction.
  Because of this permissions hashing to setup the initial DFA partitions
  was required as x transition conflicts, etc. could not be resolved.

  Move the mapping of permissions to CHFA construction, and track the full
  permission set through DFA construction. This allows removal of the
  perm_hashing hack, which prevented a full minimization from happening
  in some DFAs. It also could result in x conflicts not being correctly
  detected, and deny rules not being fully applied in some situations.

  Eg.
   pre full minimization
   Created dfa: states 33451
   Minimized dfa: final partitions 17033

   with full minimization
   Created dfa: states 33451
   Minimized dfa: final partitions 9550
   Dfa minimization no states removed: partitions 9550

  The tracking of deny rules through to the completed DFA construction
  creates a new class of states. That is states that are marked as being
  accepting (carry permission information) but in fact are non-accepting as
  they only carry deny information. We add a second minimization pass
  where such states have their permission information cleared and are thus
  moved into the non-accepting partition.

  Signed-off-by: John Johansen
  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1939
committer: John Johansen
branch nick: apparmor
timestamp: Thu 2012-02-16 07:40:21 -0800
message:
  Track deny and quiet perms during DFA construction

  Delay the packing of audit and quiet permissions until chfa construction,
  and track deny and quiet perms during DFA construction, so that we will
  be able to do full minimization. Also delay the packing of audit and

  Signed-off-by: John Johansen
------------------------------------------------------------
revno: 1938
committer: Steve Beattie
branch nick: master
timestamp: Wed 2012-02-15 16:34:03 -0800
message:
  Two patches in one:

  From: Kees Cook

  This is a trivial manpage fix that makes pod2man stop yelling at me.

  Acked-By: Steve Beattie

  From: Steve Beattie

  This patch adds --stderr to pod2man to make it report errors, as well
  as fixes a few other minor text issues I noticed.

  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1937
committer: Christian Boltz
branch nick: apparmor
timestamp: Wed 2012-02-15 23:44:39 +0100
message:
  update apparmor.vim to support "capability," (which allows all
  capabilities). The rule will be marked in the "dangerous capability"
  color.

  Additionally, the patch removes the (already commented out) code for
  "set capability".

  Acked-by: Kees Cook
------------------------------------------------------------
revno: 1936
committer: Christian Boltz
branch nick: apparmor
timestamp: Mon 2012-02-13 10:50:37 +0100
message:
  Add the missing k permission for /etc/.pwd.lock to the userdel profile.

  Acked-By: Steve Beattie
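
The extended conditional syntax described in revno 1944 and revno 1958, as an added Python example that is not AppArmor code and not the apparmor_parser lexer: it approximates the described value forms with regular expressions, folds `remount` into `mount options=remount`, merges repeated conditionals, and reports standard options given in both forms. The names `parse_rule` and `dont_care` are hypothetical.

```python
import re

# Added illustration: approximates the syntax described in the commit
# messages with regular expressions; it is not the apparmor_parser lexer.
RULE = re.compile(r"(?:audit\s+)?(?:deny\s+)?(mount|remount|umount|pivotroot)\b")
COND = re.compile(r'''
    (?P<name>[A-Za-z_]+)\s*=\s*
    (?: \((?P<list>[^()]*)\)        # cond=(v1 v2) or cond=(v1,v2)
      | "(?P<quoted>[^"]*)"         # cond="foo bar"
      | (?P<bare>[^\s,()"]+) )      # cond=foo, ends at whitespace or comma
''', re.VERBOSE)
ELEM = re.compile(r'"([^"]*)"|([^\s,"]+)')    # list elements, quoted or bare
# Positive/negative pairs named in the message; both present = "don't care".
PAIRS = [("rw", "ro"), ("suid", "nosuid")]


def parse_rule(rule):
    """Return (keyword, {cond: [values, first-seen order]}) for one rule."""
    body = re.sub(r"\s#.*$", "", rule).strip()      # drop trailing comment
    m = RULE.match(body)
    if not m:
        raise ValueError("not a mount-family rule: %r" % rule)
    keyword, conds = m.group(1), {}
    if keyword == "remount":            # shortcut for: mount options=remount
        keyword, conds = "mount", {"options": ["remount"]}
    for c in COND.finditer(body, m.end()):
        if c.group("list") is not None:
            values = [q or b for q, b in ELEM.findall(c.group("list"))]
        elif c.group("quoted") is not None:
            values = [c.group("quoted")]
        else:
            values = [c.group("bare")]
        merged = conds.setdefault(c.group("name"), [])
        for v in values:                # repeated conds combine into one set
            if v not in merged:         # order kept: it matters for fs options
                merged.append(v)
    return keyword, conds


def dont_care(conds):
    """Standard options given in both forms, i.e. either value is accepted."""
    opts = conds.get("options", []) + conds.get("option", [])
    return [p for p in PAIRS if p[0] in opts and p[1] in opts]


if __name__ == "__main__":
    # Rule text taken from the revno 1958 message.
    print(parse_rule("mount option=rw option=(nosuid,upperdir=/foo),"))
```

A bare rule such as `mount,` parses to an empty conditional set, which makes the rules that allow every mount easy to pick out when reviewing a profile.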