[apparmor] [patch][parser] disable downgrade and not enforced rule messages by default

John Johansen john.johansen at canonical.com
Wed Oct 8 10:32:06 UTC 2014


On 10/07/2014 03:38 PM, Steve Beattie wrote:
> On Tue, Oct 07, 2014 at 04:00:34AM -0700, John Johansen wrote:
>> Currently the apparmor parser warns about rules that are not enforced or
>> downgraded. This is a problem for distros that are not carrying the out of
>> tree kernel patches, as most profile loads result in warnings.
>>
>> Change the behavior to not output a message unless a warn flag is passed.
>> This patch adds 2 different warn flags
>>   --warn rule-downgraded		# warn if a rule is downgraded
>>   --warn rule-not-enforced		# warn if a rule is not enforced at all
>>
>> If the warnings are desired by default the flags can be set in the
>> parser.conf file.
> 
> Code mostly looks good; a couple of issues:
> 
>   1) needs man page update.
>   2) the --help=warn is useful, but --warn needs to be part of the main
>      usage statement:
> 

v2.
- update man page
- add --warn to usage statement
- make --quiet clear warn flags

Currently the apparmor parser warns about rules that are not enforced or
downgraded. This is a problem for distros that are not carrying the out-of-tree
kernel patches, as most profile loads result in warnings.

Change the behavior to not output a message unless a warn flag is passed.
This patch adds 2 different warn flags
  --warn rule-downgraded		# warn if a rule is downgraded
  --warn rule-not-enforced		# warn if a rule is not enforced at all

If the warnings are desired by default the flags can be set in the
parser.conf file.

Signed-off-by: John Johansen <john.johansen at canonical.com>

---

=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc	2014-09-22 16:34:32 +0000
+++ parser/af_unix.cc	2014-10-06 21:40:59 +0000
@@ -176,7 +176,8 @@
 
 static void warn_once(const char *name)
 {
-	warn_once(name, "extended network unix socket rules not enforced");
+	if (warnflags & WARN_RULE_NOT_ENFORCED)
+		warn_once(name, "extended network unix socket rules not enforced");
 }
 
 static void writeu16(std::ostringstream &o, int v)
@@ -321,7 +322,8 @@
 		if (kernel_supports_network) {
 			/* only warn if we are building against a kernel
 			 * that requires downgrading */
-			warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
+			if (warnflags & WARN_RULE_DOWNGRADED)
+				warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
 			/* TODO: add ability to abort instead of downgrade */
 			return RULE_OK;
 		}
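Review bot: The guarded call on the new line changes a downgrade from a reported event into a silent one, and a downgrade is not the same class of event as "not enforced": the extended unix socket rule is replaced by a broader generic network rule, so the loaded policy no longer matches what the profile text says, and with WARN_RULE_DOWNGRADED clear there is no signal of that at all. The comment above the call still reads "only warn if we are building against a kernel that requires downgrading", which is now only half the condition; I would reword it to `/* downgrade is silent unless --warn rule-downgraded is given; see TODO below about aborting instead */` so the next reader does not assume a warning is still emitted. The existing TODO about aborting instead of downgrading becomes more relevant once the message is opt-in, so it is worth keeping it next to the flag check rather than after it. The enclosing function starts and ends outside the hunk.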

=== modified file 'parser/apparmor_parser.pod'
--- parser/apparmor_parser.pod	2014-09-23 21:33:54 +0000
+++ parser/apparmor_parser.pod	2014-10-08 10:28:33 +0000
@@ -239,6 +239,16 @@
 
 Report on the profiles as they are loaded, and show warnings.
 
+=item --warn=n
+
+Enable various warnings during policy compilation. A single dump flag
+can be specified per --warn option, but the --warn flag can be passed
+multiple times.
+
+  apparmor_parser --warn=rules-not-enforced ...
+
+Use --help=warn to see a full list of which warn flags are supported.
+
 =item -d, --debug
 
 Given once, only checks the profiles to ensure syntactic correctness.

=== modified file 'parser/dbus.cc'
--- parser/dbus.cc	2014-08-24 06:50:43 +0000
+++ parser/dbus.cc	2014-10-06 21:36:59 +0000
@@ -194,7 +194,7 @@
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;
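Review bot: The new condition `(warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name` is now replicated verbatim here and in the mount.cc, ptrace.cc and signal.cc hunks, each in front of an identical once-per-profile `cerr` block, so four places must stay in sync whenever the warn-flag policy changes (for example if a "downgraded" variant is ever added to these rule types). A single shared helper, e.g. `warn_once_not_enforced(const char *name, const char *what)` that owns the flag test and the `warned_name` bookkeeping, would make the af_unix.cc wrapper the only site that knows about WARN_RULE_NOT_ENFORCED. The `warned_name != name` test compares pointers rather than profile names, which predates this patch but is worth a comment such as `/* pointer identity: suppresses repeats for the same profile object only */` now that the condition is being touched. The enclosing function's signature is above the hunk and its body continues below it.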

=== modified file 'parser/mount.cc'
--- parser/mount.cc	2014-10-02 19:58:54 +0000
+++ parser/mount.cc	2014-10-06 21:37:31 +0000
@@ -558,7 +558,7 @@
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;

=== modified file 'parser/parser.h'
--- parser/parser.h	2014-10-02 19:58:54 +0000
+++ parser/parser.h	2014-10-07 10:36:05 +0000
@@ -47,6 +47,13 @@
  */
 extern int parser_token;
 
+
+#define WARN_RULE_NOT_ENFORCED	1
+#define WARN_RULE_DOWNGRADED	2
+
+extern dfaflags_t warnflags;
+
+
 typedef enum pattern_t pattern_t;
 
 struct prefixes {
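Review bot: `warnflags` is declared with the DFA control type `dfaflags_t` although its bits are the new WARN_* values, which have no relation to DFA_CONTROL_*; presumably this is so `handle_flag_table()` can be reused for parsing, but nothing on the declaration says so, and a reader seeing `dfaflags_t` could reasonably OR a DFA_CONTROL_* value into it. A short comment on the extern would remove the ambiguity: `/* bitmask of WARN_* values (not DFA_CONTROL_*); typed dfaflags_t only so the optflag_table_t helpers can parse it */`. The two defines would also read better as one line each documenting the effect, e.g. `#define WARN_RULE_NOT_ENFORCED 1 /* report rules the running kernel will not enforce */`, since the table in parser_main.c is the only place their meaning is currently stated.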

=== modified file 'parser/parser_common.c'
--- parser/parser_common.c	2014-09-03 20:22:26 +0000
+++ parser/parser_common.c	2014-10-07 10:35:20 +0000
@@ -80,6 +80,7 @@
 int option = OPTION_ADD;
 
 dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_DIFF_ENCODE);
+dfaflags_t warnflags = 0;
 
 char *subdomainbase = NULL;
 const char *progname = __FILE__;

=== modified file 'parser/parser_interface.c'
--- parser/parser_interface.c	2014-08-30 00:40:30 +0000
+++ parser/parser_interface.c	2014-10-06 21:38:05 +0000
@@ -442,7 +442,7 @@
 			sd_write_uint16(buf, profile->net.deny[i] & profile->net.quiet[i]);
 		}
 		sd_write_arrayend(buf);
-	} else if (profile->net.allow)
+	} else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED))
 		pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
 	if (profile->policy.dfa) {

=== modified file 'parser/parser_main.c'
--- parser/parser_main.c	2014-10-02 19:58:54 +0000
+++ parser/parser_main.c	2014-10-08 10:23:55 +0000
@@ -127,6 +127,7 @@
 	{"preprocess",		0, 0, 'p'},
 	{"abort-on-error",	0, 0, 132},	/* no short option */
 	{"skip-bad-cache-rebuild",	0, 0, 133},	/* no short option */
+	{"warn",		1, 0, 134},	/* no short option */
 	{NULL, 0, 0, 0},
 };
 
@@ -178,9 +179,25 @@
 	       "-h [cmd], --help[=cmd]  Display this text or info about cmd\n"
 	       "--abort-on-error	Abort processing of profiles on first error\n"
 	       "--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel\n"
-	       ,command);
-}
-
+	       "--warn n		Enable warnings (see --help=warn)\n"
+	       ,command);
+}
+
+optflag_table_t warnflag_table[] = {
+	{ 0, "rule-not-enforced", "warn if a rule is not enforced", WARN_RULE_NOT_ENFORCED },
+	{ 0, "rule-downgraded", "warn if a rule is downgraded to a lesser but still enforcing rule", WARN_RULE_DOWNGRADED },
+	{ 0, NULL, NULL, 0 },
+};
+
+void display_warn(const char *command)
+{
+	display_version();
+	printf("\n%s: --warn [Option]\n\n"
+	       "Options:\n"
+	       "--------\n"
+	       ,command);
+	print_flag_table(warnflag_table);
+}
 
 /* Treat conf file like options passed on command line
  */
@@ -285,6 +302,8 @@
 			   strcmp(optarg, "optimize") == 0 ||
 			   strcmp(optarg, "O") == 0) {
 			display_optimize(progname);
+		} else if (strcmp(optarg, "warn") == 0) {
+			display_warn(progname);
 		} else {
 			PERROR("%s: Invalid --help option %s\n",
 			       progname, optarg);
@@ -384,6 +403,7 @@
 	case 'q':
 		conf_verbose = 0;
 		conf_quiet = 1;
+		warnflags = 0;
 		break;
 	case 'v':
 		conf_verbose = 1;
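Review bot: Adding `warnflags = 0;` under `case 'q'` makes the result order-dependent: `--warn rule-downgraded -q` ends with no warnings while `-q --warn rule-downgraded` ends with the warning enabled, and since parser.conf is processed as if its options preceded the command line (per the comment above the conf handling), a `--warn` placed in parser.conf is discarded by any later `-q` on the command line. If that is the intended precedence it deserves a comment such as `/* -q discards any --warn flags seen so far (parser.conf included); a later --warn re-enables them */`; if not, checking `conf_quiet` at the point the warning is emitted would make `-q` win regardless of position. The switch is only partially visible, so I cannot tell whether `-v` or other options also interact with warnflags.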
@@ -435,6 +455,14 @@
 		preprocess_only = 1;
 		skip_mode_force = 1;
 		break;
+	case 134:
+		if (!handle_flag_table(warnflag_table, optarg,
+				       &warnflags)) {
+			PERROR("%s: Invalid --warn option %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		break;
 	default:
 		display_usage(progname);
 		exit(1);

=== modified file 'parser/ptrace.cc'
--- parser/ptrace.cc	2014-05-09 22:34:34 +0000
+++ parser/ptrace.cc	2014-10-06 21:36:38 +0000
@@ -105,7 +105,7 @@
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;

=== modified file 'parser/signal.cc'
--- parser/signal.cc	2014-05-09 22:34:34 +0000
+++ parser/signal.cc	2014-10-06 21:36:14 +0000
@@ -241,7 +241,7 @@
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;




More information about the AppArmor mailing list