[apparmor] [patch][parser] disable downgrade and not enforced rule messages by default

Steve Beattie steve at nxnw.org
Tue Oct 7 22:38:15 UTC 2014


On Tue, Oct 07, 2014 at 04:00:34AM -0700, John Johansen wrote:
> Currently the apparmor parser warns about rules that are not enforced or
> downgraded. This is a problem for distros that are not carrying the out of
> tree kernel patches, as most profile loads result in warnings.
> 
> Change the behavior to not output a message unless a warn flag is passed.
> This patch adds 2 different warn flags
>   --warn rule-downgraded		# warn if a rule is downgraded
>   --warn rule-not-enforced		# warn if a rule is not enforced at all
> 
> If the warnings are desired by default the flags can be set in the
> parser.conf file.

Code mostly looks good; a couple of issues:

  1) needs man page update.
  2) the --help=warn is useful, but --warn needs to be part of the main
     usage statement:

	$ ./apparmor_parser --help 2>&1 | grep -i warn
	-q, --quiet             Don't emit warnings
	$ ./apparmor_parser --help=warn
	AppArmor parser version 2.8.97
	Copyright (C) 1999-2008 Novell Inc.
	Copyright 2009-2012 Canonical Ltd.

	./apparmor_parser: --warn [Option]

	Options:
	--------
	     rule-not-enforced  warn if a rule is not enforced
	     rule-downgraded    warn if a rule is downgraded to a lesser but still enforcing rule

Thanks

> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc	2014-09-22 16:34:32 +0000
> +++ parser/af_unix.cc	2014-10-06 21:40:59 +0000
> @@ -176,7 +176,8 @@
>  
>  static void warn_once(const char *name)
>  {
> -	warn_once(name, "extended network unix socket rules not enforced");
> +	if (warnflags & WARN_RULE_NOT_ENFORCED)
> +		warn_once(name, "extended network unix socket rules not enforced");
>  }
>  
>  static void writeu16(std::ostringstream &o, int v)
> @@ -321,7 +322,8 @@
>  		if (kernel_supports_network) {
>  			/* only warn if we are building against a kernel
>  			 * that requires downgrading */
> -			warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
> +			if (warnflags & WARN_RULE_DOWNGRADED)
> +				warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
>  			/* TODO: add ability to abort instead of downgrade */
>  			return RULE_OK;
>  		}
> 
> === modified file 'parser/dbus.cc'
> --- parser/dbus.cc	2014-08-24 06:50:43 +0000
> +++ parser/dbus.cc	2014-10-06 21:36:59 +0000
> @@ -194,7 +194,7 @@
>  {
>  	static const char *warned_name = NULL;
>  
> -	if (warned_name != name) {
> +	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
>  		cerr << "Warning from profile " << name << " (";
>  		if (current_filename)
>  			cerr << current_filename;
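Review bot: The same `(warnflags & WARN_RULE_NOT_ENFORCED) &&` guard is added to four apparently identical file-local warn_once helpers (this one in dbus.cc, and the ones in mount.cc, ptrace.cc and signal.cc), so the gating policy now lives in four places. A single shared helper that takes the message and applies the warnflags check once would keep them from drifting; af_unix.cc already calls a two-argument `warn_once(name, msg)`, which may be the natural home for it, though its definition is not visible here. The function's signature and the rest of its body lie outside the hunk.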
> 
> === modified file 'parser/mount.cc'
> --- parser/mount.cc	2014-10-02 19:58:54 +0000
> +++ parser/mount.cc	2014-10-06 21:37:31 +0000
> @@ -558,7 +558,7 @@
>  {
>  	static const char *warned_name = NULL;
>  
> -	if (warned_name != name) {
> +	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
>  		cerr << "Warning from profile " << name << " (";
>  		if (current_filename)
>  			cerr << current_filename;
> 
> === modified file 'parser/parser.h'
> --- parser/parser.h	2014-10-02 19:58:54 +0000
> +++ parser/parser.h	2014-10-07 10:36:05 +0000
> @@ -47,6 +47,13 @@
>   */
>  extern int parser_token;
>  
> +
> +#define WARN_RULE_NOT_ENFORCED	1
> +#define WARN_RULE_DOWNGRADED	2
> +
> +extern dfaflags_t warnflags;
> +
> +
>  typedef enum pattern_t pattern_t;
>  
>  struct prefixes {
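Review bot: The two new WARN_RULE_* macros and the `warnflags` extern carry no comment saying what they are or how they are set, and a reader of parser.h cannot tell why a warning bitmask is typed as `dfaflags_t`. Add a short comment above them, e.g. `/* bits of warnflags, selected with --warn (warnflag_table in parser_main.c); dfaflags_t is reused so handle_flag_table() can fill it */`, hedging the last clause if handle_flag_table's signature is different from what the parser_main.c hunk suggests. Since the values are a bitmask, naming them as an enum would also make their relationship explicit.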
> 
> === modified file 'parser/parser_common.c'
> --- parser/parser_common.c	2014-09-03 20:22:26 +0000
> +++ parser/parser_common.c	2014-10-07 10:35:20 +0000
> @@ -80,6 +80,7 @@
>  int option = OPTION_ADD;
>  
>  dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_DIFF_ENCODE);
> +dfaflags_t warnflags = 0;
>  
>  char *subdomainbase = NULL;
>  const char *progname = __FILE__;
> 
> === modified file 'parser/parser_interface.c'
> --- parser/parser_interface.c	2014-08-30 00:40:30 +0000
> +++ parser/parser_interface.c	2014-10-06 21:38:05 +0000
> @@ -442,7 +442,7 @@
>  			sd_write_uint16(buf, profile->net.deny[i] & profile->net.quiet[i]);
>  		}
>  		sd_write_arrayend(buf);
> -	} else if (profile->net.allow)
> +	} else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED))
>  		pwarn(_("profile %s network rules not enforced\n"), profile->name);
>  
>  	if (profile->policy.dfa) {
> 
> === modified file 'parser/parser_main.c'
> --- parser/parser_main.c	2014-10-02 19:58:54 +0000
> +++ parser/parser_main.c	2014-10-07 10:54:41 +0000
> @@ -127,6 +127,7 @@
>  	{"preprocess",		0, 0, 'p'},
>  	{"abort-on-error",	0, 0, 132},	/* no short option */
>  	{"skip-bad-cache-rebuild",	0, 0, 133},	/* no short option */
> +	{"warn",		1, 0, 134},	/* no short option */
>  	{NULL, 0, 0, 0},
>  };
>  
> @@ -181,6 +182,21 @@
>  	       ,command);
>  }
>  
> +optflag_table_t warnflag_table[] = {
> +	{ 0, "rule-not-enforced", "warn if a rule is not enforced", WARN_RULE_NOT_ENFORCED },
> +	{ 0, "rule-downgraded", "warn if a rule is downgraded to a lesser but still enforcing rule", WARN_RULE_DOWNGRADED },
> +	{ 0, NULL, NULL, 0 },
> +};
> +
> +void display_warn(const char *command)
> +{
> +	display_version();
> +	printf("\n%s: --warn [Option]\n\n"
> +	       "Options:\n"
> +	       "--------\n"
> +	       ,command);
> +	print_flag_table(warnflag_table);
> +}
>  
>  /* Treat conf file like options passed on command line
>   */
> @@ -285,6 +301,8 @@
>  			   strcmp(optarg, "optimize") == 0 ||
>  			   strcmp(optarg, "O") == 0) {
>  			display_optimize(progname);
> +		} else if (strcmp(optarg, "warn") == 0) {
> +			display_warn(progname);
>  		} else {
>  			PERROR("%s: Invalid --help option %s\n",
>  			       progname, optarg);
> @@ -435,6 +453,14 @@
>  		preprocess_only = 1;
>  		skip_mode_force = 1;
>  		break;
> +	case 134:
> +		if (!handle_flag_table(warnflag_table, optarg,
> +				       &warnflags)) {
> +			PERROR("%s: Invalid --warn option %s\n",
> +			       progname, optarg);
> +			exit(1);
> +		}
> +		break;
>  	default:
>  		display_usage(progname);
>  		exit(1);
> 
> === modified file 'parser/ptrace.cc'
> --- parser/ptrace.cc	2014-05-09 22:34:34 +0000
> +++ parser/ptrace.cc	2014-10-06 21:36:38 +0000
> @@ -105,7 +105,7 @@
>  {
>  	static const char *warned_name = NULL;
>  
> -	if (warned_name != name) {
> +	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
>  		cerr << "Warning from profile " << name << " (";
>  		if (current_filename)
>  			cerr << current_filename;
> 
> === modified file 'parser/signal.cc'
> --- parser/signal.cc	2014-05-09 22:34:34 +0000
> +++ parser/signal.cc	2014-10-06 21:36:14 +0000
> @@ -241,7 +241,7 @@
>  {
>  	static const char *warned_name = NULL;
>  
> -	if (warned_name != name) {
> +	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
>  		cerr << "Warning from profile " << name << " (";
>  		if (current_filename)
>  			cerr << current_filename;
> 
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

