Currently the apparmor parser warns about rules that are not enforced or
are downgraded. This is a problem for distros that are not carrying the
out-of-tree kernel patches, as most profile loads then result in warnings.

Change the behavior to not output a message unless a warn flag is passed.
This patch adds 2 different warn flags
  --warn rule-downgraded                # warn if a rule is downgraded
  --warn rule-not-enforced              # warn if a rule is not enforced at all

If the warnings are desired by default the flags can be set in the
parser.conf file.

---

=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc   2014-09-22 16:34:32 +0000
+++ parser/af_unix.cc   2014-10-06 21:40:59 +0000
@@ -176,7 +176,8 @@
 
 static void warn_once(const char *name)
 {
-       warn_once(name, "extended network unix socket rules not enforced");
+       if (warnflags & WARN_RULE_NOT_ENFORCED)
+               warn_once(name, "extended network unix socket rules not 
enforced");
 }
 
 static void writeu16(std::ostringstream &o, int v)
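Review bot: The `warnflags & WARN_RULE_NOT_ENFORCED` test is now repeated at every warning site rather than owned by one helper: this one-argument `warn_once`, the `else if` in parser_interface.c, and the `warn_once` bodies in dbus.cc, mount.cc, ptrace.cc and signal.cc, so the next change to how warnings are gated needs six matching edits. A single shared helper, e.g. `static inline bool warn_enabled(dfaflags_t flag) { return (warnflags & flag) != 0; }` in parser.h, would let each site read `if (warn_enabled(WARN_RULE_NOT_ENFORCED))` and keep the gating in one place. The two-argument `warn_once` overload called here is outside the hunk, so whether it still prints unconditionally (which this wrapper relies on) cannot be confirmed from the diff.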
@@ -321,7 +322,8 @@
                if (kernel_supports_network) {
                        /* only warn if we are building against a kernel
                         * that requires downgrading */
-                       warn_once(prof.name, "downgrading extended network unix 
socket rule to generic network rule\n");
+                       if (warnflags & WARN_RULE_DOWNGRADED)
+                               warn_once(prof.name, "downgrading extended 
network unix socket rule to generic network rule\n");
                        /* TODO: add ability to abort instead of downgrade */
                        return RULE_OK;
                }
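Review bot: The comment above the added check still says "only warn if we are building against a kernel that requires downgrading", but the warning is now additionally conditional on `--warn rule-downgraded`, and the default is to downgrade silently; it should say so, e.g. `/* only warn if we are building against a kernel that requires downgrading and --warn rule-downgraded was given */`. Since a silent downgrade replaces a specific unix-socket rule with a broader generic network rule, the existing TODO about aborting instead of downgrading is now the only build-time signal a policy author could get, so keeping that TODO next to the flag check is worth it. The enclosing function starts before this hunk and continues after it.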

=== modified file 'parser/dbus.cc'
--- parser/dbus.cc      2014-08-24 06:50:43 +0000
+++ parser/dbus.cc      2014-10-06 21:36:59 +0000
@@ -194,7 +194,7 @@
 {
        static const char *warned_name = NULL;
 
-       if (warned_name != name) {
+       if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
                cerr << "Warning from profile " << name << " (";
                if (current_filename)
                        cerr << current_filename;
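Review bot: The identical one-line change is made in mount.cc, ptrace.cc and signal.cc, each of which keeps its own copy of this `warned_name` / `cerr` block; now that the flag check lives inside each copy too, a shared `warn_rule_not_enforced(const char *name, const char *msg)` helper that all four files call would remove the duplication and keep the gating consistent. Assuming `warned_name` is only assigned inside the branch (below the hunk), the suppressed case leaves it untouched, so enabling the flag later in the same run still warns once per profile as before. The enclosing function's signature is above the hunk and its body continues below it.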

=== modified file 'parser/mount.cc'
--- parser/mount.cc     2014-10-02 19:58:54 +0000
+++ parser/mount.cc     2014-10-06 21:37:31 +0000
@@ -558,7 +558,7 @@
 {
        static const char *warned_name = NULL;
 
-       if (warned_name != name) {
+       if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
                cerr << "Warning from profile " << name << " (";
                if (current_filename)
                        cerr << current_filename;

=== modified file 'parser/parser.h'
--- parser/parser.h     2014-10-02 19:58:54 +0000
+++ parser/parser.h     2014-10-07 10:36:05 +0000
@@ -47,6 +47,13 @@
  */
 extern int parser_token;
 
+
+#define WARN_RULE_NOT_ENFORCED 1
+#define WARN_RULE_DOWNGRADED   2
+
+extern dfaflags_t warnflags;
+
+
 typedef enum pattern_t pattern_t;
 
 struct prefixes {
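Review bot: The two new flags are plain `#define`s with literal values 1 and 2 but are used as a bit mask; spelling them as shifted bits makes the mask intent explicit and the next flag less error-prone, `#define WARN_RULE_NOT_ENFORCED (1 << 0)` / `#define WARN_RULE_DOWNGRADED (1 << 1)`. `warnflags` borrows `dfaflags_t` from the DFA control flags, presumably so it can be handed to `handle_flag_table()`; a one-line comment such as `/* --warn flags; typed dfaflags_t only so handle_flag_table() can fill it */` would stop a reader from assuming the two flag sets share a value space. The doubled blank lines before and after the block also do not match the single-blank spacing of the surrounding declarations.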

=== modified file 'parser/parser_common.c'
--- parser/parser_common.c      2014-09-03 20:22:26 +0000
+++ parser/parser_common.c      2014-10-07 10:35:20 +0000
@@ -80,6 +80,7 @@
 int option = OPTION_ADD;
 
 dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | 
DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_DIFF_ENCODE);
+dfaflags_t warnflags = 0;
 
 char *subdomainbase = NULL;
 const char *progname = __FILE__;

=== modified file 'parser/parser_interface.c'
--- parser/parser_interface.c   2014-08-30 00:40:30 +0000
+++ parser/parser_interface.c   2014-10-06 21:38:05 +0000
@@ -442,7 +442,7 @@
                        sd_write_uint16(buf, profile->net.deny[i] & 
profile->net.quiet[i]);
                }
                sd_write_arrayend(buf);
-       } else if (profile->net.allow)
+       } else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED))
                pwarn(_("profile %s network rules not enforced\n"), 
profile->name);
 
        if (profile->policy.dfa) {
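Review bot: The rewritten `else if` keeps a brace-less single statement after a braced `if` body, and with the longer condition the `pwarn(...)` call on the next line is easy to misread as unconditional; bracing the arm keeps both branches in the same style: `} else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED)) {` / `pwarn(_("profile %s network rules not enforced\n"), profile->name);` / `}`. The order of the two operands is fine as written since `pwarn` is reached only when both hold. The enclosing function starts before the hunk and continues after it.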

=== modified file 'parser/parser_main.c'
--- parser/parser_main.c        2014-10-02 19:58:54 +0000
+++ parser/parser_main.c        2014-10-07 10:54:41 +0000
@@ -127,6 +127,7 @@
        {"preprocess",          0, 0, 'p'},
        {"abort-on-error",      0, 0, 132},     /* no short option */
        {"skip-bad-cache-rebuild",      0, 0, 133},     /* no short option */
+       {"warn",                1, 0, 134},     /* no short option */
        {NULL, 0, 0, 0},
 };
 
@@ -181,6 +182,21 @@
               ,command);
 }
 
+optflag_table_t warnflag_table[] = {
+       { 0, "rule-not-enforced", "warn if a rule is not enforced", 
WARN_RULE_NOT_ENFORCED },
+       { 0, "rule-downgraded", "warn if a rule is downgraded to a lesser but 
still enforcing rule", WARN_RULE_DOWNGRADED },
+       { 0, NULL, NULL, 0 },
+};
+
+void display_warn(const char *command)
+{
+       display_version();
+       printf("\n%s: --warn [Option]\n\n"
+              "Options:\n"
+              "--------\n"
+              ,command);
+       print_flag_table(warnflag_table);
+}
 
 /* Treat conf file like options passed on command line
  */
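Review bot: `warnflag_table` and `display_warn` are introduced with external linkage but are referenced only from this file (the `--help warn` dispatch and `case 134` below); marking both `static` keeps them out of the global namespace, assuming the sibling `display_optimize` is not exported either. The usage line `"%s: --warn [Option]\n\n"` shows the argument in square brackets although the option table registers `--warn` with a required argument (`has_arg` of 1), so `--warn <option>` would describe it accurately. A short comment on the table, e.g. `/* flags accepted by --warn; also settable in parser.conf */`, would tie it back to the mechanism the commit message recommends.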
@@ -285,6 +301,8 @@
                           strcmp(optarg, "optimize") == 0 ||
                           strcmp(optarg, "O") == 0) {
                        display_optimize(progname);
+               } else if (strcmp(optarg, "warn") == 0) {
+                       display_warn(progname);
                } else {
                        PERROR("%s: Invalid --help option %s\n",
                               progname, optarg);
@@ -435,6 +453,14 @@
                preprocess_only = 1;
                skip_mode_force = 1;
                break;
+       case 134:
+               if (!handle_flag_table(warnflag_table, optarg,
+                                      &warnflags)) {
+                       PERROR("%s: Invalid --warn option %s\n",
+                              progname, optarg);
+                       exit(1);
+               }
+               break;
        default:
                display_usage(progname);
                exit(1);
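Review bot: `case 134` can only accumulate bits into `warnflags` via `handle_flag_table`, so a warning enabled by default in parser.conf (the mechanism the description recommends) cannot be switched back off for a single run from the command line. If `handle_flag_table` already accepts a `no-` prefix as it may for the DFA flag table (not visible in this diff), the `warnflag_table` help strings should say so; otherwise a way to clear the flags, such as a `none` entry, would close the gap. The error path mirrors the `--help` handling above and exits with status 1, which is consistent with the other option handlers.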

=== modified file 'parser/ptrace.cc'
--- parser/ptrace.cc    2014-05-09 22:34:34 +0000
+++ parser/ptrace.cc    2014-10-06 21:36:38 +0000
@@ -105,7 +105,7 @@
 {
        static const char *warned_name = NULL;
 
-       if (warned_name != name) {
+       if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
                cerr << "Warning from profile " << name << " (";
                if (current_filename)
                        cerr << current_filename;

=== modified file 'parser/signal.cc'
--- parser/signal.cc    2014-05-09 22:34:34 +0000
+++ parser/signal.cc    2014-10-06 21:36:14 +0000
@@ -241,7 +241,7 @@
 {
        static const char *warned_name = NULL;
 
-       if (warned_name != name) {
+       if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
                cerr << "Warning from profile " << name << " (";
                if (current_filename)
                        cerr << current_filename;


