On 10/07/2014 03:38 PM, Steve Beattie wrote: > On Tue, Oct 07, 2014 at 04:00:34AM -0700, John Johansen wrote: >> Currently the apparmor parser warns about rules that are not enforced or >> downgraded. This is a problem for distros that are not carrying the out of >> tree kernel patches, as most profile loads result in warnings. >> >> Change the behavior to not output a message unless a warn flag is passed. >> This patch adds 2 different warn flags >> --warn rule-downgraded # warn if a rule is downgraded >> --warn rule-not-enforced # warn if a rule is not enforced at all >> >> If the warnings are desired by default the flags can be set in the >> parser.conf file. > > Code mostly looks good; a couple of issues: > > 1) needs man page update. > 2) the --help=warn is useful, but --warn needs to be part of the main > usage statement: >
v2. - update man page - add --warn to usage statement - make --quiet clear warn flags Currently the apparmor parser warns about rules that are not enforced or downgraded. This is a problem for distros that are not carrying the out of tree kernel patches, as most profile loads result in warnings. Change the behavior to not output a message unless a warn flag is passed. This patch adds 2 different warn flags --warn rule-downgraded # warn if a rule is downgraded --warn rule-not-enforced # warn if a rule is not enforced at all If the warnings are desired by default the flags can be set in the parser.conf file.
Signed-off-by: John Johansen <[email protected]>
---
=== modified file 'parser/af_unix.cc'
--- parser/af_unix.cc 2014-09-22 16:34:32 +0000
+++ parser/af_unix.cc 2014-10-06 21:40:59 +0000
@@ -176,7 +176,8 @@
 
 static void warn_once(const char *name)
 {
- warn_once(name, "extended network unix socket rules not enforced");
+ if (warnflags & WARN_RULE_NOT_ENFORCED)
+ warn_once(name, "extended network unix socket rules not enforced");
 }
 
 static void writeu16(std::ostringstream &o, int v)
@@ -321,7 +322,8 @@
 if (kernel_supports_network) {
 /* only warn if we are building against a kernel
 * that requires downgrading */
- warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
+ if (warnflags & WARN_RULE_DOWNGRADED)
+ warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
 /* TODO: add ability to abort instead of downgrade */
 return RULE_OK;
 }
=== modified file 'parser/apparmor_parser.pod'
--- parser/apparmor_parser.pod 2014-09-23 21:33:54 +0000
+++ parser/apparmor_parser.pod 2014-10-08 10:28:33 +0000
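Review bot: In the second hunk the downgrade itself is still applied unconditionally while only its report is now gated, so with the default (empty) warnflags an extended unix socket rule is replaced by a generic network rule with no output at all; the call site should say so, e.g. `/* the downgrade always happens; only the report depends on --warn rule-downgraded */` above the new `if`. The two strings passed to the two-argument `warn_once(name, msg)` also disagree on a trailing newline (the first hunk's message has none, the downgrade message ends in `\n`), which suggests one of them prints wrongly unless that overload normalises it — worth checking while both lines are being touched. The function containing the second hunk begins and ends outside the hunk.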
@@ -239,6 +239,16 @@
 
 Report on the profiles as they are loaded, and show warnings.
 
+=item --warn=n
+
+Enable various warnings during policy compilation. A single dump flag
+can be specified per --warn option, but the --warn flag can be passed
+multiple times.
+
+ apparmor_parser --warn=rules-not-enforced ...
+
+Use --help=warn to see a full list of which warn flags are supported.
+
 =item -d, --debug
 
 Given once, only checks the profiles to ensure syntactic correctness.
=== modified file 'parser/dbus.cc'
--- parser/dbus.cc 2014-08-24 06:50:43 +0000
+++ parser/dbus.cc 2014-10-06 21:36:59 +0000
@@ -194,7 +194,7 @@
 {
 static const char *warned_name = NULL;
 
- if (warned_name != name) {
+ if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 cerr << "Warning from profile " << name << " (";
 if (current_filename)
 cerr << current_filename;
=== modified file 'parser/mount.cc'
--- parser/mount.cc 2014-10-02 19:58:54 +0000
+++ parser/mount.cc 2014-10-06 21:37:31 +0000
@@ -558,7 +558,7 @@
 {
 static const char *warned_name = NULL;
 
- if (warned_name != name) {
+ if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 cerr << "Warning from profile " << name << " (";
 if (current_filename)
 cerr << current_filename;
=== modified file 'parser/parser.h'
--- parser/parser.h 2014-10-02 19:58:54 +0000
+++ parser/parser.h 2014-10-07 10:36:05 +0000
@@ -47,6 +47,13 @@
 */
 extern int parser_token;
 
+
+#define WARN_RULE_NOT_ENFORCED 1
+#define WARN_RULE_DOWNGRADED 2
+
+extern dfaflags_t warnflags;
+
+
 typedef enum pattern_t pattern_t;
 
 struct prefixes {
=== modified file 'parser/parser_common.c'
--- parser/parser_common.c 2014-09-03 20:22:26 +0000
+++ parser/parser_common.c 2014-10-07 10:35:20 +0000
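Review bot: The guard `(warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name` is now copied into four identical once-per-profile warning helpers (this dbus.cc hunk and the same hunk in mount.cc, ptrace.cc and signal.cc), so every future warn flag or wording change has to be repeated in four places. af_unix.cc already calls a two-argument `warn_once(name, msg)`; if that overload is a shared helper, these four could delegate to it with their own message and keep the flag check in one spot — its definition is not visible here, so that is a suggestion to confirm. Each of these helpers continues outside the hunk (the code that records `warned_name` is not shown), so only the visible condition is reviewed.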
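Review bot: `warnflags` is declared as a `dfaflags_t` but holds the plain-integer `WARN_*` bits defined just above it, which are unrelated to the DFA control values that type is named for; a reader of parser.h will reasonably assume the two share a value space. A comment on the declaration would prevent that, e.g. `/* bitmask of WARN_* values; typed dfaflags_t only so handle_flag_table() can fill it in */` — the handle_flag_table() reason is inferred from the parser_main.c hunk in this series and should be confirmed.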
@@ -80,6 +80,7 @@
 int option = OPTION_ADD;
 dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_DIFF_ENCODE);
+dfaflags_t warnflags = 0;
 char *subdomainbase = NULL;
 const char *progname = __FILE__;
=== modified file 'parser/parser_interface.c'
--- parser/parser_interface.c 2014-08-30 00:40:30 +0000
+++ parser/parser_interface.c 2014-10-06 21:38:05 +0000
@@ -442,7 +442,7 @@
 sd_write_uint16(buf, profile->net.deny[i] & profile->net.quiet[i]);
 }
 sd_write_arrayend(buf);
- } else if (profile->net.allow)
+ } else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED))
 pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
 if (profile->policy.dfa) {
=== modified file 'parser/parser_main.c'
--- parser/parser_main.c 2014-10-02 19:58:54 +0000
+++ parser/parser_main.c 2014-10-08 10:23:55 +0000
@@ -127,6 +127,7 @@
 {"preprocess", 0, 0, 'p'},
 {"abort-on-error", 0, 0, 132}, /* no short option */
 {"skip-bad-cache-rebuild", 0, 0, 133}, /* no short option */
+ {"warn", 1, 0, 134}, /* no short option */
 {NULL, 0, 0, 0},
 };
 
@@ -178,9 +179,25 @@
 "-h [cmd], --help[=cmd] Display this text or info about cmd\n"
 "--abort-on-error Abort processing of profiles on first error\n"
 "--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel\n"
- ,command);
-}
-
+ "--warn n Enable warnings (see --help=warn)\n"
+ ,command);
+}
+
+optflag_table_t warnflag_table[] = {
+ { 0, "rule-not-enforced", "warn if a rule is not enforced", WARN_RULE_NOT_ENFORCED },
+ { 0, "rule-downgraded", "warn if a rule is downgraded to a lesser but still enforcing rule", WARN_RULE_DOWNGRADED },
+ { 0, NULL, NULL, 0 },
+};
+
+void display_warn(const char *command)
+{
+ display_version();
+ printf("\n%s: --warn [Option]\n\n"
+ "Options:\n"
+ "--------\n"
+ ,command);
+ print_flag_table(warnflag_table);
+}
 
 /* Treat conf file like options passed on command line */
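Review bot: With the default flags the new `else if` condition is false, so a profile whose network rules cannot be encoded for the running kernel is loaded with those rules dropped and no output at all; this branch is the only place an administrator would learn that part of the policy is unenforced, and nothing at the site says the silence is intentional. Suggest a comment above the `pwarn` line, e.g. `/* the network rules are dropped here regardless; reporting is opt-in via --warn rule-not-enforced */`. The enclosing function begins and ends outside the hunk.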
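Review bot: The flag is registered in `warnflag_table` as `"rule-not-enforced"`, but the man page hunk in apparmor_parser.pod documents the example `apparmor_parser --warn=rules-not-enforced`; unless handle_flag_table() accepts both spellings (not visible here), the documented command fails with "Invalid --warn option". The same pod text says "A single dump flag can be specified per --warn option", which reads as carried over from the --dump entry and should say warn flag. Either the table entry or the pod line should change so that `--help=warn` output and the man page agree.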
@@ -285,6 +302,8 @@
 strcmp(optarg, "optimize") == 0 ||
 strcmp(optarg, "O") == 0) {
 display_optimize(progname);
+ } else if (strcmp(optarg, "warn") == 0) {
+ display_warn(progname);
 } else {
 PERROR("%s: Invalid --help option %s\n",
 progname, optarg);
@@ -384,6 +403,7 @@
 case 'q':
 conf_verbose = 0;
 conf_quiet = 1;
+ warnflags = 0;
 break;
 case 'v':
 conf_verbose = 1;
@@ -435,6 +455,14 @@
 preprocess_only = 1;
 skip_mode_force = 1;
 break;
+ case 134:
+ if (!handle_flag_table(warnflag_table, optarg,
+ &warnflags)) {
+ PERROR("%s: Invalid --warn option %s\n",
+ progname, optarg);
+ exit(1);
+ }
+ break;
 default:
 display_usage(progname);
 exit(1);
=== modified file 'parser/ptrace.cc'
--- parser/ptrace.cc 2014-05-09 22:34:34 +0000
+++ parser/ptrace.cc 2014-10-06 21:36:38 +0000
@@ -105,7 +105,7 @@
 {
 static const char *warned_name = NULL;
 
- if (warned_name != name) {
+ if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 cerr << "Warning from profile " << name << " (";
 if (current_filename)
 cerr << current_filename;
=== modified file 'parser/signal.cc'
--- parser/signal.cc 2014-05-09 22:34:34 +0000
+++ parser/signal.cc 2014-10-06 21:36:14 +0000
@@ -241,7 +241,7 @@
 {
 static const char *warned_name = NULL;
 
- if (warned_name != name) {
+ if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 cerr << "Warning from profile " << name << " (";
 if (current_filename)
 cerr << current_filename;
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
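Review bot: `warnflags = 0` in the `'q'` case clears only the flags seen before `-q`, so the outcome depends on option order: since conf-file options are handled like command-line options processed first (per the "Treat conf file like options passed on command line" comment in parser_main.c), a `--warn` default from parser.conf is cancelled by a command-line `-q`, while `-q --warn rule-not-enforced` keeps the warning. That may be intended, but it is stated nowhere; suggest `/* -q discards any --warn flags seen so far, including those from parser.conf */` on the new line and a matching sentence in the --quiet man page entry. The switch this case belongs to begins and ends outside the hunk.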
