When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'
This patch catches that exception and displays a more meaningful
message.
506c98e...
by
John Johansen <email address hidden>
Merge utils: catch TypeError exception for binary logs
When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'
This patch catches that exception and displays a more meaningful
message.
libapparmor: make af_protos.h consistent in different archs
af_protos.h is a generated table of the protocols created by looking
for definitions of IPPROTO_* in netinet/in.h. Depending on the
architecture, the order of the table may change when using -dM in the
compiler during the extraction of the defines.
This causes an issue because there is more than one IPPROTO defined
by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header
extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table,
then protocol=0 in the audit logs would be translated to hopopts.
By the time protocol is resolved in grammar.y, we don't have
access to the net family to check if it's inet6. Instead of making
protocol dependent on the net family, make the order of the
af_protos.h table consistent between architectures using -dD.
811fe99...
by
John Johansen <email address hidden>
Merge abstractions/base: allow reading of fips_enabled
Commonly used by applications to determine if Linux is running in
FIPS mode. As we already allow access to FIPS specific library files
as part of base, allow this there as well.
Signed-off-by: Georg Pfuetzenreuter <email address hidden>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1286
Approved-by: John Johansen <email address hidden>
Merged-by: John Johansen <email address hidden>
(cherry picked from commit e787f4d69d7d579c702b2c4daeb6cc591ac4e059)
Signed-off-by: John Johansen <email address hidden>
This removes the assumption that the stack is zeroed and silences the corresponding compiler warning
Signed-off-by: Ryan Lee <email address hidden>
(cherry picked from commit 552d9d9f7a66b01d8287dcf19e3fd5eeb671127f)
Signed-off-by: Georgia Garcia <email address hidden>
0824954...
by
John Johansen <email address hidden>
Merge parser: fix Normalization infinite loop
Expression simplification can get into an infinite loop due to eps
pairs hiding behind an alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).
The loop in question happens in AltNode::normalize when a subtree has
the following structure.
1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
          alt
          /\
         /  \
        /    \
      eps    alt
             /\
            /  \
           /    \
         alt    eps
         /\
        /  \
       /    \
     eps    eps
2. if (normalize_eps(dir)) results in
                alt
                /\
               /  \
              /    \
            alt    eps
            /\
           /  \
          /    \
        alt    eps
        /\
       /  \
      /    \
    eps    eps
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
            alt
            /\
           /  \
          /    \
        alt    alt
        /\      /\
       /  \    /  \
      /    \  /    \
    eps  eps  eps  eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
          alt
          /\
         /  \
        /    \
      eps    alt
             /\
            /  \
           /    \
         eps    alt
                /\
               /  \
              /    \
            eps    eps
5. if (normalize_eps(dir)) results in
            alt
            /\
           /  \
          /    \
        alt    eps
        /\
       /  \
      /    \
    eps    alt
           /\
          /  \
         /    \
       eps    eps
6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
          alt
          /\
         /  \
        /    \
      eps    alt
             /\
            /  \
           /    \
         alt    eps
         /\
        /  \
       /    \
     eps    eps
back to beginning of cycle
Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.
In the above cycle the pair creation is caught at step 3 resulting
in
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
            alt
            /\
           /  \
          /    \
        alt    eps
        /\
       /  \
      /    \
    eps    eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
          alt
          /\
         /  \
        /    \
      eps    alt
             /\
            /  \
           /    \
         eps    eps
which gets reduced to
          alt
          /\
         /  \
        /    \
      eps    eps
breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.
This needs to be backported to all releases
Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <email address hidden>
Signed-off-by: John Johansen <email address hidden>
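The cycle and the fix described in the normalization commit message above can be reproduced with a small model. This is an added example, not AppArmor's parser code: the Node layout and the bodies of rotate_node(), normalize_eps() and normalize_top() are assumptions reconstructed from the numbered steps, and normalize_top() adds a step cap so the unfixed case terminates.

```cpp
#include <deque>
#include <iostream>
#include <string>

// Model only: node layout and function bodies are assumptions rebuilt from the
// steps in the commit message, not AppArmor's parser source.
struct Node { Node *child[2]; };
static Node EPS{{nullptr, nullptr}};   // the single shared eps leaf
static std::deque<Node> arena;         // owns alt nodes; deque keeps pointers stable
static Node *alt(Node *l, Node *r) { arena.push_back(Node{{l, r}}); return &arena.back(); }
static bool is_alt(const Node *n) { return n != &EPS; }
static bool is_eps_pair(const Node *n) {
    return is_alt(n) && n->child[0] == &EPS && n->child[1] == &EPS;
}
static std::string show(const Node *n) {
    return is_alt(n) ? "(" + show(n->child[0]) + "|" + show(n->child[1]) + ")" : "E";
}
// (a|b)|c -> a|(b|c); with fix=true an eps pair made by the rotation becomes eps.
static void rotate_node(Node *t, int dir, bool fix) {
    Node *left = t->child[dir];
    t->child[dir] = left->child[dir];
    left->child[dir] = left->child[!dir];
    left->child[!dir] = t->child[!dir];
    t->child[!dir] = (fix && is_eps_pair(left)) ? &EPS : left;
}
// (E|a) -> (a|E); returns false when no work was done.
static bool normalize_eps(Node *t, int dir) {
    if (t->child[dir] != &EPS || t->child[!dir] == &EPS) return false;
    Node *c = t->child[!dir];
    t->child[dir] = is_eps_pair(c) ? &EPS : c;
    t->child[!dir] = &EPS;
    return true;
}
// Top-level loop; returns the number of rewrites, or -1 if max_steps is reached.
static int normalize_top(Node *t, int dir, bool fix, int max_steps) {
    for (int steps = 0; steps < max_steps; ++steps) {
        if (normalize_eps(t, dir)) continue;
        if (!is_alt(t->child[dir])) return steps;
        rotate_node(t, dir, fix);
    }
    return -1;
}
static Node *cycle_start() { return alt(&EPS, alt(alt(&EPS, &EPS), &EPS)); }  // tree under step 1

int main() {
    Node *t = cycle_start();
    int n = normalize_top(t, 0, true, 1000);   // pass false to see the step cap hit
    std::cout << n << " rewrites -> " << show(t) << "\n";
}
```

Without the pair check in rotate_node() the model returns to its starting tree every five rewrites, matching steps 2 to 6 of the message; with it the loop ends on the degenerate alt node after three rewrites.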