From 5d7fe96fd058d4b31dc9f77cf2911ff941a4ec78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Thu, 17 Apr 2025 19:46:32 +0200 Subject: [PATCH 1/6] apparmor_parser: show attachment in --debug output MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When showing the content of profiles with `apparmor_parser --debug`, the attachment path is now displayed within the 'Debugging built structures' section. Signed-off-by: Maxime Bélair --- parser/parser.h | 1 + parser/parser_regex.c | 2 +- parser/profile.h | 7 ++++++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/parser/parser.h b/parser/parser.h index 3e0eb5ee9..56fae71f2 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -410,6 +410,7 @@ extern int process_policydb(Profile *prof); extern int process_policy_ents(Profile *prof); extern void filter_slashes(char *path); +extern const char *local_name(const char *name); /* parser_variable.c */ int expand_entry_variables(char **name); diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 4a8018b65..6d61c61fb 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -433,7 +433,7 @@ out: return ptype; } -static const char *local_name(const char *name) +const char *local_name(const char *name) { const char *t; diff --git a/parser/profile.h b/parser/profile.h index d245a1376..207c9b57e 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -459,7 +459,12 @@ public: printf("Name:\t\t%s\n", name); else printf("Name:\t\t\n"); - + if (attachment) + printf("Attachment:\t%s\n", attachment); + else { + const char *local = local_name(name); + printf("Attachment:\t%s\n", local[0] == '/' ? local : ""); + } if (parent) printf("Local To:\t%s\n", parent->name); else From 68c0dddf235ce82b18db61ac95e97d264e7b7c30 Mon Sep 17 00:00:00 2001 
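Review bot: In the profile.h hunk the new `else` branch calls `local_name(name)` and then reads `local[0]` without a NULL check, yet the context two lines above (`if (name) printf(...); else printf("Name:\t\t\n");`) shows this dump is written to handle a profile whose `name` is NULL. `local_name`'s body is not in view (only its signature appears in the parser_regex.c hunk), but any scan of a NULL `name` there, or the `local[0]` read here, would fault for a profile with neither name nor explicit attachment. Guard it the same way the Name line does: `const char *local = name ? local_name(name) : "";` and keep the `local[0] == '/' ? local : ""` test. The dumping method this sits in starts and ends outside the hunk.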
From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Thu, 17 Apr 2025 19:57:39 +0200 Subject: [PATCH 2/6] Add a script to verify attachment-path permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed. However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks. This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 . Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path. Signed-off-by: Maxime Bélair --- parser/tst/test_profile.sh | 84 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100755 parser/tst/test_profile.sh diff --git a/parser/tst/test_profile.sh b/parser/tst/test_profile.sh new file mode 100755 index 000000000..de8ea9090 --- /dev/null +++ b/parser/tst/test_profile.sh 
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Check if the current profile allow reading its attachment
+check_entry() {
+ local prof_name="$1"
+ local -n lines_ref="$2"
+ local attachment="$3"
+ local found=0
+
+ for line in "${lines_ref[@]}"; do
+ if [[ $line == Perms:*r*:*"($attachment)"* ]]; then
+ found=1
+ break
+ fi
+ done
+
+ if [[ $found -eq 0 ]]; then
+ echo -e "\e[0;31mProfile $prof_name: ERROR: no Perms rule for '$attachment'.\e[0m"
+ exit 1
+ fi
+
+ [[ -n "${VERBOSE:-}" ]] && echo -e "\e[0;32mProfile $prof_name: OK '$attachment' found\e[0m" || true
+}
+
+# Handle the end of a profile block: either skip it or check for the entry.
+finish_profile() {
+ local name="$1"
+ local prof_file="$2"
+ local skip="$3"
+ local attachment="$4"
+ local arr_name="$5"
+
+ if [[ -n $name ]]; then
+ if [[ $skip != 0 ]]; then
+ [[ -n "${VERBOSE:-}" ]] && echo "Profile '$name' skipped: $skip" || true
+ else
+ check_entry "$prof_file ($name)" "$arr_name" "$attachment"
+ fi
+ fi
+}
+
+process_profile() {
+ local prof_file="$1"
+ shift
+ local dump curr_name="" attachment="" skip_profile=0 in_entries=0
+ local block_lines=()
+
+ if ! 
dump=$(../parser/apparmor_parser $@ -d "$prof_file" 2>&1); then
+ echo "\e[0;31mERROR: Failed to parse '$prof_file': $dump\e[0m" >&2
+ exit 1
+ fi
+
+ IFS=$'\n' read -r -d '' -a lines < <(printf '%s\n' "$dump" && printf '\0')
+
+ for line in "${lines[@]}"; do
+ if [[ $line =~ ^[[:space:]]*Name:[[:space:]]*([^[:space:]]+) ]]; then
+ finish_profile "$curr_name" "$prof_file" "$skip_profile" "$attachment" block_lines
+ curr_name="${BASH_REMATCH[1]}"
+ attachment="" skip_profile=0 in_entries=0 block_lines=()
+ elif [[ $line =~ ^[[:space:]]*Mode:[[:space:]]*unconfined ]]; then
+ skip_profile="unconfined"
+ elif [[ $line =~ ^Perms:.*r.*:.*:.*\(/(\{?,?\*\*,*\}?)\) ]]; then
+ skip_profile="All files available"
+ elif [[ $line =~ ^[[:space:]]*Attachment:[[:space:]]*(.+) ]]; then
+ attachment="${BASH_REMATCH[1]}"
+ [[ $attachment == "" ]] && skip_profile="no attachment"
+ elif [[ $line == ---\ Entries\ --- ]]; then
+ in_entries=1
+ elif [[ $in_entries -ne 0 ]]; then
+ block_lines+=("$line")
+ fi
+ done
+
+ # Last profile
+ finish_profile "$curr_name" "$prof_file" "$skip_profile" "$attachment" block_lines
+}
+
+if (( $# < 1 )); then
+ echo "Usage: $0 [parser_extra_args]"
+ exit 1
+fi
+
+process_profile $@
From 072d17a237e703dad5e7aac22a4743d293df55cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20B=C3=A9lair?=
Date: Thu, 17 Apr 2025 21:16:15 +0200
Subject: [PATCH 3/6] profiles: Give all profiles read access to their attachment path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Grant explicit read permission on each profile’s attachment path. This avoid issues when running them from a confined environment and makes test_profile.sh pass. 
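Review bot: `process_profile $@` on the script's last line and `../parser/apparmor_parser $@ -d "$prof_file"` inside it leave `$@` unquoted, so any extra parser argument containing whitespace or glob characters is word-split and globbed again before it reaches the parser; both should read `"$@"`. The parse-failure branch also uses plain `echo "\e[0;31mERROR: …"` while every other coloured message uses `echo -e`, so that path prints the literal `\e[0;31m` text to stderr. Separately, if the parser emits an `Attachment:` line whose value is empty (a tab and nothing after it, as the patch 1 hunk does), `Attachment:[[:space:]]*(.+)` captures that trailing whitespace rather than an empty string because `(.+)` must consume something, so the `[[ $attachment == "" ]]` "no attachment" skip looks unreachable and such a profile would instead be reported as missing its rule — I have not run the parser to confirm the exact dump format, but matching `Attachment:[[:space:]]*$` explicitly before the capture would make the skip robust either way.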
Signed-off-by: Maxime Bélair --- profiles/apparmor.d/Xorg | 2 ++ profiles/apparmor.d/alsamixer | 2 ++ profiles/apparmor.d/babeld | 1 + profiles/apparmor.d/bfdd | 2 ++ profiles/apparmor.d/bgpd | 2 ++ profiles/apparmor.d/bin.ping | 2 +- profiles/apparmor.d/eigrpd | 2 ++ profiles/apparmor.d/fabricd | 2 ++ profiles/apparmor.d/isisd | 2 ++ profiles/apparmor.d/nhrpd | 1 + profiles/apparmor.d/ospf6d | 2 ++ profiles/apparmor.d/ospfd | 2 ++ profiles/apparmor.d/pathd | 2 ++ profiles/apparmor.d/pbrd | 2 ++ profiles/apparmor.d/pim6d | 2 ++ profiles/apparmor.d/pimd | 2 ++ profiles/apparmor.d/ripd | 2 ++ profiles/apparmor.d/ripngd | 2 ++ profiles/apparmor.d/staticd | 2 ++ profiles/apparmor.d/tnftp | 2 ++ profiles/apparmor.d/transmission | 8 ++++++++ profiles/apparmor.d/vrrpd | 1 + profiles/apparmor.d/wpa_supplicant | 2 ++ profiles/apparmor.d/zgrep | 3 +-- profiles/apparmor.d/znc | 2 ++ profiles/apparmor/profiles/extras/firefox | 2 ++ profiles/apparmor/profiles/extras/firefox.sh | 2 ++ profiles/apparmor/profiles/extras/usr.bin.acroread | 2 ++ profiles/apparmor/profiles/extras/usr.bin.svnserve | 2 ++ .../profiles/extras/usr.lib.RealPlayer10.realplay | 1 + ...r.lib.evolution-data-server.evolution-data-server-1.10 | 1 + profiles/apparmor/profiles/extras/usr.sbin.in.fingerd | 2 ++ profiles/apparmor/profiles/extras/usr.sbin.oidentd | 2 ++ 33 files changed, 65 insertions(+), 3 deletions(-) diff --git a/profiles/apparmor.d/Xorg b/profiles/apparmor.d/Xorg index 15cb45a6e..c837a55b7 100644 --- a/profiles/apparmor.d/Xorg +++ b/profiles/apparmor.d/Xorg @@ -58,6 +58,8 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) { /{,usr/}bin/{bash,dash,sh} ix, /usr/bin/xkbcomp ix, + /usr/lib/xorg/Xorg mr, + @{PROC}/cmdline r, @{PROC}/@{pid}/cmdline r, @{PROC}/ioports r, diff --git a/profiles/apparmor.d/alsamixer b/profiles/apparmor.d/alsamixer index 4d3d8146f..b3c872881 100644 --- a/profiles/apparmor.d/alsamixer +++ b/profiles/apparmor.d/alsamixer 
@@ -10,6 +10,8 @@ profile alsamixer /{usr,}/bin/alsamixer { include + /{usr,}/bin/alsamixer mr, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/profiles/apparmor.d/babeld b/profiles/apparmor.d/babeld index 25068d57b..52f29e81f 100644 --- a/profiles/apparmor.d/babeld +++ b/profiles/apparmor.d/babeld @@ -17,6 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { include include + /usr/lib/frr/babeld mr, @{run}/frr/babel-state w, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/bfdd b/profiles/apparmor.d/bfdd index 83d2369e0..b54d6ed77 100644 --- a/profiles/apparmor.d/bfdd +++ b/profiles/apparmor.d/bfdd @@ -20,6 +20,8 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { capability net_raw, capability sys_admin, + + /usr/lib/frr/bfdd mr, @{run}/netns/* r, @{run}/frr/bfdd.sock w, diff --git a/profiles/apparmor.d/bgpd b/profiles/apparmor.d/bgpd index 06fdc041b..bed4b14fe 100644 --- a/profiles/apparmor.d/bgpd +++ b/profiles/apparmor.d/bgpd @@ -21,6 +21,8 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { capability net_raw, capability sys_admin, + /usr/lib/frr/bgpd mr, + @{run}/netns/* r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/profiles/apparmor.d/bin.ping b/profiles/apparmor.d/bin.ping index 14c489897..c8d450ee6 100644 --- a/profiles/apparmor.d/bin.ping +++ b/profiles/apparmor.d/bin.ping @@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping { network inet raw, network inet6 raw, - /{,usr/}bin/{,iputils-}ping mixr, + /{usr/,}bin/{,iputils-}ping mixr, /etc/modules.conf r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/profiles/apparmor.d/eigrpd b/profiles/apparmor.d/eigrpd index 083db5352..736295c8a 100644 --- a/profiles/apparmor.d/eigrpd +++ b/profiles/apparmor.d/eigrpd 
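Review bot: The bin.ping hunk rewrites `/{,usr/}bin/{,iputils-}ping mixr,` as `/{usr/,}bin/{,iputils-}ping mixr,`, which expands to the same two paths and therefore changes nothing in the compiled policy; it appears to exist only so that test_profile.sh's literal `($attachment)` string match finds a rule spelled exactly like the profile's attachment, and it is what forces the fixture update in the later test-logprof patch. That motive is not stated anywhere, so the no-op diff reads as noise; a sentence in the commit message (or a trailing `# spelled to match the attachment for test_profile.sh` on the rule) would explain it, and longer term the checker should compare expanded paths rather than rule text so profiles need not be respelled.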
@@ -19,6 +19,8 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { capability net_raw, + /usr/lib/frr/eigrpd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/fabricd b/profiles/apparmor.d/fabricd index 4779a2aa1..6fdf28644 100644 --- a/profiles/apparmor.d/fabricd +++ b/profiles/apparmor.d/fabricd @@ -17,6 +17,8 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { include include + /usr/lib/frr/fabricd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/isisd b/profiles/apparmor.d/isisd index 3bb9b78fb..0a6f285b8 100644 --- a/profiles/apparmor.d/isisd +++ b/profiles/apparmor.d/isisd @@ -20,6 +20,8 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { capability net_raw, + /usr/lib/frr/isisd mr, + /var/lib/frr/ r, /var/lib/frr/isisd.json{,.sav} rw, diff --git a/profiles/apparmor.d/nhrpd b/profiles/apparmor.d/nhrpd index d986139ad..68129b1e8 100644 --- a/profiles/apparmor.d/nhrpd +++ b/profiles/apparmor.d/nhrpd @@ -20,6 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { capability net_raw, capability net_admin, + /usr/lib/frr/nhrpd mr, /usr/bin/dash ix, @{PROC}/sys/net/ipv4/conf/*/send_redirects w, diff --git a/profiles/apparmor.d/ospf6d b/profiles/apparmor.d/ospf6d index 0f6738045..720ea4973 100644 --- a/profiles/apparmor.d/ospf6d +++ b/profiles/apparmor.d/ospf6d @@ -21,6 +21,8 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { capability net_raw, capability sys_admin, + /usr/lib/frr/ospf6d mr, + @{run}/netns/* r, @{run}/frr/ospf6d-gr.json w, diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd index 91262f459..f93f351c8 100644 --- a/profiles/apparmor.d/ospfd +++ b/profiles/apparmor.d/ospfd 
@@ -21,6 +21,8 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { capability net_raw, capability sys_admin, + /usr/lib/frr/ospfd mr, + @{run}/netns/* r, @{run}/frr/ospfd-gr.json w, diff --git a/profiles/apparmor.d/pathd b/profiles/apparmor.d/pathd index a636179a8..4672999c1 100644 --- a/profiles/apparmor.d/pathd +++ b/profiles/apparmor.d/pathd @@ -17,6 +17,8 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { include include + /usr/lib/frr/pathd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/pbrd b/profiles/apparmor.d/pbrd index 7d3b7ec6d..afa768767 100644 --- a/profiles/apparmor.d/pbrd +++ b/profiles/apparmor.d/pbrd @@ -17,6 +17,8 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include include + /usr/lib/frr/pbrd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/pim6d b/profiles/apparmor.d/pim6d index 373da03d0..a79d3a955 100644 --- a/profiles/apparmor.d/pim6d +++ b/profiles/apparmor.d/pim6d @@ -20,6 +20,8 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { capability net_raw, capability net_admin, + /usr/lib/frr/pim6d mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/pimd b/profiles/apparmor.d/pimd index 1ca7e6269..3abb96314 100644 --- a/profiles/apparmor.d/pimd +++ b/profiles/apparmor.d/pimd @@ -20,6 +20,8 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { capability net_raw, capability net_admin, + /usr/lib/frr/pimd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/ripd b/profiles/apparmor.d/ripd index d41e58d0c..e0d292ddf 100644 --- a/profiles/apparmor.d/ripd +++ b/profiles/apparmor.d/ripd 
@@ -18,6 +18,8 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { include include + /usr/lib/frr/ripd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/ripngd b/profiles/apparmor.d/ripngd index ea6bfa866..102a759dc 100644 --- a/profiles/apparmor.d/ripngd +++ b/profiles/apparmor.d/ripngd @@ -17,6 +17,8 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { include include + /usr/lib/frr/ripngd mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/staticd b/profiles/apparmor.d/staticd index 61f3e1dbf..e76431566 100644 --- a/profiles/apparmor.d/staticd +++ b/profiles/apparmor.d/staticd @@ -17,6 +17,8 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { include include + /usr/lib/frr/staticd mr, + /etc/frr/zebra.conf r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp index b62a5aea8..f0c4f9063 100644 --- a/profiles/apparmor.d/tnftp +++ b/profiles/apparmor.d/tnftp @@ -29,6 +29,8 @@ profile tnftp /usr/bin/tnftp { network inet stream, network inet6 stream, + /usr/bin/tnftp mr, + # required for the pager (less, more) to work file Cx /usr/bin/dash, diff --git a/profiles/apparmor.d/transmission b/profiles/apparmor.d/transmission index 5b05af304..6aa4214a8 100644 --- a/profiles/apparmor.d/transmission +++ b/profiles/apparmor.d/transmission @@ -17,6 +17,8 @@ profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_ network inet stream, network inet6 stream, + /usr/bin/transmission-daemon mr, + owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/random/uuid r, @@ -42,6 +44,8 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) { include include + /usr/bin/transmission-cli mr, + # Site-specific additions and overrides. See local/README for details. include if exists include if exists 
@@ -53,6 +57,8 @@ profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_discon include include + /usr/bin/transmission-gtk mr, + owner @{run}/user/*/dconf/user w, # Site-specific additions and overrides. See local/README for details. @@ -70,6 +76,8 @@ profile transmission-qt /usr/bin/transmission-qt flags=(complain) { include include + /usr/bin/transmission-qt mr, + # Site-specific additions and overrides. See local/README for details. include if exists include if exists diff --git a/profiles/apparmor.d/vrrpd b/profiles/apparmor.d/vrrpd index bc6c1734c..534230079 100644 --- a/profiles/apparmor.d/vrrpd +++ b/profiles/apparmor.d/vrrpd @@ -17,6 +17,7 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { include include + /usr/lib/frr/vrrpd mr, # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/wpa_supplicant b/profiles/apparmor.d/wpa_supplicant index 46d21529b..489fe8db7 100644 --- a/profiles/apparmor.d/wpa_supplicant +++ b/profiles/apparmor.d/wpa_supplicant @@ -52,6 +52,8 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant { interface=org.freedesktop.DBus member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName}, + /usr/sbin/wpa_supplicant mr, + owner /dev/rfkill r, owner /etc/group r, owner /etc/nsswitch.conf r, diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep index ee98076fb..b37e3ff70 100644 --- a/profiles/apparmor.d/zgrep +++ b/profiles/apparmor.d/zgrep @@ -31,11 +31,10 @@ profile zgrep /usr/bin/{x,}zgrep { /usr/bin/rm ix, /usr/bin/sed Cx -> sed, /usr/bin/xz Cx -> helper, - /usr/bin/xzgrep r, /usr/bin/zgrep Cx -> helper, /usr/bin/zstd Cx -> helper, owner /tmp/zgrep* rw, - /usr/bin/zgrep r, + /usr/bin/{x,}zgrep r, deny /etc/nsswitch.conf r, deny /etc/passwd r, diff --git a/profiles/apparmor.d/znc b/profiles/apparmor.d/znc index 04b478add..c33f0518d 100644 --- a/profiles/apparmor.d/znc 
+++ b/profiles/apparmor.d/znc @@ -13,6 +13,8 @@ profile znc /usr/bin/znc { network tcp, + /usr/bin/znc mr, + @{system_share_dirs}/znc/** r, owner @{HOME}/.znc/ rw, diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/firefox index 34773de32..f5dfe2977 100644 --- a/profiles/apparmor/profiles/extras/firefox +++ b/profiles/apparmor/profiles/extras/firefox @@ -110,6 +110,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} { member=GetAll peer=(label=unconfined), + @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} mr, + # should maybe be in abstractions /etc/ r, /etc/mime.types r, diff --git a/profiles/apparmor/profiles/extras/firefox.sh b/profiles/apparmor/profiles/extras/firefox.sh index fb75c5b64..bb7efa836 100644 --- a/profiles/apparmor/profiles/extras/firefox.sh +++ b/profiles/apparmor/profiles/extras/firefox.sh @@ -11,6 +11,8 @@ profile firefox.sh /usr/lib/firefox/firefox.sh { deny capability sys_ptrace, + /usr/lib/firefox/firefox.sh mr, + /{usr/,}bin/basename rix, /{usr/,}bin/bash rix, /{usr/,}bin/grep rix, diff --git a/profiles/apparmor/profiles/extras/usr.bin.acroread b/profiles/apparmor/profiles/extras/usr.bin.acroread index 75de6889b..80734a35f 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.acroread +++ b/profiles/apparmor/profiles/extras/usr.bin.acroread @@ -26,6 +26,8 @@ include capability dac_override, + /usr/X11R6/bin/acroread mr, + /{usr/,}bin/basename mixr, /{usr/,}bin/bash mix, /{usr/,}bin/cat mixr, diff --git a/profiles/apparmor/profiles/extras/usr.bin.svnserve b/profiles/apparmor/profiles/extras/usr.bin.svnserve index b7599250c..bc3baca3e 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.svnserve +++ b/profiles/apparmor/profiles/extras/usr.bin.svnserve @@ -19,6 +19,8 @@ include # network service ;) capability net_bind_service, + /usr/bin/svnserve mr, + /srv/svn/*/conf/* r, /srv/svn/*/format r, /srv/svn/*/db/ r, 
diff --git a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay index d9190b08c..a52cffa81 100644 --- a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay +++ b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay @@ -41,6 +41,7 @@ include @{HOME}/ r, @{HOME}/.realplayerrc rw, + /usr/lib/RealPlayer10/realplay mr, /usr/lib/RealPlayer10/** mr, /usr/lib/RealPlayer10/realplay.bin Pxr, /usr/lib/firefox/firefox.sh Pxr, diff --git a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 index 57e328c4a..610f2d469 100644 --- a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 +++ b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 @@ -33,6 +33,7 @@ include /usr/lib/GConf/**.so mr, /usr/lib/GConf/2/gconfd-2 Pxr, /usr/lib64/GConf/2/gconfd-2 Pxr, + /usr/lib/evolution-data-server/evolution-data-server-1.10 mr, /usr/lib/evolution-data-server/evolution-data-server-* rmix, /usr/lib/evolution-data-server*/extensions r, /usr/lib/evolution-data-server*/extensions/lib*.so r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd index 43f6bc71d..27c7c9a0a 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd +++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd @@ -19,6 +19,8 @@ include @{HOME}/.plan r, @{HOME}/.project r, + /usr/sbin/in.fingerd mr, + /usr/bin/finger mix, /var/log/lastlog r, /{,var/}run/utmp rk, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.oidentd b/profiles/apparmor/profiles/extras/usr.sbin.oidentd index 447021939..d1bad8067 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.oidentd +++ b/profiles/apparmor/profiles/extras/usr.sbin.oidentd 
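Review bot: `/usr/lib/RealPlayer10/realplay mr,` in the realplay hunk is already granted by the `/usr/lib/RealPlayer10/** mr,` rule on the very next context line, so the addition changes nothing in the compiled policy and exists only to satisfy test_profile.sh's literal path comparison; the evolution-data-server hunk below has the same shape, where `evolution-data-server-* rmix,` already covers the new `evolution-data-server-1.10 mr,` line. Without a marker a future cleanup will reasonably drop these as redundant and silently break the check, so a one-line comment such as `# explicit attachment-path rule; test_profile.sh matches the path literally` above each new rule would be worth adding.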
@@ -21,6 +21,8 @@ include capability dac_override, capability dac_read_search, + /usr/sbin/oidentd mr, + /etc/oidentd.conf r, /etc/oidentd_masq.conf r, @{PROC}/net/tcp r, From 75959225b35cc3cd76e684f2db62e27ee4e81288 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Thu, 17 Apr 2025 20:12:03 +0200 Subject: [PATCH 4/6] make check: verify attachment-path read permission in profiles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extend `make check` to automatically ensure every AppArmor profile grants explicit read access to its attachment path, preventing future omissions. Signed-off-by: Maxime Bélair --- profiles/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/profiles/Makefile b/profiles/Makefile index d48d26974..78bc26f22 100644 --- a/profiles/Makefile +++ b/profiles/Makefile @@ -123,12 +123,14 @@ check-parser: test-dependencies $(Q)for profile in $$(find ${PROFILES_SOURCE} -maxdepth 1 -type f) ; do \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \ + ../parser/tst/test_profile.sh $${profile} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} || exit 1; \ done @echo "*** Checking profiles from ${EXTRAS_SOURCE} against apparmor_parser" $(Q)for profile in $$(find ${EXTRAS_SOURCE} -maxdepth 1 -type f -not -name README) ; do \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${EXTRAS_SOURCE} -I ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \ + ../parser/tst/test_profile.sh $${profile} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} || exit 1; \ done @echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser" From d4e795fe6dfcfd288dcbd880c388bcecbe9c89ad Mon Sep 17 00:00:00 2001 
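Review bot: In the extras loop of the Makefile hunk the new test_profile.sh line passes `-b ${PROFILES_SOURCE}`, while the `${PARSER}` check directly above it runs with `-b ${EXTRAS_SOURCE} -I ${PROFILES_SOURCE}`, so the script's parser run resolves the extras profile and its includes against a different base directory than the check it is meant to accompany; it should take the same arguments: `../parser/tst/test_profile.sh $${profile} --config-file=../parser/tst/parser.conf -S -b ${EXTRAS_SOURCE} -I ${PROFILES_SOURCE} || exit 1; \`. The script also hard-codes `../parser/apparmor_parser` instead of honouring `${PARSER}`, so overriding PARSER on the make command line would exercise a different binary than the one this recipe verifies.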
From: =?UTF-8?q?Maxime=20B=C3=A9lair?= Date: Fri, 18 Apr 2025 10:45:18 +0200 Subject: [PATCH 5/6] utils: Fix test-logprof.py for bin.ping profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update expected output to match the modifications on bin.ping profile. Signed-off-by: Maxime Bélair --- utils/test/logprof/ping.bin.ping | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/test/logprof/ping.bin.ping b/utils/test/logprof/ping.bin.ping index e1302bfe2..ea415e5bf 100644 --- a/utils/test/logprof/ping.bin.ping +++ b/utils/test/logprof/ping.bin.ping @@ -28,7 +28,7 @@ profile ping /{usr/,}bin/{,iputils-}ping { /etc/modules.conf r, /proc/21622/cmdline r, - /{,usr/}bin/{,iputils-}ping mrix, + /{usr/,}bin/{,iputils-}ping mrix, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, } From bcf1f7017e3f4a5f1b92947106208970a1e57d8a Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 28 Apr 2025 04:40:34 -0700 Subject: [PATCH 6/6] Revert "make check: verify attachment-path read permission in profiles" This reverts commit 75959225b35cc3cd76e684f2db62e27ee4e81288. Do not enable the verify attachment-path script as part of the CI. 1. The script itself has several bashisms, that need to be fixed before we land it as part of the regular integration test. 2. The script is going to need to be extended to support the new parser variables, before it can be turned on as part of the CI. Signed-off-by: John Johansen --- profiles/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/profiles/Makefile b/profiles/Makefile index 78bc26f22..d48d26974 100644 --- a/profiles/Makefile +++ b/profiles/Makefile 
@@ -123,14 +123,12 @@ check-parser: test-dependencies $(Q)for profile in $$(find ${PROFILES_SOURCE} -maxdepth 1 -type f) ; do \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \ - ../parser/tst/test_profile.sh $${profile} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} || exit 1; \ done @echo "*** Checking profiles from ${EXTRAS_SOURCE} against apparmor_parser" $(Q)for profile in $$(find ${EXTRAS_SOURCE} -maxdepth 1 -type f -not -name README) ; do \ [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \ ${PARSER} --config-file=../parser/tst/parser.conf -S -b ${EXTRAS_SOURCE} -I ${PROFILES_SOURCE} $${profile} > /dev/null || exit 1; \ - ../parser/tst/test_profile.sh $${profile} --config-file=../parser/tst/parser.conf -S -b ${PROFILES_SOURCE} || exit 1; \ done @echo "*** Checking abstractions from ${ABSTRACTIONS_SOURCE} against apparmor_parser"