The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:
feature_file contains (shortened for example purposes):
```
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
```
if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.
Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1608
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 69355d41f784e227a37c25abd024472c72f320f9)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1527
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry-picked from commit b4caf8782cf677b5128adbbcbb872f663247b3ba)
41be573b Fix leading slash var typo in apparmor.d var example
Co-authored-by: John Johansen <john@jjmx.net>
The "last" command, which was supplied by util-linux in older Ubuntu
versions, is now supplied by wtmpdb in Oracular and Plucky. Unfortunately,
this changed the output format and broke our column based parsing.
While the wtmpdb upstream has added json support at
https://github.com/thkukuk/wtmpdb/issues/20, we cannot use it because
we need to support systems that do not have this new feature added.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1508
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3b7ee81f040fb9bcaeae2d2d46f97cdfa4572c88)
afd6aa05 utils: test: account for last cmd format change in test-aa-notify
Co-authored-by: John Johansen <john@jjmx.net>
Our ubuntu packaging builds Python-enabled libapparmor's in the directories `libapparmor/libapparmor.python[version_identifier]`. In order for the util's `make check` to pick up on the correct libapparmor during the Ubuntu build process, we need the ability to override its search path. This patch introduces a `LIBAPPARMOR_BASEDIR` variable to allow for that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1497
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 17a09d2987e297c6a305bf998f583380f1444252)
90143494 Allow overrides and preservation of some environment variables in utils make check
Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>
This is neeed for "inherit owner = yes" in smb.conf.
From man smb.conf:
inherit owner (S)
The ownership of new files and directories is normally governed by
effective uid of the connected user. This option allows the Samba
administrator to specify that the ownership for new files and
directories should be controlled by the ownership of the parent
directory.
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1234327
I propose this fix for 3.x, 4.x and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1456
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a315d89a2b0a90bab58b574b3a16ea998e6adc64)
d3050285 smbd: allow capability chown
Co-authored-by: John Johansen <john@jjmx.net>
When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'
This patch catches that exception and displays a more meaningful
message.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/436
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#436
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1354
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit cb0f84e1014e0c002735381f09a929ef4dff892c)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1392
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
When a log like system.journal is passed on to aa-genprof, for
example, the user receives a TypeError exception: in method
'parse_record', argument 1 of type 'char *'
This patch catches that exception and displays a more meaningful
message.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/436
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#436
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1354
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit cb0f84e1014e0c002735381f09a929ef4dff892c)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... that are generated during `make`
I propose this patch for 3.x..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1374
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
(cherry picked from commit 347855890413cbab3eab3faf74bbcd3fe032dcb1)
2ea82b86 .gitignore: add mod_apparmor and pam_apparmor files
Co-authored-by: Steve Beattie <steve+gitlab@nxnw.org>
cherry picked from !1379 / commit e53f300821919fa4cc61b190d5e121d6156431b5 and from !1362 / commit 5be4295b5ae833491b56f5892144454e769889dd
I propose this patch for 3.x and 4.0.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1383
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 1ffc1d9ac44578bfbaffd760991c313ce89346c7)
b7a4745b nameservice: add support for libnss-libvirt
b98433c7 abstractions/nameservice: tighten libnss_libvirt file access
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
... which is used by Mesa 24.2.2
Reported by darix.
Fixes: https://bugs.launchpad.net/bugs/2081692
I propose this addition for 3.x, 4.0 and master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1333
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 62ff290c02d4646dc1db69766fea6be4b6456d78)
49b9a209 abstractions/mesa: allow ~/.cache/mesa_shader_cache_db/
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
... and allow whitespace between the number and the unit.
I propose this patch for 3.x, 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1336
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 247bdd5deb51bd950b1f7be735234553d0c8c1c2)
9cb591c5 apparmor.vim: Add missing units for rlimit cpu and rttime
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
af_protos.h is a generated table of the protocols created by looking
for definitions of IPPROTO_* in netinet/in.h. Depending on the
architecture, the order of the table may change when using -dM in the
compiler during the extraction of the defines.
This causes an issue because there is more than one IPPROTO defined
by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header
extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table,
then protocol=0 in the audit logs would be translated to hopopts.
This caused a failure in arm 32bit:
Output doesn't match expected data:
--- ./test_multi/testcase_unix_01.out 2024-08-15 01:47:53.000000000 +0000
+++ ./test_multi/out/testcase_unix_01.out 2024-08-15 23:42:10.187416392 +0000
@@ -12,7 +12,7 @@
Peer Addr: @test_abstract_socket
Network family: unix
Socket type: stream
-Protocol: ip
+Protocol: hopopts
Class: net
Epoch: 1711454639
Audit subid: 322
By the time protocol is resolved in grammar.y, we don't have have
access to the net family to check if it's inet6. Instead of making
protocol dependent on the net family, make the order of the
af_protos.h table consistent between architectures using -dD.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 95c419dc45aa777196a613d41ea72ebca3a679ac)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commonly used by applications to determine if Linux is running in
FIPS mode. As we already allow access to FIPS specific library files
as part of base, allow this there as well.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1286
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e787f4d69d7d579c702b2c4daeb6cc591ac4e059)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Unsigned int vs int probably wouldn't have caused issues, but just in case
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 91bac34afde765dfc7a0e9fd721940babe5656fd)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This removes the assumption that the stack is zeroed and silences the corresponding compiler warning
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 552d9d9f7a66b01d8287dcf19e3fd5eeb671127f)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
If the test ran under a fs mounted with nosuid option, then these bits
would be ignored and the test would fail. In that case, detect it and
run the test in a tmpfs mountpoint without nosuid.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1285
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bc68bc51caf3346d74dfd5b14dea45e76b347073)
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1283
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 1fc944bb671c9c02a98213c848217a80d6ee956f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
mount -o loop fails when the loopback module is not loaded with
permission denied. Add a check if /dev/loop0 exists. If not, load
the loop module.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/781
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 656a48b9006fada138419028ec3b7b673b294c83)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and extend the samba-rpcd profile to also include rpcd_witness.
Patch by Noel Power <nopower@suse.com>
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811
I propose this patch for 3.x, 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1256
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 899c0b3942897c66b30868e59b599a74bde68877)
Signed-off-by: John Johansen <john.johansen@canonical.com>
... which so far was not translatable because it was formatted before
being translated.
I propose this fix for master, 4.0 and 3.x
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1271
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 67021bf91172dc24b4f335d781a1afc5116032fa)
c85958da aa-notify: fix translation of an error message
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
/var/lib/wtmpdb/ contains the Y2038-safe version of wtmpdb.
Proposed by darix.
I propose this patch for master, 4.0 and 3.x.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1267
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 728e0ab1b7d1cf2da33008f35be53ac407439b7a)
da9a3bd3 abstractions/wutmp: allow writing wtmpdb
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Expression simplification can get into an infinite loop due to eps
pairs hiding behind and alternation that can't be caught by
normalize_eps() (which exists in the first place to stop a similar
loop).
The loop in question happens in AltNode::normalize when a subtree has
the following structure.
1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
2. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt alt
/\ /\
/ \ / \
/ \ / \
eps eps eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
5. if (normalize_eps(dir)) results in
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
back to beginning of cycle
Fix this by detecting the creation of an eps_pair in rotate_node(),
that pair can be immediately eliminated by simplifying the tree in that
step.
In the above cycle the pair creation is caught at step 3 resulting
in
3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
alt eps
/\
/ \
/ \
eps eps
4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too
alt
/\
/ \
/ \
eps alt
/\
/ \
/ \
eps eps
which gets reduced to
alt
/\
/ \
/ \
eps eps
breaking the normalization loop. The degenerate alt node will be caught
in turn when its parent is dealt with.
This needs to be backported to all releases
Closes: https://gitlab.com/apparmor/apparmor/-/issues/398
Fixes: 846cee506 ("Split out parsing and expression trees from regexp.y")
Reported-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#398
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1252
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a6691ca53e77263edb7281df3d4d008022812745)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This time it's /tmp/xauth_?????? r, which gets used by latest sddm.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900
I propose this fix for 4.0 and master, optionally also for 3.x.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1249
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 121dbec6717c00767b76e2c879037534c1a9fe34)
0c6e031c abstractions/X: add another xauth path
Co-authored-by: John Johansen <john@jjmx.net>
Due to several 'SyntaxWarning: invalid escape sequence' aa-notify
tests fail on Python 3.12.3.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
commit
b69add4f2 Merge Allow pam_unix to execute unix_chkpwd
is a backport of a fix but that fix also updated the abi and that change
was unfortunately not dropped when it should have been.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itsself. Add exec permissions to abstraction/authentication.
It also needs to read /proc/@{pid}/loginuid
Also cleanup the now-superfluous rules from the smbd profile.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 9a1838016c18aea24fde26858311b48b2fd8f3d6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Administrators might want to define global limits (e.g. disabling
a particular feature) via configuration files, but to make that work
all confined software needs to be allowed to read those files or
otherwise the risk is to silently fall back to internal defaults.
This adds the paths usually used by gnutls and openssl to improve these kind of use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739
Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3d1dedfa7e75ff67ec9282d1c7c42ddb53422595)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the
`-1` option.
Remove it, and cut off the output manually.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit ae978c19530e949e4fe6b69588d6295d039ee095)
d19db55a Fix test-aa-notify on openSUSE Tumbleweed (new 'last')
The tests for aa-notify that were related to the last login were
assuming that the machine had been logged in at least once in the last
30 days, but that might not be the case.
Update the test to check for the last login date and update the test
logs considering that value.
Fixes: https://bugs.launchpad.net/bugs/1939022
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 105b50502b085d5ffcd3b2e0e0cdf2d76881a3f9)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
aa-unconfined can fault if it looses the race between checkking if
proc/*/attr/{apparmor/,}current exists, and actually opening the file.
Catch open/file errors and ignore them like the file doesn't exist.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#355
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1157
Acked-by: seth.arnold@gmail.com
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 4b1bc85022e5abf4e12a465c7a48f6f267ea6aca)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Test for compiler support of "-flto-partition=none" flag before passing
it.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/310Closes#310
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1155
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 95d9ba8d8b6a2d1981dc92ba142865095b74d9b7)
Fixup Merge conflict in .gitlab-ci.yml
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some openssl distributions use version specific engdef and engines paths
to support multi-version installations.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571
Signed-off-by: David Disseldorp <ddiss@suse.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1147
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 2577fbf0770784e531f9210856208a774ae92af0)
2b8cf1be abstractions/openssl: allow version specific engdef & engines paths
/proc/$pid/cmdline can be changed by an application, therefore escape it
before printing.
The program name in /proc/$pid/exe can also contain any characters
(except \0 and shashes) and needs escaping.
Note: repr() wraps the string into single quotes, which we have to
remove to avoid changing the output format.
The test program from issue 364 now gets displayed as
28443 /path/to/issue364 (/\x1b]0;X\x07) not confined
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364
I propose this patch for 2.13..master
Closes#364
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1142
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e63c1e3a76dd03dfae954d6ac2bf900133914553)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add missing change_profile entry required for the example
Signed-off-by: Mostafa Emami <mustafaemami@gmail.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1141
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3e28d0a25478b720b6319827238f5cb046029b04)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The call aa_getpeercon() can return ENOPROTOOPT error in some cases, specifically when the kernel lacks 'fine grained unix mediation'. Currently, this capability isn't available in upstream kernels, but only in patched ones (for example, the regular Ubuntu kernels). Unfortunately, the manpage lacks this info. This patch fixes this.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/366
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1143
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b03abbd75fb6d9e309bfb43ab87b77c39d32efdf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile, only disallow child exec. ix and px are valid options inside a hat and are now offered to the user.
(When the tools support nested child profiles one day, we can even allow child exec again.)
Backported from dfb6f90aee9eb406caf5f75355be5a4bd2a4ecbc / https://gitlab.com/apparmor/apparmor/-/merge_requests/1133 to match the 3.1 branch
For 3.0, this also needed backporting another commit:
Fix crash caused by ask_exec()
ask_exec still uses aa[profile][hat], therefore
- use full_profile when accessing hashlog
- correctly split the merged profile name to profile and hat
- avoid accidently initializing non-existing aa[profile][hat]
This fixes a regression from converting lots of code to use flat
profile//hat array keys.
(cherry picked from commit 755b5d11e156efa697432bc0b0b4a8c6a3dddb6f)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1135
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Instead of ignoring all exec events that happen in a hat/child profile,
only disallow child exec. ix and px are valid options inside a hat and
are now offered to the user.
(When the tools support nested child profiles one day, we can even allow
child exec again.)
Backported from dfb6f90aee9eb406caf5f75355be5a4bd2a4ecbc /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1133 to match the
3.1 branch
(cherry picked from commit 0e70ad9b7c50b3d8d0cb5a53ac69a32eba364aa0)
ask_exec still uses aa[profile][hat], therefore
- use full_profile when accessing hashlog
- correctly split the merged profile name to profile and hat
- avoid accidently initializing non-existing aa[profile][hat]
This fixes a regression from converting lots of code to use flat
profile//hat array keys.
(cherry picked from commit 755b5d11e156efa697432bc0b0b4a8c6a3dddb6f)
man apparmor_parser gives examples for the --warn command line option as
apparmor_parser --warn=rules-not-enforced ...
and
apparmor_parser --warn=no-rules-not-enforced ...
but the actual --warn options are rule-not-enforced / no-rule-not-enforced
(without s)
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453
I propose this fix for 2.13..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1128
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 15d8e21945ccc7ef7ca258a18e0ba5f7a3ffcb01)
3ee47af4 Fix typo in apparmor_parser manpage
