Fixes #449
Tkinter (used by aa-notify) needs the $XAUTHORITY envvar to start but on
some systems (e.g. openSUSE), sudo clears it. This change adds a
--xauthority command-line option to set it explicitly, so aa-notify works
under sudo.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> (in master)
(cherry picked from commit fbd266c63f657a2b046c77a7a209e556ec1bdf12 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1771,
adjusted test-aa-notify.py to 4.1 branch)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1772
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Fixes #449
Tkinter (used by aa-notify) needs the $XAUTHORITY envvar to start but on
some systems (e.g. openSUSE), sudo clears it. This change adds a
--xauthority command-line option to set it explicitly, so aa-notify works
under sudo.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> (in master)
(cherry picked from commit fbd266c63f657a2b046c77a7a209e556ec1bdf12 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1771,
adjusted test-aa-notify.py to 4.1 branch)
GDM 49~beta implements a userdb VarLink service for managing the unix users
running the greeter shell, as well as the gnome-initial-setup users.
```
gdm-launch-environment][1892]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
unix_chkpwd[1897]: could not obtain user info (gdm-greeter)
kernel: audit: type=1400 audit(1754399331.488:211): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/run/systemd/userdb/org.gnome.DisplayManager" pid=1897 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
gdm-launch-environment][1892]: Gdm: GdmSessionWorker: user is not authorized to log in: Authentication failure
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1761
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit fedcab2ad0e4101eeec55164ce8a75a1d189b1e8)
b6caed3b nss-systemd: Grant access to the GDM user database
Co-authored-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit 380dbb84b8203adde180e47dbaa8db63fb599f85 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1739,
test-aa.py changes adjusted to 4.1 branch)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1748
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit 380dbb84b8203adde180e47dbaa8db63fb599f85 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/1739,
test-aa.py changes adjusted to 4.1 branch)
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that `priority=0` matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1735
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 630fd1c28580563621ae9f89b50d14cafc99b85f)
ab9d3594 utils: Improve rule priority support in is_covered/is_equal
f78aa365 Add tests for priority is_covered/is_equal fix
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
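The two commit messages above (the `is_covered` direction fix and the priority handling in `is_covered`/`is_equal`) describe three pieces of semantics. The following toy model is an added example, not AppArmor's utils code: `PathRule`, `redundant_rules` and the `fnmatch`-based glob check are all hypothetical stand-ins chosen only to make the stated rules testable.

```python
"""Toy model of rule coverage with a priority prefix.

Added illustration, not AppArmor's own utils code.  PathRule is a
hypothetical stand-in for a path rule that follows the semantics the
two commit messages describe:

  * ``x.is_covered(y)`` asks whether x covers y, not whether x is
    covered by y;
  * a rule of lower priority cannot cover one of higher priority;
  * ``is_equal(strict=False)`` treats an explicit ``priority=0`` the
    same as no priority prefix, because the implicit default is zero.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
import fnmatch


@dataclass(frozen=True)
class PathRule:
    path: str                        # path or glob, e.g. "/etc/**"
    perms: FrozenSet[str]            # permission letters, e.g. frozenset("rw")
    priority: Optional[int] = None   # None: no "priority=N" prefix written

    def effective_priority(self) -> int:
        """Implicit priority defaults to zero (as the commit message states)."""
        return 0 if self.priority is None else self.priority

    def is_covered(self, other: "PathRule") -> bool:
        """Return True if self covers other (self is at least as broad).

        Note the direction: ``x.is_covered(y)`` means "x covers y".
        """
        # A lower-priority rule never covers a higher-priority one.
        if self.effective_priority() < other.effective_priority():
            return False
        # Every permission the other rule grants must be granted here too.
        if not other.perms <= self.perms:
            return False
        # fnmatch stands in for the real AARE matcher (assumption: its "*"
        # also crosses "/", which AppArmor globbing does not).
        return other.path == self.path or fnmatch.fnmatchcase(other.path, self.path)

    def is_equal(self, other: "PathRule", strict: bool = True) -> bool:
        """Equality; non-strict mode ignores whether priority=0 was explicit."""
        if self.path != other.path or self.perms != other.perms:
            return False
        if strict:
            return self.priority == other.priority
        return self.effective_priority() == other.effective_priority()


def redundant_rules(rules: List[PathRule]) -> List[PathRule]:
    """Rules already covered by some other rule in the same list."""
    return [r for r in rules
            if any(o is not r and o.is_covered(r) for o in rules)]


if __name__ == "__main__":
    broad = PathRule("/etc/**", frozenset("rw"))
    narrow = PathRule("/etc/passwd", frozenset("r"))
    pinned = PathRule("/etc/passwd", frozenset("r"), priority=10)
    print(broad.is_covered(narrow))   # True: broad covers narrow
    print(narrow.is_covered(broad))   # False: direction matters
    print(broad.is_covered(pinned))   # False: priority 0 cannot cover priority 10
    print([r.path for r in redundant_rules([broad, narrow, pinned])])  # ['/etc/passwd']
```

The `redundant_rules` helper shows why the direction and the priority check matter in practice: a cleanup tool that got either wrong would drop a pinned higher-priority rule as "already covered" by a broader, lower-priority one, silently changing the effective policy.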
Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit fc636c7ff3f7331b11bb8e4c26a9aa8c1a179844)
021f701e Profiles: dovecot add access for dovecot 2.4 doveconf paths
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Otherwise tst_regex would log as being from parser_common.c instead of
being from the actual source of parser_regex.c
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 6e643a1dab45aeb8b6204fd92574479b2b188e8a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The recent change to make CI pipeline build test images on a manual
trigger masks the outcome of the pipeline. Let's use the new inputs [1]
feature to allow manually triggering the pipeline with an explicitly
built image instead.
[1] https://docs.gitlab.com/ci/inputs/
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 5aed9e8a507bdced0c0bfe6e6481d303c0985cad)
Signed-off-by: John Johansen <john.johansen@canonical.com>
We rely on a hack that avoids compressing and pushing the cache if it
has not really changed but it's worth adding links.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit f9ba11a91e800e2f38cafe18225640302cfb62c9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current logic will only build spread images, for master (which uses
protected cache), when the .image-garden.mk or .gitlab-ci.yml files
change as compared to master. This is great IF they change and WHEN the
cache is hot but right now it seems that this is not the case and master
just has no protected cache.
Add a manual knob to run the one-off cache job whenever we want to.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 272ad36df8b799099a14a8c6e3d1e4872ca7246c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This relies on a documented hack that makes GitLab cache machinery
skip the upload if all of the cached files are missing in the tree.
This saves about a minute per pull request CI/CD run times the number of
images required for testing.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 81c1b863736beeebce6c2918e371c463a41f56b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This fixes the long standing issue affecting caching of the image
between the image-* jobs and the spread-* jobs.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit d2d0f362442a7188411f57360f296f60f9a0f59b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This way they can be automatically cancelled by GitLab when a new commit is pushed
to a merge request, thus providing feedback to the tip of the branch or pull request
more rapidly.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 50734c968916000a64f69b4b19141b2e15357be1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This allows having a locally-built apparmor tree while using spread to
test against other distributions.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit a5bae11cfd4ea7511d0173cf05784b0b06b5665f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionally read the shadow file. And with the previous
restriction, the binary has an access denied to the shadow which
blocks user authentications. Moreover the PAM change is needed to fix
the CVE-2024-10041.
Giving the read capability to the unix-chkpwd profile allows it to
function properly. See bug report [1].
[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
(cherry picked from commit 556396a172d09ea032404c7b346f4cf54a949a4e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Having a `__pycache__` on check can result in all kinds of weird issues.
Notably, the test environment is currently clearing all environment variables,
including those responsible for keeping a reproducible build.
This is not immediately a problem for functionality,
but complicates downstream distribution in systems such as nix, where it is considered a bug [1].
It might also be possible to force determinism by exporting env vars instead:
```
DETERMINISTIC_BUILD=1
PYTHONHASHSEED=0
```
This forces a special mode on the pycache, where instead of a `moddate`,
it will then store a hash of the outputs [2].
This would be an alternative fix, but considering apparmor upstream does
not (yet) test for bit-reproducibility, it is likely too fragile here.
[1] https://github.com/NixOS/nixpkgs/issues/409032
[2] https://peps.python.org/pep-0552/
I understand AppArmor might or might not care about deterministic builds.
I was writing this patch for nixpkgs anyways, so I might as well try to
contribute it - whether it gets merged or not.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1697
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 9fabe25a9fbea12d00fb3f0ec04d0e3865f55981)
f584505a libapparmor/test: avoid writing __pycache__
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet. Also, adjust tests to pass when label support is
implemented in the kernel.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1623
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit d94ff137efc543407c6594a133aaaff386694a97)
When label is detected in the kernel, the tests pass.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit c25f2d34074eb966997e637bef0549f5d41887c6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 306b656ba2e606f083b46fbb2e95879a59a89439)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Specifying norelatime should set the corresponding MS_RELATIME flag clear
bit. Instead, it ORed in MS_NORELATIME, which expands to 0. Properly set
the clear bit by using MS_RELATIME.
Fixes: c9e31b7f "Add mount rules"
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1679
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e6bedaac1d56c3da0123dc6d23deadc0c9e66a9f)
Specifying norelatime should set the corresponding MS_RELATIME flag clear
bit. Instead, it ORed in MS_NORELATIME, which expands to 0. Properly set
the clear bit by using MS_RELATIME.
Fixes: c9e31b7f "Add mount rules"
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 711bbac5ebbb4df1c5af75494529229f00bdf10d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reported by darix
The initial radv_builtin_shaders rule was added in 4.1, therefore I propose this patch for at least 4.1 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1677
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3f37b671c37f6179f4fdbf4b5efb0500ad09dd37)
Reported by darix, seen with comm="sshd-session"
I propose this for master and 4.x (optionally also 3.x even if it's less likely that systems using these branches already use lastlog2)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1676
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b1097077f56c6f8151c70eea427b31c21e8eb169)
Reported by darix, seen with comm="sshd-session"
(cherry picked from commit f8532f2d20351a4f6d266177c188bade9c153d1e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
For NAME_MAX
Fixes 322a98c8 ("Fix incorrect strnlen length in aa_load.c load_policy_dir")
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1666
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e56751cec024aac8110373540375b90e36dc24d3)
For NAME_MAX
Fixes 322a98c8 ("Fix incorrect strnlen length in aa_load.c load_policy_dir")
(cherry picked from commit 02b7e41ef3d89cea2bc24073938e7fdab8c29b17)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The internal permission accumulation is currently broken in that
the ordering of rules matters to whether deny is clearing accumulated
perms.
If a deny node comes before an allow node the deny bits will get set
but the following allow bits won't get cleared by the deny node.
This isn't currently an actual issue for mediation as the deny
bit will be applied at one of
1. apply_and_clear_deny
2. permission remapping
3. run time mediation
but it does result in the internal state sometimes having both
allow and deny bits set, dependent on order of computation, resulting
in state machines with different sizes because minimization
partitioning is based on the internal permissions.
This means that dfa minimization may not result in a truly minimal
state machine, and even worse can cause inconsistency and failure in
tests that rely on internal state like the equality and minimization
test, as seen in https://gitlab.com/apparmor/apparmor/-/issues/513
The failure was due to the musl STL set implementation producing a
different ordering of the nodes than glibc. So when the permissions
were accumulated the internal set of permissions were different.
Fix this by giving the different node classes their own internal priority.
This will ensure the bits are properly cleared for that priority before
accumulating.
Note: other ways of fixing.
1. Fixup internal accumulation to use accumulating perms of "higher"
priority as part of the mask (deny and allow mask prompt).
2. Do a hard masking apply at the end after all bits have been accumulated
(ie, in accept_perms after the for loop).
The priority route was chosen because it is a little smaller and
scales better if we get new Node types we have to deal with
(eg. planned complain node).
BugLink: https://gitlab.com/apparmor/apparmor/-/issues/513
Fixes: 1ebd99115 ("parser: change priority so that it accumulates based on permissions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1655
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 648336489e0dce29008e2b1740343cf05f8638ba)
The internal permission accumulation is currently broken in that
the ordering of rules matters to whether deny is clearing accumulated
perms.
If a deny node comes before an allow node the deny bits will get set
but the following allow bits won't get cleared by the deny node.
This isn't currently an actual issue for mediation as the deny
bit will be applied at one of
1. apply_and_clear_deny
2. permission remapping
3. run time mediation
but it does result in the internal state sometimes having both
allow and deny bits set, dependent on order of computation, resulting
in state machines with different sizes because minimization
partitioning is based on the internal permissions.
This means that dfa minimization may not result in a truly minimal
state machine, and even worse can cause inconsistency and failure in
tests that rely on internal state like the equality and minimization
test, as seen in https://gitlab.com/apparmor/apparmor/-/issues/513
The failure was due to the musl STL set implementation producing a
different ordering of the nodes than glibc. So when the permissions
were accumulated the internal set of permissions were different.
Fix this by giving the different node classes their own internal priority.
This will ensure the bits are properly cleared for that priority before
accumulating.
Note: other ways of fixing.
1. Fixup internal accumulation to use accumulating perms of "higher"
priority as part of the mask (deny and allow mask prompt).
2. Do a hard masking apply at the end after all bits have been accumulated
(ie, in accept_perms after the for loop).
The priority route was chosen because it is a little smaller and
scales better if we get new Node types we have to deal with
(eg. planned complain node).
BugLink: https://gitlab.com/apparmor/apparmor/-/issues/513
Fixes: 1ebd99115 ("parser: change priority so that it accumulates based on permissions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 06e349345ed2cb4ef4c3f22851d7ddc2c4d5f6bf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
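The order-dependence described in the commit message above (a deny node visited before an allow node leaves both allow and deny bits set, while the reverse order clears the allow bit) is easy to see in a small model. The following is an added example, not the parser's `accept_perms` code: the permission bit values, the `("allow"|"deny", bits)` node representation and the `CLASS_PRIORITY` ranks are constructed for illustration, rule priority prefixes are left out, and the canonical ordering shown is one way of restoring order-independence rather than the parser's actual per-class priority bookkeeping.

```python
"""Toy model of deny/allow permission accumulation.

Added example, not AppArmor parser code.  Nodes are (kind, bits) tuples
where kind is "allow" or "deny" and bits is a permission mask.  A deny
node sets deny bits and clears them from the accumulated allow mask; an
allow node sets allow bits.  Visiting nodes in container order (which
differs between the musl and glibc std::set) makes the naive result
order-dependent; ranking node classes and visiting them in rank order
makes it canonical.
"""
from itertools import permutations
from typing import Callable, List, Tuple

# Constructed permission bits for the model (not the parser's values).
AA_MAY_READ = 1 << 0
AA_MAY_WRITE = 1 << 1
AA_MAY_EXEC = 1 << 2

Node = Tuple[str, int]
Result = Tuple[int, int]  # (allow mask, deny mask)


def accumulate_naive(nodes: List[Node]) -> Result:
    """Accumulate in the order given: deny clears only what came before it."""
    allow = deny = 0
    for kind, bits in nodes:
        if kind == "deny":
            deny |= bits
            allow &= ~bits
        else:
            allow |= bits      # not masked by deny: earlier-denied bits return
    return allow, deny


# Hypothetical internal ranks: allow nodes are folded in first, deny nodes
# last, so a deny always clears the allow bits of its own class ordering.
CLASS_PRIORITY = {"allow": 0, "deny": 1}


def accumulate_by_class(nodes: List[Node]) -> Result:
    """Accumulate in class-rank order; the result no longer depends on input order."""
    ranked = sorted(nodes, key=lambda n: CLASS_PRIORITY[n[0]])
    return accumulate_naive(ranked)


def order_independent(nodes: List[Node],
                      accumulate: Callable[[List[Node]], Result]) -> bool:
    """True if every visiting order of nodes yields the same (allow, deny)."""
    results = {accumulate(list(p)) for p in permutations(nodes)}
    return len(results) == 1


if __name__ == "__main__":
    deny_first = [("deny", AA_MAY_WRITE), ("allow", AA_MAY_READ | AA_MAY_WRITE)]
    allow_first = list(reversed(deny_first))
    print(accumulate_naive(deny_first))        # (3, 2): allow and deny both carry WRITE
    print(accumulate_naive(allow_first))       # (1, 2): WRITE cleared from allow
    print(order_independent(deny_first, accumulate_naive))     # False
    print(order_independent(deny_first, accumulate_by_class))  # True
```

The `order_independent` check is the property the equality and minimization tests implicitly rely on: if two visiting orders produce different internal permission sets, minimization partitions states differently and the resulting DFAs differ in size even though the policy is the same.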
Add basic support for the priority rules prefix. This patch does not
allow the utils to set or suggest priorities. It allows parsing and
retaining of the priority prefix if it already exists on rules and
checking if it's in the supported range.
Note that this MR is supposed to replace WIP MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1531
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1636
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 71ea87966a84b9ffadf49b789bf37bdce33da67d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Merge branch 'cherry-pick-71ea87966a84b9ffadf49b789bf37bdce33da67d' into apparmor-4.1
Add basic support for the priority rules prefix. This patch does not
allow the utils to set or suggest priorities. It allows parsing and
retaining of the priority prefix if it already exists on rules and
checking if it's in the supported range.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c0fcd1698b2562f4c7cbfb3eda0c8c818b37ac57)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some classes don't support modifiers like audit and deny. Only rlimit
has been checking for the allow keyword, but the others shouldn't
support it either. Since they all do the same check, refactor them
into a method from BaseRule in case more modifiers are added.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3389230437570a47927d87c82902c37f63c41c45)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The lack of a space after $testtype is a syntax error and was causing the
equality tests on Ubuntu Xenial to be silently skipped and marked PASS.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1670
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit bd46a02e478036d838f73f14dadfab33649f8a9e)
17ee87ad parser: fix if condition at the bottom of equality.sh
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490
Output of `aa-status` is nondescriptive if no profiles are loaded.
Worse yet, the json output isn't even valid json. It would make sense to just return a json object with no entries, instead of returning a non-json `eprint` to stderr.
**Ideally** output of non-json would be more descriptive.
Currently:
```
apparmor module is loaded.
Failed to get profiles: 2....
```
What I would prefer:
```
apparmor module is loaded.
Failed to get profiles: No policies loaded
```
However, I am unfamiliar with how the translation framework works, and thus not confident to do this change blindly. I am happy to add a commit doing so if I know where to change all that.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1652
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 6f480cb819949cb5537023caa6d776e51380e698)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1656
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490
Output of `aa-status` is nondescriptive if no profiles are loaded.
Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
glibc defines bsd's rlimit ofile as nofile, however musl does not define
rlimit ofile at all.
Instead of just dropping ofile which would be bad for policy portability
make sure it is defined to be nofile.
This is a partial fix for
https://gitlab.com/apparmor/apparmor/-/issues/513
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1648
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
(cherry picked from commit 887ff42043e98a4bf59b206056a8a740c57c7c4d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Proposed by darix
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1642
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 7702b4035995aed943190482a9bccdca1cb9ab44)
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8504cda668bcf029f376ee8d49a242ff63d7493f)
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
(cherry picked from commit 675a99ac7b569f952664c9cd582e775e8d24e17b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
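The kanidm commit above and the GDM userdb commit earlier on this page each quote an `apparmor="DENIED"` audit record as the evidence for a new rule. The script below is an added example, not AppArmor's own `aa-logprof` code: it parses those two records (reassembled onto single lines as constructed sample input), normalises the denied mask, and renders one candidate file rule per denial for a maintainer to review. Whether such a path belongs in the profile itself or in a shared abstraction (as the GDM fix did via nss-systemd) is a judgement the tool deliberately leaves to the reviewer.

```python
"""Summarise AppArmor file denials from audit log lines.

Added example, not project code.  Parses key="value" fields from
DENIED records and groups the denied path and mask per profile.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: the two denials quoted in the commit
# messages on this page, one record per line.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1754399331.488:211): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/run/systemd/userdb/org.gnome.DisplayManager" pid=1897 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm" name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
"""

# key=value tokens; the value is either double-quoted or a bare word.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical order for file permission letters, so "wr" renders as "rw".
PERM_ORDER = "rwalkmix"


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key=value pairs; prefixes such as 'kernel: audit:' are ignored."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def canonical_mask(mask: str) -> str:
    """Reorder permission letters into the conventional rule spelling."""
    return "".join(c for c in PERM_ORDER if c in mask)


def summarise_denials(log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map profile -> sorted (path, mask) pairs for file-class DENIED events."""
    per_profile = defaultdict(set)
    for line in log.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue
        # Older kernels omit class=; treat a missing class as a file event.
        if f.get("class", "file") != "file" or "name" not in f:
            continue
        mask = f.get("denied_mask") or f.get("requested_mask", "")
        per_profile[f.get("profile", "?")].add((f["name"], canonical_mask(mask)))
    return {p: sorted(s) for p, s in per_profile.items()}


def candidate_rules(log: str) -> List[Tuple[str, str]]:
    """Render one candidate file rule per denial as (profile, rule text)."""
    out = []
    for profile, entries in sorted(summarise_denials(log).items()):
        for path, mask in entries:
            out.append((profile, f"{path} {mask},"))
    return out


if __name__ == "__main__":
    for profile, rule in candidate_rules(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```

Running it on the constructed sample prints `php-fpm: /etc/kanidm/unixd r,` and `unix-chkpwd: /run/systemd/userdb/org.gnome.DisplayManager rw,`, matching the rules the two commits added in spirit; `denied_mask` is preferred over `requested_mask` because only the denied part needs a new rule.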
we are using this path in a local profile shipped with plasma-workspace in KDE neon
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1633
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ee08bfbc905102380bfcaf64d5d84bced98c9360)
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes #511
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1639
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c5642f9d43a41ffdc29ffa616f6c8f70b23f903e)
8c84b36b utils: fix unix qualifier clean rule generation
Co-authored-by: Christian Boltz <apparmor@cboltz.de>
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505
The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Closes #505
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1626
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8138bc60d18a7939af766c322586c4268e2940e3)
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505
The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit 182db98c2aed2dd01d434bdc66c352ac1bf6f891)
Signed-off-by: John Johansen <john.johansen@canonical.com>