2
0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-21 17:47:10 +00:00

1658 Commits

Author SHA1 Message Date
John Johansen
0e755d24bb Merge profiles: add authd socket to unix-chkpwd for authd PAM
Fixes: LP: #2120211

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1775
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-08-19 02:26:14 +00:00
Ryan Lee
6f5a4219d7 profiles: add authd socket to unix-chkpwd for authd PAM
Fixes: LP: #2120211

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-18 16:31:35 -07:00
Ryan Lee
0e58e3d7fb profiles: add /run/snapd.socket rule for curl
This ideally is a temporary fix because we do not want to allow all users
of curl to be able to access the snapd socket. However, this will work for
now until we can mediate the accesses better.

Fixes: LP: #2120669

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-18 12:15:40 -07:00
John Johansen
ebba635fa9 Merge profiles: Allow curl to read tmp, for scripts which might use config/etags/data...
Some system scripts, namely pollinate, pass temporary files as data.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1769
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-08-14 17:24:56 +00:00
Christian Boltz
e477ccacfa Merge abstractions/gtk: allow writing vulcan cache
Reported by darix

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1766
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-08-14 13:49:33 +00:00
Simon Poirier
01ab33202a profiles: Allow curl to read tmp, for scripts which might use config/etags/data...
Signed-off-by: Simon Poirier <simon.poirier@canonical.com>
2025-08-13 21:37:53 -04:00
Christian Ehrhardt
24216d79e9
abstractions/libnuma: add rules for active usage
The current profile is for linking against libnuma. This
update adds the rules needed to get system information
when actually using libnuma functionality.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2025-08-13 10:39:49 +02:00
Christian Boltz
8210308508
abstractions/gtk: allow writing vulcan cache
Reported by darix
2025-08-12 22:08:16 +02:00
Alessandro Astone
b6caed3b57 nss-systemd: Grant access to the GDM user database
GDM 49~beta implements a userdb VarLink service for managing the unix users
running the greeter shell, as well as the gnome-initial-setup users.

gdm-launch-environment][1892]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
unix_chkpwd[1897]: could not obtain user info (gdm-greeter)
kernel: audit: type=1400 audit(1754399331.488:211): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/run/systemd/userdb/org.gnome.DisplayManager" pid=1897 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
gdm-launch-environment][1892]: Gdm: GdmSessionWorker: user is not authorized to log in: Authentication failure

LP: #2119541
2025-08-05 15:51:25 +02:00
John Johansen
b40ac50f49 Merge profiles: add QtWebEngineProcess path used by Arch Linux and other distros
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.

Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.

openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.

Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1726
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-07-30 08:37:10 +00:00
John Johansen
87e0151c7c Merge added systemd-creds to list of wg-quick binaries
I'd like to store my wg creds in my TPM module using `systemd-creds`:

```bash
PostUp = systemd-creds --name wg0 decrypt /etc/wireguard/secrets/wg0.cred | wg set wg0 private-key /dev/stdin
```

Currently I use `local/wg-quick` as work-around.
The `Ux` permission is may be a little too open, but 2 problems remain:

- the profile maintainer can't know which creds file need to be accessible
- different TMP module implementations / drivers may require different permissions

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1644
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-30 08:34:49 +00:00
Robert Stiller
b9ed931c90 added systemd-creds to list of wg-quick binaries 2025-07-30 08:34:49 +00:00
Daniel Richard G.
36d32a81a2 abstractions/mesa, chromium_browser, firefox: Updates
Mesa now needs ~/.cache/mesa_shader_cache_db/marker .

Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.

Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.
2025-07-29 15:22:37 -04:00
John Johansen
84fbd87334 Merge profiles: fusermount3 profile fixes for libfuse 3.17
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.

To reproduce it:
```
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
```

After the test fails, enter the vm by
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
```

You can reproduce the test by running
```
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
```

Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse


Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-29 09:08:31 +00:00
Keifer Snedeker
b6ad58bbbe profiles: make /sys/devices PCI paths hex-aware 2025-07-23 19:01:25 -04:00
John Johansen
520db7a16c Merge abstractions/X: allow reading /usr/share/xkeyboard-config-*/
/usr/share/X11/xkb/ was moved to /usr/share/xkeyboard-config-2/ in
xkeyboard-config 2.45, see
https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/blob/master/ChangeLog.md?ref_type=heads#breaking-changes-2

The old location was covered by the /usr/share/X11/** rule.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1246743

I propose this fix for 4.x and master. (Users of older AppArmor versions probably don't upgrade their xkeyboard package.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1741
Approved-by: Alex <alexandre@pujol.io>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 11:13:06 +00:00
John Johansen
a966eac143 Merge lsblk: allow access to PCI buses with hex chars
Hi,

This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)

Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1729
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 11:12:10 +00:00
nl6720
f1773f4083
profiles: add QtWebEngineProcess path used by Arch Linux and other distros
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.

Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.

openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.

Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-23 09:31:02 +03:00
Christian Boltz
238221f379
abstractions/X: allow reading /usr/share/xkeyboard-config-*/
/usr/share/X11/xkb/ was moved to /usr/share/xkeyboard-config-2/ in
xkeyboard-config 2.45, see
https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/blob/master/ChangeLog.md?ref_type=heads#breaking-changes-2

The old location was covered by the /usr/share/X11/** rule.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1246743
2025-07-18 23:00:42 +02:00
Christian Pfeiffer
021f701e59
Profiles: dovecot add access for dovecot 2.4 doveconf paths 2025-07-13 23:26:26 +02:00
Louis Sautier
f16dd60f14
lsblk: allow access to PCI buses with hex chars
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)

Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
Signed-off-by: Louis Sautier <sautier.louis@gmail.com>
2025-07-01 21:07:35 +02:00
Maxime Bélair
83e9be1035 Merge Add free profile
Basic AppArmor profile for the free binary, tested on Ubuntu 24.04.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1629
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-23 14:11:07 +00:00
Maxime Bélair
91c5e9639c Merge Add curl profile
In order to test the profile, I did the following inside an oracular VM:

- `curl https://ubuntu.com/ -o /tmp/ubuntu`
- `curl 'https://ubuntu.com/security/{CVE-2024-12797,CVE-2025-24032}' -o '#1'`
- `curl -u dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu ftp://ftp.dlptest.com/`

Finally, I ran the package's testsuite:
```
apt source curl
cd curl-8.9.1
./configure --without-ssl # SSL has been tested using the above
make
cd test/server
make
cd ..
./runtests.pl -c $(which curl)
```

The only test which should fail should be the last one, since the build was configured with support for less protocols than the ones provided by the binary we're using (this is expected and happens regardless of whether the profile is loaded or not).

A spread smoke-test is also provided as part of this MR.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1560
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-23 13:49:24 +00:00
Octavio Galland
37a4b6cb81 Add curl profile 2025-06-23 13:49:23 +00:00
Maxime Bélair
a431a6e80b Merge profiles/apparmor.d: add mosquitto profile
Adds apparmor profile for https://mosquitto.org/ `plucky 2.0.20-2`.

In a production and customized environment, this profile would need overriding as many configuration options in `mosquitto.conf` are file paths which can point anywhere. This profile adds all sensible defaults required for mosquitto to work out of the box with TLS.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1506
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-23 13:28:55 +00:00
Maxime Bélair
61a3a4862e Merge Add profile for mbsync tool
Source package isync

Let me know if you think we should better handle any mail or different mbsyncrc location that the user might have.
As well if I should simplify the network access to `include <abstractions/nameservice>` or if that's too much.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1372
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-23 13:25:41 +00:00
Maxime Bélair
2c685c0a17 Merge Add dnstracer profile
Add profile for `dnstracer`. The profile has been tested with `dnstracer` for oracular i.e. version `1.9-8build1`.

Signed-off-by: vyomydv <vyom.yadav@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1366
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-23 08:09:56 +00:00
Ryan Lee
9a04cd58a6 profiles: restore exec path rules from profiles where they were removed
These profiles don't have an attachment so the path needs to be hardcoded

Fixes: 6e9ff1fa6 ("profiles: update the rest of the profiles to use @{exec_path}")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-06-17 10:53:14 -07:00
Georgia Garcia
af396a46ee profiles: add mount permissions to fusermount3 needed by flatpak-builder
There were failures in the flatpak-build autopkgtests due to missing
mount permissions:

[   60.822732] audit: type=1400 audit(1749737394.684:168): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3150 comm="fusermount3" fstype="fuse.rofiles-fuse" srcname="rofiles-fuse" flags="rw, nosuid, nodev"
[   60.825556] audit: type=1400 audit(1749737394.686:169): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="fusermount3" name="/var/tmp/test-flatpak-uuKcEE/.flatpak-builder/rofiles/rofiles-JxeDhQ/" pid=3151 comm="fusermount3" fstype="fuse" srcname="/dev/fuse" flags="rw, nosuid, nodev"
[  918.564687] audit: type=1400 audit(1749738252.435:186): apparmor="DENIED" operation="umount" class="mount" profile="fusermount3" name="/var/tmp/test-flatpak-AI4MsP/.flatpak-builder/rofiles/rofiles-vIM7ok/" pid=7093 comm="fusermount"

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-06-12 15:08:07 -03:00
Georgia Garcia
9d2aca7945 profiles: add ix permissions for mount and umount on fusermount3 profile
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.

To reproduce it:
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img

After the test fails, enter the vm by

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost

You can reproduce the test by running

cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test

Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse

Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-06-12 14:23:32 -03:00
Maxime Bélair
d068678112 Merge initial john the ripper
@jjohansen had mentioned to me when he suggested this profile that there was smth he noticed about john that gave him the impression it was a good candidate for confinement. I think that would be the only thing I'd want to call out - wondering whether something like this captures that spirit or if there's something else worth including.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1662
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-12 05:56:26 +00:00
Eduardo Barretto
3d25f1c80f
profiles: mbsync: Allow mmap as it is needed for other architectures 2025-06-11 11:33:34 +02:00
Eduardo Barretto
a7003f4d49
profiles: mbsync: Use openssl abstraction instead 2025-06-11 11:33:30 +02:00
Eduardo Barretto
bb422c1f01
profile: mbsync: Move vim tag 2025-06-11 11:33:27 +02:00
Eduardo Barretto
76338c29f2
mbsync: Add read to gss
This was needed when testing the profile in Oracular
2025-06-11 11:33:23 +02:00
Eduardo Barretto
00a1152700
mbsync: Add missing write permission to create any folders existent 2025-06-11 11:33:20 +02:00
Eduardo Barretto
5f0fcfcae9
profiles: mbsync: make use of nameservice-strict abstraction
Signed-off-by: Eduardo Barretto <eduardo.barretto@canonical.com>
2025-06-11 11:33:16 +02:00
Eduardo Barretto
74ad177d07
Add profile for mbsync tool
Source package isync

Signed-off-by: Eduardo Barretto <eduardo.barretto@canonical.com>
2025-06-11 11:33:12 +02:00
Federico Quattrin
8cf0bda8d2 added '/usr/bin/free mr' in free profile 2025-06-10 09:26:02 -03:00
Ryan Lee
9f70004058 profiles: add additional rules needed for lsusb under sudo + other flags
Fixes: https://bugs.launchpad.net/ubuntu/+source/usbutils/+bug/2110212
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-06-09 12:56:36 -07:00
Federico Quattrin
bf207941ad update pci sys devices rules 2025-06-06 13:56:39 -07:00
Federico Quattrin
61d5f1a56f removed abstractions/nameservice and added network netlink raw 2025-06-06 13:56:39 -07:00
Federico Quattrin
2634352a75 update lsusb profile name 2025-06-06 13:56:39 -07:00
Federico Quattrin
7af7fd35e5 include local lsusb profile if exists
Signed-off-by: Federico Quattrin <federico.quattrin@canonical.com>
2025-06-06 13:56:39 -07:00
Federico Quattrin
65f8bd4d82 added a few more rules for lsusb to cover verbose mode
Signed-off-by: Federico Quattrin <federico.quattrin@canonical.com>
2025-06-06 13:56:39 -07:00
Federico Quattrin
22023ce70b added lsusb profile
Signed-off-by: Federico Quattrin <federico.quattrin@canonical.com>
2025-06-06 13:56:39 -07:00
Julia Sarris
3c6db7c14b Merge branch apparmor:master into master 2025-06-04 14:27:35 +00:00
Maxime Bélair
e426cc983d Merge Allow lsblk to access Xen PVH disk devices
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604

Signed-off-by: Christian Kujau <launchpad@nerdbynature.de>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1702
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-06-03 14:53:55 +00:00
Julia Sarris
b019f9ef08 Merge branch apparmor:master into master 2025-06-03 14:18:41 +00:00
John Johansen
f8b5e5d9a4 Merge profiles: provide backwards compat for hwctl profile
The hwctl profile is being carried upstream, so we can keep it in
sync, but is being packaged from the regular profile set so that it
can be part of a package that is SRUed (ubuntu stable release update)
separate from the rest of apparmor, and its profiles.

Provide backwards compat with older parser to reduce the amount of
distro patching that is needed.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1705
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-06-02 21:43:59 +00:00