mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00

7952 Commits

Author SHA1 Message Date
fossdd
02b7e41ef3
binutils: Fix missing include limits.h
For NAME_MAX

Fixes 322a98c8 ("Fix incorrect strnlen length in aa_load.c load_policy_dir")
2025-05-03 16:48:24 +02:00
John Johansen
e510dfd0e7 Merge profiles: add a profile for hwctl
I'm working on a Rust library project that collects hardware and OS information from the local system and queries the Ubuntu Hardware Certification service to determine if the device model has been certified.

I'd like to add an AppArmor profile to ensure the `hwctl` program has access to the resources it needs.

Project source code: https://github.com/canonical/hardware-api/

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1658
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-05-02 22:22:25 +00:00
Nadzeya H
88c81906de
profiles: add a profile for hwctl 2025-05-02 12:28:22 +02:00
John Johansen
9b43c479a8 Merge parser: Dump more partition debug information
We need to be able to dump the initial partition assignments, and then
the partitions after minimization but before remapping to be able to
check on what is being done by minimization.

Add these as part of -D dfa-minimize-partitions

Ideally we would rework the code so that the existing minimization
dump could share the dump routine, but it's intertwined with computation
state and information is thrown away before reaching the end.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1651
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-30 10:09:25 +00:00
John Johansen
0d9e8312b8 Merge aa-status: improve failure messages
Improve the failure messages around getting policy information to
be less ambiguous about what went wrong.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1653
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-30 08:22:48 +00:00
John Johansen
fcd814bc51 parser: Dump more partition debug information
We need to be able to dump the initial partition assignments, and then
the partitions after minimization but before remapping to be able to
check on what is being done by minimization.

Add these as part of -D dfa-minimize-partitions

Ideally we would rework the code so that the existing minimization
dump could share the dump routine, but it's intertwined with computation
state and information is thrown away before reaching the end.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-30 01:19:13 -07:00
John Johansen
26cd35b8b7 Merge regression: pass through args like -r to the overlayfs_common.inc helper
Without this, arguments like -r would not work.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1659
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-30 08:05:21 +00:00
Ryan Lee
2518f525de regression: pass through args like -r to the overlayfs_common.inc helper
Without this, arguments like -r would not work.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-04-29 12:57:56 -07:00
John Johansen
d4a76c456d Merge profiles: force read permission to their attachment path
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.

However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.

This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .

This MR makes sure every confining AppArmor profile explicitly allows (at least) read access to its attachment path.

This Merge request:
 - Introduces `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
 - Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
 - Extends `make check` to automatically ensure all AppArmor profiles grant explicit read access to their attachment path, preventing future omissions.
 - Modifies apparmor_parser to show attachment in --debug output

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-28 12:02:18 +00:00
John Johansen
bcf1f7017e Revert "make check: verify attachment-path read permission in profiles"
This reverts commit 75959225b35cc3cd76e684f2db62e27ee4e81288.

Do not enable the verify attachment-path script as part of the CI.

1. The script itself has several bashisms, that need to be fixed before
we land it as part of the regular integration test.
2. The script is going to need to be extended to support the new
parser variables, before it can be turned on as part of the CI.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-28 04:40:34 -07:00
John Johansen
96d327d28a aa-status: improve failure messages
Improve the failure messages around getting policy information to
be less ambiguous about what went wrong.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-26 11:13:35 -07:00
John Johansen
6f480cb819 Merge binutils/aa-status: don't exit if no profiles are loaded
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490

Output of `aa-status` is nondescriptive if no profiles are loaded.

Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.

**Ideally** output of non-json would be more descriptive.

Currently:
```
apparmor module is loaded.
Failed to get profiles: 2....
```


What I would prefer:
```
apparmor module is loaded.
Failed to get profiles: No policies loaded
```

However, I am unfamiliar with how the translation framework works,
and thus not confident to do this change blindly.
I am happy to add a commit doing so if I know where to change all that.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1652
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-24 10:48:38 +00:00
Grimmauld
59d0708818
binutils/aa-status: don't exit if no profiles are loaded
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490

Output of `aa-status` is nondescriptive if no profiles are loaded.

Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
2025-04-24 10:45:42 +02:00
Steve Beattie
887ff42043 Merge parser: fix rlimit ofile when built on musl libc
glibc defines bsd's rlimit ofile as nofile, however musl does not define
rlimit ofile at all.

Instead of just dropping ofile which would be bad for policy portability
make sure it is defined to be nofile.

This is a partial fix for
https://gitlab.com/apparmor/apparmor/-/issues/513

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1648
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
2025-04-22 23:49:57 -07:00
John Johansen
e3840b0dad parser: fix rlimit ofile when built on musl libc
glibc defines bsd's rlimit ofile as nofile, however musl.

Instead of just dropping ofile which would be bad for policy portability
make sure it is defined to be nofile.

This is a partial fix for
https://gitlab.com/apparmor/apparmor/-/issues/513

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-22 23:26:54 -07:00
John Johansen
a041f2beb8 Revert "Merge profiles: fix QtWebEngineProcess multiarch path in plasmashell"
This reverts commit 27f5b623f726a84f8430825e2e2641043965af94, reversing
changes made to ee08bfbc905102380bfcaf64d5d84bced98c9360.

This causes the plasmashell profile to have a conflicting x modifiers
error. This breaks CI and compile/load of the plasmashell profile.

Revert until it can be fixed. Using priority.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-21 12:11:21 -07:00
John Johansen
27f5b623f7 Merge profiles: fix QtWebEngineProcess multiarch path in plasmashell
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1645
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-21 18:35:59 +00:00
John Johansen
ee08bfbc90 Merge add path for plasmashell with qt6 based QtWebEngineProcess in debian derivatives
we are using this path in a local profile shipped with plasma-workspace in KDE neon

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1633
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
2025-04-21 18:34:09 +00:00
Ryan Lee
2678d0ca35 profiles: fix QtWebEngineProcess multiarch path in plasmashell
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-04-21 11:26:51 -07:00
John Johansen
663e5bf90b Merge fusermount3: Include full nameservice rules for SSSD users
```
audit: type=1400 audit(1744218886.059:4484): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1744218886.059:4485): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1744218886.059:4486): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/var/lib/sss/pipes/nss" pid=19539 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1625
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-04-21 18:17:53 +00:00
John Johansen
8504cda668 Merge abstractions/nameservice: allow kanidm-unixd
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.

For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
2025-04-21 08:18:03 +00:00
John Johansen
7702b40359 Merge make AMD GPUs work better
Proposed by darix

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1642
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-21 08:15:46 +00:00
John Johansen
99c5837195 Merge regression: add xpass tests that demonstrate that access(2) isn't mediated
There is an unfortunate long kernel dev history as to why this currently
isn't the case, so we're stuck with documenting the facts for now.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1641
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-20 21:48:52 +00:00
Christian Boltz
5d71e19753
make AMD GPUs work better
Proposed by darix
2025-04-20 22:19:01 +02:00
Ryan Lee
3347685898 regression: add xpass tests that demonstrate that access(2) isn't mediated
There is an unfortunate long kernel dev history as to why this currently
isn't the case, so we're stuck with documenting the facts for now.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-04-18 15:40:39 -07:00
Christian Boltz
c5642f9d43 Merge utils: fix unix qualifier clean rule generation
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Closes #511
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1639
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-04-18 19:11:39 +00:00
Georg Pfuetzenreuter
675a99ac7b
abstractions/nameservice: allow kanidm-unixd
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.

For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2025-04-18 17:15:02 +02:00
Maxime Bélair
d4e795fe6d utils: Fix test-logprof.py for bin.ping profile
Update expected output to match the modifications on bin.ping profile.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-18 12:41:56 +02:00
Maxime Bélair
75959225b3 make check: verify attachment-path read permission in profiles
Extend `make check` to automatically ensure every AppArmor profile grants
explicit read access to its attachment path, preventing future omissions.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-18 12:41:56 +02:00
Maxime Bélair
072d17a237 profiles: Give all profiles read access to their attachment path
Grant explicit read permission on each profile’s attachment path. This
avoids issues when running them from a confined environment and makes
test_profile.sh pass.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-18 12:41:56 +02:00
Maxime Bélair
68c0dddf23 Add a script to verify attachment-path permissions
Unconfined delegates access to open file descriptors. Therefore when
running a confined binary from unconfined, it will work even when the
attachment path is not read-allowed.

However, as soon as these confined binaries are run from another
confined process, this delegation is not permitted anymore and the
program breaks.

This has been the cause of several bugs such as
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or
https://github.com/canonical/snapd/pull/15181 .

Introduce `test_profile.sh`, a helper script that ensures confining
AppArmor profiles explicitly allow (at least) read access to their
attachment path.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-18 12:41:54 +02:00
Maxime Bélair
5d7fe96fd0 apparmor_parser: show attachment in --debug output
When showing the content of profiles with `apparmor_parser --debug`, the
attachment path is now displayed within the 'Debugging built structures'
section.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-18 10:26:20 +02:00
Georgia Garcia
8c84b36b32 utils: fix unix qualifier clean rule generation
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-04-17 20:39:58 -03:00
Maxime Bélair
cda9153772 Merge lsblk profile: Minor fixes
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107402

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455

Allow `/usr/bin/lsblk mr` to make this profile work from confined
profiles. Also, allow css devices to work properly with lsblk.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1632
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-17 18:59:33 +00:00
carlosdem
d8ddd665fc fix typo 2025-04-17 00:10:00 +00:00
Maxime Bélair
7b8232fe29 lsblk profile: Minor fixes
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107402
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455

Allow `/usr/bin/lsblk mr` to make this profile work from confined
profiles. Also, allow css devices to work properly with lsblk.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-16 14:32:45 +02:00
carlosdem
393444b7ba add path for plasmashell with qt6 based QtWebEngineProcess in debian derivatives 2025-04-16 11:34:13 +00:00
John Johansen
ccf1b25d3d Merge fusermount3: allow ro mounts on /cvmfs
CVMFS (the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)).

CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possible to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking.

We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream!

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-04-13 07:26:38 +00:00
John Johansen
f34a7d0b28 Merge parser: add an abi <default> that is equivalent to not specifying an abi
I am unsure how to test this equivalency due to how abi declarations interact with feature file command line arguments, so advice on that would be welcome.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1585
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-12 10:30:28 +00:00
John Johansen
491def4385 parser: make abi=<kernel> respect the command line specified kernel features
Currently abi=<kernel> always grabs the kernel's actual features but
it should respect --kernel-features=. This is causing the simple
tests to fail when abi=<kernel> is specified.

Fix it so abi=<kernel> respects the kernel abi specified in the configs
or on the command line.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-12 03:07:53 -07:00
John Johansen
8138bc60d1 Merge unprivileged_userns profile: Allow full file system access
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505

The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

Closes #505
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1626
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-04-12 09:19:25 +00:00
Christian Boltz
59d9d001a1 Merge Move the "unsafe" rules of front_perms_ok simple tests to separate test file
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1627
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-04-11 16:37:07 +00:00
Maxime Bélair
182db98c2a unprivileged_userns profile: Allow full file system access
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505

The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-04-11 09:02:49 +02:00
Ryan Lee
fe9c305ccd Move the "unsafe" rules of front_perms_ok simple tests to separate test file
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-04-10 11:19:05 -07:00
Alessandro Astone
c09501ad59 fusermount3: Include full nameservice rules for SSSD users
```
audit: type=1400 audit(1744218886.059:4484): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1744218886.059:4485): apparmor="DENIED" operation="open" class="file" profile="fusermount3" name="/var/lib/sss/mc/passwd" pid=19539 comm="fusermount3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1744218886.059:4486): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/var/lib/sss/pipes/nss" pid=19539 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
```

Fixes: http://bugs.launchpad.net/bugs/2106311
2025-04-10 17:26:39 +02:00
John Johansen
4e1a8feb03 lib: version sync
Sync version of library to match that of 4.1 release.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-10 02:15:53 -07:00
John Johansen
08a67f3e20 Merge tests/profiles/tinyproxy: add some functional tests for tinyproxy
Check that when using a HTTP client via tinyproxy that the expected Via header
is present and that the tinyproxy stats page works as expected.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1537
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-09 18:20:07 +00:00
John Johansen
d9ecaf60bc Merge tests: regressions: fix unix_socket_pathname.sh for upstream kernels
FS based unix sockets have a complicated interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.

When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.

Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.

update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.

Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1622
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
v4.1.0-cherry-pick-point
2025-04-08 15:48:57 +00:00
John Johansen
2c784709b2 tests: regression: increase unix socket test timeout
The tests on slower systems are occasionally timing out leading to
inconsistent pass/fail runs. The time out failure depending on which
test it occurs in can result in false passes, or failures.

Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 06:42:17 -07:00
John Johansen
08f9466d1c tests: regressions: fix unix_socket_pathname.sh for upstream kernels
FS based unix sockets have a complicated interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.

When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.

Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.

update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.

Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 06:42:11 -07:00