Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.
However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.
This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .
This MR makes sure every confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
This Merge request:
- Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
- Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
- Extends `make check` to automatically ensure all AppArmor profile grant explicit read access to their attachment path, preventing future omissions.
- Modifies apparmor_parser to show attachment in --debug output
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
The tools are wrong in parsing the detached mount test.
Until that can be fixed, mark the tools as wrong.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1607
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These are the default directory mounts used by Flatpak's system cache for mounting revokefs-fuse. Unfortunately, the new rules are quite broad, but we might not be able to do much better than that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1562
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
If the following scenario was present in a profile, cleanprof
would fail with a RecursionError exception (maximum recursion
depth exceeded)
/parent { }
/parent///child { }
This occured because in aa.py, in the write_piece function, the
wrong depth was being passed, along with a wrong hat. The
formatting of the spaces was also incorrect.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Profiles that are defined like below did not have the parent attribute
set in profile storage:
/parent///child {}
The condition on which child profiles were written was also changed so
they are not removed from the profile if /parent does not exist.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The header was being generated incorrectly in 2 cases:
When the profile/hat contained the parent profile in its name, as in
profile firefox//dash {
hat ^firefox//dash {
and in the unit tests, the child profile or hat was being named as the
parent profile. This was not caught by the general case because the
code has not yet been fully adapted to handle multiple nested child
profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
I propose this fix for 4.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1573
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Corresponding kernel patch needed to test in https://gitlab.com/georgiag/apparmor-kernel/-/tree/mqueue-ext
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1577
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
One of the possible matches in glob_pattern was `\w+` which matched for
example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore
change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and
one with `revokefs-fuse`.
The utils should be able to skip profiles that it can't parse now,
so this test suite bypass mechanism should no longer be necessary.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Since all the tools that load profiles go through the same module, this should
be sufficient as a first pass.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This will allow the other tools to continue working on other profiles, even
if some of them use syntax that the utils currently can't handle.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles to use that mechanism in the other tests that need it
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Python 3.13 changes the formatting of long-short option pairs that use a
meta-variable. Up until 3.13 the meta-variable was repeated. Since
Python change [1] the meta-var is only printed once.
[1] https://github.com/python/cpython/pull/103372
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The "last" command, which was supplied by util-linux in older Ubuntu
versions, is now supplied by wtmpdb in Oracular and Plucky. Unfortunately,
this changed the output format and broke our column based parsing.
While the wtmpdb upstream has added json support at
https://github.com/thkukuk/wtmpdb/issues/20, we cannot use it because
we need to support systems that do not have this new feature added.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Our ubuntu packaging builds Python-enabled libapparmor's in the directories `libapparmor/libapparmor.python[version_identifier]`. In order for the util's `make check` to pick up on the correct libapparmor during the Ubuntu build process, we need the ability to override its search path. This patch introduces a `LIBAPPARMOR_BASEDIR` variable to allow for that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1497
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
os.environ returns a string, but the default value is a list, and the concatenation of __AA_CONFDIR assumes a list.
Thus, if APPARMOR_NOTIFY and __AA_CONFDIR were both specified, this would error out.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
lastlog2 is the 2038-safe replacement for wtmp, and in the meantime
became part of util-linux.
This commit switches from trying to parse the lastlog2 output to
directly reading lastlog2.db with sqlite3.
Adjust get_last_login_timestamp() to use the lastlog2 database
(/var/lib/lastlog/lastlog2.db) if it exists, and adjust
get_last_login_timestamp_lastlog2() to actually do that.
(If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.)
Unfortunately lastlog2 doesn't have a way to get machine-readable output
(for example json), therefore - after trying and failing to parse the
lastlog2 output - directly read from lastlog2.db. Let's hope the format
never changes ;-)
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372
lastlog2 is the 2038-safe replacement for wtmp, and in the meantime
became part of util-linux.
Adjust get_last_login_timestamp() to use lastlog2 if it exists, and add
get_last_login_timestamp_lastlog2() to actually do that.
(If lastlog2 doesn't exist, aa-notify will read wtmp as usual.)
Unfortunately lastlog2 doesn't have a way to get machine-readable output
(for example json), therefore we have to parse the output that is meant
for humans. Let's hope the format never changes ;-)
(The alternative would have been to use squlite3 to once more read the
data behind the official program's back, but that was already a bad idea
for wtmp, therefore I decided against it.)
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372
... and add a wrapper function with the old name
Also rename the tests to the new name, and create a copy with the
original name. The copy will be adjusted to also check/expect lastlog2
results in a later commit.
Note that the old code assigned dummy_prof to aa[profile][hat] and
active_profiles[profile] (= the main/parent profile) - which is
diffferent when testing a log for a child profile.
aa[profile][hat] was the wrong place - but since we used exactly that
again when checking for added exec rules, this error was hidden.
Now that the test is switched to using active_profiles, only check the
main profile for exec rules added by ask_exec(). (This will need to be
adjusted when we add a test for exec rules/events in nested childs, but
not earlier ;-)
