I'm working on a Rust library project that collects hardware and OS information from the local system and queries the Ubuntu Hardware Certification service to determine if the device model has been certified.
I'd like to add an AppArmor profile to ensure the `hwctl` program has access to the resources it needs.
Project source code: https://github.com/canonical/hardware-api/
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1658
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
We need to be able to dump the initial partition assignments, and then
the partitions after minimization but before remapping to be able to
check on what is being done by minimization.
Add these as part of -D dfa-minimize-partitions
Ideally we would rework the code so that the existing mininimization
dump could share the dump routine but, its interwined with computation
state and information is thrown away before reaching the end.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1651
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
We need to be able to dump the initial partition assignments, and then
the partitions after minimization but before remapping to be able to
check on what is being done by minimization.
Add these as part of -D dfa-minimize-partitions
Ideally we would rework the code so that the existing mininimization
dump could share the dump routine but, its interwined with computation
state and information is thrown away before reaching the end.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.
However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.
This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .
This MR makes sure every confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
This Merge request:
- Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
- Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
- Extends `make check` to automatically ensure all AppArmor profile grant explicit read access to their attachment path, preventing future omissions.
- Modifies apparmor_parser to show attachment in --debug output
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This reverts commit 75959225b3.
Do not enable the verify attachment-path script as part of the CI.
1. The script itself has several bashisms, that need to be fixed before
we land it as part of the regular integration test.
2. The script is going to need to be extended to support the new
parser variables, before it can be turned on as part of the CI.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Improve the failure messages around getting policy information to
be less ambiguous about what went wrong.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490
Output of `aa-status` is nondescriptive if no profiles are loaded.
Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
**Ideally** output of non-json would be more descriptive.
Currently:
```
apparmor module is loaded.
Failed to get profiles: 2....
```
What i would prefer:
```
apparmor module is loaded.
Failed to get profiles: No policies loaded
```
However, i am unfamiliar with how the translation framework works,
and thus not confident to do this change blindly.
I am happy to add a commit doing so if i know where to change all that.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1652
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490
Output of `aa-status` is nondescriptive if no profiles are loaded.
Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
This reverts commit 27f5b623f7, reversing
changes made to ee08bfbc90.
This causes the plasmashell profile to have a conflicting x modifiers
error. This breaks CI and compile/load of the plasmashell profile.
Revert until it can be fixed. Using priority.
Signed-off-by: John Johansen <john.johansen@canonical.com>
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
There is an unfortunate long kernel dev history as to why this currently
isn't the case, so we're stuck with documenting the facts for now.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Extend `make check` to automatically ensure every AppArmor profile grants
explicit read access to its attachment path, preventing future omissions.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Grant explicit read permission on each profile’s attachment path. This
avoid issues when running them from a confined environment and makes
test_profile.sh pass.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Unconfined delegates access to open file descriptors. Therefore when
running a confined binary from unconfined, it will work even when the
attachment path is not read-allowed.
However, as soon as these confined binaries are run from another
confined process, this delegation is not permitted anymore and the
program breaks.
This has been the cause of several bugs such as
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or
https://github.com/canonical/snapd/pull/15181 .
Introduce `test_profile.sh`, a helper script that ensures confining
AppArmor profiles explicitly allow (at least) read access to their
attachment path.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
When showing the content of profiles with `apparmor_parser --debug`, the
attachment path is now displayed within the 'Debugging built structures'
section.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
CVMFS ( the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)).
CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possibly to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking.
We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Currently abi=<kernel> always grabs the kernels actual features but
it should respect --kernel-features=. This is causing the simple
tests to fail when abi=<kernel> is specified.
Fix it so abi=<kernel> respects the kernel abi specified in the configs
or on the command line.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1622
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The tests on slower systems are occassionally timing out leading to
inconsistent pass/fail runs. The time out failure depending on which
test it occurs in can result in false passes, or failres.
Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.
Signed-off-by: John Johansen <john.johansen@canonical.com>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
