Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1602
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Profile header was being generated incorrectly in 2 cases:
When the profile contained the parent profile in its name, as in
profile firefox//dash {
and in the unit tests, the child profile was being named as the parent
profile. This was not caught by the general case because the code has
not yet been fully adapted to handle multiple nested child profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes#493
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1592
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
We are seeing some test failures caused by the fact that a fixed kernel,
while available, is not installed the CI image. Since cloud-init does
not itself offer a way to express precise dependency on a package
version we may use a crude replacement of upgrading all the packages at
image construction time.
The next time this happens all we need is to touch the .image-garden.mk
file, so that it is more recent than the image kept in CI cache for the
re-generation to occur.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1595
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
We are seeing some test failures caused by the fact that a fixed kernel,
while available, is not installed the CI image. Since cloud-init does
not itself offer a way to express precise dependency on a package
version we may use a crude replacement of upgrading all the packages at
image construction time.
The next time this happens all we need is to touch the .image-garden.mk
file, so that it is more recent than the image kept in CI cache for the
re-generation to occur.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The header was being generated incorrectly in 2 cases:
When the profile/hat contained the parent profile in its name, as in
profile firefox//dash {
hat ^firefox//dash {
and in the unit tests, the child profile or hat was being named as the
parent profile. This was not caught by the general case because the
code has not yet been fully adapted to handle multiple nested child
profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The test is added as XFAIL for all images because the kernel patches
required for them to pass have not yet been upstreamed into any published
kernel.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Disconnected paths on lookups have caused actual permission denials, even
when the loaded profile is in complain mode. This is a test that causes
disconnections using mounts (both old and new API) and then verifies that
a complain mode profile doesn't prevent operations with disconnected fds.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This is needed to fix the gnome-remote-desktop daemon, which mounts in a
directory like /run/user/119/gnome-remote-desktop/cliprdr-ABm0Gd/.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2103889
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This involves replacing `command -v` with `which` (again), since the `command` shell builtin isn't recognized by older versions of Make, as well as skipping tests that require the `linux/mount.h` header on older systems that lack it.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1578
Approved-by: Zygmunt Krynicki <me@zygoon.pl>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.
Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The command shell builtin is not recognized by older versions of make, so
switch back to using the which binary instead.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
linux/mount.h is only used in the move_mount test, which exercises the
move_mount syscall that was introduced sometime in 2018 or later. Older
systems without the header also lack the syscall, so we can just skip the
test in those cases.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes bug #2103524
lsblk on some virtualized systems require access to directory
/sys/devices/LNXSYSTM:*/LNXSYBUS:*/** since block devices can be exposed
in this directory.
Making a previously non-const pointer arg const is not an ABI break, and
having const expresses the intent of the interface better.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1586
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Making a previously non-const pointer arg const is not an ABI break, and
having const expresses the intent of the interface better
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
For executables dynamically linked to libnuma, the runtimer linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with following error message:
apparmor="DENIED" operation="open" class="file"
name="/sys/devices/system/node/" comm="qemu-bridge-hel"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Here is the simplified call trace:
0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
1 ... in call_init (...) at ./elf/dl-init.c:74
2 ... in call_init (...) at ./elf/dl-init.c:120
3 _dl_init (...) at ./elf/dl-init.c:121
4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.
MR: mailing list patch
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Followup that replaces !1576.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1581
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
The aa-exec man page makes reference to aa-stack(8) and aa-namespace(8)
manpages that don't exist. For now just remove those references and
add a short blurb on using aa-exec with stacking and namespaces.
Proper full manpages for stacking and namespaces need to be added
but that is beyound the scope of this fix.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/496
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1570
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
I propose this fix for 4.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1573
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
* Make glob_pattern more readable
- replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
- split to multiline string
* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.
* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving adding the closing ')))' into each of them.
* Allow empty source and any word only in mount source
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Corresponding kernel patch needed to test in https://gitlab.com/georgiag/apparmor-kernel/-/tree/mqueue-ext
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1577
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
