When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1579
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... by removing/moving the ')' after the empty source.
Also prepare source_fileglob_pattern and dest_fileglob_pattern to be
customizable by moving adding the closing ')))' into each of them.
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29)
As usual, some tests can't hurt ;-)
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The aa-exec man page makes reference to aa-stack(8) and aa-namespace(8)
manpages that don't exist. For now just remove those references and
add a short blurb on using aa-exec with stacking and namespaces.
Proper full manpages for stacking and namespaces need to be added
but that is beyound the scope of this fix.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/496
Signed-off-by: John Johansen <john.johansen@canonical.com>
* passwd -e LOGIN was failing
* Allow execution of /usr/sbin/nscd
See: bee77ffc29/lib/nscd.c (L23-L27)
* Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter
files (see https://www.openwall.com/passwdqc/)
* Allow setuid & fsetid capabilities
* Allow locking with /etc/shadow.PID & /etc/shadow.lock
* Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for
One of the possible matches in glob_pattern was `\w+` which matched for
example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore
change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and
one with `revokefs-fuse`.
The utils should be able to skip profiles that it can't parse now,
so this test suite bypass mechanism should no longer be necessary.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Since all the tools that load profiles go through the same module, this should
be sufficient as a first pass.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This will allow the other tools to continue working on other profiles, even
if some of them use syntax that the utils currently can't handle.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles to use that mechanism in the other tests that need it
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Instead of relying on neverssl.com spin up a local http server and test
tinyproxy against that to ensure the test can run even if the wider internet is
not accessible.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similarly to apparmor/apparmor!403, we don't really need to pass these flags
here, but if we don't, blhc raises a false positive, and I don't want to get
used to ignoring blhc failures on Debian's GitLab CI.
sbuild is an unconfined profile allowing it to bypass the unprivlieged
user namespace restriction.
unconfined profiles use a pix transition which means that when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calling unshare will cause a transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we cannot just add a x transition rule to unconfined profiles, as
the transitions won't be respected. Instead, we have to make the profile
a default allow profile and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1555
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
sbuild is an unconfined profile allowing it to by-pass the unprivlieged
user namespace restritction.
unconfined profiles us a pix transition which means when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calls unshare it will transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we can not just add a x transition rule to unconfined profiles,
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
In the following policy, "ptrace" would be dropped during merging:
```
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
```
Current behavior:
```
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
```
With patch:
```
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
```
I am quite new to the AA code base, so please let me know if I'm missing something obvious and this is intended behavior :)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1551
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The original plan was to have a minimal subset for Perl excluding the stuff requiring language-dependent typemaps, but it turns out that there was only one thing that required that, and it was simple enough to copy over from the SWIG repo itself. This MR contains the single non-language-generic part of the SWIG updates.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1341
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
In the following policy, "ptrace" would be dropped during merging:
$FOO=true
/bin/true {
if $FOO {
ptrace,
}
}
Current behavior:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
With patch:
----- Debugging built structures -----
Name: /bin/true
Local To: <NULL>
Mode:
ptrace,
This is the only language-dependent nontrivial portion of the SWIG
bindings, and this should be good enough for anyone who is still using the
Perl bindings now
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
When a test fails because of an unexpected success (XFAIL), do not display the empty error log as that may confuse the reader just as it had confused the author.
In addition, when something legitimately fails then display tail of trace log as that may show some useful information.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1548
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
