The test kernel_features only checked if the feature file exists, but
there are cases when we need to check if the feature is part of the
file's content. For example, we might want to check if a mode is present
in the feature "mask" file.
This is already supported by libapparmor's aa_features_supports.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/942
Approved-by: Steve Beattie <gitlab@nxnw.org>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This update to the regression test framework allows a test script to
execute a test binary as a different user by passing '-u <username>'
to the settest function.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/941
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
This update to the regression test framework allows a test script to
execute a test binary as a different user by passing '-u <username>'
to the settest function.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/929
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.
Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271
Also add one of the log lines from #271 as test_multi test case.
I propose this patch for 3.0..master.
Closes#271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.
Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271
In order to decrease the number of characters in the audit logs
from the kernel, we will drop the "_mask" from the fields
"requested_mask" and "denied_mask".
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
the only supported mode for the moment is `create`, so the following rules have the same effect
```
userns,
userns create,
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/927
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
GUI applications such as KDE dragon player, qTox, LibreOffice tries to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.
Update abstractions/kde to fix denials for applications running under
KDE.
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
As discussed in !920, this MR renames BaseRule's `parse()` and `_parse()` methods to `create_instance()` and `_create_instance()`, respectively. It then removes the `selection_to_rule_obj` function from `apparmor.aa`, which is now an unnecessary alias for the renamed public method.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/923
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This MR addresses #269.
Notes:
- In all `is_equal_localvars()` Rule methods, `type(self)` is now used instead of the explicit class. This approach works better with inheritance, and was already used in `IncludeRule` for this reason.
- Remaining direct type comparisons were changed to use `is`/`is not` instead of `==`/`!=`.
- I fixed two typos in `alias.py`; the plural of alias is aliases, not aliass.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/920
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.
Reproducer (crashes without this patch):
aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.
Reproducer (crashes without this patch):
aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
Addresses #270. The `mk_features_file.py` changes are just for clarity, as shadowing built-ins confuses readers.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/918
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
