GDM 49~beta implements a userdb VarLink service for managing the unix users
running the greeter shell, as well as the gnome-initial-setup users.
gdm-launch-environment][1892]: Gdm: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
unix_chkpwd[1897]: could not obtain user info (gdm-greeter)
kernel: audit: type=1400 audit(1754399331.488:211): apparmor="DENIED" operation="connect" class="file" profile="unix-chkpwd" name="/run/systemd/userdb/org.gnome.DisplayManager" pid=1897 comm="unix_chkpwd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
gdm-launch-environment][1892]: Gdm: GdmSessionWorker: user is not authorized to log in: Authentication failure
LP: #2119541
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.
Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.
openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1726
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
I'd like to store my wg creds in my TPM module using `systemd-creds`:
```bash
PostUp = systemd-creds --name wg0 decrypt /etc/wireguard/secrets/wg0.cred | wg set wg0 private-key /dev/stdin
```
Currently I use `local/wg-quick` as work-around.
The `Ux` permission is may be a little too open, but 2 problems remain:
- the profile maintainer can't know which creds file need to be accessible
- different TMP module implementations / drivers may require different permissions
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1644
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Mesa now needs ~/.cache/mesa_shader_cache_db/marker .
Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.
Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.
To reproduce it:
```
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
```
After the test fails, enter the vm by
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
```
You can reproduce the test by running
```
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
```
Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse
Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Hi,
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1729
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.
Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.
openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
Signed-off-by: Louis Sautier <sautier.louis@gmail.com>
Basic AppArmor profile for the free binary, tested on Ubuntu 24.04.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1629
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
In order to test the profile, I did the following inside an oracular VM:
- `curl https://ubuntu.com/ -o /tmp/ubuntu`
- `curl 'https://ubuntu.com/security/{CVE-2024-12797,CVE-2025-24032}' -o '#1'`
- `curl -u dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu ftp://ftp.dlptest.com/`
Finally, I ran the package's testsuite:
```
apt source curl
cd curl-8.9.1
./configure --without-ssl # SSL has been tested using the above
make
cd test/server
make
cd ..
./runtests.pl -c $(which curl)
```
The only test which should fail should be the last one, since the build was configured with support for less protocols than the ones provided by the binary we're using (this is expected and happens regardless of whether the profile is loaded or not).
A spread smoke-test is also provided as part of this MR.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1560
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Adds apparmor profile for https://mosquitto.org/ `plucky 2.0.20-2`.
In a production and customized environment, this profile would need overriding as many configuration options in `mosquitto.conf` are file paths which can point anywhere. This profile adds all sensible defaults required for mosquitto to work out of the box with TLS.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1506
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Source package isync
Let me know if you think we should better handle any mail or different mbsyncrc location that the user might have.
As well if I should simplify the network access to `include <abstractions/nameservice>` or if that's too much.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1372
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Add profile for `dnstracer`. The profile has been tested with `dnstracer` for oracular i.e. version `1.9-8build1`.
Signed-off-by: vyomydv <vyom.yadav@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1366
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
These profiles don't have an attachment so the path needs to be hardcoded
Fixes: 6e9ff1fa6 ("profiles: update the rest of the profiles to use @{exec_path}")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.
To reproduce it:
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
After the test fails, enter the vm by
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
You can reproduce the test by running
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse
Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
@jjohansen had mentioned to me when he suggested this profile that there was smth he noticed about john that gave him the impression it was a good candidate for confinement. I think that would be the only thing I'd want to call out - wondering whether something like this captures that spirit or if there's something else worth including.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1662
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
The hwctl profile is being carried upstream, so we can keep it in
sync, but is being packaged from the regular profile set so that it
can be part of a package that is SRUed (ubuntu stable release update)
separate from the rest of apparmor, and its profiles.
Provide backwards compat with older parser to reduce the amount of
distro patching that is needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1705
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The hwctl profile is being carried upstream, so we can keep it in
sync, but is being packaged from the regular profile set so that it
can be part of a package that is SRUed (ubuntu stable release update)
separate from the rest of apparmor, and its profiles.
Provide backwards compat with older parser to reduce the amount of
distro patching that is needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
