Fix $(PWD) when using "make -C profiles"
See merge request apparmor/apparmor!80
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 14096cb3a71e2a9343ad8dd2dc3fefbe54a1faac)
20893382 Fix $(PWD) when using "make -C profiles"
ignore .git in is_skippable_dir()
See merge request apparmor/apparmor!77
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3b5683be2941ef5f9411b9482f76020b1082bdc9)
f9eb3fea ignore .git in is_skippable_dir()
set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
See merge request apparmor/apparmor!53
Acked-by: intrigeri <intrigeri@debian.org> for 2.9..master
(cherry picked from commit 0eefeeb0e7fcb11ee43ad3bc973a442e01901913)
cb5cdf26 set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
Allow to create .nv directory
See merge request apparmor/apparmor!69
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit 21b0d14ea4e462ec75320ec4b60210b8deb0f02b)
11e7dab9 Allow to create .nv directory
allow access to ntp clockstats
See merge request apparmor/apparmor!54
(cherry picked from commit 85f8cace1266edba387d88a44cc71e982f4fe2ac)
1b58f226 allow access to ntp clockstats
abstractions/X: add another location for .Xauthority
See merge request apparmor/apparmor!39
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bcfb735b9aadebf2025e5876e328ca8be98d07bc)
bb96e38a abstractions/X: add another location for .Xauthority
Fix local pulseaudio config file access
See merge request apparmor/apparmor!38
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6713f9d94aba07f8bb436425310559520fdedca5)
f73627cb Fix local pulseaudio config file access
Fix signal sending for usr.sbin.dovecot
See merge request apparmor/apparmor!36
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..trunk
(cherry picked from commit 6db30f8faf91e7599e0c984275b28d71229d0f53)
9f24650e Fix signal sending for usr.sbin.dovecot
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
Don't print a literal '\n' in aa-remove-unknown help
See merge request apparmor/apparmor!21
Acked-by: Tyler Hicks tyhicks@canonical.com for 2.9..trunk
(cherry picked from commit 3d40bc6f232d5bcef98a232f544053b3563be211)
4d4228d1 Don't print a literal '\n' in aa-remove-unknown help
allow dac_read_search and dac_override for dovecot/auth
See merge request apparmor/apparmor!14
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 42bd81df0171a58bae50ddc7ec0b4ed286c0db77)
6f6b3c57 allow dac_read_search and dac_override for dovecot/auth
Allow to read pulseaudio config subdirectories
See merge request apparmor/apparmor!12
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9, 2.10, 2.11 and trunk
(cherry picked from commit 4b8b08562a0196ef7a259fd4c849a2273f4cdf45)
9658471d Allow to read pulseaudio config subdirectories
Merge from trunk commit 3726
The files are "head-related transfer function" data sets, used by
OpenAL for better spatialization of sounds when headphones are detected.
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874665
/etc/netconfig is required by the tirpc library which nscd and several
other programs use.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062244
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
with unix rules we output a downgraded rule compatible with network rules
so that policy will work on kernels that support network socket controls
but not the extended af_unix rules
however this is currently broken if the socket type is left unspecified
(initialized to -1), resulting in denials for kernels that don't support
the extended af_unix rules.
cherry-pick: lp:apparmor r3700
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: timeout
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900
------------------------------------------------------------
revno: 3690 [merge]
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: apparmor
timestamp: Wed 2017-08-09 08:57:36 -0700
message:
traceroute profile: support TCP SYN for probes, quite net_admin request
Merge from Vincas Dargis, approved by intrigeri.
fix traceroute denies in tcp mode
Acked-by: Steve Beattie <steve@nxnw.org>
------------------------------------------------------------
Backport to 2.10 and 2.9 branch
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The Samba package used by the INVIS server (based on openSUSE) needs
some additional Samba permissions for the added ActiveDirectory /
Kerberos support.
As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions
to abstractions/nameservice instead of only to the smbd profile because
it's probably needed by more than just Samba if someone uses sss.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.
- change abstractions/postfix-common to allow /etc/postfix/*.db k
- add several permissions to postfix/error, postfix/lmtp and postfix/pipe
- remove superfluous abstractions/kerberosclient from all postfix
profiles - it's included via abstractions/nameservice
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk
2.10 branch r3387 and 2.9 branch r3052 (Ignore change_hat events
with error=-1 and "unconfined can not change_hat") accidently added
unconfined-change_hat.profile to the test_multi directory.
2.9 and 2.10 don't support the test_multi *.profile files and error out
in the tests saying "Found unknown file unconfined-change_hat.profile",
therefore delete this file.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This option exists in several aa-* tools since 2.9, but isn't mentioned
in the manpage.
Also drop some trailing whitespace in the manpages.
Acked-by: John Johansen <john.johansen@canonical.com>
for 2.9, 2.10, 2.11 and trunk.
dovecot-lda needs
- the attach_disconnected flags
- read access to /usr/share/dovecot/protocols.d/
- rw for /run/dovecot/auth-userdb
References: https://bugs.launchpad.net/bugs/1650827
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9, 2.10 and trunk.
https://launchpad.net/bugs/1668892
This patch creates a new utility, with the code previously used in the
init script 'restart' action, that removes unknown profiles which are
not found in /etc/apparmor.d/. The functionality was removed from the
common init script code in the fix for CVE-2017-6507.
The new utility prints a message containing the name of each unknown
profile before the profiles are removed. It also supports a dry run mode
so that an administrator can check which profiles will be removed before
unloading any unknown profiles.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
CVE-2017-6507
https://launchpad.net/bugs/1668892
The common AppArmor 'restart' code used by some init scripts, upstart
jobs, and/or systemd units contained functionality that is no longer
appropriate to retain. Any profiles not found /etc/apparmor.d/ were
assumed to be obsolete and were unloaded. That behavior became
problematic now that there's a growing number of projects that maintain
their own internal set of AppArmor profiles outside of /etc/apparmor.d/.
It resulted in the AppArmor 'restart' code leaving some important
processes running unconfined. A couple examples are profiles managed by
LXD and Docker.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
That's much better than crashing aa-logprof ;-) (use the log line in
the added testcase if you want to see the crash)
Reported by pfak on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Starting with python 3.6, the re.LOCALE flag can only be used with byte
patterns, and errors out if used with str. This patch removes the flag
in get_translated_hotkey().
References: https://bugs.launchpad.net/apparmor/+bug/1661766
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
merge from trunk commit revision 3630
In the environ regression test, when the exec() of the child process
fails, we don't report FAIL to stdout, so the regression tests consider
it an error rather than a failure and abort, short-circuiting the
test script.
This commit fixes this by emitting the FAIL message when the result
from the wait() syscall indicates the child process did not succeed.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Some of the /usr/lib/dovecot/* rules already have mrPx permissions,
while others don't.
With a more recent kernel, I noticed that at least auth, config, dict,
lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the
audit.log and actual breakage caused by the missing mr permissions).
The mr additions for anvil, log and managesieve are just a wild guess,
but I would be very surprised if they don't need mr.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Add several permissions to the dovecot profiles that are needed on ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)
As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).
References: https://bugs.launchpad.net/apparmor/+bug/1512131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Merge from 2.10 branch commit rev 3380
It was reported that converting the netstat command to examine
processes bound to ipv6 addresses broke on OpenSUSE due to the version
of nettools not supporting the short -4 -6 arguments.
This patch fixes the invocation of netstat to use the "--protocol
inet,inet6" arguments instead, which should return the same results
as the short options.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
ldd exits with $? == 1 if a file is 'not a dynamic executable'.
This is correct behaviour of ldd, so we should handle it instead of
raising an exception ;-)
[not in 2.9 and 2.10] Also extend fake_ldd and add a test to test-aa.py to cover this.
Note that 2.10 and 2.9 don't have tests for get_reqs() nor fake_ldd,
so those branches will only get the aa.py changes.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
The dovecot/auth profile needs access to /run/dovecot/anvil-auth-penalty
and /var/spool/postfix/private/auth.
The dovecot/log profile needs the attach_disconnected flag.
Refences: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
