Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
... and tests for it.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
Oh, and aa-logprof can now ask about pivot_root events.
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1232
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1236
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source.
Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid.
For the same reason, specifying a fstype in these cases is also prohibited.
Similarly, we prohibit to specify a fstype for bind mount rules.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
... for handling pivot_root rules.
This replaces the old code that just stores the full rule as text.
We also get rid of the old ['allow'] and ['deny'] items in
ProfileStorage, the handling of old write functions, and the last usage
of _Raw_Rule (and therefore _Raw_Rule itsself).
Also delete the old test-pivot_root_parse.py which relied on the ancient
code, and even used a wrong syntax in its test rules.
The following exceptions were added to flake8 since they have several
expected uses in the tools and their tests:
E501: Line lengths are recommended to be no greater than 79 characters.
E241: Multiple spaces after ','
W503: Line break occurred before a binary operator
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
ProfileStorage knows a whole profile, therefore it should also include the profile header in `__repr__()`.
Also add a test for this.
While on it, add a test for an invalid type change for a type that doesn't have special handling in `__setitem__()` to increase test coverage.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1233
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1234
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
Since musl 1.2.5, basename(3) prototype is only provided in libgen.h
(as mandated by POSIX) and not in strings.h. Also there is a major
difference between the gnu basename and the one defined in libgen.h,
the latter modify the argument string making them incompatible.
Fix this by defining a portable version of basename using strchr.
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
I propose this fix for 4.0 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
audit.log entries for mount events don't always include `class=mount`,
but can still be the base for mount rules.
Change logparser.py to also consider `operation=mount` as a mount event.
Actually we already had such a log and profile in our collection
(testcase_mount_01), but since it existed years before MountRule was
implemented, it was excluded in test-libapparmor-test_multi.py.
Therefore we didn't notice that it failed to produce a profile rule when
MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets
tested - and fix the syntax error in the hand-written
testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype,
srcname and class.
Did some testing on a fresh post-release image of noble, and uncovered some new denials:
#### Xorg
`2024-05-06T19:55:36.782484-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715039736.765:174): apparmor="DENIED" operation="link" class="file" profile="Xorg" name="/tmp/.X0-lock" pid=1366 comm="Xorg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/tmp/.tX0-lock"`
#### chromium_browser
`2024-05-06T21:17:09.674963-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715040834.256:168): apparmor="DENIED" operation="userns_create" class="namespace" profile="chromium_browser" pid=2133 comm="chromium" requested="userns_create" denied="userns_create"`
#### firefox
`2024-05-06T21:33:09.387356-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045589.369:505): apparmor="DENIED" operation="userns_create" class="namespace" profile="firefox" pid=3610 comm="firefox" requested="userns_create" denied="userns_create"`
`2024-05-06T21:36:48.911280-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1715045808.884:682): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-c2.scope/cpu.max" pid=4348 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2024-05-06T21:42:34.152955-04:00 image-ubuntu64 dbus-daemon[1628]: apparmor="DENIED" operation="dbus_bind" bus="session" name="org.mpris.MediaPlayer2.firefox.instance_1_82" mask="bind" pid=4348 label="firefox"`
#### Xorg (second commit)
I neglected to set `abi/4.0` when this went in originally. (I was using the profile on jammy, hence the `3.0`.)
Also, testing on an older laptop that *doesn't* support KMS revealed that Xorg needs some pretty serious permissions then. I've added them in commented-out form, with an explanatory comment. (The `#nokms#` bit is meant to simplify uncommenting those two lines mechanically, e.g. `sed -i 's/#nokms#//'`)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1227
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Balena Etcher runs in a degraded sandbox mode when unprivileged userns
is not available. Add an unconfined profile so it's properly
sandboxed.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Shellcheck is complaining that some of the functions are never called,
but they are called from rc.apparmor.functions, causing a false
positive.
This issue only appears in shellcheck version 0.9.0, which is the one
used in ubuntu 24.04, that's why it only failed in the pipeline now.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Since we are using ubuntu:latest, and noble was released, some tests
are failing.
shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.
Ignore dist-packages python files during our coverage tests.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Rename the "check-extras" target to "check-local" as it is no longer
limited to the extra profiles, and also fix a local include in the
sbuild-shell profile so that it passes the newly-applied CI check.
