mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-05 16:55:32 +00:00
Code Issues Releases Wiki Activity
6,231 Commits 23 Branches 113 Tags
379a486b87ba18565520dfce7d51a082ca061cf9
Commit Graph

6231 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
John Johansen
379a486b87 Merge aa-status: Fix malformed json output with unconfined processes 
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit dfc9847f89)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-01-04 09:33:59 -08:00
Georgia Garcia
5ad91d482d Merge log parsing fixes 
small fixes on log parsing

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 4f2d2a8cab)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-12-16 16:55:31 -03:00
John Johansen
19bbc5dfc3 Merge parser: Fix invalid reference to transitions when building the chfa 
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the states first transition.

This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.

Fixes: 16b67ddbd ("add ability to use out of band transitions"
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #290
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit a7bce9be98)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-12-09 23:03:54 -08:00
John Johansen
66cb0ed739 Merge smbd: allow reading /var/lib/nscd/netgroup 
(reported on the opensuse-factory mailinglist)

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba01d479e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-29 12:56:21 -08:00
Christian Boltz
d179a704e7 Merge abstractions/nvidia: allow reading @{pid}/comm 
On Debian Sid, NVIDIA driver spams log with:

```
type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/21222/comm" pid=21222
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED"
operation="open" profile="skypeforlinux" name="/proc/19851/comm"
pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

Read is initiated within libnvidia-glcore.so:

```
Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
41	in ../sysdeps/unix/sysv/linux/open64.c
$27 = 0x7fb742adbb50 "/proc/self/comm"
0  0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
1  0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188
2  0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280
3  0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75
4  0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
5  0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
6  0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
7  0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
8  0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
9  0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
10 0x000000000000001d in ?? ()
11 0x00005579518975f0 in ?? ()
12 0x0000000000000001 in ?? ()
13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
14 0x00005579518975f0 in ?? ()
15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56
16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26
17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117
18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182
19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808
20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884
22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56
23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138
26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71
27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81
28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0
31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so
36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317
37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849
38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
40 0x0000557950f1d597 in main ()
```

Add read rule to allow reading @{pid}/comm.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/954
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 2597fd5db8)

948cbb56 abstractions/nvidia: allow reading @{pid}/comm
 2022-11-27 13:06:48 +00:00
Christian Boltz
4244737f65 Merge lsb_release: allow cat and cut 
lsb_release fails on Debian Sid:

```
$ sudo aa-exec -p lsb_release lsb_release
/usr/bin/lsb_release: 70: cut: Permission denied
/usr/bin/lsb_release: 70: cut: Permission denied
```

```
$ sudo aa-exec -p lsb_release lsb_release -h
/usr/bin/lsb_release: 11: cat: Permission denied
```

```
type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

```
type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```

Update profile to allow lsb_release script to invoke required
executables.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/953
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 495f68c797)

f596a176 lsb_release: allow cat and cut
 2022-11-27 13:00:19 +00:00
Christian Boltz
e617f04681 Merge Include profile name in error message on directory exec 
... to make the error message more helpful.

Inspired by https://gitlab.com/apparmor/apparmor/-/issues/285

I propose this patch for 3.1 and master.
(3.0 uses a different variable name - if we want it there, it needs a slightly different patch.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/949
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit dd5a6c2e0a)

ef5c4b50 Include profile name in error message on directory exec
 2022-11-21 12:59:51 +00:00
Christian Boltz
9d826aae65 Merge Catch PermissionError when trying to write a profile 
... and re-raise it as AppArmorException so that only the actual error
(without a backtrace) gets displayed.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/282

I propose this patch for 3.0..master.

Closes #282
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/946
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 50074a3c01)

d0ec2aca Catch PermissionError when trying to write a profile
 2022-11-15 20:46:12 +00:00
Christian Ehrhardt
465c861b02 Allow access to possible cpus for glibc-2.36 
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.

That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.

  apparmor="DENIED" operation="open" class="file" ...
  name="/sys/devices/system/cpu/possible" ...
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.

Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-11-14 21:47:18 -08:00
John Johansen
dc85d04805 Merge Adds WSL programmatic management of /etc/resolv.conf. 
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 8fa77e9e6c)

5232eaa2 Adds /mnt/wsl/resolv.conf to nameservices.
 2022-11-08 18:13:57 +00:00
John Johansen
a40923006c Merge Allow reading /sys/devices/system/cpu/possible 
... in the dnsmasq//libvirt_leaseshelper profile

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849

I propose this patch for 3.0, 3.1 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit 37f0f77425)

ace8e044 Allow reading /sys/devices/system/cpu/possible
 2022-11-08 18:11:23 +00:00
John Johansen
1fe80c0f85 Prepare for AppArmor 3.1.2 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.1.2 		2022-11-07 10:44:48 -08:00
John Johansen
8043dda3f6 Merge Hardcode and check the expected libapparmor.so name/number 
... to prevent wrong/unexpected numbering (like
https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases.

I propose this patch for master and 3.1.

Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bed1471144)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:08:56 -07:00
John Johansen
e95080e140 Merge libapparmor: allow parsing of logs with 0x1d + uppercase items 
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.

Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271

Also add one of the log lines from #271 as test_multi test case.

I propose this patch for 3.0..master.

Closes #271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 0d61139e2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2022-10-29 03:06:30 -07:00
John Johansen
45125cedd3 Merge syslog-ng: allow reading *.journal in flatter directory structure 
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.

I propose this patch for 2.13..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2022-10-28 05:56:57 -07:00
Christian Boltz
969a8f7618 Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572

I propose this fix for 3.0..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit fab4b4e762)

6920daea samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/
 2022-10-27 22:34:12 +00:00
Christian Boltz
770b8f1e88 Merge abstactions/kde: update for kwinrc, kdedefaults/* files 
GUI applications such as KDE dragon player, qTox, LibreOffice tries to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.

Update abstractions/kde to fix denials for applications running under
KDE.

Some examples:
```
type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```
```
type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```

```
type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"

```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 18d1b06b0c)

d9dc0b61 abstactions/kde: update for kwinrc, kdedefaults/* files
 2022-10-22 19:28:38 +00:00
Christian Boltz
3345250f72 Merge parser: fix DISTRO variable in Makefile 
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.

Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 05d7bdd655)

1df547ee parser: fix DISTRO variable in Makefile
 2022-10-07 19:54:08 +00:00
John Johansen
51cf0848c7 Merge profiles/apparmor.d: Update samba profile 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>


(cherry picked from commit e1cc90f3a2)

96aff5a5 profiles/apparmor.d: Update samba profile
 2022-10-01 10:20:32 +00:00
Christian Boltz
e0c0a6a6a5 Merge Prevent crash on log entries for non-existing profile 
If audit.log contains entries for a profile that doesn't exist (for
example when working with a log file from another system), skip these
log entries instead of crashing.

Reproducer (crashes without this patch):

    aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit f5594fbb7c)

94c7c79c Prevent crash on log entries for non-existing profile
 2022-08-29 19:56:17 +00:00
Steve Beattie
ea127f13cd common/Version: bump version for 3.1.1 release 
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
v3.1.1 		2022-08-26 23:35:24 -07:00
Christian Boltz
480cb56553 Merge profiles: permit php-fpm pid files directly under run/ 
The upstream php-fpm.conf file carries the following pid file example
path:
  [global]
  ; Pid file
  ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
  ; Default Value: none
  ;pid = run/php-fpm.pid

Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267

Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>

Closes #267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit d024100efe)

d8533ec8 profiles: permit php-fpm pid files directly under run/
 2022-08-26 10:36:11 +00:00
Georgia Garcia
075c69a4eb Merge [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/913
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
 2022-08-25 20:10:30 +00:00
Steve Beattie
f9dbaa38ec [3.1] libapparmor: fix mistaken SO version bump 
In commit 7c7224004 ("Prepare for AppArmor 3.1 release"), as preperation
for the AppArmor 3.1.0 release, the SO versioning information was
adjusted, using a more significant bump to give prior AppArmor releases
room to address bugs in libapparmor without ending up with conflicting
SO versions. Unfortunately, that process was untested and because
AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT,
this resulted in an accidental major SO versions bump with the library
SO version being:

  libapparmor.so.4.9.0

This commit increments AA_LIB_AGE by the same amount, resulting in a
library versioned as:

  libapparmor.so.1.12.0

and adds a note to mention that AA_LIB_AGE needs to be incremented
in the same way as AA_LIB_CURRENT. This fix is intended to address
this for the 3.1 branch; I'd like to find a better approach for
the development branch that can be used in future AppArmor primary
releases.

In general, thanks to symbol versioning (see
`libraries/libapparmor/src/libapparmor.map`) we should not need to
ever bump the SO version except in an extreme case.

Fixes: 7c7224004 ("Prepare for AppArmor 3.1 release")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://gitlab.com/apparmor/apparmor/-/issues/266
 2022-08-25 11:55:42 -07:00
John Johansen
7c7224004c Prepare for AppArmor 3.1 release 
- update version file
- update library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.1.0 		2022-08-23 13:39:18 -07:00
John Johansen
db246ddbb5 parser: begin deprecation process for #include 
by adding a warning flag that is disabled by default. This will enable
devs to find when and where #include is in use by adding the compile
flag

  --warn=pound-include

and can even abort policy compiles by using

  --warn=pound-include --Werror=pound-include

The resulting messages look like

  Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 5): deprecated use of '#include'

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
 2022-08-22 15:03:26 -07:00
John Johansen
a382452a54 libapparmor: update rules around the library version 
This change tries to give us some room to deal with versioning issues
like we had in

  145136f6 Fix 2.13 libapparmor so version

which revered the library version bump in
  5c47e448 libapparmor: Bump revision in preparation for release.

which was done because of the symbol added by
  351014c3 libapparmor: add _aa_asprintf to private symbols

unfortunately this collided with the 3.0 library symbol versioning
which had a different set of symbols with the same version numbering.
Leaving us no way to increase the version number to when fixing an
exported symbol version in a released library.

Ideally this would have been fixed with library version synchs but
in this case that option wasn't open as we were dealing with two
released versions of the library.

Bumping the current version by 5 on the larger releases gives us room
to deal with these kind of bugs in the future.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time-out
 2022-08-22 14:52:37 -07:00
John Johansen
f51049ea2e Merge dnsmasq: Add missing r permissions for libvirt_leaseshelper 
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161

I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2022-08-22 21:44:12 +00:00
Christian Boltz
406b6398af Merge dnsmasq: allow paths for podman dnsname plugin in rootless mode 
In rootless mode, files needed to access are under /run/user/, so those needs to be defined separately.

similar change than https://gitlab.com/apparmor/apparmor/-/merge_requests/800 but adds permissions for rootless mode.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/909
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
 2022-08-22 11:57:21 +00:00
Christian Boltz
bcffe7c92c Merge Address Style Guide Infractions 
This MR addresses much of #241. Each commit handles a different aspect of the style guide. All commits are style-only. Lacking from this MR are changes that would alter behavior and/or break backward-compatibility.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/906
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
 2022-08-22 10:47:33 +00:00
IIkka Ollakka
86069dd934 dnsmasq: allow paths for podman dnsname plugin in rootless mode 
In rootless mode, files needed to access are under /run/user/, so those needs to be defined separately.
 2022-08-22 13:20:40 +03:00
Mark Grassi
2f9068e37c Remove duplicate regex "or" comments. 2022-08-21 11:15:07 -04:00
Mark Grassi
46a2be31a7 Remove outdated/incorrect comment. 2022-08-21 11:15:07 -04:00
Mark Grassi
e8b60e46fe Improve regex formatting. 2022-08-21 11:15:07 -04:00
Mark Grassi
b1c2aeaa76 Be consistent with return statements when only returning None. 2022-08-21 11:15:07 -04:00
Mark Grassi
091c6ad59d Use string startswith() and endswith() methods instead of slicing to check for prefixes and suffixes. 2022-08-21 11:15:07 -04:00
Mark Grassi
854602c0d9 Use the fact that empty sequences are false. 2022-08-21 11:15:07 -04:00
Mark Grassi
68e3f12c2c Avoid escaping quotation marks where possible. 2022-08-21 11:15:07 -04:00
Mark Grassi
c57138f255 Order imports and module-level dunder name assignments. 2022-08-21 11:15:07 -04:00
Mark Grassi
ea3fb60007 Break lines before binary operators. 2022-08-21 11:15:07 -04:00
Mark Grassi
ef2e6c62e7 Ensure variables inside functions are lower_case_with_underscores. 2022-08-21 11:15:07 -04:00
Mark Grassi
dc384c48a8 Use triple double-quoted strings for docstrings. 2022-08-21 11:15:07 -04:00
Mark Grassi
de3aa3c5f0 Correct misspelling. 2022-08-21 11:15:07 -04:00
Mark Grassi
f590a66e50 Remove redundant backslashes, and unnecessary semicolons and pass statements. 2022-08-21 11:15:07 -04:00
Mark Grassi
813c831468 Ensure non-membership tests are "not in". 2022-08-21 11:15:07 -04:00
Mark Grassi
96f7121944 Fix most PEP 8 whitespace, indentation, and major line length violations. 2022-08-21 11:15:07 -04:00
Mark Grassi
e4f88cc3a8 Indent line continuations per PEP 8. 2022-08-21 11:15:07 -04:00
Mark Grassi
aff9bb8f81 Ensure no bool comparisons use equality comparisons. 2022-08-21 11:15:07 -04:00
Mark Grassi
62f99465e9 Ensure all None comparisons use is or is not. 2022-08-21 11:15:07 -04:00
Mark Grassi
0375ea1257 Change tabs to spaces in Python files. 2022-08-21 11:15:07 -04:00