When writing out a profile, aa-logprof incorrectly converts PUx execute
permission modes to the syntactically invalid UPx mode, because the
function that converts the internal representation of permissions to
a string emits the U(nconfined) mode bit before the P bit.
This patch corrects this by reordering the way the exec permissions
are emitted, so that P and C modes come before U and i. Based on
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules
this should emit the modes correctly in all combined exec modes.
Other approaches to fixing this would require adjusting the data
structure that contains the permission modes, resulting in a more
invasive patch.
Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
Signed-Off-By: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/982619
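
Added illustration, not aa-logprof's code and not part of the commit message above: a serializer over a hypothetical exec-bit layout, showing that emitting U before P/C produces strings outside the exec-mode grammar while the P/C-first order does not. The `Exec` flags, both emit orders and the grammar regex are constructed for this example.

```python
import re
from enum import Flag, auto


class Exec(Flag):  # hypothetical bit layout, not the project's data structure
    INHERIT = auto()
    UNCONFINED = auto()
    PROFILE = auto()
    CHILD = auto()
    UNSAFE = auto()  # lower-case p/c/u variants


# Exec mode strings accepted in a profile (simple and combined forms).
VALID_EXEC = re.compile(r"^(?:ix|[uU]x|[pP]x|[cC]x|[pP]ix|[cC]ix|pux|PUx|cux|CUx)$")

LETTER = {Exec.PROFILE: "P", Exec.CHILD: "C", Exec.UNCONFINED: "U", Exec.INHERIT: "i"}

# Assumed pre-fix order: the message only states that U came before P.
BUGGY_ORDER = (Exec.UNCONFINED, Exec.PROFILE, Exec.CHILD, Exec.INHERIT)
# Post-fix order described in the message: P and C before U and i.
FIXED_ORDER = (Exec.PROFILE, Exec.CHILD, Exec.UNCONFINED, Exec.INHERIT)


def exec_mode_str(mode, order):
    """Serialise the exec bits in `mode`, emitting letters in `order`."""
    out = ""
    for bit in order:
        if bit in mode:
            ch = LETTER[bit]
            if ch != "i" and Exec.UNSAFE in mode:
                ch = ch.lower()
            out += ch
    return out + "x"


# Every combined mode: a P or C transition plus a U or i fallback.
COMBINED = [p | f | s
            for p in (Exec.PROFILE, Exec.CHILD)
            for f in (Exec.UNCONFINED, Exec.INHERIT)
            for s in (Exec(0), Exec.UNSAFE)]


def invalid_outputs(order):
    """Return the serialised combined modes that the grammar rejects."""
    strings = (exec_mode_str(m, order) for m in COMBINED)
    return sorted(s for s in strings if not VALID_EXEC.match(s))
```

Running `invalid_outputs` over both orders works as a regression check for any serializer of this kind: the fixed order must return an empty list.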
libapparmor: add support for ip addresses and ports
Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
      https://bugzilla.novell.com/show_bug.cgi?id=755923
This patch modifies the libapparmor log parsing code to add support
for the additional ip address and port keywords that can occur in
network rejection rules. The laddr and faddr keywords stand for local
address and foreign address respectively.
The regex used to match an ip address is not very strict, to hopefully
catch the formats that the kernel emits for ipv6 addresses; however,
because this is in a context triggered by the addr keywords, it should
not over-eagerly consume non-ip addresses. Said addresses are returned
as strings in the struct to be processed by the calling application.
Nominated-By: Christian Boltz <apparmor@cboltz.de>
Signed-Off-By: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/800826
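
Added illustration, not libapparmor's parser and not part of the commit message above: a keyword-anchored loose address match of the kind the message describes, with the strict validation left to the caller. The log lines are constructed samples, and the `lport`/`fport` keyword names are an assumption, since the message names only `laddr` and `faddr`.

```python
import ipaddress
import re

# Loose on purpose: hex digits, dots and colons cover IPv4, IPv6 and
# IPv4-mapped IPv6. Only the keyword in front makes a token an address.
ADDR_RE = re.compile(r"(?<!\S)(laddr|faddr)=([0-9A-Fa-f.:]+)(?=\s|$)")
PORT_RE = re.compile(r"(?<!\S)(lport|fport)=(\d+)(?=\s|$)")  # assumed keywords


def parse_net_fields(line):
    """Return addresses as strings and ports as ints; absent keys are omitted."""
    fields = {key: val for key, val in ADDR_RE.findall(line)}
    fields.update((key, int(val)) for key, val in PORT_RE.findall(line))
    return fields


def strict_addr(text):
    """Caller-side check: the parser only hands back strings."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


# Constructed sample lines, not captured from a real system.
V4_LINE = ('type=AVC msg=audit(1333000000.000:101): apparmor="DENIED" '
           'operation="sendmsg" profile="/usr/sbin/example" pid=4242 '
           'comm="example" laddr=192.0.2.10 lport=765 faddr=198.51.100.7 '
           'fport=2049 family="inet" sock_type="stream" protocol=6')
V6_LINE = ('type=AVC msg=audit(1333000000.000:102): apparmor="DENIED" '
           'operation="connect" profile="/usr/sbin/example" pid=4242 '
           'comm="example" laddr=::ffff:192.0.2.10 lport=40000 '
           'faddr=2001:db8::1 fport=53 family="inet6" sock_type="dgram"')
# Address-looking text without an addr keyword must not be consumed.
FILE_LINE = ('type=AVC msg=audit(1333000000.000:103): apparmor="DENIED" '
             'operation="open" profile="/usr/sbin/example" '
             'name="/srv/fe80::1/cafe.beef" pid=4242 comm="example"')
# The loose pattern accepts this; the caller's strict check rejects it.
LOOSE_LINE = 'apparmor="DENIED" operation="connect" laddr=dead.beef lport=1'
```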
(At least) openSUSE uses ~/.kde4 to store KDE4 settings.
This patch changes ~/.kde/ to ~/.kde{,4} in all abstractions.
The patch is mostly from Velery Valery, I only fixed a merge conflict
and added the kmail{,2} part in private-files-strict.
References: https://bugzilla.novell.com/show_bug.cgi?id=741592
Acked-By: Steve Beattie <sbeattie@ubuntu.com> for both trunk and 2.7.
abstraction does not allow write access to the user customizable
dictionaries, the personal dictionary (~/.aspell.$LANG.pws) and the
personal replacement dictionary (~/.aspell.$LANG.prepl). It also
adjusts the abstraction to add the owner modifier to the personal
dictionaries.
Bug: https://bugs.launchpad.net/bugs/917859
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
autogeneration code to include read access to the script itself for
interpreted scripts.
Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for the 2.7 branch
initial profile generation for python and ruby scripts to include
the respective abstractions.
Nominated-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
smbd obviously needs x permissions for smbldap-useradd.
The commit also adds a new profile for usr.sbin.smbldap-useradd (based on
the audit.log from Alexis Pellicier).
Additionally, I moved the "/etc/samba/* rwk" rule next to the other
/etc-related rules in the smbd profile.
References: https://bugzilla.novell.com/show_bug.cgi?id=738041
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This is a backport of r1870 to the 2.7 branch.
Acked-By: Steve Beattie <sbeattie@ubuntu.com> for 2.7
Original commit message for trunk r1870:
Merge from Simon Deziel for TFTP read-only access for dnsmasq. Fixes
LP: #905412
Acked-by: Jamie Strandboge <jamie@canonical.com>
add p11-kit abstraction (LP: #912754, LP: #912752)
From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules. Provides a
standard configuration setup for installing PKCS#11 modules in such a way that
they're discoverable."
File locations are described in [1]. There is a global configuration file in
/etc/pkcs11/pkcs11.conf. Per module configuration happens in
/etc/pkcs11/<module name>. There is also user configuration in ~/.pkcs11, but
IMO this should not be allowed in the abstraction. Example configuration can be
seen in the upstream documentation[2].
This will likely need to be refined as more applications use p11-kit.
[1]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[2]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Also add p11-kit to authentication abstraction
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Nvidia users need access to /dev/nvidia* files for various plugins
to work right. Since these are all focused around multimedia, add the
accesses to ubuntu-browsers.d/multimedia
Description: allow read of @{HOME}/.cups/client.conf and
@{HOME}/.cups/lpoptions
Bug-Ubuntu: https://launchpad.net/bugs/887992
Added owner match per Steve Beattie and lpoptions per Steve and Christian Boltz
Description: allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py
in python abstraction. This script is used by apport aware python applications
Bug-Ubuntu: https://launchpad.net/bugs/860856
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Description: updates for usr.bin.sshd example profile to work with zsh4, dash
and systems where /var/run moved to /run. Also allows read of
/etc/default/locale.
Bug-Ubuntu: https://launchpad.net/bugs/817956
Acked-by: Jamie Strandboge <jamie@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
"bzr commit" editor is open because bzr caches the modified file
and doesn't include last-minute changes in the commit :-/
In other words: the rule for /.htaccess didn't contain the audit
keyword in my last commit.
abstractions/apache2-common. Additionally, add read permissions
for /**/.htaccess and /dev/urandom to apache2-common.
The patch is based on a profile abstraction from darix. I made some
things more strict (compared to darix' profile), and OTOH added some
things that are needed on my servers.
*** BACKWARDS-INCOMPATIBLE CHANGES ***
^HANDLING_UNTRUSTED_INPUT
- don't allow *.htaccess files (the old /**.htaccess rule was too generous)
Note: this is slightly different to trunk r1895 regarding /.htaccess:
/.htaccess is still allowed in the 2.7 branch, but logged ("audit") and
has a comment saying that it will be disallowed in future versions.
entries where the comm entry has been hex-encoded. This occurs when the
binary being confined contains a space or other problematic character in
its filename. A test case is included.