When the variable was being expanded, it needed to be reevaluated to
check if there was still unresolved variables. That allowed for a
weird bug to happen: If the string contained a variable preceded by @,
like in "user@@{uid}" and the variable was resolved to a case where {
is used, like in @{uid}={[0-9],[1-9][0-9]}, then on the second pass,
the parser would try to resolve the following variable
@{[0-9],[1-9][0-9]}, which is incorrect behavior. Fix it by not
including part of the string that was already resolved on the
subsequent passes.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1756
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
When the variable was being expanded, it needed to be reevaluated to
check if there was still unresolved variables. That allowed for a
weird bug to happen: If the string contained a variable preceded by @,
like in "user@@{uid}" and the variable was resolved to a case where {
is used, like in @{uid}={[0-9],[1-9][0-9]}, then on the second pass,
the parser would try to resolve the following variable
@{[0-9],[1-9][0-9]}, which is incorrect behavior. Fix it by not
including part of the string that was already resolved on the
subsequent passes.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The xtable on perms32 capable systems is being padded to the size of
the accept state tables. This was a hack to get around issue in a buggy
perms32 v1. We do not support any system using perms 32 v1 so we can
drop the hack.
Similarly since we don't support perms32v1 we don't support prompt
compat dev or perms32v1, so drop them as well
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1750
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Their is no reason for the parse to stitch 2 dfas together this way.
In the future there will be better ways to do this using unconpressed
dfas.
Dropping this also allows for some simplification, in other parts of
the code.
Drop the dead/unused code
Signed-off-by: John Johansen <john.johansen@canonical.com>
prompt_compat_permsv1 and prompt_compat_dev were used to support
prompt during early dev. We do not support any kernel using these
so drop them.
This also allows us to drop the propogation of prompt as a parameter
through several functions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The xtable on perms32 capable systems is being padded to the size of
the accept state tables. This was a hack to get around issue in a buggy
perms32 v1. We do not support any system using perms 32 v1 so we can
drop the hack.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Right now coverity is running in two steps, one to collect logs in
case of failures, and a different one to actually send the data to
coverity. The log collection step is failing because when collecting
data for python with the new version of coverity, build-log.txt is not
generated.
The whole way we build with coverity might need changing, but
currently this patch is removing the log collection so the pipeline
passes.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1754
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Right now coverity is running in two steps, one to collect logs in
case of failures, and a different one to actually send the data to
coverity. The log collection step is failing because when collecting
data for python with the new version of coverity, build-log.txt is not
generated.
The whole way we build with coverity might need changing, but
currently this patch is removing the log collection so the pipeline
passes.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass or other
unexpected file mediation behavior. Thus, add a test to verify whether or
not such a bypass occurs.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1743
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.
Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.
openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1726
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
I'd like to store my wg creds in my TPM module using `systemd-creds`:
```bash
PostUp = systemd-creds --name wg0 decrypt /etc/wireguard/secrets/wg0.cred | wg set wg0 private-key /dev/stdin
```
Currently I use `local/wg-quick` as work-around.
The `Ux` permission is may be a little too open, but 2 problems remain:
- the profile maintainer can't know which creds file need to be accessible
- different TMP module implementations / drivers may require different permissions
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1644
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add support for change_onexec logs by converting them to change_profile.
Fix associated test.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1745
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
This MR removes some footguns in aa-notify
- Prevents the modification of special profiles
- Improve the clarity of messages
- Add support for regexes in userns_special_profiles
- Refactor get_event_type.
- Add support for regexes for special profiles
- Optimize aa-notify performances
- Minor bugfixes
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1732
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
import tkinter does not automatically import tkinter.font so calls to
the latter fail if the execution environment does not already contains
it.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Profiles are now updated only at initialization and when aa-notify
itself updates a profile.
A future MR will come to read profiles individually only when an event
for this profile comes to reduce overhead, as more and more profiles are
created.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Mesa now needs ~/.cache/mesa_shader_cache_db/marker .
Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.
Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.
To reproduce it:
```
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
```
After the test fails, enter the vm by
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
```
You can reproduce the test by running
```
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
```
Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse
Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.
This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```
Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load
```
Signed-off-by: Steve Beattie <steve@nxnw.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.
This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```
Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load
```
Fixes: dfbd2dc4b ("parser: refactor variables and symbols table into their own class")
Signed-off-by: Steve Beattie <steve@nxnw.org>
Ref: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass. Thus,
add a test to verify whether or not such a bypass occurs.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The current lsblk profile contains `@{sys}/devices/pci@{int}:@{int}/** r` (where `@{int}` expands to `[0-9]+`). PCI BDFs are in hex, so block device paths whose BDF contains [a-f] digits are skipped, causing them to be omitted from the output of lsblk.
Replacing `@{int}` with `@{hex}` (which expands to `[0-9a-fA-F]+`) ensures PCI block device paths with [a-f] hex digits are correctly matched and displayed in the output of `lsblk`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Those messages appear in various context and do not provide any useful feedback to the user, diverging from UNIX philosophy of staying quiet when there's nothing of importance to say.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1738
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Hi,
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1729
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1739
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.
Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.
openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
