This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
(cherry picked from commit 2202a8a267111266b74a7c9fd4bbc89a5f334d6a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
or: get rc.apparmor.functions in sync with the tools and libapparmor.
This was "accidently" reported by Ralph on the opensuse-support
mailinglist.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
(cherry picked from commit 228b92ce5ab287aad76954751cb5e8fb2ea8ce4d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 49848b90817a923c9cf3f6ee534d02442bf0ff80)
Signed-off-by: John Johansen <john.johansen@canonical.com>
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
PR: PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 3ef8df6ac05057e46720b2eba099bad3416f763b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 0a666b8e48c162932a2b8049fbe3be2c909517b1)
cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
[2.10+2.11] Backport lots of .gitignore additions from 2.12
The only entries that wouldn't be needed in 2.11 are
cscope.*
libraries/libapparmor/src/PMurHash.lo
libraries/libapparmor/src/PMurHash.o
but they don't hurt, and keeping .gitignore in sync in all branches makes things easier.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/260
Acked-by: John Johansen <john.johansen@canonical.com>
The only entries that wouldn't be needed in 2.11 are
- cscope.*
- libraries/libapparmor/src/PMurHash.lo
- libraries/libapparmor/src/PMurHash.o
but they don't hurt, and keeping .gitignore in sync in all branches
makes things easier.
error out on superfluous TODOs
See merge request apparmor/apparmor!197
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 39a20314878cffaf4b681bb0a97672f7c6333587)
4b26850e error out on superfluous TODOs
disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff8313a18adda9ed95bc2766c79f120f)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
Remove TODO notes from no-longer-failing tests
See merge request apparmor/apparmor!180
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit c98d8570eee26469d0541fefbcbfb74a36337caa)
d15bdaba Remove TODO notes from no-longer-failing tests
This is a backport of !239
commit 2209e09aef2a9b08a5518b16548327ac0a2f360e
Author: nl6720 <nl6720@gmail.com>
aa-notify man page: update user's configuration file path
Signed-off-by: nl6720 <nl6720@gmail.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/243
(backported from commit 2209e09aef2a9b08a5518b16548327ac0a2f360e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747a7f730ab59db014cbd15e469b16395)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This changed the profile names and needs adjustments to "signal
peer=..." rules, which is something we should avoid in an old branch.
The reverted commit is
commit 0ce15469ec338ee5116c3c794b5c46896b3ee5f6
Author: Cameron Nemo <camerontnorman@gmail.com>
Date: Wed Jul 25 14:07:35 2018 -0700
profiles: support distributions which merge sbin into bin
Closes#8
(cherry picked from commit 9ab45d811e38ab5363ee6c8f79ee44f8a34c6be5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This reverts the following commit which changes the profile names -
something we should avoid on an old branch.
commit ae3e230b053e0521f54ea1590326dae895b7642c
Author: Cameron Nemo <camerontnorman@gmail.com>
Date: Tue Sep 11 09:54:33 2018 -0700
profiles: support void-specific binary names for openntpd, traceroute, and ping
(cherry picked from commit 6e28a94acefd5d3e001d35c53ecf999a6c3a16fd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!244
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10, 2.11 and 2.12.
(cherry picked from commit 500b857d24c07e1cde390a18859516d20184693c)
93ccf15c profiles/Makefile: test abstractions against apparmor_parser
Interestingly, abi/bad_6.sd is detected as invalid, and therefore not
added to the list.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/238
(cherry picked from commit 5c54f662792120c9ffefee6a00ce11f520e6eb36)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently if stdin is used the warning
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
is always displayed but if caching has been disabled there is no need for
this message.
(backported from commit c421a29c61e66d121fa2544ba5e4c243c9a5b68c)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/233
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Fix aa-mergeprof crash caused by accidentially initialzed hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 93445ca02dcbdef64664220dc4364501ff568776)
bc492533 Fix aa-mergeprof crash caused by accidentially initialzed hat
The old patter *.* doesn't match lsb_release and nvidia_modprobe, and
the only file we ship in local is a README. This patch adjusts the
pattern to ignore everything except README.
(cherry picked from commit aeee9a1aabb215f842d99dbe626d2e9357cc667c)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/227
Signed-off-by: John Johansen <john.johansen@canonical.com>
(probably Ubuntu-only? The ssl-params file doesn't exist on my openSUSE
installation)
References: https://bugs.launchpad.net/apparmor-profiles/+bug/1796966
(cherry picked from commit 16a98d26d00b393962c08edf9c9b066472395751)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 94dfe15b28dc56f60c7c368f2bf7353fe2e0906d attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/207
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 958cc288769360aaec23971efaf4318f4c6817bc)
Make @{sys} available by default
See merge request apparmor/apparmor!228
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 772a8702e0874dbb4de8caa40fc533b487940be0)
aa065287 Make @{sys} available by default
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a131da24c31e41ad32753015a0ec0f76)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf08503613a60298281200db9218a7532a1e31)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
2.11: Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e04 / !202 (merged) to
2.11 (with some adjustments because that commit didn't appy cleanly)
I propose this patch for 2.10 and 2.11.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/223
Acked-by: John Johansen <john.johansen@canonical.com>
2.11/2.10: is_skippable_dir(): add 'cache.d' to exclude list
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8)
While this isn't strictly needed for 2.10 or 2.11 userspace, it makes testing these branches easier ;-)
I propose this cherry-pick for 2.11 (= this merge request) and 2.10.
https://gitlab.com/apparmor/apparmor/merge_requests/222
Acked-by: John Johansen <john.johansen@canonical.com>
make 2.11 utils tests green
- switch minitools_test.py to a profile without alternation
- remove non-failing tests from unknown_line exception
- exclude several #include "does not exist" examples
PR: https://gitlab.com/apparmor/apparmor/merge_requests/220
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59eef229e4a3758c3abb3891b030b38ab)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit f76a718f2846247d162e8e54a9e4d5eff5742ea8)
80e98f2d Update usr.sbin.nmbd & usr.sbin.smbd
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e04514b70bb3b29d4bfe400caa44dd574a2 / !202 to
2.11 (with some adjustments because that commit didn't appy cleanly)
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8c6d9c0bb4ba16fc4f09fc62bd8c51b73)
bare_include_tests/ok_30.sd and ok_31.sd don't fail with the 2.11 tools.
Remove them from the unknown_line exception.
(Interestingly newer branches fail on these tests, but I didn't check why.)
These tests were added with the cherry-picked commit 4184b0c363fe94ae93e596d144a1226ba96eceb6
They are expected to fail, but don't fail with the 2.11 tools because
the regex only matches #include <...> which means #include "..."
is considered to be a comment.
Remove accidently added text from utils/po/Makefile
See merge request apparmor/apparmor!217
Acked-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit fa82a515234505fad0416c57af8f2f4f3ccef860)
15770576 Remove accidently added text from utils/po/Makefile
Qt GUI applications that uses "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 67816c42cfbadd85aa5cbb086284076c4c289881)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 69c4cabb93f1f07189687f830cdca7ddc506b857)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Create abtractions/qt5 with common rules needed for Qt5-based
applications.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/99
(cherry picked from commit 6a85ffe00e4fe7a7eaccc5ed9a7981dbc6f42063)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently, kde abstraction has rules relevant to Qt 3 and Qt 4
libraries, but are missing rules against latest Qt 5.
Include read-only Qt 5 abstraction to fix styling and similar issues for
software running on KDE 5 desktop.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/209
Fixes https://bugs.launchpad.net/apparmor/+bug/1787201
(cherry picked from commit bd33cdd19a370be58208e022bb51304dae09d734)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add @{uid} and @{uids} variables to allow migrating profiles in advance
while awaiting path mediation implementation, based on current user id,
in kernel side.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/208
(cherry picked from commit cba10db7e7aed10f31cd43d2b6799d4f0a7d8c68)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions part ii
- abstractions/private-files: disallow access to the dirs of private files
- private-files{,-strict}: disallow writes to parent dirs too
- user-files: disallow writes to parents dirs
PR: https://gitlab.com/apparmor/apparmor/merge_requests/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
gio-launch-desktop helper tries to execute /usr/bin/thunderbird wrapper
script, not the /usr/lib/thunderbird... directly.
Add rule allowing to execute /usr/bin/thunderbird.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/204
(cherry picked from commit cee9527fa8f3fae5f86a32afa6bede60e4dceb4f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
