While symtab for now has only static members, it will allow for a
change in the future for each profile to have their own symbols like
profile_name, etc.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1711
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that `priority=0` matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1735
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that priority=0 matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).
Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1720
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).
Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
Create separate classes for tests not fitting under *TestParseInvalid
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1736
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.
Also move tests not matching the rule regex into tests array (which now supports this case).
While at it, enable the tests for abi and include rules.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1728
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
Signed-off-by: Louis Sautier <sautier.louis@gmail.com>
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.
While at it, enable the tests for abi and include rules.
While symtab for now has only static members, it will allow for a
change in the future for each profile to have their own symbols like
profile_name, etc.
According to commit cce5bd6e95ae9a9f01caceea0d5d75b612dd3fbc, the
apparmor_parser does not collapse consecutive / characters in the
beginning of paths, since it indicates posix namespaces. Add a
equality test to make sure we maintain this behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... instead of having them in test-modifiers.py for all rule types
Also add a few additional tests while on it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1718
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Basic AppArmor profile for the free binary, tested on Ubuntu 24.04.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1629
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
In order to test the profile, I did the following inside an oracular VM:
- `curl https://ubuntu.com/ -o /tmp/ubuntu`
- `curl 'https://ubuntu.com/security/{CVE-2024-12797,CVE-2025-24032}' -o '#1'`
- `curl -u dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu ftp://ftp.dlptest.com/`
Finally, I ran the package's testsuite:
```
apt source curl
cd curl-8.9.1
./configure --without-ssl # SSL has been tested using the above
make
cd test/server
make
cd ..
./runtests.pl -c $(which curl)
```
The only test which should fail should be the last one, since the build was configured with support for less protocols than the ones provided by the binary we're using (this is expected and happens regardless of whether the profile is loaded or not).
A spread smoke-test is also provided as part of this MR.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1560
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Adds apparmor profile for https://mosquitto.org/ `plucky 2.0.20-2`.
In a production and customized environment, this profile would need overriding as many configuration options in `mosquitto.conf` are file paths which can point anywhere. This profile adds all sensible defaults required for mosquitto to work out of the box with TLS.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1506
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Source package isync
Let me know if you think we should better handle any mail or different mbsyncrc location that the user might have.
As well if I should simplify the network access to `include <abstractions/nameservice>` or if that's too much.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1372
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Add profile for `dnstracer`. The profile has been tested with `dnstracer` for oracular i.e. version `1.9-8build1`.
Signed-off-by: vyomydv <vyom.yadav@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1366
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
In the past, this class and function were used by test-signal_parse.py -
which was deleted in April 2016 (5f58d7f124139784b9ba70ce37cc26716bbc4e0f).
Maybe there were also other users, but none of them survived.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1719
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Fixes: 6e9ff1fa6 ("profiles: update the rest of the profiles to use @{exec_path}")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1721
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These profiles don't have an attachment so the path needs to be hardcoded
Fixes: 6e9ff1fa6 ("profiles: update the rest of the profiles to use @{exec_path}")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Various test cleanups, see the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1717
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
In the past, this class and function were used by test-signal_parse.py -
which was deleted in April 2016 (5f58d7f124139784b9ba70ce37cc26716bbc4e0f).
Maybe there were also other users, but none of them survived.
Hello!
I run AppArmor daily on my personal machine and use `aa-notify` to receive alerts for any audit events. I wanted to submit two features and one bugfix for problems that I've seen while running `aa-notify`.
### Here are the two features in this merge request:
1. Allow `aa-notify` to run in the foreground.
I understand that `aa-notify` is ment to be run as a background notification daemon, however there are situations when running in the foreground would be better suited. One example is any startup "launcher" that creates and monitors it's child processes (my setup basically does this) and when `aa-notify` forks, the launcher percieves it as crashing on startup.
This merge request adds an option "-F"/"--foreground" to prevent background forking and perserves the default behavior, while allowing `aa-notify` to run like a standard foreground application. The test cases in `utils/test/test-aa-notify.py` are also updated to reflect the argument changes.
2. Prevent `aa-notify` from exiting with a fatal error when the AppArmor profiles directory cannot be read.
During startup, `aa-notify` will attempt to read the AppArmor profiles from the profile directory using the `aa.read_profiles` function. If this function fails due to a permissions check, `aa-notify` will exit with an error. In my setups, the standard user does not have any read access to the AppArmor profiles directory (reasoning: as an attacker, I could read the profiles to find something that would have the weakest permissions for explitation, but with that route blocked, this becomes significantly harder). In this merge request, an optional paramater `skip_perm_error` that is by-default False, is added to the `read_profiles` function call in `aa-notify`. In `aa.py`, this function has two added lines, which are under `except (OSError, TypeError):`. The extra code checks if `skip_perm_error` is True, and if so will print a warning out using the `aaui.UI_Info` function and returns cleanly. During my test cases, I have not run into any issues running `aa-notify` without reading any profiles.
### BugFixes
1. Crash during `aa-notify` polling during audit events that cause `rl.parse_record(event)` to return None
I've noticed certain events will cause `aa-notify` to crash, specifically the ones in the attached log snipped will cause `ev` to be `None`.
In this merge request, I've added a simple `if ev is None:` check before attempting to read from `ev`. If `ev` is None, it will fall into `continue` and prevent a crash from occuring. The crash log is also attached for additional information.
Please let me know if there's any additional questions or information you may need! And thank you for all your hard work on this project!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1706
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.
To reproduce it:
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
After the test fails, enter the vm by
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
You can reproduce the test by running
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse
Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
@jjohansen had mentioned to me when he suggested this profile that there was smth he noticed about john that gave him the impression it was a good candidate for confinement. I think that would be the only thing I'd want to call out - wondering whether something like this captures that spirit or if there's something else worth including.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1662
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
