The header was being generated incorrectly in 2 cases:
When the profile/hat contained the parent profile in its name, as in
profile firefox//dash {
hat ^firefox//dash {
and in the unit tests, the child profile or hat was being named as the
parent profile. This was not caught by the general case because the
code has not yet been fully adapted to handle multiple nested child
profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
I propose this fix for 4.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1573
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
* Make glob_pattern more readable
- replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
- split to multiline string
* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.
* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving adding the closing ')))' into each of them.
* Allow empty source and any word only in mount source
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Corresponding kernel patch needed to test in https://gitlab.com/georgiag/apparmor-kernel/-/tree/mqueue-ext
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1577
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... by removing/moving the ')' after the empty source.
Also prepare source_fileglob_pattern and dest_fileglob_pattern to be
customizable by moving adding the closing ')))' into each of them.
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
One of the possible matches in glob_pattern was `\w+` which matched for
example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore
change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and
one with `revokefs-fuse`.
The utils should be able to skip profiles that it can't parse now,
so this test suite bypass mechanism should no longer be necessary.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Since all the tools that load profiles go through the same module, this should
be sufficient as a first pass.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This will allow the other tools to continue working on other profiles, even
if some of them use syntax that the utils currently can't handle.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles to use that mechanism in the other tests that need it
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a trivial fix for
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1543
instead of waiting longer for the auther to fix, the MR was merged
and this manual fixup done.
Fixes: dfe9d713f ("aa-logprof/aa-genprof: allow ignoring executions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
We should be using apparmor controlled domains for these files.
Rename the template file from
com.ubuntu.pkexec.aa-notify.policy
to
net.apparmor.pkexec.aa-notify.policy
And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu
Signed-off-by: John Johansen <john.johansen@canonical.com>
The install of the polkit action files for aa-notify leaks build root
information.
From OBS
apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
this is present on Ubuntu as well
<annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>
this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.
Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes#486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1540
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
The install of the polkit action files for aa-notify leaks build root
information.
From OBS
apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
this is present on Ubuntu as well
<annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>
this occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.
Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Co-Author: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1539
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it by broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
It is now possible to select individual rules to allow through an
improved GUI (ShowMoreGUIAggregated).
This commit also simplifies codebase thanks to new classes ProfileRules
and SelectableRules.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1444
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Python 3.13 changes the formatting of long-short option pairs that use a
meta-variable. Up until 3.13 the meta-variable was repeated. Since
Python change [1] the meta-var is only printed once.
[1] https://github.com/python/cpython/pull/103372
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The "last" command, which was supplied by util-linux in older Ubuntu
versions, is now supplied by wtmpdb in Oracular and Plucky. Unfortunately,
this changed the output format and broke our column based parsing.
While the wtmpdb upstream has added json support at
https://github.com/thkukuk/wtmpdb/issues/20, we cannot use it because
we need to support systems that do not have this new feature added.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1508
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Since kernel commit 8c4b785a86be the class is available to check if
the log belongs to which class. This fixes cases where the logparser
is not able to distinguish between network and file operations.
This issue does not manifest previous to and including apparmor-4.0
because we did not process auditing logs then.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/478
Reported-by: vyomydv vyom.yadav@canonical.com
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The "last" command, which was supplied by util-linux in older Ubuntu
versions, is now supplied by wtmpdb in Oracular and Plucky. Unfortunately,
this changed the output format and broke our column based parsing.
While the wtmpdb upstream has added json support at
https://github.com/thkukuk/wtmpdb/issues/20, we cannot use it because
we need to support systems that do not have this new feature added.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Our ubuntu packaging builds Python-enabled libapparmor's in the directories `libapparmor/libapparmor.python[version_identifier]`. In order for the util's `make check` to pick up on the correct libapparmor during the Ubuntu build process, we need the ability to override its search path. This patch introduces a `LIBAPPARMOR_BASEDIR` variable to allow for that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1497
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
os.environ returns a string, but the default value is a list, and the concatenation of __AA_CONFDIR assumes a list.
Thus, if APPARMOR_NOTIFY and __AA_CONFDIR were both specified, this would error out.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
lastlog2 is the 2038-safe replacement for wtmp, and in the meantime
became part of util-linux.
This commit switches from trying to parse the lastlog2 output to
directly reading lastlog2.db with sqlite3.
Adjust get_last_login_timestamp() to use the lastlog2 database
(/var/lib/lastlog/lastlog2.db) if it exists, and adjust
get_last_login_timestamp_lastlog2() to actually do that.
(If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.)
Unfortunately lastlog2 doesn't have a way to get machine-readable output
(for example json), therefore - after trying and failing to parse the
lastlog2 output - directly read from lastlog2.db. Let's hope the format
never changes ;-)
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372
lastlog2 is the 2038-safe replacement for wtmp, and in the meantime
became part of util-linux.
Adjust get_last_login_timestamp() to use lastlog2 if it exists, and add
get_last_login_timestamp_lastlog2() to actually do that.
(If lastlog2 doesn't exist, aa-notify will read wtmp as usual.)
Unfortunately lastlog2 doesn't have a way to get machine-readable output
(for example json), therefore we have to parse the output that is meant
for humans. Let's hope the format never changes ;-)
(The alternative would have been to use squlite3 to once more read the
data behind the official program's back, but that was already a bad idea
for wtmp, therefore I decided against it.)
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372
... and add a wrapper function with the old name
Also rename the tests to the new name, and create a copy with the
original name. The copy will be adjusted to also check/expect lastlog2
results in a later commit.
