This is necessary for lsof run as root to be able to return results from
processes run by other users.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
lsof will attempt (reverse?) DNS queries to resolve IP addresses in open
sockets to domain names, so the full nameservice abstraction is needed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
- common file formats that qpdf works with: .pdf, .json and .qdf
- .in and .out are also allowed in users' home directories as they
are sometimes used
- other paths are added, including mounts and system locations
Signed-off-by: Allen Huang <allen.huang@canonical.com>
We need to be able to dump the initial partition assignments, and then
the partitions after minimization but before remapping to be able to
check on what is being done by minimization.
Add these as part of -D dfa-minimize-partitions
Ideally we would rework the code so that the existing minimization
dump could share the dump routine, but it's intertwined with computation
state and information is thrown away before reaching the end.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1651
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
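To make concrete what the two dumps described in the commit message show, here is an added illustration (not apparmor_parser code, which minimizes its own internal DFA representation): a Moore-style minimizer on a constructed six-state DFA that records the initial partition (states split only by acceptance) and the refined partition over the original state numbers before the remap assigns fresh, dense state ids. The state numbers, alphabet and transitions are all made up for the example.

```python
"""Moore-style DFA minimization that records the two snapshots the commit
message wants dumped: the initial partition (acceptance only) and the
refined partition captured before states are renumbered.

Added illustration; not the apparmor_parser implementation.  SAMPLE_DFA is
constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Partition = List[FrozenSet[int]]

# Constructed sample: states 1 and 2 are equivalent, 4 and 5 are equivalent,
# and state 3 is a non-accepting sink that only gets separated from state 0
# in the second refinement round.
SAMPLE_DFA = {
    "states": [0, 1, 2, 3, 4, 5],
    "alphabet": ["a", "b"],
    "start": 0,
    "accept": {4, 5},
    "delta": {
        (0, "a"): 1, (0, "b"): 2,
        (1, "a"): 3, (1, "b"): 4,
        (2, "a"): 3, (2, "b"): 4,
        (3, "a"): 3, (3, "b"): 3,
        (4, "a"): 3, (4, "b"): 5,
        (5, "a"): 3, (5, "b"): 5,
    },
}


def initial_partition(dfa: dict) -> Partition:
    """Split states into a non-accepting block and an accepting block only."""
    accept = frozenset(dfa["accept"])
    non_accept = frozenset(s for s in dfa["states"] if s not in accept)
    return [block for block in (non_accept, accept) if block]


def refine(dfa: dict, partition: Partition) -> Partition:
    """One refinement round: two states stay together only if they are in the
    same block and every input symbol sends them to the same block."""
    block_of = {s: i for i, block in enumerate(partition) for s in block}
    groups: Dict[tuple, set] = defaultdict(set)
    for s in dfa["states"]:
        signature = (block_of[s],) + tuple(
            block_of[dfa["delta"][(s, c)]] for c in dfa["alphabet"])
        groups[signature].add(s)
    return [frozenset(g) for g in groups.values()]


def minimize(dfa: dict) -> Tuple[Partition, Partition, int, dict]:
    """Return (initial partition, final partition, rounds, remapped DFA).

    The final partition is what a -D dfa-minimize-partitions style dump would
    show: equivalence classes over the ORIGINAL state numbers, captured before
    the remap assigns new ids and throws that information away."""
    initial = initial_partition(dfa)
    partition, rounds = initial, 0
    while True:
        refined = refine(dfa, partition)
        # Refinement only ever splits blocks, so an unchanged block count
        # means a fixpoint has been reached.
        if len(refined) == len(partition):
            break
        partition, rounds = refined, rounds + 1
    final = sorted(partition, key=min)
    new_id = {s: i for i, block in enumerate(final) for s in block}
    remapped = {
        "states": list(range(len(final))),
        "alphabet": list(dfa["alphabet"]),
        "start": new_id[dfa["start"]],
        "accept": {new_id[s] for s in dfa["accept"]},
        "delta": {(new_id[s], c): new_id[t] for (s, c), t in dfa["delta"].items()},
    }
    return initial, final, rounds, remapped


def dump_partition(label: str, partition: Partition) -> None:
    """Print one block per line, in the style of a debug dump."""
    print(label)
    for i, block in enumerate(sorted(partition, key=min)):
        print(f"  block {i}: {sorted(block)}")


if __name__ == "__main__":
    initial, final, rounds, remapped = minimize(SAMPLE_DFA)
    dump_partition("initial partition (by acceptance only):", initial)
    dump_partition(f"partition after {rounds} refinement rounds, before remap:", final)
    print("remapped states:", remapped["states"], "accepting:", sorted(remapped["accept"]))
```

The first dump shows `{0,1,2,3}` and `{4,5}`; the second shows `{0}`, `{1,2}`, `{3}`, `{4,5}`, which is the information lost once the remap renumbers the four classes as states 0..3.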
Improve the failure messages around getting policy information to
be less ambiguous about what went wrong.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1653
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Without this, arguments like -r would not work.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1659
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.
However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.
This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .
This MR makes sure every confining AppArmor profile explicitly allows (at least) read access to its attachment path.
This Merge request:
- Introduces `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
- Modifies a lot of profiles so that all profiles have r/mr access to their attachment path.
- Extends `make check` to automatically ensure all AppArmor profiles grant explicit read access to their attachment path, preventing future omissions.
- Modifies apparmor_parser to show attachment in --debug output.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
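One way to implement the check the merge request describes, as an added example rather than the project's own `test_profile.sh`: walk a policy file, record each profile's attachment path, and flag profiles that never grant themselves `r`. It covers only a simplified subset of the profile language (single-valued `@{var} = value` assignments, plain path rules with `owner`/`audit` prefixes, no include resolution, no quoted paths or `{a,b}` alternation), treats `deny` rules as granting nothing, and uses a constructed sample policy; the profile names and paths in it are made up.

```python
"""Check that every profile with an attachment path grants itself read
access, the property the make check hook described above enforces.

Added example, not the project's test_profile.sh.  Limitations: only
single-valued @{var} = value assignments, plain path rules, no include
resolution, no quoted paths or {a,b} alternation.  SAMPLE_POLICY is
constructed for the demonstration.
"""
import re
import sys
from typing import Dict, List

SAMPLE_POLICY = """
abi <abi/4.0>,
include <tunables/global>

@{exec_path} = /usr/bin/lsof

profile lsof @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  @{exec_path} mr,
  /proc/** r,
}

/usr/bin/qpdf {
  include <abstractions/base>
  /usr/bin/qpdf r,
  owner @{HOME}/**.pdf rw,
}

/usr/bin/broken {
  include <abstractions/base>
  deny /usr/bin/broken r,
  # works from unconfined (fd delegation) but fails from a confined parent
  /usr/lib/** mr,
}
"""

VAR_RE = re.compile(r"^@\{(\w+)\}\s*=\s*(\S+)$")
# "profile NAME /path flags=(...) {", "profile /path {", or "/path {"
HEADER_RE = re.compile(
    r"^(?:profile\s+(?:\S+\s+)?)?(?P<attach>/\S*|@\{[^}]+\}\S*)\s*"
    r"(?:flags=\([^)]*\)\s*)?\{$")
# "[owner|audit] /path PERMS,"
RULE_RE = re.compile(
    r"^(?:(?:owner|audit)\s+)*(?P<path>/\S+|@\{[^}]+\}\S*)\s+(?P<perms>[A-Za-z]+),$")


def expand(text: str, variables: Dict[str, str]) -> str:
    """Substitute known @{var} references; unknown ones are left in place."""
    for _ in range(8):
        new = re.sub(r"@\{(\w+)\}",
                     lambda m: variables.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """AppArmor globbing: '*' does not cross '/', '**' does, '?' is one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        out.append("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def check_attachment_reads(policy: str) -> Dict[str, bool]:
    """Map each attachment path to whether its own profile grants read on it."""
    variables: Dict[str, str] = {}
    results: Dict[str, bool] = {}
    stack: List[list] = []  # one [attachment-or-None, read_granted] per open block
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        var = VAR_RE.match(line)
        if var:
            variables[var.group(1)] = var.group(2)
            continue
        if line.endswith("{"):
            header = HEADER_RE.match(line)
            attachment = expand(header.group("attach"), variables) if header else None
            stack.append([attachment, False])
            continue
        if line == "}":
            attachment, granted = stack.pop()
            if attachment is not None:
                results[attachment] = granted
            continue
        if not stack or stack[-1][0] is None or stack[-1][1]:
            continue
        if "deny" in line.split()[:2]:  # a deny rule never grants anything
            continue
        rule = RULE_RE.match(line)
        if rule and "r" in rule.group("perms"):
            path = expand(rule.group("path"), variables)
            if path == stack[-1][0] or glob_to_regex(path).match(stack[-1][0]):
                stack[-1][1] = True
    return results


def missing_self_read(policy: str) -> List[str]:
    """Attachment paths whose profile lacks an explicit read rule."""
    return sorted(p for p, ok in check_attachment_reads(policy).items() if not ok)


if __name__ == "__main__":
    missing = missing_self_read(SAMPLE_POLICY)
    for path in missing:
        print(f"profile for {path} does not grant itself read access")
    sys.exit(1 if missing else 0)
```

Because includes are not resolved, a profile that only gets its read access through an abstraction is reported as missing; that is the conservative direction for a CI gate, since the point of the MR is that the grant be explicit in the profile itself.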
This reverts commit 75959225b35cc3cd76e684f2db62e27ee4e81288.
Do not enable the verify attachment-path script as part of the CI.
1. The script itself has several bashisms, that need to be fixed before
we land it as part of the regular integration test.
2. The script is going to need to be extended to support the new
parser variables, before it can be turned on as part of the CI.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490
Output of `aa-status` is non-descriptive if no profiles are loaded.
Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
**Ideally** output of non-json would be more descriptive.
Currently:
```
apparmor module is loaded.
Failed to get profiles: 2....
```
What I would prefer:
```
apparmor module is loaded.
Failed to get profiles: No policies loaded
```
However, I am unfamiliar with how the translation framework works,
and thus not confident to do this change blindly.
I am happy to add a commit doing so if I know where to change all that.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1652
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
glibc defines BSD's rlimit ofile as nofile; however, musl does not define
rlimit ofile at all.
Instead of just dropping ofile, which would be bad for policy portability,
make sure it is defined to be nofile.
This is a partial fix for
https://gitlab.com/apparmor/apparmor/-/issues/513
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1648
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
This reverts commit 27f5b623f726a84f8430825e2e2641043965af94, reversing
changes made to ee08bfbc905102380bfcaf64d5d84bced98c9360.
This causes the plasmashell profile to have a conflicting x modifiers
error. This breaks CI and compile/load of the plasmashell profile.
Revert until it can be fixed using priority.
Signed-off-by: John Johansen <john.johansen@canonical.com>
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
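The denial quoted above is the usual starting point for a rule like the one this commit adds. As an added example (not aa-logprof or any project tool), the following turns a file-class AVC denial into the rule text a policy author would add; it uses the commit's own log line re-joined onto one line, plus one constructed line, and the mapping of the `c`/`d` mask bits onto `w` is this example's assumption about how create and delete are expressed in file rules.

```python
"""Parse an AppArmor AVC denial and propose the file rule that would allow it.

Added example, not aa-logprof.  Only class="file" denials are handled, and
exec ('x') bits are deliberately left out because the exec mode (ix, Px, ...)
is a policy decision.  SAMPLE_DENIAL is the line from the commit message,
re-joined; SAMPLE_CREATE is constructed.
"""
import re
from typing import Dict, Optional, Tuple

SAMPLE_DENIAL = ('type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm" '
                 'name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"')
SAMPLE_CREATE = ('type=AVC apparmor="DENIED" operation="mknod" class="file" profile="php-fpm" '
                 'name="/run/php/app.sock" comm="php-fpm" requested_mask="wc" denied_mask="wc"')

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption of this example: create/delete denials need 'w' in a file rule;
# 'x' is intentionally absent (needs an explicit exec mode).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}


def parse_avc(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def suggest_rule(line: str) -> Optional[Tuple[str, str]]:
    """Return (profile, rule text) for a file denial, or None if not applicable."""
    fields = parse_avc(line)
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
        return None
    if "name" not in fields or "denied_mask" not in fields:
        return None
    perms = "".join(sorted({MASK_TO_PERM[c] for c in fields["denied_mask"] if c in MASK_TO_PERM}))
    if not perms:
        return None
    return fields["profile"], f"{fields['name']} {perms},"


if __name__ == "__main__":
    for sample in (SAMPLE_DENIAL, SAMPLE_CREATE):
        profile, rule = suggest_rule(sample)
        print(f"{profile}: {rule}")
```

For the quoted denial this yields `/etc/kanidm/unixd r,`, which is exactly what the nameservice abstraction needs when kanidm is listed in nsswitch.conf; whether the rule belongs in the abstraction or in the individual profile is the reviewer's call, not something the log can tell you.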
There is an unfortunate long kernel dev history as to why this currently
isn't the case, so we're stuck with documenting the facts for now.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1641
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>