If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Extend `make check` to automatically ensure every AppArmor profile grants
explicit read access to its attachment path, preventing future omissions.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Grant explicit read permission on each profile’s attachment path. This
avoid issues when running them from a confined environment and makes
test_profile.sh pass.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Unconfined delegates access to open file descriptors. Therefore when
running a confined binary from unconfined, it will work even when the
attachment path is not read-allowed.
However, as soon as these confined binaries are run from another
confined process, this delegation is not permitted anymore and the
program breaks.
This has been the cause of several bugs such as
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or
https://github.com/canonical/snapd/pull/15181 .
Introduce `test_profile.sh`, a helper script that ensures confining
AppArmor profiles explicitly allow (at least) read access to their
attachment path.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
When showing the content of profiles with `apparmor_parser --debug`, the
attachment path is now displayed within the 'Debugging built structures'
section.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
CVMFS ( the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)).
CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possibly to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking.
We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
I am unsure how to test this equivalency due to how abi declarations interact with feature file command line arguments, so advice on that would be welcome.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1585
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Currently abi=<kernel> always grabs the kernels actual features but
it should respect --kernel-features=. This is causing the simple
tests to fail when abi=<kernel> is specified.
Fix it so abi=<kernel> respects the kernel abi specified in the configs
or on the command line.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505
The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Closes#505
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1626
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1627
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505
The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This enables us to exercise the front perms parse logic in the utils rule parsing through the simple tests as well
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
ipa_verify is a simple libcamera tool that does not use the portion of
libcamera that creates user namespaces. This simple profile should be
enough to replace the previous unconfined profile.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Check that when using a HTTP client via tinyproxy that the expected Via header
is present and that the tinyproxy stats page works as expected.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1537
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1622
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The tests on slower systems are occassionally timing out leading to
inconsistent pass/fail runs. The time out failure depending on which
test it occurs in can result in false passes, or failres.
Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.
Signed-off-by: John Johansen <john.johansen@canonical.com>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.
Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1588
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1617
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1620
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.sh and deleted.sh tests added expanded their
testing by using unix sockets. This however ever needs support of
unix socket mediation.
Provide a minimal fix by setting bailouts for the the tests if the
requirement is not present. Long term it would be better if the
expected/needed permissions sets could be tweaked to take into
account the permissions required by the use of unix sockets.
The fix f47d5c70a fix af_unix tests for v8 networking, was never
correct, though it worked and was closer before support for fine
grained inet mediation landed. Before finegrained inet mediation
landed unix rules would allow specifying the permission but inet would
not only allowing coarse socket mediation rules. While the backend
supported finegrained permissions in v8 socket mediation the parser
did not.
If af_unix mediation was not supported by the kernel the af_unix
mediation rule would be downgrade to a network rule. All network
socket rules allowed full permission because the parser didn't
support permissions on socket rules. So the "unix create," rule
was being downgraded to a "unix," rule. Thus the "unix create",
rule was enough permissions, in the downgrade even though it
actually wasn't enough permissions.
With support for fine grained inet permissions, support for permissions
on socket rules also landed. When this happend "unix create," was not
enough permissions any more because it was not downgraded to "unix,",
this resulted in failed mediation.
Fixes: cb4a397b1 ("tests: add attach_disconnected tests")
Fixes: f47d5c70a ("fix af_unix tests for v8 networking")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1621
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.sh and deleted.sh tests added expanded their
testing by using unix sockets. This however ever needs support of
unix socket mediation.
Provide a minimal fix by setting bailouts for the the tests if the
requirement is not present. Long term it would be better if the
expected/needed permissions sets could be tweaked to take into
account the permissions required by the use of unix sockets.
The fix f47d5c70a fix af_unix tests for v8 networking, was never
correct, though it worked and was closer before support for fine
grained inet mediation landed. Before finegrained inet mediation
landed unix rules would allow specifying the permission but inet would
not only allowing coarse socket mediation rules. While the backend
supported finegrained permissions in v8 socket mediation the parser
did not.
If af_unix mediation was not supported by the kernel the af_unix
mediation rule would be downgrade to a network rule. All network
socket rules allowed full permission because the parser didn't
support permissions on socket rules. So the "unix create," rule
was being downgraded to a "unix," rule. Thus the "unix create",
rule was enough permissions, in the downgrade even though it
actually wasn't enough permissions.
With support for fine grained inet permissions, support for permissions
on socket rules also landed. When this happend "unix create," was not
enough permissions any more because it was not downgraded to "unix,",
this resulted in failed mediation.
Fixes: cb4a397b1 ("tests: add attach_disconnected tests")
Fixes: f47d5c70a ("fix af_unix tests for v8 networking")
Signed-off-by: John Johansen <john.johansen@canonical.com>
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: 1561 Added the ability to specify special a keyword to allow
detached mounts. Unfortunately it updated remount to use the device
and devbuffer when remounts current encoding doesn't support it.
This caused the mount.sh regression test to fail in the following
way.
```
$ sudo bash mount.sh
[sudo] password for jj:
using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap bind mount remount rprivate conflict)' was expected to 'pass'. Reason for failure 'FAIL: mount /tmp/sdtest.358520-12403-ASaOnn/mountpoint2 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
not supported by parser - skipping mount options=(nodirsync),
Error: mount failed. Test 'MOUNT (confined cap mount remount option)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount failed. Test 'MOUNT (confined cap mount remount)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount passed. Test 'MOUNT (confined cap mount remount deny option)' was expected to 'fail'
```
Revert the change to remount. This fixes the regression failure.
fa0746f2e parser: add special casing for detached move mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1618
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR: 1561 Added the ability to specify special a keyword to allow
detached mounts. Unfortunately it updated remount to use the device
and devbuffer when remounts current encoding doesn't support it.
This caused the mount.sh regression test to fail in the following
way.
```
$ sudo bash mount.sh
[sudo] password for jj:
using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap bind mount remount rprivate conflict)' was expected to 'pass'. Reason for failure 'FAIL: mount /tmp/sdtest.358520-12403-ASaOnn/mountpoint2 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
not supported by parser - skipping mount options=(nodirsync),
Error: mount failed. Test 'MOUNT (confined cap mount remount option)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount failed. Test 'MOUNT (confined cap mount remount)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount passed. Test 'MOUNT (confined cap mount remount deny option)' was expected to 'fail'
```
Revert the change to remount. This fixes the regression failure.
fa0746f2e parser: add special casing for detached move mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
I propose this fix for 4.0, 4.1 and master. (Note: excluding `mount/ok_opt_86.sd` was added in !1561, so we either need to also backport this, or have to slightly adjust this MR for backporting.)
Closes#501
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1616
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
