Disconnected paths on lookups have caused actual permission denials, even
when the loaded profile is in complain mode. This is a test that causes
disconnections using mounts (both old and new API) and then verifies that
a complain mode profile doesn't prevent operations with disconnected fds.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This is needed to fix the gnome-remote-desktop daemon, which mounts in a
directory like /run/user/119/gnome-remote-desktop/cliprdr-ABm0Gd/.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2103889
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This involves replacing `command -v` with `which` (again), since the `command` shell builtin isn't recognized by older versions of Make, as well as skipping tests that require the `linux/mount.h` header on older systems that lack it.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1578
Approved-by: Zygmunt Krynicki <me@zygoon.pl>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.
Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The command shell builtin is not recognized by older versions of make, so
switch back to using the which binary instead.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
linux/mount.h is only used in the move_mount test, which exercises the
move_mount syscall that was introduced sometime in 2018 or later. Older
systems without the header also lack the syscall, so we can just skip the
test in those cases.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes bug #2103524
lsblk on some virtualized systems require access to directory
/sys/devices/LNXSYSTM:*/LNXSYBUS:*/** since block devices can be exposed
in this directory.
Making a previously non-const pointer arg const is not an ABI break, and
having const expresses the intent of the interface better.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1586
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Making a previously non-const pointer arg const is not an ABI break, and
having const expresses the intent of the interface better
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
For executables dynamically linked to libnuma, the runtimer linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with following error message:
apparmor="DENIED" operation="open" class="file"
name="/sys/devices/system/node/" comm="qemu-bridge-hel"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Here is the simplified call trace:
0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
1 ... in call_init (...) at ./elf/dl-init.c:74
2 ... in call_init (...) at ./elf/dl-init.c:120
3 _dl_init (...) at ./elf/dl-init.c:121
4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.
MR: mailing list patch
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Followup that replaces !1576.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1581
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
The aa-exec man page makes reference to aa-stack(8) and aa-namespace(8)
manpages that don't exist. For now just remove those references and
add a short blurb on using aa-exec with stacking and namespaces.
Proper full manpages for stacking and namespaces need to be added
but that is beyound the scope of this fix.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/496
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1570
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
I propose this fix for 4.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1573
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
* Make glob_pattern more readable
- replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
- split to multiline string
* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.
* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving adding the closing ')))' into each of them.
* Allow empty source and any word only in mount source
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Corresponding kernel patch needed to test in https://gitlab.com/georgiag/apparmor-kernel/-/tree/mqueue-ext
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1577
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1579
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... by removing/moving the ')' after the empty source.
Also prepare source_fileglob_pattern and dest_fileglob_pattern to be
customizable by moving adding the closing ')))' into each of them.
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitely handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to [\w-]+.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This allows evince to share the document to a program running as a snap,
e.g. mail via firefox. Given that /usr/bin/snap itself is not confined
I chose to use ux, rather than pux.
Tested locally on Ubuntu 24.04 by sharing a document from evince to
firefox.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2095872
Jira: https://bugs.launchpad.net/apparmor/+bug/2095872
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The aa-exec man page makes reference to aa-stack(8) and aa-namespace(8)
manpages that don't exist. For now just remove those references and
add a short blurb on using aa-exec with stacking and namespaces.
Proper full manpages for stacking and namespaces need to be added
but that is beyound the scope of this fix.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/496
Signed-off-by: John Johansen <john.johansen@canonical.com>
