mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Commit Graph

7608 Commits

Author SHA1 Message Date
Christian Boltz
895164fad2 Merge Profiles: dovecot add access for dovecot 2.4 doveconf paths
Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit fc636c7ff3)

021f701e Profiles: dovecot add access for dovecot 2.4 doveconf paths

Co-authored-by: Christian Boltz <apparmor@cboltz.de>
2025-07-15 18:16:09 +00:00
John Johansen
6f83b3491a Prepare for AppArmor 4.1.1 release
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.1.1
2025-06-09 15:45:29 -07:00
Ryan Lee
9cc2931d1b parser: set progname explicitly for tst_regex
Otherwise tst_regex would log as being from parser_common.c instead of
being from the actual source of parser_regex.c

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 6e643a1dab)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
20544e0f74 ci: build test images explicitly when requested
The recent change to make CI pipeline build test images on a manual
trigger masks the outcome of the pipeline. Let's use the new inputs [1]
feature to allow manually triggering the pipeline with an explicitly
built image instead.

[1] https://docs.gitlab.com/ci/inputs/

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 5aed9e8a50)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
65f5f2a28d ci: document the GitLab cache hack
We rely on a hack that avoids compressing and pushing the cache if it
has not really changed but it's worth adding links.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit f9ba11a91e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
9d9ef3f977 ci: allow building the spread in master
The current logic will only build spread images, for master (which uses
protected cache), when the .image-garden.mk or .gitlab-ci.yml files
change as compared to master. This is great IF they change and WHEN the
cache is hot but right now it seems that this is not the case and master
just has no protected cache.

Add a manual knob to run the one-off cache job whenever we want to.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 272ad36df8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
b6bb081738 ci: optimise image-* job to skip cache upload if unchanged
This relies on a documented hack that makes GitLab cache machinery
skip the upload if all of the cached files are missing in the tree.

This saves about a minute per pull request CI/CD run times the number of
images required for testing.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 81c1b86373)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
5d4cbeea5e ci: git restore-mtime .image-garden.mk
This fixes the long standing issue affecting caching of the image
between the image-* jobs and the spread-* jobs.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit d2d0f36244)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
51cc3748fc ci: make all jobs interruptible
This way they can be automatically cancelled by GitLab when a new commit is pushed
to a merge request, thus providing feedback to the tip of the branch or pull request
more rapidly.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit 50734c9689)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Zygmunt Krynicki
7b6e1a45d6 ci: exclude generated content from spread copy
This allows having a locally-built apparmor tree while using spread to
test against other distributions.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit a5bae11cfd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
vlefebvre
104d601657 unix-chkpwd: Add read capability to profile
Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionally read the shadow file. With the previous
restriction, the binary is denied access to the shadow file, which
blocks user authentication. Moreover, the PAM change is needed to fix
CVE-2024-10041.
Giving the read capability to the unix-chkpwd profile allows it to
function properly. See bug report [1].

[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678

Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
(cherry picked from commit 556396a172)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-06-09 15:39:14 -07:00
Christian Boltz
b50ee98352 Merge libapparmor/test: avoid writing __pycache__
Having a `__pycache__` on check can result in all kinds of weird issues.
Notably, the test environment is currently clearing all environment variables,
including those responsible for keeping a reproducible build.
This is not immediately a problem for functionality,
but complicates downstream distribution in systems such as nix, where it is considered a bug [1].

It might also be possible to force determinism by exporting env vars instead:
```
  DETERMINISTIC_BUILD=1
  PYTHONHASHSEED=0
```
This forces a special mode on the pycache, where instead of a `moddate`,
it will then store a hash of the outputs [2].
This would be an alternative fix, but considering apparmor upstream does
not (yet) test for bit-reproducibility, it is likely too fragile here.

[1] https://github.com/NixOS/nixpkgs/issues/409032
[2] https://peps.python.org/pep-0552/

I understand AppArmor might or might not care about deterministic builds.
I was writing this patch for nixpkgs anyways, so I might as well try to
contribute it - whether it gets merged or not.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1697
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit 9fabe25a9f)

f584505a libapparmor/test: avoid writing __pycache__

Co-authored-by: Christian Boltz <apparmor@cboltz.de>
2025-05-21 16:45:21 +00:00
John Johansen
951c683dfa Merge parser: enable create perm when label is defined
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet. Also, adjust tests to pass when label support is
implemented in the kernel.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1623
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit d94ff137ef)
2025-05-12 01:09:32 -07:00
Georgia Garcia
60025a8479 tests: detect if label is supported in the kernel
When label is detected in the kernel, the tests pass.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit c25f2d3407)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-12 01:09:32 -07:00
Georgia Garcia
392257c1e5 parser: add label to mqueue debug output
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit b718c53b97)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-12 01:09:32 -07:00
Georgia Garcia
5a82779c4c parser: enable create perm when label is defined
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 306b656ba2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-12 01:09:32 -07:00
John Johansen
99680f3086 Merge parser: fix handling of norelatime mount rule flag
Specifying norelatime should set the corresponding MS_RELATIME flag clear
bit. Instead, it ORed in MS_NORELATIME, which expands to 0. Properly set
the clear bit by using MS_RELATIME.

Fixes: c9e31b7f "Add mount rules"

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1679
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit e6bedaac1d)
2025-05-08 05:42:21 -07:00
Ryan Lee
0ae13d8e4a parser: fix handling of norelatime mount rule flag
Specifying norelatime should set the corresponding MS_RELATIME flag clear
bit. Instead, it ORed in MS_NORELATIME, which expands to 0. Properly set
the clear bit by using MS_RELATIME.

Fixes: c9e31b7f "Add mount rules"

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
(cherry picked from commit 711bbac5eb)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-08 05:42:21 -07:00
John Johansen
a2ef5d48c5 Merge abstractions/mesa: more radv_builtin_shaders files
reported by darix

The initial radv_builtin_shaders rule was added in 4.1, therefore I propose this patch for at least 4.1 and master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1677
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 3f37b671c3)
2025-05-08 05:40:30 -07:00
Christian Boltz
a23b0ec4a0 abstractions/mesa: more radv_builtin_shaders files
reported by darix

(cherry picked from commit 521a81ebfb)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-08 05:40:30 -07:00
John Johansen
2df16cc5a2 Merge abstractions/wutmp: allow access to lastlog2.db
Reported by darix, seen with comm="sshd-session"

I propose this for master and 4.x (optionally also 3.x even if it's less likely that systems using these branches already use lastlog2)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1676
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit b1097077f5)
2025-05-08 05:40:07 -07:00
Christian Boltz
662f4ef8af abstractions/wutmp: allow access to lastlog2.db
Reported by darix, seen with comm="sshd-session"

(cherry picked from commit f8532f2d20)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-08 05:40:07 -07:00
John Johansen
25642d1c71 Merge binutils: Fix missing include limits.h
For NAME_MAX

Fixes 322a98c8 ("Fix incorrect strnlen length in aa_load.c load_policy_dir")

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1666
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit e56751cec0)
2025-05-07 15:47:04 -07:00
fossdd
bac4844329 binutils: Fix missing include limits.h
For NAME_MAX

Fixes 322a98c8 ("Fix incorrect strnlen length in aa_load.c load_policy_dir")

(cherry picked from commit 02b7e41ef3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-07 15:47:04 -07:00
John Johansen
ad4c0b9567 Merge parser: fix failure to properly apply deny clearing in perms accumulation
The internal permission accumulation is currently broken in that
the ordering of rules matters to whether deny is clearing accumulated
perms.

If a deny node comes before an allow node the deny bits will get set
but the following allow bits won't get cleared by the deny node.

This isn't currently an actual issue for mediation as the deny
bit will be applied at one of
  1. apply_and_clear_deny
  2. permission remapping
  3. run time mediation

but it does result in the internal state sometimes having both
allow and deny bits set, dependent on order of computation, resulting
in state machines with different sizes because minimization
partitioning is based on the internal permissions.

This means that dfa minimization may not result in a truly minimal
state machine, and even worse can cause inconsistency and failure in
tests that rely on internal state like the equality and minimization
test, as seen in https://gitlab.com/apparmor/apparmor/-/issues/513

The failure was due to musl's STL set implementation producing a
different ordering of the nodes than glibc. So when the permissions
were accumulated the internal set of permissions were different.

Fix this by giving the different node classes their own internal priority.
This will ensure the bits are properly cleared for that priority before
accumulating.

Note: other ways of fixing.

1. Fixup internal accumulation to use accumulating perms of "higher"
   priority as part of the mask (deny and allow mask prompt).
2. Do a hard masking apply at the end after all bits have been accumulated
   (ie, in accept_perms after the for loop).

The priority route was chosen because it is a little smaller and
scales better if we get new Node types we have to deal with
(eg. planned complain node).

BugLink: https://gitlab.com/apparmor/apparmor/-/issues/513
Fixes: 1ebd99115 ("parser: change priority so that it accumulates based on permissions")
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1655
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 648336489e)
2025-05-07 02:27:14 -07:00
John Johansen
981b08e9f9 parser: fix failure to properly apply deny clearing in perms accumulation
The internal permission accumulation is currently broken in that
the ordering of rules matters to whether deny is clearing accumulated
perms.

If a deny node comes before an allow node the deny bits will get set
but the following allow bits won't get cleared by the deny node.

This isn't currently an actual issue for mediation as the deny
bit will be applied at one of
  1. apply_and_clear_deny
  2. permission remapping
  3. run time mediation

but it does result in the internal state sometimes having both
allow and deny bits set, dependent on order of computation, resulting
in state machines with different sizes because minimization
partitioning is based on the internal permissions.

This means that dfa minimization may not result in a truly minimal
state machine, and even worse can cause inconsistency and failure in
tests that rely on internal state like the equality and minimization
test, as seen in https://gitlab.com/apparmor/apparmor/-/issues/513

The failure was due to musl's STL set implementation producing a
different ordering of the nodes than glibc. So when the permissions
were accumulated the internal set of permissions were different.

Fix this by giving the different node classes their own internal priority.
This will ensure the bits are properly cleared for that priority before
accumulating.

Note: other ways of fixing.

1. Fixup internal accumulation to use accumulating perms of "higher"
   priority as part of the mask (deny and allow mask prompt).
2. Do a hard masking apply at the end after all bits have been accumulated
   (ie, in accept_perms after the for loop).

The priority route was chosen because it is a little smaller and
scales better if we get new Node types we have to deal with
(eg. planned complain node).

BugLink: https://gitlab.com/apparmor/apparmor/-/issues/513
Fixes: 1ebd99115 ("parser: change priority so that it accumulates based on permissions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 06e349345e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-07 02:27:14 -07:00
John Johansen
67f51a4502 Merge utils: add support for priority rule prefix
Add basic support for the priority rules prefix. This patch does not
allow the utils to set or suggest priorities. It allows parsing and
retaining of the priority prefix if it already exists on rules and
checking if it's in the supported range.

Note that this MR is supposed to replace WIP MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1531

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1636
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 71ea87966a84b9ffadf49b789bf37bdce33da67d)
Signed-off-by: John Johansen <john.johansen@canonical.com>

Merge branch 'cherry-pick-71ea87966a84b9ffadf49b789bf37bdce33da67d' into apparmor-4.1
2025-05-07 02:23:29 -07:00
John Johansen
5c39009b23 utils: add support for priority rule prefix
Add basic support for the priority rules prefix. This patch does not
allow the utils to set or suggest priorities. It allows parsing and
retaining of the priority prefix if it already exists on rules and
checking if it's in the supported range.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c0fcd1698b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-07 02:21:25 -07:00
Georgia Garcia
ab44dddba9 utils: add allow keyword to list of unsupported modifiers
Some classes don't support modifiers like audit and deny. Only rlimit
has been checking for the allow keyword, but the others shouldn't
support it as well. Since they all do the same check, refactor them
into a method from BaseRule in case more modifiers are added.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3389230437)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-05-07 02:15:18 -07:00
Christian Boltz
3d14d51253 Merge parser: fix if condition at the bottom of equality.sh
The lack of a space after $testtype is a syntax error and was causing the
equality tests on Ubuntu Xenial to be silently skipped and marked PASS.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1670
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit bd46a02e47)

17ee87ad parser: fix if condition at the bottom of equality.sh

Co-authored-by: Christian Boltz <apparmor@cboltz.de>
2025-05-05 19:03:50 +00:00
John Johansen
e026d4a95d Merge [cherry-pick] binutils/aa-status: don't exit if no profiles are loaded
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490

Output of `aa-status` is nondescriptive if no profiles are loaded.

Worse yet, the json output isn't even valid json. It would make sense to just return a json object with no entries, instead of returning a non-json `eprint` to stderr.

**Ideally** output of non-json would be more descriptive.

Currently:

```
apparmor module is loaded.
Failed to get profiles: 2....
```

What I would prefer:

```
apparmor module is loaded.
Failed to get profiles: No policies loaded
```

However, I am unfamiliar with how the translation framework works, and thus am not confident to do this change blindly. I am happy to add a commit doing so if I know where to change all that.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1652
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 6f480cb819)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1656
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-30 08:01:56 +00:00
Grimmauld
699ef083a6 binutils/aa-status: don't exit if no profiles are loaded
Downstream report: https://github.com/NixOS/nixpkgs/issues/347490

Output of `aa-status` is nondescriptive if no profiles are loaded.

Worse yet, the json output isn't even valid json.
It would make sense to just return a json object with no entries,
instead of returning a non-json `eprint` to stderr.
2025-04-28 09:16:53 +02:00
Steve Beattie
c0f6085952 Merge parser: fix rlimit ofile when built on musl libc
glibc defines bsd's rlimit ofile as nofile, however musl does not define
rlimit ofile at all.

Instead of just dropping ofile which would be bad for policy portability
make sure it is defined to be nofile.

This is a partial fix for
https://gitlab.com/apparmor/apparmor/-/issues/513

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1648
Approved-by: Steve Beattie <steve+gitlab@nxnw.org>
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>
(cherry picked from commit 887ff42043)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-23 00:47:54 -07:00
John Johansen
1dba775f1d Merge make AMD GPUs work better
Proposed by darix

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1642
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 7702b40359)
2025-04-21 12:31:09 -07:00
Christian Boltz
6ca0353efd make AMD GPUs work better
Proposed by darix

(cherry picked from commit 5d71e19753)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-21 12:31:09 -07:00
John Johansen
d8bacb87b4 Merge abstractions/nameservice: allow kanidm-unixd
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.

For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 8504cda668)
2025-04-21 12:30:07 -07:00
Georg Pfuetzenreuter
955d302fec abstractions/nameservice: allow kanidm-unixd
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.

For example:

```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
(cherry picked from commit 675a99ac7b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-21 12:30:07 -07:00
John Johansen
1da593aa2e Merge add path for plasmashell with qt6 based QtWebEngineProcess in debian derivatives
we are using this path in a local profile shipped with plasma-workspace in KDE neon

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1633
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit ee08bfbc90)
2025-04-21 12:27:58 -07:00
carlosdem
97d64497f1 fix typo
(cherry picked from commit d8ddd665fc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-21 12:27:58 -07:00
carlosdem
dd9485b5be add path for plasmashell with qt6 based QtWebEngineProcess in debian derivatives
(cherry picked from commit 393444b7ba)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-21 12:27:58 -07:00
Christian Boltz
1e95e32252 Merge utils: fix unix qualifier clean rule generation
The wrong clean rule is generated when unix rules contain qualifiers,
with the order inverted with the rule name.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/511
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Closes #511
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1639
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>


(cherry picked from commit c5642f9d43)

8c84b36b utils: fix unix qualifier clean rule generation

Co-authored-by: Christian Boltz <apparmor@cboltz.de>
2025-04-18 19:11:55 +00:00
John Johansen
4d76854372 Merge unprivileged_userns profile: Allow full file system access
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505

The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

Closes #505
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1626
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 8138bc60d1)
2025-04-12 02:21:12 -07:00
Maxime Bélair
29f6ac644f unprivileged_userns profile: Allow full file system access
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505

The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
(cherry picked from commit 182db98c2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-12 02:21:12 -07:00
John Johansen
53074bb906 Prepare for AppArmor 4.1 release
- update version file
- bump library version

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.1.0
2025-04-08 09:20:05 -07:00
John Johansen
62aeb03d99 Merge tests: regressions: fix unix_socket_pathname.sh for upstream kernels
FS based unix sockets have a complicated interaction with socket
mediation: some of the mediation happens in file hooks while other
parts happen in network hooks.

When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.

Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.

Update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.

Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1622
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit d9ecaf60bc)
2025-04-08 09:06:24 -07:00
John Johansen
cb67e865cf tests: regression: increase unix socket test timeout
The tests on slower systems are occasionally timing out, leading to
inconsistent pass/fail runs. The timeout failure, depending on which
test it occurs in, can result in false passes or failures.

Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2c784709b2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 09:06:24 -07:00
John Johansen
3cc7bf844e tests: regressions: fix unix_socket_pathname.sh for upstream kernels
FS based unix sockets have a complicated interaction with socket
mediation: some of the mediation happens in file hooks while other
parts happen in network hooks.

When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.

Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.

Update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.

Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 08f9466d1c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 09:06:24 -07:00
Zygmunt Krynicki
fff99a1c6a Add support for running image-garden as a snap
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.

Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
(cherry picked from commit bd500e2391)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 05:57:02 -07:00
Christian Boltz
3023e6cd09 Check for mount rules with multiple 'fstype'
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.

(cherry picked from commit b5894687ed)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 05:55:53 -07:00
Christian Boltz
9178bfc444 Check for mount rules with multiple 'options'
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.

(cherry picked from commit 171e0b1fa9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-04-08 05:55:53 -07:00