toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Two fixes for the remmina profile so we can merge this
1. mknod is not currently an allowed permission. It has to be
downgraded to w
Do that with a note about how this needs to change in the future
2. The original fix adds direct references to peer=(label=unconfined)
Fix this to use a variable. So it will be easier to refactor and
update.
While doing it for the PMR also fixup the other direct unconfined
references.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Representative log lines from the [LaunchPad bug](https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098838):
```
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:621): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="netlink" sock_type="raw" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:622): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:623): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:624): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
However, regression potential remains for other setups (e.g. USB WiFi dongles), and we should maybe open up a discussion about when we want to target profiles into `apparmor.d` as opposed to `extras`.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1554
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These are the default directory mounts used by Flatpak's system cache for mounting revokefs-fuse. Unfortunately, the new rules are quite broad, but we might not be able to do much better than that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1562
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Fixes: https://bugs.launchpad.net/maas/+bug/2092232
In the lsblk profile, the rule responsible for allowing to read disks
over network was not generic enough to handle some cases, such as IBM
Power. The new rule, `@{sys}/devices/**/host@{int}/** r`, should support
all cases.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This is needed to fix the gnome-remote-desktop daemon, which mounts in a
directory like /run/user/119/gnome-remote-desktop/cliprdr-ABm0Gd/.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2103889
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes bug #2103524
lsblk on some virtualized systems require access to directory
/sys/devices/LNXSYSTM:*/LNXSYBUS:*/** since block devices can be exposed
in this directory.
For executables dynamically linked to libnuma, the runtimer linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with following error message:
apparmor="DENIED" operation="open" class="file"
name="/sys/devices/system/node/" comm="qemu-bridge-hel"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Here is the simplified call trace:
0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
1 ... in call_init (...) at ./elf/dl-init.c:74
2 ... in call_init (...) at ./elf/dl-init.c:120
3 _dl_init (...) at ./elf/dl-init.c:121
4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.
MR: mailing list patch
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This allows evince to share the document to a program running as a snap,
e.g. mail via firefox. Given that /usr/bin/snap itself is not confined
I chose to use ux, rather than pux.
Tested locally on Ubuntu 24.04 by sharing a document from evince to
firefox.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2095872
Jira: https://bugs.launchpad.net/apparmor/+bug/2095872
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
* passwd -e LOGIN was failing
* Allow execution of /usr/sbin/nscd
See: bee77ffc29/lib/nscd.c (L23-L27)
* Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter
files (see https://www.openwall.com/passwdqc/)
* Allow setuid & fsetid capabilities
* Allow locking with /etc/shadow.PID & /etc/shadow.lock
* Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for
These are needed by e.g. AppImages
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1556
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
sbuild is an unconfined profile allowing it to by-pass the unprivlieged
user namespace restritction.
unconfined profiles us a pix transition which means when the
unprivileged_unshare profile is enabled, the binaries in an unconfined
profile calls unshare it will transition to the unprivileged_unshare
profile.
This will break sbuild because it needs capabilities within the
user namespace.
However we can not just add a x transition rule to unconfined profiles,
the transitions won't be respected. Instead we have to make the profile
a default allow profile, and add a transition that will override
the default pix transition of allow all.
We have to add the attached_disconnected and mediated_deleted flags
because sbuild is manipulating mounts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This manifested with chmod calls failing in autopkgtests of dbus and snapd
Reported-by: Alex Murray <alex.murray@canonical.com>
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Follow up from !1544 with the other basic variables.
Variables such as `@{rand6}` and `@{word6}` are very commonly used as they allow us to restrict access from rules such as: `/tmp/*`, `/tmp/??????`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1546
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1533
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The unshare-userns-restrict profile contained a cx transition to
transition to a profile that allows most things while denying
capabilities:
audit allow cx /** -> unpriv,
However, this transition does not stack the unshare//unpriv profile
against any other profile the target binary might have had. As a result,
the lack of stacking resulted in a non-namespace-related sandboxing
bypass in which attachments of other profiles that should have confined
the target binary do not get applied. Instead, we adopt a stack similar
to the one in bwrap-userns-restrict, with the exception that unshare
does not use no-new-privs and therefore only needs a two-layer stack
instead of a three-layer stack.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
AppArmor profile for `iotop-c`, developed and tested in Ubuntu 24.04 LTS.
Signed-off-by: Allen Huang <allen.huang@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1520
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
profile for wpa_supplicant in oracular
tested: creating, connecting, disconnecting, removing wireless networks, hotspot and p2 networks
Signed-off-by: Sudhakar Verma <sudhakar.verma@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1385
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
- Remove `owner` in /proc/ rules to enable non-root users
- add "include if exists" line to pass the pipeline
- change <abstractions/nameservice> to smaller <abstractions/nameservice-strict>
Signed-off-by: Allen Huang <allen.huang@canonical.com>
- add profile for tshark
- sub profile for dumpcap
- tested with tests from upstream wireshark project,not all test cases
passed but failures unrelated to apparmor restriction
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1384
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
