abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a1)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da)
Add several libapparmor/swig/ruby files to gitignore
See merge request apparmor/apparmor!366
(cherry picked from commit 9c11ce37c6)
7ed1a16a Add several libapparmor/swig/ruby files to gitignore
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988a)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
parser/libapparmor_re/parse.cc is autogenerated during build parser/tst_lib gets compiled during "make check"
Both files get deleted by make clean.
This is the only remaining difference between 2.10 and newer .gitignore files, and the two files already get generated in 2.10.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/319
(cherry picked from commit 9d5934f5)
Signed-off-by: John Johansen john.johansen@canonical.com
- parser/libapparmor_re/parse.cc is autogenerated during build
- parser/tst_lib gets compiled during "make check"
Both files get deleted by make clean.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.11.
(cherry picked from commit 9d5934f5ff)
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 1f53de174d)
1306f9a6 abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
c5a89d5d abstractions/ssl_{certs,keys}: sort the alternation for dehydrated and drop...
04b2842e abstractions/ssl_{certs,keys}: allow reading ocsp.der maintained by dehydrated for OCSP stapling
abi rule skipping is core dumping on some bad abi rule file names.
[ 112s] # Failed test './simple_tests//abi/bad_10.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[ 112s] # at simple.pl line 126.
[ 112s]
[ 112s] # Failed test './simple_tests//abi/bad_11.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[ 112s] # at simple.pl line 126.
[ 112s]
[ 112s] # Failed test './simple_tests//abi/bad_12.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[ 112s] # at simple.pl line 126.
This is caused by calling processquoted without ensuring that that the
length being processed is valid.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 0a666b8e48)
cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
The only entries that wouldn't be needed in 2.11 are
- cscope.*
- libraries/libapparmor/src/PMurHash.lo
- libraries/libapparmor/src/PMurHash.o
but they don't hurt, and keeping .gitignore in sync in all branches
makes things easier.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/260
(cherry picked from commit 8bba589d2d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!244
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10, 2.11 and 2.12.
(cherry picked from commit 500b857d24)
93ccf15c profiles/Makefile: test abstractions against apparmor_parser
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
[2.10] Initialize hats that don't exist in the /etc/apparmor.d profile yet
If a hat only exists in the to-be-merged profile, it needs to be
initialized in the /etc/apparmor.d/ profile. This patch does exactly
that to avoid an aa-mergeprof crash.
This bug only exists in the 2.10 branch. Newer branches already got it
"accidently fixed" during merging ask_the_questions() into aa.py and the
ProfileStorage implementation.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/235
Acked-by: John Johansen <john.johansen@canonical.com>
If a hat only exists in the to-be-merged profile, it needs to be
initialized in the /etc/apparmor.d/ profile. This patch does exactly
that to avoid an aa-mergeprof crash.
This bug only exists in the 2.10 branch. Newer branches already got it
"accidently fixed" during merging ask_the_questions() into aa.py and the
ProfileStorage implementation.
commit 94dfe15b28 attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/207
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 958cc28876)
2.10: Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e04 / !202 (merged) to
2.10 (with some adjustments because that commit didn't appy cleanly)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/225
Acked-by: John Johansen <john.johansen@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf085036)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does _not_ run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules ;-)
This is a backport of 072d3e0451 / !202 to
2.10 (with some adjustments because that commit didn't appy cleanly)
