mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00

8260 Commits

Author SHA1 Message Date
Georgia Garcia
95d7f37520 coverity: remove log retrieving step temporarily
Right now coverity is running in two steps, one to collect logs in
case of failures, and a different one to actually send the data to
coverity. The log collection step is failing because when collecting
data for python with the new version of coverity, build-log.txt is not
generated.

The whole way we build with coverity might need changing, but
currently this patch is removing the log collection so the pipeline
passes.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-31 13:02:07 -03:00
John Johansen
c54c4a7e01 Merge coverity: fix deprecated uses of --no-command and --fs-capture-search
According to the coverity documentation [1], filesystem capture is no
longer supported, favoring the use of the "coverity capture" tool.
This fixes the coverity pipeline which is broken due to flags
--no-command and --fs-capture-search no longer working.

[1] https://documentation.blackduck.com/bundle/coverity-docs-2024.3/page/coverity-analysis/topics/moving_from_filesystem_capture_to_the_coverity_cli.html

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1751
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-31 02:05:06 +00:00
John Johansen
375470144f Merge regression: fix usage statement for linkat_tmpfile
See https://gitlab.com/apparmor/apparmor/-/merge_requests/1743#note_2658749912 for context.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1752
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-31 01:17:17 +00:00
Ryan Lee
73bcf488b2 regression: fix usage statement for linkat_tmpfile
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-07-30 16:35:21 -07:00
Georgia Garcia
117df51e4a coverity: fix deprecated uses of --no-command and --fs-capture-search
According to the coverity documentation [1], filesystem capture is no
longer supported, favoring the use of the "coverity capture" tool.
This fixes the coverity pipeline which is broken due to flags
--no-command and --fs-capture-search no longer working.

[1] https://documentation.blackduck.com/bundle/coverity-docs-2024.3/page/coverity-analysis/topics/moving_from_filesystem_capture_to_the_coverity_cli.html

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-30 19:35:25 -03:00
John Johansen
37185f50a4 Merge regression: add test for making O_TMPFILE followed by linkat
The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass or other
unexpected file mediation behavior. Thus, add a test to verify whether or
not such a bypass occurs.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1743
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-30 11:09:11 +00:00
John Johansen
b40ac50f49 Merge profiles: add QtWebEngineProcess path used by Arch Linux and other distros
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.

Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.

openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.

Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1726
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-07-30 08:37:10 +00:00
John Johansen
87e0151c7c Merge added systemd-creds to list of wg-quick binaries
I'd like to store my wg creds in my TPM module using `systemd-creds`:

```bash
PostUp = systemd-creds --name wg0 decrypt /etc/wireguard/secrets/wg0.cred | wg set wg0 private-key /dev/stdin
```

Currently I use `local/wg-quick` as work-around.
The `Ux` permission may be a little too open, but 2 problems remain:

- the profile maintainer can't know which creds files need to be accessible
- different TPM module implementations / drivers may require different permissions

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1644
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-30 08:34:49 +00:00
Robert Stiller
b9ed931c90 added systemd-creds to list of wg-quick binaries 2025-07-30 08:34:49 +00:00
Maxime Bélair
63ce02c01d Merge logparser: add support for change_onexec logs
Add support for change_onexec logs by converting them to change_profile.
Fix associated test.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1745
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-30 08:27:43 +00:00
Maxime Bélair
e82ee9f4f4 Merge aa-notify: reduce the likelihood of misuses
This MR removes some footguns in aa-notify

- Prevents the modification of special profiles
- Improve the clarity of messages
- Add support for regexes in userns_special_profiles
- Refactor get_event_type.
- Add support for regexes for special profiles
- Optimize aa-notify performances
- Minor bugfixes

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1732
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-30 08:26:50 +00:00
John Johansen
4e8781c2a9 Merge abstractions/mesa, chromium_browser, firefox: Updates
Mesa now needs `~/.cache/mesa_shader_cache_db/marker`.

Chromium wants `/proc/$PID/smaps_rollup`, `/sys/.../report_descriptor`,
and two XDG utilities used by the "Create shortcut..." feature. Deny
the latter for now, due to additional permissions that would be needed
and a questionable security trade-off as a result.

Log excerpts:

`2025-05-14T20:27:27.677404-04:00 darkstar kernel: audit: type=1400 audit(1747268847.675:1994528): apparmor="DENIED" operation="mknod" class="file" profile="chromium_browser" name="/home/skunk/.cache/mesa_shader_cache_db/marker" pid=679258 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`

`2025-05-20T15:49:58.039124-04:00 darkstar kernel: [646649.154759] audit: type=1400 audit(1747770598.031:5066099): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/98171/smaps_rollup" pid=98171 comm="MemoryInfra" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000`

`2025-04-25T05:02:38.776915-04:00 darkstar kernel: [2275912.763394] audit: type=1400 audit(1745571758.762:151): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6/2-6.4/2-6.4:1.0/0003:046D:C31C.0002/report_descriptor" pid=469739 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2025-05-20T17:40:38.775057-04:00 darkstar kernel: [653289.888358] audit: type=1400 audit(1747777238.768:5122686): apparmor="DENIED" operation="exec" profile="chromium_browser" name="/usr/bin/xdg-desktop-menu" pid=116168 comm="ThreadPoolForeg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0`

`2025-05-20T17:40:38.906998-04:00 darkstar kernel: [653290.020797] audit: type=1400 audit(1747777238.900:5122687): apparmor="DENIED" operation="exec" profile="chromium_browser" name="/usr/bin/xdg-icon-resource" pid=116169 comm="ThreadPoolForeg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0`

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1698
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-29 20:39:24 +00:00
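Added example, not code from the commit above or from the AppArmor utils: a small parser for the audit records quoted in that message, turning each DENIED line into the kind of candidate profile line aa-logprof would prompt for. The sample input is the five lines quoted above plus one constructed ALLOWED record; the `owner` and `deny` heuristics, the `c`/`d` to `w` mapping, and the `@{pid}`/`@{HOME}` substitutions are this example's own choices, not the project's code.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample input: the five DENIED records quoted in the merge commit above, plus
# one constructed ALLOWED record (what complain mode logs) so filtering is exercised.
SAMPLE_LOG = """\
2025-05-14T20:27:27.677404-04:00 darkstar kernel: audit: type=1400 audit(1747268847.675:1994528): apparmor="DENIED" operation="mknod" class="file" profile="chromium_browser" name="/home/skunk/.cache/mesa_shader_cache_db/marker" pid=679258 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
2025-05-20T15:49:58.039124-04:00 darkstar kernel: [646649.154759] audit: type=1400 audit(1747770598.031:5066099): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/98171/smaps_rollup" pid=98171 comm="MemoryInfra" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
2025-04-25T05:02:38.776915-04:00 darkstar kernel: [2275912.763394] audit: type=1400 audit(1745571758.762:151): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6/2-6.4/2-6.4:1.0/0003:046D:C31C.0002/report_descriptor" pid=469739 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2025-05-20T17:40:38.775057-04:00 darkstar kernel: [653289.888358] audit: type=1400 audit(1747777238.768:5122686): apparmor="DENIED" operation="exec" profile="chromium_browser" name="/usr/bin/xdg-desktop-menu" pid=116168 comm="ThreadPoolForeg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
2025-05-20T17:40:38.906998-04:00 darkstar kernel: [653290.020797] audit: type=1400 audit(1747777238.900:5122687): apparmor="DENIED" operation="exec" profile="chromium_browser" name="/usr/bin/xdg-icon-resource" pid=116169 comm="ThreadPoolForeg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
2025-05-20T17:41:00.000000-04:00 darkstar kernel: audit: type=1400 audit(1747777260.000:5122700): apparmor="ALLOWED" operation="open" class="file" profile="chromium_browser" name="/etc/hosts" pid=116168 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword; quoted values may contain spaces but not quotes.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one AppArmor audit record into a dict of its key=value fields."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _KV.findall(line)}


def parse_events(text: str) -> List[Dict[str, str]]:
    return [ev for ev in map(parse_audit_line, text.splitlines()) if ev]


def parse_denials(text: str) -> List[Dict[str, str]]:
    """Only enforce-mode denials; ALLOWED records are complain-mode noise here."""
    return [ev for ev in parse_events(text) if ev.get("apparmor") == "DENIED"]


# Mask letters with no rule permission of their own: create and delete are
# granted by 'w' in policy (assumption, modelled on how aa-logprof maps them).
_MASK_TO_PERM = {"c": "w", "d": "w"}


def _perms(denied_mask: str) -> str:
    return "".join(sorted({_MASK_TO_PERM.get(ch, ch) for ch in denied_mask}))


def suggest_rule(ev: Dict[str, str]) -> str:
    """Render one candidate profile line for a file denial.

    Exec denials come back as a deny rule, mirroring the decision in the commit
    above to refuse the XDG helpers; a human still decides whether ix/Px/Cx is
    wanted instead. @{pid} and @{HOME} are tunables from tunables/kernelvars and
    tunables/home; substituting them here is this example's heuristic.
    """
    name = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", ev["name"])
    name = re.sub(r"^/home/[^/]+/", "@{HOME}/", name)
    perms = _perms(ev["denied_mask"])
    if "x" in perms:
        return f"deny {name} x,"
    # 'owner' only when the process and the file share a non-root uid (heuristic).
    owner = "owner " if ev.get("fsuid") == ev.get("ouid") != "0" else ""
    return f"{owner}{name} {perms},"


def summarize(denials: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """profile -> sorted, de-duplicated candidate rules."""
    by_profile = defaultdict(set)
    for ev in denials:
        by_profile[ev["profile"]].add(suggest_rule(ev))
    return {profile: sorted(rules) for profile, rules in by_profile.items()}


if __name__ == "__main__":
    for profile, rules in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

The `/proc/@{pid}/smaps_rollup` line is the one to be careful with: `@{pid}` matches any pid, so a rule written from it lets the confined process read every process's `smaps_rollup`, which is the usual trade-off when generalising a pid-specific denial.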
Maxime Bélair
9ac6047f6c aa-notify: Explicitly import tkinter.font
import tkinter does not automatically import tkinter.font so calls to
the latter fail if the execution environment does not already contain
it.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Maxime Bélair
73f4f650e7 aa-notify: Reduce profile updates to reduce overhead.
Profiles are now updated only at initialization and when aa-notify
itself updates a profile.

A future MR will come to read profiles individually only when an event
for this profile comes to reduce overhead, as more and more profiles are
created.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Maxime Bélair
12e3557896 aa-notify: Support regexes in userns_special_profiles
It is now possible to use regexes to define special profiles. unpriv_.*
is used by default.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Maxime Bélair
d8c57da6ba Allow aa-notify to use the priority mechanism
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Maxime Bélair
4de3b64e52 Add tests for get_event_type
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Maxime Bélair
71a71e0fa7 Create get_event_type instead of customized_message['userns']['cond']
This improves the code readability

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-29 13:14:18 -07:00
Daniel Richard G.
36d32a81a2 abstractions/mesa, chromium_browser, firefox: Updates
Mesa now needs ~/.cache/mesa_shader_cache_db/marker .

Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.

Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.
2025-07-29 15:22:37 -04:00
John Johansen
84fbd87334 Merge profiles: fusermount3 profile fixes for libfuse 3.17
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.

To reproduce it:
```
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
```

After the test fails, enter the vm by
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
```

You can reproduce the test by running
```
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
```

Note that ix for mount and umount were enough to make the autopkgtest
failures start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse


Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-29 09:08:31 +00:00
Georgia Garcia
e757ca8e14 Merge parser/variables: fix read-after-free in error case
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.

This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:

```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```

Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:

```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load

```

Signed-off-by: Steve Beattie <steve@nxnw.org>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-25 09:42:38 -03:00
Steve Beattie
6673be07aa parser/variables: fix read-after-free in error case
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.

This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:

```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```

Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:

```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load

```

Fixes: dfbd2dc4b ("parser: refactor variables and symbols table into their own class")
Signed-off-by: Steve Beattie <steve@nxnw.org>
Ref: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
2025-07-24 23:37:24 -07:00
Ryan Lee
d3a49ff566 regression: add linkat_tmpfile test to task.yaml
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-07-24 08:45:16 -07:00
Ryan Lee
3e7ddc1ce5 regression: add test for making O_TMPFILE followed by linkat
The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass. Thus,
add a test to verify whether or not such a bypass occurs.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-07-24 08:45:16 -07:00
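Added example, not the regression test from the commit above: the two-step O_TMPFILE-then-linkat(2) flow that test exercises, written in Python for Linux. It assumes `/proc` is mounted and uses the `/proc/self/fd` route documented in open(2) rather than `AT_EMPTY_PATH`, which needs CAP_DAC_READ_SEARCH. It only demonstrates the mechanism: the inode has no path at `open()` time and only gains one at `linkat()`, which is why a path-based mediator has to look at the link target. Whether AppArmor mediates that target correctly is what the regression test checks, and this example does not answer it.

```python
import ctypes
import errno
import os
import tempfile
from typing import NamedTuple

# Constants from <fcntl.h> on Linux (assumed: this example is Linux-only).
AT_FDCWD = -100
AT_SYMLINK_FOLLOW = 0x400

_libc = ctypes.CDLL(None, use_errno=True)
_libc.linkat.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_int, ctypes.c_char_p, ctypes.c_int]
_libc.linkat.restype = ctypes.c_int


class TmpfileLinkResult(NamedTuple):
    supported: bool     # False when the directory's filesystem refused O_TMPFILE
    final_path: str     # name handed to linkat(), "" when unsupported
    nlink_before: int   # st_nlink while the inode was still anonymous (expect 0)
    nlink_after: int    # st_nlink once linkat() gave it a name (expect 1)
    content: bytes      # what a fresh open() of final_path reads back


def linkat_anonymous_fd(fd: int, dst: str) -> None:
    """Give an O_TMPFILE inode a name.

    linkat(fd, "", ..., AT_EMPTY_PATH) needs CAP_DAC_READ_SEARCH, so take the
    unprivileged route from open(2): link the /proc/self/fd/N magic symlink
    with AT_SYMLINK_FOLLOW. The kernel permits this for O_TMPFILE inodes opened
    without O_EXCL even though their link count is still zero.
    """
    src = f"/proc/self/fd/{fd}".encode()
    if _libc.linkat(AT_FDCWD, src, AT_FDCWD, os.fsencode(dst), AT_SYMLINK_FOLLOW) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), dst)


def create_anonymous_then_link(directory: str, final_name: str, data: bytes) -> TmpfileLinkResult:
    """Step 1: open(dir, O_TMPFILE|O_RDWR) yields a writable inode with no path.
    Step 2: write to it while it is unnamed. Step 3: linkat() makes it appear
    at final_path. Only step 3 involves the final pathname."""
    o_tmpfile = getattr(os, "O_TMPFILE", None)
    if o_tmpfile is None:  # not Linux, or a Python without the flag
        return TmpfileLinkResult(False, "", -1, -1, b"")
    try:
        fd = os.open(directory, o_tmpfile | os.O_RDWR, 0o600)
    except OSError as e:
        # EOPNOTSUPP: filesystem has no tmpfile support. EISDIR: kernel predates
        # O_TMPFILE and only saw the O_DIRECTORY bit it is built from.
        if e.errno in (errno.EOPNOTSUPP, errno.EISDIR, errno.EINVAL):
            return TmpfileLinkResult(False, "", -1, -1, b"")
        raise
    final_path = os.path.join(directory, final_name)
    try:
        os.write(fd, data)
        nlink_before = os.fstat(fd).st_nlink
        linkat_anonymous_fd(fd, final_path)
        nlink_after = os.fstat(fd).st_nlink
    finally:
        os.close(fd)
    with open(final_path, "rb") as f:
        content = f.read()
    return TmpfileLinkResult(True, final_path, nlink_before, nlink_after, content)


def run_demo() -> TmpfileLinkResult:
    """Run the flow in a fresh temporary directory (left behind for inspection)."""
    return create_anonymous_then_link(tempfile.mkdtemp(prefix="tmpfile-linkat-"), "linked.bin", b"payload")


if __name__ == "__main__":
    print(run_demo())
```

To watch this under a profile, run it confined with a rule for the directory but none for `linked.bin` and compare the audit log against the result: the `open()` is logged against the directory, and the `linkat()` is the only operation that ever carries the final name.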
Maxime Bélair
2448655188 logparser: add support for change_onexec logs
Add support for change_onexec logs by converting it to change_profile.
Fix associated test.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-24 13:32:13 +02:00
John Johansen
49cb0fe248 Merge profiles: fix regex for hex PCI BDFs
The current lsblk profile contains `@{sys}/devices/pci@{int}:@{int}/** r` (where `@{int}` expands to `[0-9]+`). PCI BDFs are in hex, so block device paths whose BDF contains [a-f] digits are skipped, causing them to be omitted from the output of lsblk.

Replacing `@{int}` with `@{hex}` (which expands to `[0-9a-fA-F]+`) ensures PCI block device paths with [a-f] hex digits are correctly matched and displayed in the output of `lsblk`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
2025-07-24 10:46:00 +00:00
John Johansen
ab46c224cb Merge Move annoying "skipping disabled profile" log to debug.
Those messages appear in various contexts and do not provide any useful feedback to the user, diverging from the UNIX philosophy of staying quiet when there's nothing of importance to say.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1738
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-24 10:44:49 +00:00
Keifer Snedeker
b6ad58bbbe profiles: make /sys/devices PCI paths hex-aware 2025-07-23 19:01:25 -04:00
John Johansen
520db7a16c Merge abstractions/X: allow reading /usr/share/xkeyboard-config-*/
/usr/share/X11/xkb/ was moved to /usr/share/xkeyboard-config-2/ in
xkeyboard-config 2.45, see
https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/blob/master/ChangeLog.md?ref_type=heads#breaking-changes-2

The old location was covered by the /usr/share/X11/** rule.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1246743

I propose this fix for 4.x and master. (Users of older AppArmor versions probably don't upgrade their xkeyboard package.)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1741
Approved-by: Alex <alexandre@pujol.io>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 11:13:06 +00:00
John Johansen
a966eac143 Merge lsblk: allow access to PCI buses with hex chars
Hi,

This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)

Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1729
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 11:12:10 +00:00
John Johansen
6841df4fe3 Merge utils: Fix priority checking for is_covered
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true

Fix the logic of is_covered and associated tests.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1739
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 09:48:35 +00:00
John Johansen
7fbbf791d3 Merge parser: fix coverity issues
Fix issues introduced in coverity's snapshot 89167 in !1711

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1740
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-23 09:45:12 +00:00
nl6720
f1773f4083 profiles: add QtWebEngineProcess path used by Arch Linux and other distros
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.

Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.

openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.

Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-23 09:31:02 +03:00
Christian Boltz
238221f379 abstractions/X: allow reading /usr/share/xkeyboard-config-*/
/usr/share/X11/xkb/ was moved to /usr/share/xkeyboard-config-2/ in
xkeyboard-config 2.45, see
https://gitlab.freedesktop.org/xkeyboard-config/xkeyboard-config/-/blob/master/ChangeLog.md?ref_type=heads#breaking-changes-2

The old location was covered by the /usr/share/X11/** rule.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1246743
2025-07-18 23:00:42 +02:00
Georgia Garcia
efb13aac0a parser: fix leaks from variable refactoring
Fix issues introduced in coverity's snapshot 89167
- CID 532796: (#4 of 4): Resource leak (RESOURCE_LEAK)

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-18 14:56:29 -03:00
Georgia Garcia
e4f3ef72ab parser: use const auto & to avoid copy
Fix issues introduced in coverity's snapshot 89167
- CID 532797: (#1 of 1): Use of auto that causes a copy (AUTO_CAUSES_COPY)

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-18 14:56:29 -03:00
Georgia Garcia
69c248a431 parser: initialize non-static variable
Fix issues introduced in coverity's snapshot 89167
- CID 532798: (#1 of 1): Uninitialized scalar field (UNINIT_CTOR)

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-07-18 14:15:38 -03:00
John Johansen
ad16a5c5c0 Merge parser: refactor variables and symbols table into their own class
While symtab for now has only static members, it will allow for a
change in the future for each profile to have their own symbols like
profile_name, etc.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1711
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-07-17 23:08:39 +00:00
Maxime Bélair
380dbb84b8 utils: Fix priority checking for is_covered
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true

Fix the logic of is_covered and associated tests.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-17 11:00:24 +02:00
Jérôme Poulin
000b56a323 Move annoying "skipping disabled profile" log to debug.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
2025-07-16 16:33:08 -04:00
Christian Boltz
630fd1c285 Merge utils: Improve rule priority support in is_covered/is_equal
- `is_covered` was not checking priorities when checking if a rule is
  covered. With this fix, a rule of lower priority can no longer cover a
  higher priority one.
- Fixes `is_equal(strict=False)` so that `priority=0` matches implicit
  priority (as it is defaulted to zero)
    
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1735
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-07-16 12:32:26 +00:00
Maxime Bélair
f78aa36547 Add tests for priority is_covered/is_equal fix
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-16 12:13:41 +00:00
Maxime Bélair
ab9d359405 utils: Improve rule priority support in is_covered/is_equal
- `is_covered` was not checking priorities when checking if a rule is
  covered. With this fix, a rule of lower priority can no longer cover a
  higher priority one.
- Fixes `is_equal(strict=False)` so that priority=0 matches implicit
  priority (as it is defaulted to zero)

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-07-16 12:13:41 +00:00
Christian Boltz
1c2f3582fe Merge Unify get_directory_contents(), and delete unused copy
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).

Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1720
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-07-15 21:49:48 +00:00
Christian Boltz
ccf74a7d0c Unify get_directory_contents(), and delete unused copy
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).

Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
2025-07-15 19:16:30 +00:00
Christian Boltz
1c9dc33949 Merge Split test classes
Create separate classes for tests not fitting under *TestParseInvalid

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1736
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-07-15 19:00:26 +00:00
Christian Boltz
9696d9e13f test-mount: move some tests to MountTestIsEqual
... and rename some other tests so that their name matches better what
they do.
2025-07-15 20:36:53 +02:00
Christian Boltz
a833528f36 Split test classes
Create separate classes for tests not fitting under *TestParseInvalid
2025-07-15 20:34:33 +02:00
Christian Boltz
b2bfde5af0 Merge Introduce AATest.parseInvalidRule()
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.

Also move tests not matching the rule regex into tests array (which now supports this case).

While at it, enable the tests for abi and include rules.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1728
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-07-15 18:31:00 +00:00
Christian Boltz
fc636c7ff3 Merge Profiles: dovecot add access for dovecot 2.4 doveconf paths
Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2025-07-15 18:15:56 +00:00