Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit ba3dc9fc85a246126d3f9f0711fe41d7d4470248)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 42b43d58d0d37b1d587a596330ff83b1db8873bb)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 301857ef5d1213f24323718d55c8a708b807f579)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 303deea3a816e88bdbf5661cce46cc79ea2ab8cb)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 894c6cd6d2340415c23083db65eeaeafbc561cc2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit eb38db595330be59120b7c874c7c86fedfd4e277)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5cc8718965a2ed59bc36c522e56c2ef7f6bbd4f6)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1a5bca947516055543144870f1476b0)
This is a partial backport of bc36daa264b0f0067deeb1de893a27b25bc5e4e4
(without the abstractions/nameservice removal in
usr.lib.dovecot.pop3-login)
Original commmit message:
dovecot: align {pop3,managesieve}-login to imap-login
Those 3 login daemons should have similiar needs and thus similar
profiles. IMAP is likely the most tested one so let's align the
other 2 with it. Unix and TCP sockets rules were added to pop3-login
after the removal of abstractions/nameservice that included them
implicitly.
Signed-off-by: Simon Deziel <simon@sdeziel.info>
[2.12+2.13] make abstractions/postfix-common compatible with latest postfix profiles
See merge request apparmor/apparmor!387
Seth Arnold <seth.arnold@canonical.com>
Even if we don't backport the latest postfix profiles (in extras) to
2.12 and 2.13, making the abstraction compatible with them (by adding
peer=postfix-master rules in addition to the path-based ones) makes
things much easier for people who want to use the latest profiles.
When building with swig 4 we are seeing the error
AttributeError: 'aa_log_record' object has no attribute '__getattr__'
Which forces swig to use modern classes which do not generate __getattr__
methods.
issue: https://gitlab.com/apparmor/apparmor/issues/33
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a6ac6f4cfcc3d4fe1064087389004c3cc8b41207)
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da2bcab0d4898e2140c736121c528737)
[2.11..2.13] handle_children: Fix denying of adding a hat
See merge request apparmor/apparmor!378
Acked-by: John Johansen <john.johansen@canonical.com>
Choosing "Deny" when handle_children() asks about adding a hat should
not add that hat, but it should _not_ leave the function because that
means all the other log events that were not migrated to prelog yet will
be lost.
Change "return" to "continue" to fix this.
Drop 'to' option for link rules from manpage
See merge request apparmor/apparmor!368
Acked-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit 041cd95a98e798e3567c63c3c7eb74d81fc5c64e)
115a1d89 Drop 'to' option for link rules from manpage
Add several libapparmor/swig/ruby files to gitignore
See merge request apparmor/apparmor!366
(cherry picked from commit 9c11ce37c61b442161c5b13dd28d7939bc1327fa)
7ed1a16a Add several libapparmor/swig/ruby files to gitignore
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists
See merge request apparmor/apparmor!365
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit cece7871829ed85a3ed3783be3ac009ad0cfe205)
455c4413 aa.py: Ensure there is always a fallback falue for the logfile location
3c7e1668 aa.py: Indicate permission error if log file is found but cannot be opened
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
(cherry picked from commit 0170e98f9c7342a614bbda5ce9e64a1444f47413)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Signed-off-by: John Johansen <john.johansen@canonical.com>
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without this changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
(cherry picked from commit 5cbb7df95ef241725b327bccfb5aa21f8be14695)
Signed-off-by: John Johansen <john.johansen@canonical.com>
update network keyword list in utils and add test
See merge request apparmor/apparmor!350
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit dc010bc0340fe8b7159db5c3c2e01f7e27749ea8)
49849ed7 update network keyword list in utils and add test
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf636308eeb05185bb4ccdc1731a96980)
6b276563 apparmor.d manpage: update list of network domain keywords
The calling function and the merge() macro both make use of a variable
named "i" but this causes problems when merging. The aa_policy_cache.sh
test script experiences "bad file descriptor" failures due to the merged
list containing invalid fd values (-1).
Fix this by renaming merge()'s index variables from i and j to y and z
to hopefully prevent future overlap. The better fix here would be to
convert merge() to a function but that's a more intrusive change and I
don't have an easy way to test the overlay feature.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit d7ac07afc48bdc61892e4227949ee8e24c95ff1e)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
qsort()'s _size_ parameter is used to indicate the size of the elements
in the _base_ array parameter. Adjust the third argument to qsort() to
indicate that we're dealing with an array of struct dirent pointers
rather than an array of struct dirent.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit 8b218718204062efa2dd093d95d2b05e0d722f92)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adjust aa_policy_cache.sh to handle the additional layer in the
directory hierarchy when determining where the policy cache binaries are
stored. This is needed due to the multicache changes that allow multiple
policy caches to exist on a single system.
Differentiate between the cache location (the top level directory
containing all caches) and the cache directory (the directory used to
store the cached policies).
Use the libapparmor wrapper to get the cache directory for the given
cache location and the features of the currently running kernel.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit f31457b26e3f7a0433ce32c8f25bf270ab587f1c)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Print the policy cache directory path for the features of the currently
running kernel to stdout so that the aa_policy_cache.sh regression test
script can make use of it when writing out binary policy files.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit ad81ea0e671f3d4af1d6e44da6d41db3af3c1985)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbdd3fe311027ae2ceb9f441a30a6075a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Using /usr/{bin,sbin}/dbsmasq as both the profile name and attachment break compatibility with the peer=/usr/sbin/dnsmasq rule, in the libvirtd profile.
Instead specify the profile has the old name of /usr/sbin/dnsmasq and specify the attachment separately. This looks funny but it avoids breaking libvirtd and still provides the broader attachment need by distros that have merged sbin into bin.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
I propose this patch for 2.12 and 2.13. (Older versions didn't get the alternation, master has a profile name added.)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/346
Signed-off-by: John Johansen <john.johansen@canonical.com>
Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
the libvirtd profile, practise shows that we were wrong.
This patch adds a tricky workaround so that the profile name doesn't
change, but the profile will attach even on distributions with merged
bin and sbin. (Credits for this crazy idea go to John ;-)
It also re-adds the libvirtd peer name /usr/sbin/libvirtd to avoid
breaking libvirtd.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
and the discussion in https://gitlab.com/apparmor/apparmor/merge_requests/346
tunables/share: fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable
See merge request apparmor/apparmor!344
(cherry picked from commit 2ed3763a2f5f59605f75536b413b281ca7cf7297)
cdeb6185 tunables/share: fix buggy syntax that broke the ~/.local/share part of the...
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27962039c5bc2a380936c7316575701f)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b189cf9e2c4d8bce8fb45c68bf4cc327 not backported
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988adf63c85b2091880c64a5e6ca3c20ca)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)
(cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
Bug-Debian: https://bugs.debian.org/920669
Relevant documentation: http://www.alsa-project.org/main/index.php/Asoundrc
We already grant read access to the corresponding per-user configuration file
(~/.asoundrc) so it makes sense to also grant access to the system-wide one.
(cherry picked from commit 2d72795f6585ad67bc85e01e1dfc8c1bc2eac56a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b0bacba9dbe903803ff1a7df05789ac254043490)
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
(cherry picked from commit 03ea5b82b783cd459978bb4c5a6076286c2ce4fa)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource,, but I'm not sure
why I had to add this and therefore didn't include it in this merge
request.
Speaking about "why I had added $whatever" - these changes were
collected over the last years and of course ;-) I don't remember any
details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
(cherry picked from commit 0199edf8e735d3d67488a2b6ea52493b7c379699)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
