Georgia Garcia
a80e3dc432
Merge Fix spacing when printing out AF_UNIX addresses
...
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/978
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 608560ee43)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-02-01 19:51:42 -08:00
John Johansen
de739160c1
Merge Fix: Opening links with Brave
...
Resolves #292 .
This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.
Note that a separate denial, related to WidevineCDM, is now produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```
In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```
I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.
If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21 capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).
Closes #292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5fd8c25745)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-01-25 13:10:34 -08:00
John Johansen
698c3f313f
Merge libapparmor: add scanner support for dbus method
...
In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs.
So we are adding support to parse "method" the same way as "member" on D-Bus audit logs.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a96fa35bd5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-01-25 13:10:23 -08:00
John Johansen
ca6191d158
Merge Extend crypto and ssl_certs abstractions
...
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypto: allow reading /etc/gcrypt/hwf.deny
I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bb30df7843)
d15bfa99
Extend crypto and ssl_certs abstractions
2023-01-24 23:10:34 +00:00
Christian Boltz
d2905d907a
Merge Add pipewire client.conf to audio abstractions
...
Fixes: https://bugs.launchpad.net/bugs/2003702
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/970
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit dedb5d94cb)
b5a7641d
Add pipewire client.conf to audio abstractions
2023-01-23 20:35:26 +00:00
Christian Boltz
da9a4aa20a
Merge profiles: dnsmasq: add Waydroid pid file
...
Waydroid uses LXC and some lxc-net equivalent scripts. Allow that.
b910c89174/data/scripts/waydroid-net.sh
https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/969
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit d61ccafcb3)
977e45c1
profiles: dnsmasq: add Waydroid pid file
2023-01-22 18:11:51 +00:00
John Johansen
e7bf292343
Merge regression tests: fix bogon patch characters in Makefile
...
Commit 8cf3534a5 ("tests regression: fix failure on older versions of Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.
Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.
Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f0bc1a89a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-01-04 16:45:46 -08:00
John Johansen
099ad8186a
Merge aa-status: Fix malformed json output with unconfined processes
...
As reported in issue #295, the json output from aa-status would be invalid if
there were profiles defined for processes that were unconfined. Fix this by
ensuring the json for the processes array is closed properly.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit dfc9847f89)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-01-04 09:34:39 -08:00
Georgia Garcia
aa10832801
Merge log parsing fixes
...
small fixes on log parsing
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 4f2d2a8cab)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2022-12-16 16:58:06 -03:00
John Johansen
504df28245
Merge parser: Fix invalid reference to transitions when building the chfa
...
States are not guaranteed to have transitions, but when inserting
a state into the chfa table there is an unconditional dereference
to the state's first transition.
This will result in a bad reference and could result in an OOB
flag being set on the state when it shouldn't be.
Fixes: 16b67ddbd ("add ability to use out of band transitions")
Closes: https://gitlab.com/apparmor/apparmor/-/issues/290
Reported-by: Nobel Barakat <nobelbarakat@google.com>
Reported-by: Oleksandr Tymoshenko <ovt@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes #290
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956
Approved-by: Seth Arnold <seth.arnold@gmail.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a7bce9be98)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-12-09 23:04:43 -08:00
John Johansen
a072082626
Merge smbd: allow reading /var/lib/nscd/netgroup
...
(reported on the opensuse-factory mailinglist)
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba01d479e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-11-29 12:56:50 -08:00
Christian Boltz
6d3cb1b78d
Merge abstractions/nvidia: allow reading @{pid}/comm
...
On Debian Sid, NVIDIA driver spams log with:
```
type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED"
operation="open" profile="qtox" name="/proc/21222/comm" pid=21222
comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000FSUID="vincas" OUID="vincas"
```
```
type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED"
operation="open" profile="skypeforlinux" name="/proc/19851/comm"
pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```
Read is initiated within libnvidia-glcore.so:
```
Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
41 in ../sysdeps/unix/sysv/linux/open64.c
$27 = 0x7fb742adbb50 "/proc/self/comm"
0 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41
1 0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188
2 0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280
3 0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75
4 0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
5 0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
6 0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
7 0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03
8 0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
9 0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
10 0x000000000000001d in ?? ()
11 0x00005579518975f0 in ?? ()
12 0x0000000000000001 in ?? ()
13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0
14 0x00005579518975f0 in ?? ()
15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56
16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26
17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117
18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182
19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808
20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884
22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56
23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208
24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138
26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71
27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81
28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0
30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0
31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so
34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so
36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317
37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849
38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
40 0x0000557950f1d597 in main ()
```
Add read rule to allow reading @{pid}/comm.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/954
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 2597fd5db8)
948cbb56
abstractions/nvidia: allow reading @{pid}/comm
2022-11-27 13:07:09 +00:00
Christian Boltz
8ec5f81382
Merge lsb_release: allow cat and cut
...
lsb_release fails on Debian Sid:
```
$ sudo aa-exec -p lsb_release lsb_release
/usr/bin/lsb_release: 70: cut: Permission denied
/usr/bin/lsb_release: 70: cut: Permission denied
```
```
$ sudo aa-exec -p lsb_release lsb_release -h
/usr/bin/lsb_release: 11: cat: Permission denied
```
```
type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```
```
type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED"
operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847
comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0
ouid=0FSUID="root" OUID="root"
```
Update profile to allow lsb_release script to invoke required
executables.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/953
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 495f68c797)
f596a176
lsb_release: allow cat and cut
2022-11-27 13:00:32 +00:00
John Johansen
1312cf4768
libapparmor: fix expect library version to bump in 3.0.8 release
...
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-11-21 17:09:28 -08:00
John Johansen
474a12ebe8
Prepare for AppArmor 3.0.8 release
...
- update version file
- update library version
Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.0.8
2022-11-21 16:54:32 -08:00
Christian Ehrhardt
8b8fe03f1e
Allow access to possible cpus for glibc-2.36
...
Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when using sysconf
for _SC_NPROCESSORS_CONF.
That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.
```
apparmor="DENIED" operation="open" class="file" ...
name="/sys/devices/system/cpu/possible" ...
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.
Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-11-14 21:47:41 -08:00
John Johansen
57994dfcda
Merge Adds WSL programmatic management of /etc/resolv.conf.
...
When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8fa77e9e6c)
5232eaa2
Adds /mnt/wsl/resolv.conf to nameservices.
2022-11-08 18:14:08 +00:00
John Johansen
18cf5bffde
Merge Allow reading /sys/devices/system/cpu/possible
...
... in the dnsmasq//libvirt_leaseshelper profile
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849
I propose this patch for 3.0, 3.1 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 37f0f77425)
ace8e044
Allow reading /sys/devices/system/cpu/possible
2022-11-08 18:11:37 +00:00
John Johansen
d71b9ade1a
Merge [3.0] Use open instead of codecs.open to fix line breaks
...
`codecs.open()` splits lines at unexpected characters like 0x1d.
Switch `open_file_*()` to use `open()` which does not have this problem.
(Note: 3.1 and master already use `open()`.)
This fixes the test failure introduced in the 3.0 branch in commit ea681c4638 which contains an example log with a 0x1d character.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/945
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2022-11-06 15:33:07 +00:00
Christian Boltz
e6ed0b6c42
Use open instead of codecs.open to fix line breaks
...
`codecs.open()` splits lines at unexpected characters like 0x1d.
Switch `open_file_*()` to use `open()` which does not have this problem.
(Note: 3.1 and master already use `open()`.)
This fixes the test failure introduced in the 3.0 branch in commit ea681c4638 which contains an example log with a 0x1d character.
2022-11-04 20:23:43 +01:00
John Johansen
e92a8c8f1b
Merge Hardcode and check the expected libapparmor.so name/number
...
... to prevent wrong/unexpected numbering (like https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases.
I propose this patch for master and 3.1.
Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(backported from commit bed1471144)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-29 03:13:35 -07:00
John Johansen
ea681c4638
Merge libapparmor: allow parsing of logs with 0x1d + uppercase items
...
audit.log lines on Arch have an additional FSUID="username" OUID="username",
separated from the previous part of the log line with 0x1d.
Extend the log parsing to accept 0x1d as whitespace, and to recognize
(and ignore) FSUID and OUID.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271
Also add one of the log lines from #271 as test_multi test case.
I propose this patch for 3.0..master.
Closes #271
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 0d61139e2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-29 03:07:27 -07:00
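Added example, not code from the AppArmor project (libapparmor does this in its flex scanner, in C): a minimal Python stand-in for the log tokenizer that applies the three parsing changes described in the commits above. It treats 0x1d as whitespace and recognizes but ignores the uppercase `FSUID`/`OUID` fields (the "allow parsing of logs with 0x1d + uppercase items" merge), and it accepts the dbus-broker `method=` key as libapparmor's `member` field (the "add scanner support for dbus method" merge). It then reads the same sample file with `open()` and with `codecs.open()` to show the extra line split at 0x1d that the "Use open instead of codecs.open" fix removes. The sample log lines are constructed for this example; the D-Bus line's `bus`, `path`, `interface` and `peer` values are assumptions, as is the `demo()` helper.

```python
import codecs
import os
import re
import tempfile

# Constructed sample log (not from a real system), modelled on the audit lines
# quoted in these commit messages. Line 1 is an Arch-style line with FSUID/OUID
# appended after a 0x1d group separator. Line 2 is a D-Bus denial spelled the
# dbus-broker way, with "method=" where libapparmor expects "member="; its
# other field values are assumptions for illustration only.
SAMPLE_LOG = (
    'type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED" operation="exec" '
    'profile="lsb_release" name="/usr/bin/cut" pid=17419 comm="lsb_release" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0\x1dFSUID="root" OUID="root"\n'
    'type=USER_AVC msg=audit(1669540300.000:2700): apparmor="DENIED" '
    'operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" '
    'interface="org.freedesktop.login1.Manager" method="Inhibit" '
    'profile="lsb_release" peer="unconfined"\n'
)

# key=value tokens. 0x1d is listed next to space and tab as a separator, so a
# value never runs across it; quoted values may contain spaces.
TOKEN = re.compile(r'(\w+)=("[^"]*"|[^ \t\x1d]+)')
IGNORED_KEYS = {'FSUID', 'OUID'}   # recognised, then dropped
ALIASES = {'method': 'member'}     # dbus-broker spelling -> libapparmor field


def parse_line(line):
    """Parse one audit line into a dict of fields. Simplified stand-in for
    libapparmor's scanner, written for this example only."""
    fields = {}
    for key, value in TOKEN.findall(line):
        if key in IGNORED_KEYS:
            continue
        fields[ALIASES.get(key, key)] = value.strip('"')
    return fields


def parse_with_open(path):
    """open() splits records only at newlines: one record per log line."""
    with open(path, 'r', encoding='utf-8') as f:
        return [parse_line(line) for line in f]


def parse_with_codecs(path):
    """codecs.open() also splits at 0x1d (str.splitlines semantics), so the
    first log line yields two fragments and an extra, empty record."""
    with codecs.open(path, 'r', encoding='utf-8') as f:
        return [parse_line(line) for line in f]


def demo():
    """Write SAMPLE_LOG to a temporary file and parse it both ways.
    Returns (records_via_open, records_via_codecs)."""
    fd, path = tempfile.mkstemp(suffix='.log')
    with os.fdopen(fd, 'w', encoding='utf-8', newline='') as f:
        f.write(SAMPLE_LOG)
    try:
        return parse_with_open(path), parse_with_codecs(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    via_open, via_codecs = demo()
    print('open():       ', len(via_open), 'records', [r.get('type') for r in via_open])
    print('codecs.open():', len(via_codecs), 'records', [r.get('type') for r in via_codecs])
    print('D-Bus member field:', via_open[1]['member'])
```

With `open()` the two log lines become two records and the uppercase FSUID/OUID pair is dropped without disturbing the lowercase `fsuid`/`ouid` values before the separator; with `codecs.open()` the first line is cut at 0x1d and the tail `FSUID="root" OUID="root"` shows up as a third, empty record, which is the kind of mismatch the 3.0 test suite tripped over.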
John Johansen
010b0bd081
Merge syslog-ng: allow reading *.journal in flatter directory structure
...
On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in
/var/log/journal/*.journal - without an additional subdirectory level.
I propose this patch for 2.13..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2022-10-28 05:57:26 -07:00
Christian Boltz
6a0f7e813c
Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/
...
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572
I propose this fix for 3.0..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit fab4b4e762)
6920daea
samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/
2022-10-27 22:34:25 +00:00
Christian Boltz
d9ea198fe4
Merge abstractions/kde: update for kwinrc, kdedefaults/* files
...
GUI applications such as KDE dragon player, qTox, LibreOffice try to
access .config/kwinrc, .config/kdedefaults/kwinrc and
.config/kdedefaults/kdeglobals.
Update abstractions/kde to fix denials for applications running under
KDE.
Some examples:
```
type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```
```
type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```
```
type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas"
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 18d1b06b0c)
d9dc0b61
abstractions/kde: update for kwinrc, kdedefaults/* files
2022-10-22 19:28:51 +00:00
Christian Boltz
7ebb259610
Merge [2.13+3.0] Use string startswith() and endswith() methods
...
... instead of slicing to check for prefixes and suffixes.
This change prevents a crash in aa-mergeprof - if `replacement` is empty,
trying to access `replacement[0]` causes an IndexError.
Using `.startswith()` works without crashing.
This backports parts of the severity.py changes in commit 091c6ad59d by Mark Grassi.
I propose this fix for 2.13 and 3.0. (3.1 and master already have this fix.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/931
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2022-10-11 16:18:27 +00:00
Christian Boltz
e1714b9631
Use string startswith() and endswith() methods
...
... instead of slicing to check for prefixes and suffixes.
This change prevents a crash in aa-mergeprof - if `replacement` is empty,
trying to access `replacement[0]` causes an IndexError.
Using `.startswith()` works without crashing.
This backports parts of the severity.py changes in commit 091c6ad59d by Mark Grassi.
2022-10-09 20:46:35 +02:00
Christian Boltz
e8c7f0f84f
Merge parser: fix DISTRO variable in Makefile
...
A single '$()' results in variable expansion, which makes
"$(rpm --eval ..)" always an empty string.
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 05d7bdd655)
1df547ee
parser: fix DISTRO variable in Makefile
2022-10-07 19:54:21 +00:00
John Johansen
505a3fbc59
Merge profiles/apparmor.d: Update samba profile
...
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit e1cc90f3a2)
96aff5a5
profiles/apparmor.d: Update samba profile
2022-10-01 10:20:44 +00:00
Christian Boltz
b4c7e18f55
Merge profiles: permit php-fpm pid files directly under run/
...
The upstream php-fpm.conf file carries the following pid file example
path:
```
[global]
; Pid file
; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
; Default Value: none
;pid = run/php-fpm.pid
```
Add this path to profiles/apparmor.d/php-fpm, alongside the current
nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: David Disseldorp <ddiss@suse.de>
Closes #267
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit d024100efe)
d8533ec8
profiles: permit php-fpm pid files directly under run/
2022-08-26 10:36:24 +00:00
John Johansen
66118dc3e0
Merge dnsmasq: Add missing r permissions for libvirt_leaseshelper
...
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f51049ea2e)
c9c5208f
dnsmasq: Add missing r permissions for libvirt_leaseshelper
2022-08-22 21:45:07 +00:00
Christian Boltz
79044b98e4
Merge dnsmasq: allow paths for podman dnsname plugin in rootless mode
...
In rootless mode, the files that need to be accessed are under /run/user/, so those need to be defined separately.
Similar change to https://gitlab.com/apparmor/apparmor/-/merge_requests/800, but adds permissions for rootless mode.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/909
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 406b6398af)
86069dd9
dnsmasq: allow paths for podman dnsname plugin in rootless mode
2022-08-22 11:57:35 +00:00
Christian Boltz
ae1c30e337
Merge Set (instead of compare) exresult
...
Interestingly this accidentally worked because `if exresult` is true for
both a non-empty string ("PASS") as well as a real `True` value.
Found by Mark Grassi as part of
https://gitlab.com/apparmor/apparmor/-/merge_requests/906
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/907
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c06ea77445)
5a2fb856
Set (instead of compare) exresult
2022-08-16 19:26:43 +00:00
John Johansen
0ead606d9e
Prepare for AppArmor 3.0.7 release
...
- update version file
Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.0.7
2022-08-09 01:56:58 -07:00
Georgia Garcia
20c28f25ce
Merge Fix setuptools version detection in buildpath.py
...
libraries/libapparmor/swig/python/test/buildpath.py:
The changes introduced in cc7f549665 targeted a wrong setuptools version (61.2).
The change in build directory naming has been introduced with 62.0.
Fixes #259
Fixes #39
Closes #39 and #259
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/904
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit a555ccd9f4)
fda39098
Fix setuptools version detection in buildpath.py
1ff0c2c7
Use basepath.py in profiles Makefile
2022-08-03 17:22:25 +00:00
John Johansen
702c282325
Prepare for AppArmor 3.0.6 release
...
- update version file
Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.0.6
2022-08-01 01:22:42 -07:00
John Johansen
822db765c6
Merge abstraction/exo-open: Remove dbus deny rule
...
Abstractions should not generally include deny rules as this can unduly
constrain profiles which include them due to the precedence rules
between deny and allow rules. Also as per the comment, this is not required
for exo-open to work, so simply omit it from the abstraction for
now. Finally, in Ubuntu, the evince profile includes the exo-open
abstraction and this deny rule causes evince to fail to initialise
correctly as it then assumes it cannot use gvfs.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/884
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit d7e3f33aa8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-26 23:23:49 -07:00
Georgia Garcia
e34149546d
parser: fix LTO build
...
The previous fix for LTO builds in b6d3daa7 did not take into
consideration that LTO support could be added through CFLAGS, in which
case the fix would not be applied.
This patch applies the fix -flto-partition=none even if CFLAGS is
already defined.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes #214
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/901
Acked-by: John Johansen <john@jjmx.net>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 0afc2cbb84)
2022-07-25 17:36:05 -03:00
Christian Boltz
8668d4a456
Merge dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic
...
I've seen this test fail because "apparmor_parser -N" returned the expected
lines, but in a different order than what's expected (dirtest.out).
To fix this, sort both the expected and actual output.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/900
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 1f3a817c11)
c0815d0e
dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic
2022-07-25 20:09:30 +00:00
John Johansen
704c82c574
Prepare for AppArmor 3.0.5 release
...
- update version file
- bump library version
Signed-off-by: John Johansen <john.johansen@canonical.com>
v3.0.5
2022-07-25 00:22:07 -07:00
Christian Boltz
bcda237953
Merge [3.0] Support setuptools >= 61.2 in Python tests
...
Fix for #253, by mirroring the change from 1c23f5e1e4
This is the 3.0 version of https://gitlab.com/apparmor/apparmor/-/merge_requests/897, with the difference that the 3.0 branch already has `python3-setuptools` in `.gitlab-ci.yml` and therefore doesn't need the commit that updates `.gitlab-ci.yml`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/899
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2022-07-20 16:52:24 +00:00
Ben Greiner
8485770cdf
reviewed edits
...
(cherry picked from commit d442584a0a)
2022-07-19 22:33:52 +02:00
Ben Greiner
cc7f549665
use new build_platlib path with setuptools >= 61.2
...
(cherry picked from commit 47d68dac0f)
2022-07-19 22:32:32 +02:00
Guillem Jover
d6441c9da8
profiles: merge Update syslogd for inetutils-syslogd
...
The inetutils syslogd implementation integrates the kmsg support in the
main server, has support for syslog.d configuration fragment files,
and uses a slightly different pid filename.
Signed-off-by: Guillem Jover <guillem@hadrons.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/888
Approved-by: Steve Beattie <gitlab@nxnw.org>
Merged-by: Steve Beattie <gitlab@nxnw.org>
(cherry picked from commit 0859b42ba2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2022-07-07 22:29:57 -07:00
Christian Boltz
18813234b9
Merge [3.0] Fix inconsistent return length in _run_tests()
...
This is a manual backport of 728dbde5e4 / https://gitlab.com/apparmor/apparmor/-/merge_requests/890 by Mark Grassi
For the record: the inconsistent return length was introduced when
splitting run_tests() into two functions in 500cbf89a7
2.13 and older don't have the split run_tests() and therefore don't need this patch.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/891
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2022-06-29 13:27:10 +00:00
Christian Boltz
b9aaa632fb
Fix inconsistent return length in _run_tests()
...
This is a manual backport of 728dbde5e4 by Mark Grassi
For the record: the inconsistent return length was introduced when
splitting run_tests() into two functions in 500cbf89a7
2022-06-28 21:06:12 +02:00
Christian Boltz
8cf3ec75fc
Merge samba profiles: support paths used by Arch Linux
...
On Arch Linux `rpcd_classic`, `rpcd_epmapper`, `rpcd_fsrvp`, `rpcd_lsad`, `rpcd_mdssvc`, `rpcd_rpcecho`, `rpcd_spoolss`, `rpcd_winreg`, `samba-bgqd`, `samba-dcerpcd` and `smbspool_krb5_wrapper` are in `/usr/lib/samba/samba/`.
See https://archlinux.org/packages/extra/x86_64/samba/files/ and https://bugs.archlinux.org/task/74614.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/883
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 48fc233d05)
deadcc0d
samba profiles: support paths used by Arch Linux
2022-06-06 10:54:08 +00:00
John Johansen
d4e465a0bb
parser: fix min length calculation for inverse character sets
...
The inverse character set lists the characters it doesn't match. If
the inverse character set contains an oob then that is NOT considered
a match. So the length should be one.
However, because of how oobs are handled, not containing an oob doesn't mean
there is a match either. Currently the only way to match an oob is
via a positive expression (no inverse matches are possible).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/872
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-23 15:43:30 -07:00
John Johansen
8890dbcedc
Merge Update for the mesa abstraction
...
I noticed that some apps return the following errors when launched:
```
kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Blocking the files results in the following errors when the app is executed in a terminal:
```
MESA: error: Failed to query drm device.
libGL error: failed to create dri screen
libGL error: failed to load driver: crocus
MESA: error: Failed to query drm device.
libGL error: failed to create dri screen
libGL error: failed to load driver: crocus
```
Since they have something to do with MESA, I think the mesa abstraction should
be updated to fix the issue.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/879
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-23 15:36:49 -07:00
John Johansen
0e7d009164
Merge Add missing permissions for dovecot-{imap,lmtp,pop3}
...
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535
I propose this patch for 3.0 and master. (2.13 and older have more different dovecot profiles which might make backporting a bit harder.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/881
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-23 15:34:23 -07:00