The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:
feature_file contains (shortened for example purposes):
```
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
```
if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.
Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1608
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
--configdir is meant for testing and should override all other configs,
instead of being combined with them. Config combination causes aa-notify
test failures if e.g. the user-local config sets filtering options.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Both the unconfined profile and unprivileged_userns are part of the
default notify.conf, so the default fallback when no configurations are
present should also match this default.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:
feature_file contains (shortened for example purposes):
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.
Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The original location of the error count checks in the middle of the priority function helper was completely nonsensical. We can instead do this check just once after running all the tests.
In addition, some tests in the priority helper don't use the priority variables at all, and are moved out of the helper to avoid repeating the exact same sequence of tests 16 times.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1604
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The original location in the middle of the priority function helper was
completely nonsensical. We can instead do this check just once after
running all the tests.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Fixes: https://bugs.launchpad.net/maas/+bug/2092232
In the lsblk profile, the rule responsible for allowing to read disks
over network was not generic enough to handle some cases, such as IBM
Power. The new rule, `@{sys}/devices/**/host@{int}/** r`, should support
all cases.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
If the following scenario was present in a profile, cleanprof
would fail with a RecursionError exception (maximum recursion
depth exceeded)
/parent { }
/parent///child { }
This occured because in aa.py, in the write_piece function, the
wrong depth was being passed, along with a wrong hat. The
formatting of the spaces was also incorrect.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1605
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
If the following scenario was present in a profile, cleanprof
would fail with a RecursionError exception (maximum recursion
depth exceeded)
/parent { }
/parent///child { }
This occured because in aa.py, in the write_piece function, the
wrong depth was being passed, along with a wrong hat. The
formatting of the spaces was also incorrect.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Profiles that are defined like below did not have the parent attribute
set in profile storage:
/parent///child {}
The condition on which child profiles were written was also changed so
they are not removed from the profile if /parent does not exist.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1602
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
We are seeing some test failures caused by the fact that a fixed kernel,
while available, is not installed the CI image. Since cloud-init does
not itself offer a way to express precise dependency on a package
version we may use a crude replacement of upgrading all the packages at
image construction time.
The next time this happens all we need is to touch the .image-garden.mk
file, so that it is more recent than the image kept in CI cache for the
re-generation to occur.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1595
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
We are seeing some test failures caused by the fact that a fixed kernel,
while available, is not installed the CI image. Since cloud-init does
not itself offer a way to express precise dependency on a package
version we may use a crude replacement of upgrading all the packages at
image construction time.
The next time this happens all we need is to touch the .image-garden.mk
file, so that it is more recent than the image kept in CI cache for the
re-generation to occur.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The header was being generated incorrectly in 2 cases:
When the profile/hat contained the parent profile in its name, as in
profile firefox//dash {
hat ^firefox//dash {
and in the unit tests, the child profile or hat was being named as the
parent profile. This was not caught by the general case because the
code has not yet been fully adapted to handle multiple nested child
profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The test is added as XFAIL for all images because the kernel patches
required for them to pass have not yet been upstreamed into any published
kernel.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Disconnected paths on lookups have caused actual permission denials, even
when the loaded profile is in complain mode. This is a test that causes
disconnections using mounts (both old and new API) and then verifies that
a complain mode profile doesn't prevent operations with disconnected fds.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This involves replacing `command -v` with `which` (again), since the `command` shell builtin isn't recognized by older versions of Make, as well as skipping tests that require the `linux/mount.h` header on older systems that lack it.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1578
Approved-by: Zygmunt Krynicki <me@zygoon.pl>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.
Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
The command shell builtin is not recognized by older versions of make, so
switch back to using the which binary instead.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
linux/mount.h is only used in the move_mount test, which exercises the
move_mount syscall that was introduced sometime in 2018 or later. Older
systems without the header also lack the syscall, so we can just skip the
test in those cases.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
