Fixes bug #2103524
lsblk on some virtualized systems requires access to directory
/sys/devices/LNXSYSTM:*/LNXSYBUS:*/** since block devices can be exposed
in this directory.
Making a previously non-const pointer arg const is not an ABI break, and
having const expresses the intent of the interface better
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
For executables dynamically linked to libnuma, the runtime linker
invokes libnuma functions (num_init) that try to access
/sys/devices/system/node/ and if the application's apparmor
profile does not allow this access, this access will be denied
by apparmor with the following error message:
apparmor="DENIED" operation="open" class="file"
name="/sys/devices/system/node/" comm="qemu-bridge-hel"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Here is the simplified call trace:
0 ... in ?? () from /lib/x86_64-linux-gnu/libnuma.so.1
1 ... in call_init (...) at ./elf/dl-init.c:74
2 ... in call_init (...) at ./elf/dl-init.c:120
3 _dl_init (...) at ./elf/dl-init.c:121
4 ... in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
This commit adds an abstract profile that applications that are
linked to libnuma can include in their apparmor profile.
MR: mailing list patch
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
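As an added illustration (not part of the commit or of AppArmor's own tooling), the denial quoted above can be parsed into its key=value fields and turned into a candidate file rule for review. The function names are hypothetical, the sample lines are constructed from the message above, and the mask handling (hex-encoded names, `c`/`d` treated as `w`) is an assumption about audit record conventions.

```python
import re

# Constructed sample: the denial from the commit message, joined onto one line.
SAMPLE = ('apparmor="DENIED" operation="open" class="file" '
          'name="/sys/devices/system/node/" comm="qemu-bridge-hel" '
          'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
# Constructed sample: a name containing a space, logged hex-encoded and unquoted.
SAMPLE_HEX = ('apparmor="DENIED" operation="mknod" class="file" '
              'name=2F746D702F612062 comm="demo" '
              'requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000')

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
STRING_KEYS = ('name', 'comm', 'profile')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in STRING_KEYS and HEX.fullmatch(bare):
            # Assumption: unquoted string fields are hex-encoded by the audit layer.
            fields[key] = bytes.fromhex(bare).decode('utf-8', 'replace')
        else:
            fields[key] = bare
    return fields


def candidate_rule(fields):
    """Build a file rule covering the denied access, or None if not applicable."""
    if fields.get('apparmor') != 'DENIED' or fields.get('class') != 'file':
        return None
    # Assumption: create (c) and delete (d) in the log mask map to write (w).
    mask = fields.get('denied_mask', '').replace('c', 'w').replace('d', 'w')
    if 'x' in mask or 'name' not in fields:
        return None  # exec denials need a manual transition-mode decision
    perms = ''.join(p for p in 'rwaklm' if p in mask)
    if 'w' in perms:
        perms = perms.replace('a', '')  # w already implies append
    if not perms:
        return None
    path = fields['name']
    if re.search(r'\s', path):
        path = '"%s"' % path  # quote paths containing whitespace
    return '%s %s,' % (path, perms)
```
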
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
* Make glob_pattern more readable
- replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
- split to multiline string
* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.
* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving/adding the closing ')))' into each of them.
* Allow empty source and any word only in mount source
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1579
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... by removing/moving the ')' after the empty source.
Also prepare source_fileglob_pattern and dest_fileglob_pattern to be
customizable by moving/adding the closing ')))' into each of them.
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitly handle empty mount source (known from
1f33fc9b29)
As usual, some tests can't hurt ;-)
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to `[\w-]+`.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The aa-exec man page makes reference to aa-stack(8) and aa-namespace(8)
manpages that don't exist. For now just remove those references and
add a short blurb on using aa-exec with stacking and namespaces.
Proper full manpages for stacking and namespaces need to be added
but that is beyond the scope of this fix.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/496
Signed-off-by: John Johansen <john.johansen@canonical.com>
* passwd -e LOGIN was failing
* Allow execution of /usr/sbin/nscd
See: bee77ffc29/lib/nscd.c (L23-L27)
* Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter
files (see https://www.openwall.com/passwdqc/)
* Allow setuid & fsetid capabilities
* Allow locking with /etc/shadow.PID & /etc/shadow.lock
* Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for
One of the possible matches in glob_pattern was `\w+` which matched for
example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore
change `\w+` to `[\w-]+`.
While on it, add two more tests - one for `none` with some options, and
one with `revokefs-fuse`.
The utils should be able to skip profiles that they can't parse now,
so this test suite bypass mechanism should no longer be necessary.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Since all the tools that load profiles go through the same module, this should
be sufficient as a first pass.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This will allow the other tools to continue working on other profiles, even
if some of them use syntax that the utils currently can't handle.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles to use that mechanism in the other tests that need it.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Instead of relying on neverssl.com, spin up a local http server and test
tinyproxy against that to ensure the test can run even if the wider internet is
not accessible.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similarly to apparmor/apparmor!403, we don't really need to pass these flags
here, but if we don't, blhc raises a false positive, and I don't want to get
used to ignoring blhc failures on Debian's GitLab CI.