mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-27 20:47:16 +00:00

4838 Commits

Author SHA1 Message Date
Christian Boltz
b174705a31 abstractions/X: Allow (only) reading X compose cache
... (/var/cache/libx11/compose/*), and deny any write attempts

Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685
(cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-11-17 02:07:11 -08:00
John Johansen
56cc87aace Merge [2.13] Check hotkey conflicts case-insensitive
This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the German utils translations.

(cherry picked from commit 07bd11390ea16df17db7f7e6bd2c9678345d3ac5)

Also fix hotkey conflict in utils id.po and sv.po (cherry picked from commit 7cf54f2cd83938cd3b51d588864eb8cc890d63f6)

Note that 7cf54f2cd83938cd3b51d588864eb8cc890d63f6 also included fixes for de.po which are not needed in the 2.13 branch.

This is the 2.13 variant of MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/675.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/678
Acked-by: John Johansen <john.johansen@canonical.com>
2020-11-03 09:43:39 +00:00
Christian Boltz
ca0d9f758b
Fix hotkey conflict in utils id.po and sv.po
(cherry picked from commit 7cf54f2cd83938cd3b51d588864eb8cc890d63f6)

Note that 7cf54f2cd83938cd3b51d588864eb8cc890d63f6 also included fixes
for de.po which are not needed in the 2.13 branch.
2020-11-01 22:58:19 +01:00
Christian Boltz
a606a59d96
Check hotkey conflicts case-insensitive
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the German utils translations.

(cherry picked from commit 07bd11390ea16df17db7f7e6bd2c9678345d3ac5)
2020-11-01 22:39:49 +01:00
John Johansen
6a8a5de637 Merge dovecot: backport usr.lib.dovecot.script-login to 2.13
Backport profile to fix denials in Debian Buster+Bullseye.

Add hashes for #include's, remove abi specification.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/672
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
2020-10-27 20:56:09 +00:00
Vincas Dargis
1bcf85737b dovecot: backport usr.lib.dovecot.script-login to 2.13
Backport profile to fix denials in Debian Buster+Bullseye.

Add hashes for #include's, remove abi specification.
2020-10-27 21:14:37 +02:00
Vincas Dargis
ea55ef22e7 dovecot: allow reading dh.pem
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```

This results in fatal error:

```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```

Add rule to allow reading dh.pem.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe3f54681bb8ba5d47b6fc43e4f4a034)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-26 15:20:31 -07:00
Vincas Dargis
dc3e2c39fb dovecot: allow kill signal
Dovecot might try to kill related processes:

```
type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/auth"

type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED"
operation="signal" profile="dovecot" pid=21223 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3"

type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED"
operation="signal" profile="dovecot" pid=31632 comm="dovecot"
requested_mask="send" denied_mask="send" signal=kill
peer="/usr/lib/dovecot/pop3-login"
```
This was discovered on a low-power, high-load machine (last resort timeout
handling?).

Update signal rule to allow SIGKILL.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 2f9d172c641bd21671721e76e0d65ba4bd914107)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-26 15:20:14 -07:00
John Johansen
1335b80ff4 utils: fix make -C profiles check-logprof fails
On arch
  make -C profiles check-logprof

fails with
  *** Checking profiles from ./apparmor.d against logprof

  ERROR: Can't find AppArmor profiles in /etc/apparmor.d
  make: *** [Makefile:113: check-logprof] Error 1
  make: Leaving directory '/build/apparmor/src/apparmor-2.13.3/profiles'

because /etc/apparmor.d/ is not available in the build environment
and aa-logprof's --dir argument is not being passed to init_aa()
but used to update profiles_dir after the fact.

Fix this by passing profiledir as an argument to init_aa()

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/36
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/663
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(backported from commit 15dc06248c62ccceec00f70296a6c17f7c5096a1)
2020-10-25 01:44:11 -07:00
John Johansen
1808d14e35 Merge Fix 2.13 libapparmor so version
ab0f4ab2ed7e734827b143cd32dace4444875e9b increased `AA_LIB_REVISION` and `AA_LIB_AGE`, with the result that 2.13.5 builds `libapparmor.so.0.7.3`, while 2.13.4 had `libapparmor-1.6.2`

This patch reverts the `AA_LIB_AGE` increase to fix the so name so that we'll get `libapparmor-1.6.3`.

Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll need to also apply the patch to `Makefile.in`.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/658
Acked-by: John Johansen <john.johansen@canonical.com>
2020-10-20 10:39:27 +00:00
Christian Boltz
145136f604
Fix 2.13 libapparmor so version
ab0f4ab2ed7e734827b143cd32dace4444875e9b increased AA_LIB_REVISION and
AA_LIB_AGE, with the result that 2.13.5 builds libapparmor.so.0.7.3,
while 2.13.4 had libapparmor-1.6.2

This patch reverts the AA_LIB_AGE increase to fix the so name so that
we'll get libapparmor-1.6.3.

Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll
need to also apply the patch to Makefile.in.
2020-10-17 17:30:39 +02:00
John Johansen
ab0f4ab2ed Release: Bump revisions for 2.13.5 release
Signed-off-by: John Johansen <john.johansen@canonical.com>
v2.13.5
2020-10-15 03:14:22 -07:00
John Johansen
5c47e448b4 libapparmor: Bump revision in preparation for release.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-15 03:03:58 -07:00
Christian Boltz
72f97a98e7 Add CAP_CHECKPOINT_RESTORE to severity.db
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2c2dbdc3a3012ce06371edc1e9be6f58711d8565)
2020-10-15 03:03:58 -07:00
John Johansen
726c3fc129 parser: Make sure apparmor can build on old kernels
With the backport of static caps to support caps from newer kernels
in older build environments, builds against older kernels broke
because not all of the newer capabilities are defined in the kernel
headers, nor in apparmor.

In particular

CAP_AUDIT_READ was added to the kernel in 3.16

and

CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, CAP_SETFCAP, CAP_MAC_OVERRIDE,
CAP_MAC_ADMIN, CAP_SYSLOG, CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND in 3.8

The apparmor kernel module was merged into the upstream kernel in 2.6.36.
In order to support all upstream kernels with apparmor add the set
of capabilities introduced since apparmor was merged upstream.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/655
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
2020-10-14 15:05:04 -07:00
John Johansen
be05b4497f translations: update generated pot files
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-14 03:50:46 -07:00
John Johansen
fac184d923 parser: Add support for CAP_CHECKPOINT_RESTORE
Linux 5.9 added CAP_CHECKPOINT_RESTORE; add it to the set of supported
capabilities.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/654
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backported from commit 644a473971df4e18555e97fa36bafd89459c4717)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-13 21:44:47 -07:00
Steve Beattie
a090a6377b socketpair regression test: add aa_getpeercon() enabled perm
Because of the need to be stacking LSM aware, aa_getpeercon() calls
aa_enable to ensure that apparmor is enabled. Without the permission,
aa_getpeercon() fails, causing test failures.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit fb773fec36495135a2a5ce6c84306fcda114ec71)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-13 05:15:57 -07:00
John Johansen
4527abd028 regression tests: fix aa_policy_cache to use correct config file
The aa_policy_cache test is using the system parser.conf file even
when the tests are set to use source. This can lead to failures
if the system parser.conf contains options not understood by
the source parser.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 1033e19171941a4655565d4bbe9b69c552a2353b)
2020-10-13 05:07:28 -07:00
John Johansen
350b4a5358 regression test: Fix regression tests when using in tree parser
When using the in tree parser we should not be using the system
parser.conf file, as if the system apparmor is newer than the
tree being tested the parser.conf file could contain options not
understood by the in tree apparmor_parser.

Use --config-file to specify the default in tree parser.conf

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5ac368bce7a710c61e7d94bf1e23b03d2ace824e)
2020-10-13 05:07:23 -07:00
Steve Beattie
3f8cfac384 parser/Makefile: fix generated cap comparison against known list
The sed command to manipulate the known cap list (base_cap_names.h) into
a format to match the generated_cap_names.h was buggy because the
trailing '}' would never match anything, leading to failures when built
against 5.8 kernel headers, due to it not replacing the base capabilities
correctly.

Fix this by removing the trailing '}' match and instead match the third
comma-delimited field that matches a capability name, and replace that.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
(cherry picked from commit a7fc8bb5008f17075137e6743230807ebf2b3ee6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-13 03:00:53 -07:00
John Johansen
054079b271 parser: call filter slashes for mount conditionals
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a1978fb1b2f9c97ae6ea7efb752e3d25ac261830)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:44:50 -07:00
John Johansen
f6eb8553dc parser: call filter slashes for the dbus path conditional
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 35f6d49ec679f41ac30a2dd22780881c03ca01c9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:44:50 -07:00
John Johansen
8b5e4a45a9 parser: enable variable expansion for mount type= and options=
Currently mount options type= and options= do not expand variables
but they should. Fix it.

Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 882380ad3d8e90a9ac9fe489485ce9f652a1a80a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:44:50 -07:00
Patrick Steinhardt
8771cff94b libapparmor: add missing include for socklen_t
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.

Fix the issue by including the header.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74d7973e7a54b17db6aa903701468ffd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-03 13:21:32 -07:00
Patrick Steinhardt
351014c3f6 libapparmor: add _aa_asprintf to private symbols
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1c79c261374d928b838b5eb9244ee9b)
2020-10-03 12:24:40 -07:00
John Johansen
903e743b87 parser: Fix expansion of variables in unix rules addr= conditional
The parser is not treating unix addr as a path and filtering slashes
after variable expansion. This can lead to errors where

```
@{foo}=/a/
unix bind addr=@{foo}/bar,
```

will always fail because addr is being matched as /a//bar instead of
/a/bar.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6af05006d9dd1bfaa36e555841496a4cbf3992ee)
2020-09-29 12:00:40 -07:00
John Johansen
7a7c7fb346 regression tests: Don't build syscall_sysctl if missing kernel headers
sys/sysctl.h is not guaranteed to exist anymore since
https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html

which is a follow on to the kernel commit
61a47c1ad3a4 sysctl: Remove the sysctl system call

While the syscall_sysctl currently checks if the kernel supports
sysctls before running the tests, the tests can't even build if the
kernel headers don't have the sysctl defines.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119
Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2e5a266eb715fc7e526520235a6450444775791f)
2020-09-29 11:55:36 -07:00
John Johansen
58e4e8169c parser: Fix automatic adding of rule for change_hat interface
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.

Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5b850c154f26bdd5435b8d9d3af4a7fc2072c62e)
2020-09-17 15:04:24 -07:00
John Johansen
4cab2dbc17 Merge [2.13] Refresh postfix profiles
Refresh the postfix profiles in the 2.13 branch with (mostly) all changes in master.

The most important changes are:

* support having the `postfix/*` binaries in `/usr/lib/postfix/bin/` (like for example openSUSE has now)
* add profile names
* rename the profile files to `postfix-*`
* several "smaller" changes (especially added permissions), see the individual commits for all details

Note that some changes were not backported to the 2.13 branch:

* adding abi rules
* changing `#include` to `include`
* removal of "superfluous" rules covered by abstractions (dd4903efc6a97a69c3e28ba09c2e67d25bf154c8)
* removal of `peer=/usr/lib/postfix/...` rules

20/20 Revert renaming usr.lib.postfix.* to postfix.* in 2.13 branch
19/20 postfix-master: allow access to postlog socket
18/20 Allow to read icu *.dat files in postfix-related profiles
17/20 postfix/master needs to execute postfix/error
16/20 Add several permissions to the postfix.* profiles
15/20 adjust postfix profiles for openSUSE path
14/20 profiles/postfix-smtpd: Include ssl_certs, ssl_keys
13/20 profiles/postdrop: Allow reading from pickup socket
12/20 profiles/postfix-pickup: Allow reading from cleanup socket
11/20 postfix.local: Minor adjustments to make it work
10/20 postfix.*: Adapt for new queue names, and extra locking and r/w communication
9/20 postfix.tlsmgr: Connect to urandom and prng exchange
8/20 postfix.master: Change path of child processes
7/20 profiles/postfix: add locking perm to pid files
6/20 profiles: add a postfix dnsblog profile
5/20 profiles: add a postfix postscreen profile
4/20 profiles/postfix-master: grant signal+unix communication with children
3/20 profiles/postfix: use named profiles
2/20 profiles/postfix-master: use profile name instead of match pattern
1/20 allow locking /etc/aliases.db

Note: Backport Exception Requested by openSUSE, updated profiles needed, on a 2.13 release
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/621
Acked-by: John Johansen <john.johansen@canonical.com>
2020-09-09 20:14:01 +00:00
Christian Boltz
8501ed822e
Revert renaming usr.lib.postfix.* to postfix.* in 2.13 branch
... as discussed/proposed in !621

This means the postfix.* filenames stay master-only.
2020-09-09 21:30:22 +02:00
Christian Boltz
e54fdf8e2b
postfix-master: allow access to postlog socket
(cherry picked from commit d55ca8b624cc945a1bf7c09d73f00fbcbbee2d77)
2020-09-09 21:28:20 +02:00
Christian Boltz
57f6315783
Allow to read icu *.dat files in postfix-related profiles
This is needed for postdrop, postmap, postqueue and sendmail

Seen on openSUSE Tumbleweed.

(cherry picked from commit b23aa00b8178b1e74b3a89d83ed51b812adaf1f7)
2020-09-08 21:23:18 +02:00
Christian Boltz
6fae03d142
postfix/master needs to execute postfix/error
(cherry picked from commit f250e9424063d5f52a49d7f34485130901fa9254)
2020-09-08 21:22:51 +02:00
Christian Boltz
bd401448fa
Add several permissions to the postfix.* profiles
... needed on openSUSE Leap 15.1

(cherry picked from commit 7016ac954b26bb0e75277dd3c505eff6bbd7a204)
2020-09-08 21:22:37 +02:00
Christian Boltz
6e2de0806c
adjust postfix profiles for openSUSE path
On openSUSE Leap 15.1, the postfix binaries live in
/usr/lib/postfix/bin/ which was not covered in the postfix.* attachment
and mrix rules.

(cherry picked from commit f668f31bf02792e4aaa08e5a0977c6637814f1f2)
2020-09-08 21:20:56 +02:00
Julian Andres Klode
583fb1c0cd
profiles/postfix-smtpd: Include ssl_certs, ssl_keys
This is needed for serving TLS.

(cherry picked from commit 4c85a7ec9ec2275d6061c2c819dff3bae0c3710a)
2020-09-08 21:18:28 +02:00
Julian Andres Klode
54806dce22
profiles/postdrop: Allow reading from pickup socket
(cherry picked from commit b858428dd1e7be7a0b571cad3a4bd74f74e1e72c)
2020-09-08 21:18:16 +02:00
Julian Andres Klode
25338e4691
profiles/postfix-pickup: Allow reading from cleanup socket
(cherry picked from commit d1ab0a021e1c4b505586091ebdfe3345ebd21030)
2020-09-08 21:18:04 +02:00
Julian Andres Klode
9051288c3d
postfix.local: Minor adjustments to make it work
This connects queue manager to local.

(cherry picked from commit 60d203b622c1e098b4e86eb409e319520e4d8b73)
2020-09-08 21:17:52 +02:00
Julian Andres Klode
0107d57915
postfix.*: Adapt for new queue names, and extra locking and r/w communication
This gets us to the local process now, which comes next.

(cherry picked from commit 02528133d2b55a254d1bb8288601566e12ceccdf)

Note: this cherry-pick doesn't include the removal of the path-based
signal and unix rules in postfix-master.
2020-09-08 21:16:46 +02:00
Julian Andres Klode
1909ca0dcb
postfix.tlsmgr: Connect to urandom and prng exchange
(cherry picked from commit e8841a09537959d1209613d55a10f8d14c1c7290)
2020-09-08 21:12:23 +02:00
Julian Andres Klode
d6ebf87d2b
postfix.master: Change path of child processes
(cherry picked from commit f4bfd7816425cd09e75b77e92abd431fbc65f731)
2020-09-08 21:11:39 +02:00
Steve Beattie
43af5f9751
profiles/postfix: add locking perm to pid files
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 9943da2f528a0f5267dfb5bf4dd9f427f6a80104)
2020-09-08 21:11:06 +02:00
Steve Beattie
065546c312
profiles: add a postfix dnsblog profile
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 889503f6234863d6520bd5a209dfda8e195a6d80)
2020-09-08 21:08:19 +02:00
Steve Beattie
2060ccde22
profiles: add a postfix postscreen profile
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 1c9459825a928a92c8ba563cdfb0d17a6cb10612)
2020-09-08 21:08:03 +02:00
Steve Beattie
df9cfced8c
profiles/postfix-master: grant signal+unix communication with children
Grant the ability to communicate with the postfix named child profiles
via signals and unix sockets. Include the path-based match names as
a fallback on upgrades.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 35d84895fe15d989b885a38d4763a73ffc8ba49c)
2020-09-08 21:07:42 +02:00
Steve Beattie
9a9c2f9793
profiles/postfix: use named profiles
Convert all the postfix subprocesses to using named profiles instead of
path match profiles, and adjust exec paths for newer debian/ubuntu
releases. Rename profiles to match profile names.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 39ca2adff651aff52b951e194507b4216c7d67e6)
2020-09-08 21:07:29 +02:00
Steve Beattie
8b0e2bdc94
profiles/postfix-master: use profile name instead of match pattern
Convert postfix's master profile to use a named profile
(postfix-master) rather than the exec path match pattern. Adjust
postfix-common abstraction to take this into account. Rename profile
name in the profiles/apparmor/profiles/extras/ directory to match
the profile name.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 01648c6a61519a01d5bf54270c3a75557f1cb5cb)
2020-09-08 21:02:35 +02:00
Christian Boltz
68316d265b
allow locking /etc/aliases.db
This is needed for "newaliases" on current openSUSE Tumbleweed / postfix 3.3.1

(cherry picked from commit f74edd5d5a7f340f603291d5a693be7aee4a6234)
2020-09-08 20:59:06 +02:00