Another instance of using libvirt_leaseshelper without having
libexec access. As addressed in the previous patch.
issue: https://gitlab.com/apparmor/apparmor/-/issues/87
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit e731b8a335f5ebcc59f51d14a2868d9e11e28e2f)
The error:
type=AVC msg=audit(1585403559.846:34317577): apparmor="DENIED" operation="exec" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=7162 comm="sh" requested_mas
k="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1585403559.846:34317578): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=7162 comm="sh" requested_mas
k="r" denied_mask="r" fsuid=0 ouid=0
Looks like the path to libvirt_leasehelper is incorrect usr.sbin.dnsmasq, at least in gentoo. Patching the file fixes the problem:
issue: https://gitlab.com/apparmor/apparmor/-/issues/87
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 28fce5f76d43bda3be66449a2439cd56bea80fba)
several postfix-* binaries on openSUSE Tumbleweed need to read
/usr/share/icu/[0-9]*.[0-9]*/*.dat.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/615
(cherry picked from commit 39ef7c508fa9dabb9c70997a1cf43260b2e8d451)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a partial backport of eb8f9302aa664e8ac84a03eaf11b1cb1372b1e44 (only adding the abstraction) to the 2.13 branch.
Note that the 2.13 version of the abstraction doesn't have
* the abi rule
* the `include if exists <abstractions/hosts_access.d>`
because both are new in master and would cause interesting\[tm\] problems with the 2.13 tools.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/612
Acked-by: John Johansen <john.johansen@canonical.com>
This is a partial backport of eb8f9302aa664e8ac84a03eaf11b1cb1372b1e44
(only adding the abstraction) to the 2.13 branch.
Note that the 2.13 version of the abstraction doesn't have
- the abi rule
- the `include if exists <abstractions/hosts_access.d>`
because both are new in master and would cause interesting[tm] problems
with the 2.13 tools.
Add support for CAP BPF and PERFMON
Backport from !578 the subset of patches that convert the parser to a pregenerated list of capability names instead of a dynamically generated list.
The dynamically generated list is still created and compared to the pregenerated list and the build will fail if new capabilities are added to the dynamically generated list that are not in the pregenerated list.
This enables the parser to support new capabilities like CAP BPF and PERFMON that are might not be in the kernel that the parser is being built against.
This patch series adds support CAP BPF and PERFMON in the pregenerated list of capabilities
See merge request apparmor/apparmor!594
prologue.inc:settest() in same cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
(cherry picked from commit efc6590409846114f729618a5ff011ab0f836342)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The autogenerated capabilities comparison needs to be updated if the
capability_table structure changes. Add a note by the structure to
make sure the Makefile will get updated if the structure is changed.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/597
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(backported from commit 139fac6062131b11df22bdcb59747329c4f6e7b8)
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/596
(backported from commit 33ff79a9e59dc72428a9d4d94b01e00b8d0b8429)
Signed-off-by: John Johansen <john.johansen@canonical.com>
There are currently two capability name tables the one that is
autogenerated and an internal hardcoded name table.
Now that the autogenerated table has been converted to a base
static table we can drop the internal static table. This
removes the chance of getting the tables getting out of sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fb9c5f9bcfd9a8d73b8eb9a8336693b4bce9fa6f)
The static cap sys_log declaration is no longer needed as
base_cap_names.h contains it and ensures that it will always be
present.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit fdba3a571c82adb589732a1eccbc36878a194330)
The auto-generated cap_names.h has problems when the parser if the
parser is built against a kernel with a smaller capability list than
the kernel policy is being compiled for.
Moving to a pre-generated list lets us support all capabilities even
when we build against older kernels. However we don't want to only use
the pre-generated list as that would make it too easy to miss when a
new capability has been added.
Keep auto generating the caps list and compare it to the pre-generated
caps list so we can detect when new capabilities are added, and fail
the build so that the pre-generated list can be updated. We screen the
diff for only additions so that the parser can continue to build on
older kernels that don't have the full capability list without errors.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 270fb0a2b27321fb14a316b3a3afd4b86f9cec6f)
GTK+ 3 has a global settings file that should be readable as well.
(cherry picked from commit af6fe026e1a056b0ef1898f164c2b590c21e6cb0)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/592
utils `make check_severity_db` will fail the build if a (probably new) capability in not listed in severity.db. This also means it should print out an ERROR, not a warning.
This is a follow-up of lp#1890547 and https://gitlab.com/apparmor/apparmor/-/merge_requests/589
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/591
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2f5d5e1b24ef9e467bc5b37ded3c3c178682a26e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
These capabilities were introduced in Linux 5.8
References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae012502095596df4675555da635c868e3b3c04a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
(cherry picked from commit 98bf187323b2f7ea265cf53b10f45513d9a955a4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Similar to the profiles/ check using the python utilities, the
tests for the python utilities were not including the path for the
swig libapparmor library in the LD_LIBRARY_PATH variable, only in
PYTHONPATH. This commit fixes that, renaming the variable used for
the built libapparmor check.
v2:
- actually use the LIBAPPARMOR_PATH variable when defining
LD_LIBRARY_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The commit c8b6d8b393be ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393be
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
When running the 'check-logprof' test using tools in the tree,
libapparmor needs to have been built for the python utilities to work.
Add a check for its existence to the test-dependencies target.
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The "local" make target does not depend on the parser having been
built. Create a separate "test-dependencies" target and have the tests
that need them depend on that and the "local" target, when validating
the profile set against the apparmor tools.
Fixes: c8b6d8b393be
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c8b6d8b393bea3276e2a53a6c2c039c90c6fa016)
This is a backport of the fix-lexer patch series for 2.13
Atm it has more patches than are strictly necessary. The open question is how much of that series do we actually want to bring back?
technically the only patch we need to keep CI working and fix the issues that have been discovered are
```
Remove TODO for half-quoted abi rule
parser: split newline and end of rule handling into separate rules
parser: update rule to process newlines to include states that eat WS
parser: add ABI_MODE to WS consumption state
```
However that would keep us from being able to catch other errors. If we want to be able to catch other potential lexer pass-through errors, at a minimum we need to include.
```
Error out on unhandled parts when parsing a profile
```
Which excludes only
```
parser: add missing states to the default rule and improve the error msg
```
While its nice to have better debug output, I am not sure it is worth backporting this patch
Summary of Discussion: The debug output is worth having
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/572
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
The hashing of the featue set is wrong because it is hashing the
whole feature structure instead of just the feature string.
This results in the refcount and hash field becoming part of the
hash and the feature string not being completely hashed as the
bytes of the refcount and hash field are being counted in the
as part of the string length when the hash is taken.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/583
Reported-by: Samuele Pedroni <samuele.pedroni@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit b8be1c3ff88eec72b44c61c5d070fb209b194340)
Update fonts abstraction for Debian
Closes#94
See merge request apparmor/apparmor!575
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit 5b4a40ea58dbdeb198aa7f4698d9f2aeb85cb77c)
7b7e98a5 Update fonts abstraction for Debian
[2.11..2.13] fix setting apparmor.aa.profile_dir in some tests
cherry picked from commit 6fe4b5e59afe85e3bbfe98eab7e291c9f532db25 -
but only the test-aa.py changes because test-profile-list.py didn't have
the affected tests in 2.13 yet.
See merge request apparmor/apparmor!574
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..2.13
cherry picked from commit 6fe4b5e59afe85e3bbfe98eab7e291c9f532db25 -
but only the test-aa.py changes because test-profile-list.py didn't have
the affected tests in 2.13 yet
ABI_MODE needs to be able to consume white space, unfortunately this
was missed, and only showed up with the basckport of the patches
to stop unmatched input from being passed through.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Newlines should generally be treated as whitespace. Expand the list
of states using the newline rule to include almost all rules that
eat WS.
There are two exceptions assign and comment which have special handling
of newlines.
this fixes the failures
not ok 71543 - ./simple_tests//vars/vars_simple_assignment_13.sd: quoted commas should not trigger an error
not ok 71544 - ./simple_tests//vars/vars_simple_assignment_14.sd: quoted commas should not trigger an error
found by introducing nodefault
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 21498ff9a434117516477b83c6c380b0c26a6037)
Split the newline processing into a separate rule block so that it can
be shared with states that need to process newlines without processing
end of rule conditions.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit fffca2ffa00d86b0f3a11eea066cf651486331ea)
There were several states missing from the default rule which catches
unexpected input in a state.
Update the default rule to catch all input including newlines and
update its error message to include information about which state the
failure occured in. Also update the comment about what to do when
adding new states.
While the lexer now has the "nodefault" option set, it doesn't provide
as much information as the default rule does, so we prefer states
to use our provided default rule.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 1a4288886bcb46dcfc19ad61d648a30488f44619)
With %option nodefault, the parser now errors out as expected, even if
the error message isn't too helpful.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de> Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit 7d062917aa34c62b2eafc3c20f77d0be903b90bc)
... (using `%option nodefault`) instead of echoing the unknown parts to
stdout, and ignoring the error.
This will cause the parser to error out with
flex scanner jammed
and $?=2 if a profile contains unknown/invalid parts. That's not really
a helpful error message, but still better than ignoring errors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/569
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
(cherry picked from commit c01ed1d57b6115067f43a405b14acf24d84ff03a)
Seen on openSUSE Tumbleweed with the mail users in a mysql database.
(cherry picked from commit f7ab91f423303157167be06dce87a79e9b36c926)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed when using the "apparmor" plugin which means dovecot
switches to user-specific hats.
Seen on openSUSE Tumbleweed.
(backported from commit 6a388859f8a3420a8abd5d5d4d86bb0cbf486021)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Reported-by: JrgSommer[m] in #apparmor
(cherry picked from commit cd3532f792a0aa653c9f27ac5d1d55054e0d58e2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
(cherry picked from commit 373e8e23b13c9ff941939e7dd11042213149e0bb)
Signed-off-by: John Johansen <john.johansen@canonical.com>
[2.12+2.13] collapse_log(): avoid accidently initializing aa[profile]
See merge request apparmor/apparmor!539
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
... or calling is_known_rule() on events for non-existing hats.
It's the usual hasher() "fun" again - accessing a non-existing element
will create its parent.
In theory this commit might be worth a backport. In practise, it doesn't cause
any visible problem.
However, starting with the next commit, it will cause lots of test errors.
Also add a missing is_known_rule() call for dbus rules, which might have
caused similar hasher() "fun".
(Backported from 9f1b2f4014ef27c5e7a17acadd03221387bb9809)
Merge request apparmor/apparmor!466 (454fca7483eae) pulled back the
@{run} variable definition from apparmor/apparmor!454 (452b5b8735e4)
to the 2.13 and 2.12 branches, to make backporting profile changes
easier. However, it did not include the followup fix to the @{run}
definition to include trailing slashes to ensure they are treated as
directories (apparmor/apparmor!456 ef591a67cedc).
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit ef591a67cedc1da0676b26448ea96fa8c073c253)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/533
apparmor.vim: allow leading whitespace for alias rules
See merge request apparmor/apparmor!527
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit ae70ecfbaafd2d2b18f51fe16e4107f861c2d8af)
c636580f apparmor.vim: allow leading whitespace for alias rules
