When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
(cherry picked from commit 68a258b006)
(cherry picked from commit cb95e9a2568b19e2e7601c0af363e0605a6889d9)
UI_ShowFile() is more generic and can be used to display various (text)
files, not only diffs.
(cherry picked from commit bb3803b931,
adjusted for 2.13 branch)
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de82)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
@Talkless requested xdg-open and friends be cherry-picked into 2.13
This is the set of commits (and fixes) to do that without modifying them.
We could drop backporting dbus-strict by modifying both the adding missing .d dirs, and add xdg-open and friends patches.
This series does not currently include the make check test and its fixes for the .d directories, as they were not required but we may want to include them to catch any potential errors.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/471
Signed-off-by: John Johansen <john.johansen@canonical.com>
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d257afd309)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.
Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a10fa57fb6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns"
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit eeac8c11c9)
abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca)
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377ba)
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc)
ee7194a7 Allow /usr/etc/ in abstractions/authentication
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
(cherry picked from commit b017f8f8a9)
001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
(cherry picked from commit c5968c70d0)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/420
Signed-off-by: John Johansen <john.johansen@canonical.com>
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
PR: https://gitlab.com/apparmor/apparmor/merge_requests/395
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0349cf2d0a)
