less shell ;-)
See merge request apparmor/apparmor!520
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6b55794074fb4e74a1e28b3eb1d1b97c2be1c06e)
48bae9e3 less shell ;-)
[2.11..2.13] Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!516
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.12 and 2.13
When aa-genprof proposes a local inactive profile, it had a hardcoded
call to 'less' to display that profile.
Unsurprisingly, this doesn't work in JSON mode and breaks YaST (luckily
it's only a case of "the button doesn't work").
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1171315
(cherry picked from commit 68a258b0064d98c376631fa27904a5be1a2e0044)
(cherry picked from commit cb95e9a2568b19e2e7601c0af363e0605a6889d9)
UI_ShowFile() is more generic and can be used to display various (text)
files, not only diffs.
(cherry picked from commit bb3803b931683c841768ba6256c29e16bebd2eeb,
adjusted for 2.13 branch)
apparmor.vim: support 'include if exists'
See merge request apparmor/apparmor!500
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit a4864146e2d5b39bdc9635507f784fb5a268212b)
efa7c6d6 apparmor.vim: support 'include if exists'
Privacy statement
See merge request apparmor/apparmor!441
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 4281b58c896c79294c813e6b6a36d05b1cdb0298)
bfde89a6 infrastructure: Add privacy statement to the README
This series adds a couple of patches to make the software more crosscompilation friendly. They are based on the work I'm doing to fix the package on buildroot
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/485
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9ba2334423cccc811c0e59e3af604f06631a3d4f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
egrep: bad regex '^/.[ \t]+flags[ \t]=[ \t]*([ \t]complain[ \t])[ \t]+{': Invalid contents of {}
Note the final non-escaped {.
The issue is not present any more in branch master.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/80
Signed-off-by: John Johansen <john.johansen@canonical.com>
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de826f7f9292fa0e7e8c3fc2a2c41d265a)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
@Talkless requested xdg-open and friends be cherry-picked into 2.13
This is the set of commits (and fixes) to do that without modifying them.
We could drop backporting dbus-strict by modifying both the adding missing .d dirs, and add xdg-open and friends patches.
This series does not currently include the make check test and its fixes for the .d directories, as they were not required but we may want to include them to catch any potential errors.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/471
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add #include if exists <*.d> to new abstractions
See merge request apparmor/apparmor!453
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit 962f1e7a7b1e2e97bfc6c42173b494b5609b0f29)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Implement set of abstractions to handle opening uris via xdg-open and similar helpers used on different desktop environments.
Abstractions are intended to be included into child profile, together with bundle abstractions such as ubuntu-browsers, ubuntu-email and others, for fine-grained control on what confined application can actually open via xdg-open and similar helpers.
PR: https://gitlab.com/apparmor/apparmor/-/merge_requests/404
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d257afd3096b25f5d76e2575478c13d4f6930f9a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
add missing *.d include to dbus-network-manager-strict abstraction
See merge request apparmor/apparmor!448
Acked-by: Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit eae474bb5c75129a9c5d0d02b1edf30636794900)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some applications queries network configuration (using QNetworkConfigurationManager class in Qt and similar), and that produces DBus denials under AppArmor confinement when NetworkManager backend is used.
Add abstraction that allows most common read-only DBus queries for getting current network configuration from NetworkManager backend.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/409
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a10fa57fb6274d32763d9df8e3051f6c45543776)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns"
by default.
--- original bug ---
Many repetitions of
audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains
hosts: files mdns [NOTFOUND=return] myhostname dns
and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)
Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1869629
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit eeac8c11c935edf9eea2bed825af6c57e9fb52e3)
On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82
Signed-off-by: nl6720 <nl6720@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
abstractions/mesa: allow checking if the kernel supports the i915 perf interface
See merge request apparmor/apparmor!464
Acked-by: Vincas Dargis <vindrg@gmail.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit f56bab3f75dfbdfc9456628a392cabbb985a44bb)
61571da1 abstractions/mesa: allow checking if the kernel supports the i915 perf interface
https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
capabilities to use a script.
A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.
(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
this commit was meant for the 2.13 branch not master
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
assertEquals is deprecated since Python 2.7 and 3.2.
(cherry picked from commit 62abfe38e8bb3e6ba4dc873efbd1855888ea8aa0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf9209296417a1a65fe03130530e1303a4d6c7)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/gnome: also allow /etc/xdg/mimeapps.list
See merge request apparmor/apparmor!444
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 3becbbab2c47b2c4d57ecce2674af690b1888ba9)
67cf4fa3 abstractions/gnome: also allow /etc/xdg/mimeapps.list
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302d06684b4fda1c538e04fb9e6d0f287)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit f4220a19bec57a2d3d7d92984e9030197605c0dd)
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc4e35fd6ec9a0f15df7445310680d02)
ee7194a7 Allow /usr/etc/ in abstractions/authentication
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c2842d84255ce6d3e38ac1255c01ca14d6)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
(cherry picked from commit b017f8f8a9fadc63d983814a44016aeb9dd57475)
001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
Fix a Python 3.8 autoconf check
See merge request apparmor/apparmor!430
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
Acked-by: Steve Beattie <steve@nxnw.org> for master and 2.13
(cherry picked from commit 3db14e8e49dea227b8b95f4aef47dbf505beac2d)
ccbf1e0b Fix a Python 3.8 autoconf check
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
(cherry picked from commit c5968c70d0f1bd3da9ed1a19b5a79748adbfd566)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/420
Signed-off-by: John Johansen <john.johansen@canonical.com>
Bug-Debian: https://bugs.debian.org/935058
Applications running under Xwayland in a GNOME+Wayland session need read access
to this file since:
a8984a81c2
… that was first included in mutter 3.33.3.
This rule is presumably only needed for GNOME+Wayland sessions, so one could
argue that it should live in abstractions/wayland instead, but Jamie argued that
it should be in the X abstraction because Xwayland is a X server.
(cherry picked from commit c006f79141b29c5d7dd2225da75657c558be50aa)
MR: https://gitlab.com/apparmor/apparmor/merge_requests/419
Bug-Debian: https://bugs.debian.org/935058
Signed-off-by: John Johansen <john.johansen@canonical.com>
Correct the long option used to print the cache directory.
Fixes: e9d9395f91cd ("parser: Add option to print the cache directory")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit 50e34b45c2d332b9575bc5c23eb872bdbc3dec4e)
Ref: https://gitlab.com/apparmor/apparmor/merge_requests/406
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844de9f17381247ffc85f6f9b503744fe)
8f74ac02 Fix crash on unbalanced parenthesis in filename
When cross compiling apparmor-parser, Makefile will use ar for
creating the static library. However, ar produces libraries on
the build platform. The right ar could be prefixed with the target
platform triples.
Signed-off-by: Xiang Fei Ding <dingxiangfei2009@gmail.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Ref: https://github.com/NixOS/nixpkgs/pull/63999
Bug: https://gitlab.com/apparmor/apparmor/issues/41
(cherry picked from commit 654d96a3f78ba4145125060e52dcda6a226909e2)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
v2:
- parse partial log line broken at \n
- add testcase_dbus_10.* for partial log line
- remove quotes from testcasw_dbus_09.profile
The following log format has been seen in the wild, and currently results
in a RECORD_INVALID
[4835959.046111] audit: type=1107 audit(1561053426.749:186): pid=640 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="LookupDynamicUserByName" mask="send" name="org.freedesktop.systemd1" pid=20596 label="/usr/sbin/sshd" peer_pid=1 peer_label="unconfined"
exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Test parsing the above message with and without the \n embedded between
peer_label= and exec=
PR: https://gitlab.com/apparmor/apparmor/merge_requests/395
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0349cf2d0a898cd245e9b788ede44c1a35da3e5a)
