Choosing "Deny" when handle_children() asks about adding a hat should
not add that hat, but it should _not_ leave the function because that
means all the other log events that were not migrated to prelog yet will
be lost.
Change "return" to "continue" to fix this.
Drop 'to' option for link rules from manpage
See merge request apparmor/apparmor!368
Acked-by: Eric Chiang <ericchiang@google.com>
(cherry picked from commit 041cd95a98e798e3567c63c3c7eb74d81fc5c64e)
115a1d89 Drop 'to' option for link rules from manpage
Add several libapparmor/swig/ruby files to gitignore
See merge request apparmor/apparmor!366
(cherry picked from commit 9c11ce37c61b442161c5b13dd28d7939bc1327fa)
7ed1a16a Add several libapparmor/swig/ruby files to gitignore
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists
See merge request apparmor/apparmor!365
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit cece7871829ed85a3ed3783be3ac009ad0cfe205)
455c4413 aa.py: Ensure there is always a fallback value for the logfile location
3c7e1668 aa.py: Indicate permission error if log file is found but cannot be opened
Since !345 the set of permissions that are granted (get_file_perms_2)
or suggested (propose_file_rules) has changed. These new sets are
expected due to the changes brought by this MR, so let's adjust
the test suite accordingly.
(cherry picked from commit 0170e98f9c7342a614bbda5ce9e64a1444f47413)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/358
Signed-off-by: John Johansen <john.johansen@canonical.com>
For example, VirtualBox guests have /usr/lib/VBoxOGL.so.
Without these changes, in a VirtualBox VM with VBoxVGA graphics,
at least one Qt5 application (OnionShare) won't start and display:
ImportError: libGL.so.1: failed to map segment from shared object
… and the system logs have:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.
So let's not assume all libraries have a name that starts with "lib".
PR: https://gitlab.com/apparmor/apparmor/merge_requests/345
(cherry picked from commit 5cbb7df95ef241725b327bccfb5aa21f8be14695)
Signed-off-by: John Johansen <john.johansen@canonical.com>
update network keyword list in utils and add test
See merge request apparmor/apparmor!350
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit dc010bc0340fe8b7159db5c3c2e01f7e27749ea8)
49849ed7 update network keyword list in utils and add test
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf636308eeb05185bb4ccdc1731a96980)
6b276563 apparmor.d manpage: update list of network domain keywords
The calling function and the merge() macro both make use of a variable
named "i" but this causes problems when merging. The aa_policy_cache.sh
test script experiences "bad file descriptor" failures due to the merged
list containing invalid fd values (-1).
Fix this by renaming merge()'s index variables from i and j to y and z
to hopefully prevent future overlap. The better fix here would be to
convert merge() to a function but that's a more intrusive change and I
don't have an easy way to test the overlay feature.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit d7ac07afc48bdc61892e4227949ee8e24c95ff1e)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
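To make the macro/caller clash concrete, here is an added example (not AppArmor's own merge() macro, whose exact shape is not shown above): a merge macro that borrows the caller's i, j and n as scratch indices, a caller whose own loop counter i is silently advanced by the expansion, and the function-based fix the message mentions as the better option. Array contents, names and the two-round loop are constructed for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>

/* Buggy pattern: the macro uses i, j and n as scratch indices and relies on
 * the caller having declared them. Any caller that uses i or j for its own
 * bookkeeping has those values clobbered by the expansion. */
#define MERGE_CLASHING(out, a, na, b, nb) do {                    \
    i = 0; j = 0; n = 0;                                          \
    while (i < (na) && j < (nb)) {                                \
        if ((a)[i] <= (b)[j]) (out)[n++] = (a)[i++];              \
        else                  (out)[n++] = (b)[j++];              \
    }                                                             \
    while (i < (na)) (out)[n++] = (a)[i++];                       \
    while (j < (nb)) (out)[n++] = (b)[j++];                       \
} while (0)

/* Fix: a real function owns its indices, so nothing in the caller's scope
 * can be overwritten. Returns the number of merged elements. Renaming the
 * macro's variables (as the commit did) only lowers the odds of a clash;
 * a function removes it. */
size_t merge_sorted(int *out, const int *a, size_t na, const int *b, size_t nb)
{
    size_t ia = 0, ib = 0, n = 0;
    while (ia < na && ib < nb) {
        if (a[ia] <= b[ib]) out[n++] = a[ia++];
        else                out[n++] = b[ib++];
    }
    while (ia < na) out[n++] = a[ia++];
    while (ib < nb) out[n++] = b[ib++];
    return n;
}

/* Constructed input (hypothetical data, not from the AppArmor test suite). */
static const int A[3] = { 1, 4, 9 };
static const int B[2] = { 2, 3 };

/* The caller runs two rounds, using i as its loop counter, and sums the
 * largest merged value of each round. Expected: 9 + 9 = 18. */
int sum_two_rounds_buggy(void)
{
    int i, j, n, out[5], total = 0;
    for (i = 0; i < 2; i++) {
        MERGE_CLASHING(out, A, 3, B, 2);  /* leaves i == 3: the loop ends early */
        total += out[n - 1];
    }
    return total;                         /* 9, not 18 */
}

int sum_two_rounds_fixed(void)
{
    int i, out[5], total = 0;
    for (i = 0; i < 2; i++) {
        size_t n = merge_sorted(out, A, 3, B, 2);
        total += out[n - 1];
    }
    return total;                         /* 18 */
}

int main(void)
{
    printf("buggy macro: %d, function: %d\n",
           sum_two_rounds_buggy(), sum_two_rounds_fixed());
    return 0;
}
```

The buggy result is deterministic rather than a crash only because the example is small; in the real test script the clobbered index surfaced as an invalid (-1) file descriptor in the merged list.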
qsort()'s _size_ parameter is used to indicate the size of the elements
in the _base_ array parameter. Adjust the third argument to qsort() to
indicate that we're dealing with an array of struct dirent pointers
rather than an array of struct dirent.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit 8b218718204062efa2dd093d95d2b05e0d722f92)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
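The qsort() element-size mistake is easy to reproduce in isolation. The following added example (not the AppArmor parser's code) sorts a constructed array of struct dirent pointers by name and passes sizeof(*ents), the size of one pointer, as the third argument; the comparator is written against struct dirent ** because that is what qsort() hands it.

```c
#include <dirent.h>   /* struct dirent (d_name is a fixed array on glibc) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Comparator for an array of `struct dirent *`: qsort() passes pointers to
 * the array elements, i.e. `struct dirent **`, so dereference twice. */
static int cmp_dirent_ptr(const void *a, const void *b)
{
    const struct dirent *const *pa = a;
    const struct dirent *const *pb = b;
    return strcmp((*pa)->d_name, (*pb)->d_name);
}

/* Sort an array of dirent pointers by name. The element size must be
 * sizeof(*ents) (one pointer). Passing sizeof(struct dirent) instead would
 * make qsort() treat each element as ~280 bytes and read and swap memory
 * well past the end of a small pointer array. */
void sort_dirent_ptrs(struct dirent **ents, size_t n)
{
    qsort(ents, n, sizeof(*ents), cmp_dirent_ptr);
}

/* Demonstration helper: builds three constructed entries (hypothetical
 * names), sorts the pointer array, and returns 1 if the order is ascending. */
int demo_sorted_ok(void)
{
    static struct dirent d[3];
    struct dirent *ents[3] = { &d[0], &d[1], &d[2] };
    strcpy(d[0].d_name, "usr.sbin.dnsmasq");
    strcpy(d[1].d_name, "abstractions");
    strcpy(d[2].d_name, "tunables");
    sort_dirent_ptrs(ents, 3);
    return strcmp(ents[0]->d_name, "abstractions") == 0 &&
           strcmp(ents[1]->d_name, "tunables") == 0 &&
           strcmp(ents[2]->d_name, "usr.sbin.dnsmasq") == 0;
}

int main(void)
{
    printf("sorted correctly: %s\n", demo_sorted_ok() ? "yes" : "no");
    return 0;
}
```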
Adjust aa_policy_cache.sh to handle the additional layer in the
directory hierarchy when determining where the policy cache binaries are
stored. This is needed due to the multicache changes that allow multiple
policy caches to exist on a single system.
Differentiate between the cache location (the top level directory
containing all caches) and the cache directory (the directory used to
store the cached policies).
Use the libapparmor wrapper to get the cache directory for the given
cache location and the features of the currently running kernel.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit f31457b26e3f7a0433ce32c8f25bf270ab587f1c)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Print the policy cache directory path for the features of the currently
running kernel to stdout so that the aa_policy_cache.sh regression test
script can make use of it when writing out binary policy files.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/348
(cherry picked from commit ad81ea0e671f3d4af1d6e44da6d41db3af3c1985)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexes. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbdd3fe311027ae2ceb9f441a30a6075a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Using /usr/{bin,sbin}/dnsmasq as both the profile name and attachment breaks compatibility with the peer=/usr/sbin/dnsmasq rule in the libvirtd profile.
Instead specify the profile with the old name /usr/sbin/dnsmasq and specify the attachment separately. This looks funny but it avoids breaking libvirtd and still provides the broader attachment needed by distros that have merged sbin into bin.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
I propose this patch for 2.12 and 2.13. (Older versions didn't get the alternation, master has a profile name added.)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/346
Signed-off-by: John Johansen <john.johansen@canonical.com>
Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
the libvirtd profile, practice shows that we were wrong.
This patch adds a tricky workaround so that the profile name doesn't
change, but the profile will attach even on distributions with merged
bin and sbin. (Credits for this crazy idea go to John ;-)
It also re-adds the libvirtd peer name /usr/sbin/libvirtd to avoid
breaking libvirtd.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
and the discussion in https://gitlab.com/apparmor/apparmor/merge_requests/346
tunables/share: fix buggy syntax that broke the ~/.local/share part of the @{user_share_dirs} tunable
See merge request apparmor/apparmor!344
(cherry picked from commit 2ed3763a2f5f59605f75536b413b281ca7cf7297)
cdeb6185 tunables/share: fix buggy syntax that broke the ~/.local/share part of the...
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from commit cb43e57d27962039c5bc2a380936c7316575701f)
Conflicts:
parser/parser_main.c
Reason:
commit 48a32b78b189cf9e2c4d8bce8fb45c68bf4cc327 not backported
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988adf63c85b2091880c64a5e6ca3c20ca)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)
(cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
Bug-Debian: https://bugs.debian.org/920669
Relevant documentation: http://www.alsa-project.org/main/index.php/Asoundrc
We already grant read access to the corresponding per-user configuration file
(~/.asoundrc) so it makes sense to also grant access to the system-wide one.
(cherry picked from commit 2d72795f6585ad67bc85e01e1dfc8c1bc2eac56a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b0bacba9dbe903803ff1a7df05789ac254043490)
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
(cherry picked from commit 03ea5b82b783cd459978bb4c5a6076286c2ce4fa)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource, but I'm not sure
why I had to add this and therefore didn't include it in this merge
request.
Speaking about "why I had added $whatever" - these changes were
collected over the last years and of course ;-) I don't remember any
details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
(cherry picked from commit 0199edf8e735d3d67488a2b6ea52493b7c379699)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
[2.10..2.13] Backport updated font paths
Update fonts for Debian and openSUSE
- Allow reading the conf-avail dir itself.
- Add various openSUSE-specific font config directories.
See merge request !96 (merged) for details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/309
(cherry picked from commit 7bd3029f)
Update fonts for Debian and openSUSE
See merge request apparmor/apparmor!96
(cherry picked from commit 7bd3029f259464eb2ce1ca378564f0a59a75dc2d)
b902d250 Update fonts for Debian and openSUSE
dnsmasq: allow peer=libvirtd to support named profile
See merge request apparmor/apparmor!304
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 5d384d96254b2cdbe230e674863158e171cfceb8)
20fe099c dnsmasq: allow peer=libvirtd to support named profile
This reverts commit aa3022208f539978f137c918ede01c80cacd8567.
Space-separated list of values don't play well with aliases.
For example, in Tails, despite this alias rule:
alias / -> /lib/live/mount/rootfs/*.squashfs/,
… the Tor Browser profile denies access to
/lib/live/mount/rootfs/filesystem.squashfs/usr/share/mime/mime.cache, which
should be equivalent to /usr/share/mime/mime.cache. That's fixed by using
alternations instead; too bad they're less readable.
Possibly related:
https://bugs.launchpad.net/apparmor/+bug/888077
https://bugs.launchpad.net/apparmor/+bug/1703692
Cherry-picked from master branch: a91d199ab1da3004cf3744d7087a32c91097a16e.
New abstraction: lsb_release (sub-profile).
See merge request apparmor/apparmor!154
(cherry picked from commit 47e38944f3e84c8d414fc4622aa3219cd4d1f330)
f7351405 New profile: lsb_release (no attachment path)
99e45b59 lsb_release: added permissions needed by openSUSE implementation.
parser/apparmor.systemd: fix minor issues detected by shellcheck
See merge request apparmor/apparmor!293
Acked-by: Christian Boltz <apparmor@cboltz.de> for master and 2.13
(cherry picked from commit a772ee0f8bd569f3db2d89148a5bce3ce1dcd2bd)
b3937d19 parser/apparmor.systemd: fix minor issues detected by shellcheck
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 1f53de174dbd2ad0409d9b0e5b535a5ff3dff294)
1306f9a6 abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
c5a89d5d abstractions/ssl_{certs,keys}: sort the alternation for dehydrated and drop...
04b2842e abstractions/ssl_{certs,keys}: allow reading ocsp.der maintained by dehydrated for OCSP stapling
[2.12+2.13] revert naming the dnsmasq profile
Changing to "profile dnsmasq /..." broke the peer=/usr/sbin/dnsmasq in the libvirtd profile. Revert adding the name to avoid breaking the libvirtd profile in stable branches.
See also https://bugzilla.opensuse.org/show_bug.cgi?id=1118952 which is a request to update the libvirtd profile to allow both peer=dnsmasq and peer=/usr/sbin/dnsmasq
I propose this revert for 2.12 and 2.13 (older branches didn't get the named profile)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/290
Acked-by: John Johansen <john.johansen@canonical.com>
Changing to "profile dnsmasq /..." broke the peer=/usr/sbin/dnsmasq in
the libvirtd profile. Revert adding the name to avoid breaking the
libvirtd profile in stable branches.
See also https://bugzilla.opensuse.org/show_bug.cgi?id=1118952
which is a request to update the libvirtd profile to allow both
peer=dnsmasq and peer=/usr/sbin/dnsmasq
This is needed if a dovecot child process segfaults - in this case,
dovecot provides a helpful error message like
dovecot[6179]: auth-worker: Fatal: master: service(auth-worker): child 8103 killed with signal 11 (core not dumped - https://dovecot.org/bugreport.html#coredumps - set /proc/sys/fs/suid_dumpable to 2)
which involves reading the current value in suid_dumpable.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/286
(cherry picked from commit 2202a8a267111266b74a7c9fd4bbc89a5f334d6a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
or: get rc.apparmor.functions in sync with the tools and libapparmor.
This was "accidentally" reported by Ralph on the opensuse-support
mailing list.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/282
(cherry picked from commit 228b92ce5ab287aad76954751cb5e8fb2ea8ce4d)
Signed-off-by: John Johansen <john.johansen@canonical.com>