[2.12+2.13] Replace "existing_profiles" & fix minitools for named profiles
(This is the 2.13 version of !249 (merged) which had a few merge conflicts in the 2.13 branch, and needs a little change (last commit) on top)
This patchset introduces the ProfileList class which replaces "existing_profiles" in aa.py and fixes some bugs in aa-complain and the other minitools:
* aa-complain etc. never found profiles that have a profile name (the attachment wasn't checked)
* even if the profile name was given as parameter to aa-complain, it first did "which $parameter" so it never matched on named profiles
* profile names with alternations (without attachment specification) also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92 (search for "As usual" ;-)
See the individual commit messages for details.
All changes survived my tests (both manually and unittests), but as always when doing bigger changes to aa.py, more manual testing is always welcome ;-)
I propose this patch for 2.12 and 2.13.
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 49848b90817a923c9cf3f6ee534d02442bf0ff80)
Signed-off-by: John Johansen <john.johansen@canonical.com>
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
PR: PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 3ef8df6ac05057e46720b2eba099bad3416f763b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 0a666b8e48c162932a2b8049fbe3be2c909517b1)
cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.
Since 4d722f18397dd35b208548d4c841b955c41ac7ce the "(V)iew profile"
option to display the proposed profile was broken.
The easiest fix is to remember the filename in the extras directory, and
display the file from there.
Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
(cherry picked from commit 8b4e76a7d5d87cafb964faa87368dd2b6842f4b8)
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
(cherry picked from commit 4efff35bf8991fcdda3f16e65a036826b9b5cf5f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In the 2.13 branch (and older), 'options' is not always a dict, but can
also be None or an empty string.
Adjust the if condition in serialize_profile() so that "View changes
between clean profiles" doesn't error out.
Technical stuff first:
Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.
Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.
With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
(the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)
Just for completeness - the matching still doesn't honor/expand
variables in the profile name.
(cherry picked from commit 4d722f18397dd35b208548d4c841b955c41ac7ce)
ProfileList is meant to store the list of profiles (both name and
attachment) and in which files they live.
Also add unittests to make sure everything works as expected.
(cherry picked from commit 789c4658e22ef42e76fd55c14e31fcaa93ef574b)
parse_profile_data() returns the parsed profiles, but writes to
existing_profiles directly.
read_profiles() calls parse_profile_data() and already handles adding
the parsed profiles to aa, original_aa or extras, which means updating
existing_profiles there is a much better place.
This commit also includes a hidden change: Previously, when parsing
include files, they were also added to existing_profiles. This is
superfluous, only real profiles need to be stored there.
(cherry picked from commit 8809218ac8cfb89a6c8b2109511960c8aab944aa)
... and call it from get_profile_filename_* if get_new is True
(= always with the current code)
(cherry picked from commit a6b8d14908dafb3667f05984d39b7e3889503dcc)
Split get_profile_filename() into
- get_profile_filename_from_profile_name() (parameter: a profile name)
- get_profile_filename_from_attachment() (parameter: an attachment)
Currently both functions call get_profile_filename_orig() (formerly
get_profile_filename()) so the behaviour doesn't change yet.
The most important part of this commit is changing all
get_profile_filename() calls to use one of the new functions to make
clear if they specify a profile or an attachment/executable as
parameter.
As promised, the is_attachment parameter starts to get used in this
patch ;-)
Note: The get_new parameter (which I'll explain in the patch actually
using it) is set to True in all calls to the new functions.
The long term plan is to get rid of it in most cases (hence defaulting
to False), but that will need more testing.
(cherry picked from commit ec741424f81e152598035324b6fde604427e0a63)
The minitools call write_profile(), write_profile_feedback_ui() and
serialize_profile() with the _attachment_ as parameter.
However, aa-logprof etc. call them with the _profile name_ as parameter.
This patch adds an is_attachment parameter to write_profile() and
write_profile_feedback_ui(). It also passes it through to
serialize_profile() via the options parameter.
If is_attachment is True, the parameter will be handled as attachment,
otherwise it is expected to be a profile name.
tools.py gets changed to set is_attachment to True when calling the
functions listed above to make clear that the parameter is an attachment.
Note: This patch only adds the is_attachment parameter/option, but
doesn't change any behaviour. That will happen in the next patch.
(cherry picked from commit bc783372b879b8f090044b3793a9ca49cc30cd87)
[2.12+2.13] use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!267
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
... which is unused since the last commit.
Note: unlike 0eb12a8cbd13d17a1784b29d3488fc99e4457e2c, this commit does
_not_ delete several write_* function that were only used by this
function. Verifying that these functions are really unused is not worth
the effort in the 2.13 branch.
(cherry picked from commit 0eb12a8cbd13d17a1784b29d3488fc99e4457e2c -
but only apply partially)
Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable
available by default.
Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
error out on superfluous TODOs
See merge request apparmor/apparmor!197
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 39a20314878cffaf4b681bb0a97672f7c6333587)
4b26850e error out on superfluous TODOs
disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff8313a18adda9ed95bc2766c79f120f)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
Remove TODO notes from no-longer-failing tests
See merge request apparmor/apparmor!180
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit c98d8570eee26469d0541fefbcbfb74a36337caa)
d15bdaba Remove TODO notes from no-longer-failing tests
Credits go to John Johansen <john@jjmx.net> for most of the information
and the initial phrasing.
Bug-Debian: https://bugs.debian.org/826218
Cherry-picked from commit b95f9bdd3b1937c4944da3de48d5e128e580d53d
Split the features file into compile features and kernel features
which is needed for policy versioning and the new caching scheme.
A new flag --kernel-features was added to set the kernel features but
unfortunately -M, --features-file was setup to only specify the
compile features, when it used to effectively specify both the
compile and kernel features.
This broke existing uses of -M.
Fix this by having -M specify both the compile and kernel features,
and a new flag --compile-features that can be used to specify the
compile fature set separate from the kernel feature set.
sbeattie> fixed up error message to refer to compile features when
--compile-features argument fails.
Backport-requested-by: intrigeri <intrigeri@debian.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/104
(cherry picked from commit e83fa67edfb534976dc4133e634519084153c0e7)
Fixes: 9e48a5da5e10 ("parser: split kernel features from compile features.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
[2.12+2.13] backport some .gitignore additions
I propose this patch for 2.12 and 2.13, which will bring the .gitignore in sync with master.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/241
Acked-by: John Johansen <john.johansen@canonical.com>
Add profile names to all profiles with {bin,sbin} attachment
See merge request apparmor/apparmor!242
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit fd68a5eb648cb78c967181c56d6e33cd31239f3c)
b77116e6 Add profile names to all profiles with {bin,sbin} attachment
This "will break with non-glibc libcs on Debian and with glibc headers moved to
multiarch locations" (https://bugs.debian.org/798955). Patch based on the one
proposed by Helmut Grohne <helmut@subdivi.de>, amended to replace hard coded
"gcc" with "$(CC)".
PR: https://gitlab.com/apparmor/apparmor/merge_requests/245
Bug-Debian: https://bugs.debian.org/909966
(cherry picked from commit 2d91211842147d19173d8c1659824afb60d8526e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!237
Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk and 2.13.
Pre-acked for 2.10..2.12 after removing the --config-file option which is not supported in these branches.
(cherry picked from commit 2863e20f37f6b24f99e7d997cb2ae8fbb6efbe73)
dc7ae28d profiles/Makefile: test abstractions against apparmor_parser
Interestingly, abi/bad_6.sd is detected as invalid, and therefore not
added to the list.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/238
(cherry picked from commit 5c54f662792120c9ffefee6a00ce11f520e6eb36)
Signed-off-by: John Johansen <john.johansen@canonical.com>
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747a7f730ab59db014cbd15e469b16395)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Currently if stdin is used the warning
apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
is always displayed but if caching has been disabled there is no need for
this message.
(cherry picked from commit c421a29c61e66d121fa2544ba5e4c243c9a5b68c)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/233
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Fix aa-mergeprof crash caused by accidentially initialzed hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 93445ca02dcbdef64664220dc4364501ff568776)
bc492533 Fix aa-mergeprof crash caused by accidentially initialzed hat
The old patter *.* doesn't match lsb_release and nvidia_modprobe, and
the only file we ship in local is a README. This patch adjusts the
pattern to ignore everything except README.
(cherry picked from commit aeee9a1aabb215f842d99dbe626d2e9357cc667c)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/227
Signed-off-by: John Johansen <john.johansen@canonical.com>
(probably Ubuntu-only? The ssl-params file doesn't exist on my openSUSE
installation)
References: https://bugs.launchpad.net/apparmor-profiles/+bug/1796966
(cherry picked from commit 16a98d26d00b393962c08edf9c9b066472395751)
Signed-off-by: John Johansen <john.johansen@canonical.com>
commit 94dfe15b28dc56f60c7c368f2bf7353fe2e0906d attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/207
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 958cc288769360aaec23971efaf4318f4c6817bc)
Make @{sys} available by default
See merge request apparmor/apparmor!228
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 772a8702e0874dbb4de8caa40fc533b487940be0)
aa065287 Make @{sys} available by default
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a131da24c31e41ad32753015a0ec0f76)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf08503613a60298281200db9218a7532a1e31)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
Commit 8f9bd5b0e3e329dd7ce8dfbd0134c503e079b443 rightfully removed PUx
transition into nvidia-modprobe executable due to security concerns. To
overcome this, commit 327420b15195fa18c82c2e741c971c43ec3d56f4 added
named nvidia_modprobe profile, which allows to use this abstraction
without requiring additional rules to make OpenCL work with NVIDIA
drivers.
Add rule to allow Px transition into nvidia_modprobe profile for
nvidia-modprobe executable.
https://gitlab.com/apparmor/apparmor/merge_requests/219
(cherry picked from commit e4b1cadf6327ec502c7175fde1241f776c4c9bc7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
nvidia-modprobe is setuid executable is used to create various device
files and load the the NVIDIA kernel module
(https://github.com/NVIDIA/nvidia-modprobe).
Add named profile to be used in application profiles for confining
potentially risky setuid application.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/213
(cherry picked from commit 327420b15195fa18c82c2e741c971c43ec3d56f4)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Legacy path ~/.apparmor/notify.conf is preferred if it exists, otherwise
$XDG_CONFIG_HOME/apparmor/notify.conf, with fallback to
~/.config/apparmor/notify.conf, is used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/215
Signed-off-by: nl6720 <nl6720@gmail.com>
(cherry picked from commit 1fb9acc59eef229e4a3758c3abb3891b030b38ab)
Signed-off-by: John Johansen <john.johansen@canonical.com>
