The open-coded readdirfd fn used to replace scandirat skipped
checks for memory allocation failures and cleaning on faulures,
fix this.
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 25f98537dbe46599d22949a92a814b0533d5a4d0)
The `scandirat` function is a nonstandard GNU extension, which opens a
directory relative to a file descriptor. musl libc does not implement
that function and thus cannot be used to compile libapparmor.
All our uses of `scandirat` directly scan the directory the file
descriptor is referring to, not any directory beneath the FD. Implement
a function `readdirfd()`, which gets as arguments the directory FD, the
location where to put the list of directory entries as well as a
function pointer to a comparing function. `readdirfd` will then scan all
directory entries except "." and ".." and return them via an allocated
array. The array is sorted in case the comparing function is set.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 259a4bad50a94ea9f9e3527652439f05b4982ebe)
Using stdin with --write-cache set results in
# apparmor_parser --show-cache --write-cache
Cache: added primary location '/var/cache/apparmor'
Warnung aus stdin (Zeile 1): Cache: added readonly location '/usr/share/apparmor/cache'
Warnung aus stdin (Zeile 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Cache miss: stdin
Wrote cache: /var/cache/apparmor/9b2cd0d0.0/(null)
The "Wrote cache:" message is referencing a null value and should not
be displayed.
BugLink: http://bugs.launchpad.net/bugs/1787717
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Timeout
Reported by darix on IRC, and also something I noticed in my own usage
of PHP.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/184
(cherry picked from commit e396f9dae9e217c977f34be84210268342c58de0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
set_profile_flags(): allow named profiles without attachment
See merge request apparmor/apparmor!142
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c66a1a972c511f75eca6bc6576104a0684dcd2b6)
0dca959c set_profile_flags(): allow named profiles without attachment
2.13: prevent that aa-complain etc. overwrites flags in child profiles if they differ from the main profile
See merge request apparmor/apparmor!185
Acked-by: John Johansen <john.johansen@canonical.com>
... instead of overwriting them with the flags of the main profile.
This fixes a longstanding issue with aa-complain, aa-enforce and
aa-audit which broke the flags of child profiles and hats if they
differed from the main profile.
It also fixes several issues documented in the tests (which obviously
need adjustment to match the fixed behaviour).
Also change the "no profile found" cases to AppArmorException - errors
in a profile are not worth triggering AppArmorBug ;-)
(cherry picked from commit b00aab0843803bfcfcc6e17109aed23e111a3c60)
All callers call change_profile_flags(), so it makes sense to test this
function instead of set_profile_flags().
Besides that, set_profile_flags() will be merged into
change_profile_flags() in the next commit ;-)
Note that this commit adds some '# XXX' notes to the tests. These will
be addressed in later commits.
(cherry picked from commit abd124c00d98dd4c548e79bf50af449768de240e)
This looks better than a comma without whitespace.
Also adjust minitools_test.py to follow this change.
(cherry picked from commit 4a021ec203f709f4320f683d2e81a22520136a08)
If the old flags are given as str (or None), call split_flags() to
convert them to a list.
This allows to simplify change_profile_flags() which now doesn't need to
call split_flags() on its own.
Also add some tests with a str for the old flags
(cherry picked from commit e80caa130ad716dcc2d1e75c192fb6ec6ee93935 +
conflict resolution)
... and change change_profile_flags() to use it instead of doing it
itsself
Also add some tests for split_flags()
Cherry-picked from ce7ea062c502da124106ec4bd6db28fef8f3709d + conflict
resolution
... instead of set_profile_flags() to keep possibly existing flags like
attach_disconnected.
Note that this function is unused (meant to be used with the
no-longer-existing profile repo), therefore nobody noticed that
set_profile_flags() was called with the wrong number of parameters ;-)
KIconLoader uses ~/.cache/icon-cache.kcache, and it is opened in
read-write mode. Because access to it does not seem to be critical, and
read-only mode is not used, rules for accessing this cache is added to
it's own new "write" abstraction, instead of making kde abstraction more
permissive by default.
(cherry picked from commit 94014c09f09fc63229bb10fea3f0727113fe5bae)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently, kde abstraction only allows reading
~/.config/klanguageoverridesrc file (by design). Some KDE applications
has option to change language for it's interface, and this needs write
access. This is fixed by introducing new abstraction.
(cherry picked from commit 7345f61e9c21b51c74974d18f5dc22bb81300f77)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently, kde abstraction only allows reading ~/.config/kdeglobals (by
design), though some applications might need to update it's contents
such as KFileDialog settings. This patch fixes it by introducing new
abstraction.
(cherry picked from commit fae93f1b6c7a28bb77ad186ab1de41372630272b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
I don't use dehydrated myself, therefore this is based on the comments
on https://build.opensuse.org/request/show/533380
(cherry picked from commit 2e8b9022488ccfd9e5f943a913793dd7dba2ab48)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When running aa-genprof in a lxd instance, printk_ratelimit is readonly
and writing to it fails. Instead of crashing with a backtrace, only
print a warning.
References: https://bugs.launchpad.net/apparmor/+bug/1785391
(cherry picked from commit 961e69afe5b77fd048411e995a397c67acfc1df9)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Each coverity command writes its debugging output to
cov-int/build-log.txt, which means that multiple runs of cov-build
overwrite previous logs, resulting in only the last invocation's output
remaining at the end of the build, making debugging why failures to
capture coverity output difficult. Fix this by renaming the build-log to
per-directory log files.
(This would still be an issue even if we had a single build command
for the entire tree, as capturing python and other interpreted
files requires a second invocation of cov-build to scan for those
file types.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/145
(cherry picked from commit fed101920b6fbc7700aaa1175b6dbf88abbf920f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When creating a new profile with aa-genprof, get_profile() searches for
an inactive ("extra") profile and, if it finds one, removes the filename
from that profile so that it gets stored in /etc/apparmor.d/ later.
However, it used .pop() to remove the filename, which explodes since
ProfileStorage is a class now.
This patch fixes this (tested manually).
PR: !140
(cherry picked from commit 73b33bdf366340f8a0578c506fdbbebe0bb395ef)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser config file can affect the parsers behavior during tests.
Allow overriding the default location with the option
--config-file=
the option must be the first option in the commands argument list.
Also provile a
--print-config-file
option to display what the parser is using for a config file.
BugLink: http://bugs.launchpad.net/bugs/1277711
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow /usr/local/lib/python3/dist-packages in abstractions/python
See merge request apparmor/apparmor!160
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 763a6787d829e200668e236e8393a8b898c90a93)
6a10f076 Allow /usr/local/lib/python3/dist-packages in abstractions/python
As Simon McVittie wrote, "if a specification or library creates extra caches, or
has .desktop files in a subdirectory, or anything like that, then I don't see
why we wouldn't want to allow reading those too".
As Simon McVittie <smcv@collabora.com> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:
"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.
The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.".
Bug-Debian: https://bugs.debian.org/865206
Python 3.7 was released yesterday - and to make the abstraction
future-proof, also cover 3.8 and 3.9 in advance ;-)
(cherry picked from commit 01f41fbff821be7264a4b0aac83ed04747395055)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/139/
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit b7a4f37cbbea5f708205c751156379079fa35747)
8462c39b parse_profile_start(): Error out on nested child profiles
The POSIX standard never defines the typedefs `comparison_fn_t` and
`__free_fn_t`, but they are provided by glibc and user in the parsing
code. Provide the typedefs ourselves to fix compiling on musl based
systems.
(cherry picked from commit 655d3e782661aa756a53b45b2235205f88e1e0d0)
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
The `secure_getenv` function is a non-POSIX compliant extension of
glibc. In contrast to the POSIX `getenv`, `secure_getenv` will return
`NULL` for all environment variables when the program is run with
escalated privileges due to an SUID or SGID bit. Some strictly
POSIX-compliant libc libraries, most notably musl libc, do not have this
function and do not wish to implement it. Thus, AppArmor cannot be
compiled on such systems.
In libapparmor, `secure_getenv` is only used to determine whether the
environment variable DEBUG_ENV_VAR has been set to enable debugging. In
case an unprivileged user runs a SUID/SGID executable linked against
libapparmor, we do not want that user to be able to get additional
information via debug output.
The fix here is to produce an error only in case where debug output is
enabled by defining ENABLE_DEBUG_OUTPUT. Otherwise, we simply define
`secure_getenv` to `NULL` to completely disable the debug output.
(cherry picked from commit 778176b9d84580f2e5a3be301ef9797b34ed69b9)
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
While the parser makes use of the `aa_policy_cache_add_ro_dir` function,
it is not being declared as a global function in the libapparmor.map
file. Due to this, dynamic linking of apparmor_parser with
libapparmor.so is not possible.
[Fixed up to use 2.13.1 symbol section as when the
`aa_policy_cache_add_ro_dir` was introduced -- @smb]
(cherry picked from commit 1506f2cf0e89b0a04154c64ec058ab0f5541692e)
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/107
write_pair() ignored the 'tail' parameter, which resulted in writing
invalid alias rules (without the trailing comma).
Also add an alias to test/cleanprof.* to ensure it doesn't break again.
(cherry picked from commit ae4ab628551afa4614cc7cb41daf1d5a67e417bb)
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/119
Writing a "link subset" rule missed a space, which resulted in something
like
link subset/foo -> /bar,
Also add a test rule to tests/cleanprof.* to ensure this doesn't break
again.
(cherry picked from commit 514535608f32590ed9e1c23931606bc7a66079ee)
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/117
Commit 63b7cb0660eb790678376436994595d9676b0ab0 (libapparmor: convert
multicache from using djb2 hashing to murmur3 hash) mistakenly added
PmurHash.h to the list of files generated by the build process and thus
should be removed when the 'maintainerclean' make target is invoked.
This fixes the issue by removing PmurHash.h from the list of generated
files.
(cherry picked from commit 9f2959482f4c5c19ff8ed414e8c6a8e0615a37f4)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/112
is_skippable_dir(): add 'cache.d' to exclude list
See merge request apparmor/apparmor!110
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 67d84c8959b60bfdee8a4b0db5c8a1546eb80380)
5b9497a8 is_skippable_dir(): add 'cache.d' to exclude list
The mount regression test passes MS_MANDLOCK to the mount(2) syscall in
the test program. When the kernel is configured without
CONFIG_MANDATORY_FILE_LOCKING set, attempting to mount a filesystem with
this option always fails with EPERM. To fix, convert the test program to
use the MS_NODEV option instead.
(cherry picked from commit 49ba6af2bf49be9eff89ce760cca60f33eb8e341)
Bug: https://bugs.launchpad.net/apparmor/+bug/1765025
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/109
The refactor unfortunately changed dirfd to fd on one mkdirat, but
fd is always invalid at this point resulting in the parser reporting
Failed setting up policy cache (../profiles/cache/): Bad file descriptor
(cherry picked from commit b08b327922a36d985c82f94c90a785fb4a909d29)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/103
