mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 22:05:27 +00:00
Code Issues Releases Wiki Activity
6,890 Commits 23 Branches 113 Tags
b7f9b66cba3e632aedba3f31fb296bfe88020512
Commit Graph

6890 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Georgia Garcia
b7f9b66cba Merge gitlab-ci.yml: fix pipeline for ubuntu:latest (noble) 
Since we are using ubuntu:latest, and noble was released, some tests
are failing.

shellcheck needs python3 to run, which was possibly installed by
default in previous ubuntu images and is no longer the case.

Ignore dist-packages python files during our coverage tests.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Closes #388
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1223
Merged-by: Steve Beattie <steve+gitlab@nxnw.org>


(cherry picked from commit 8c9ac7a84e)

731880de gitlab-ci.yml: fix pipeline for ubuntu:latest (noble)
aaad725a apparmor.systemd: fix shellcheck false positive

Co-authored-by: Steve Beattie <steve+gitlab@nxnw.org>
 2024-05-02 13:37:53 +00:00
John Johansen
6d1e5dbbe6 Merge profiles: add fixes for samba from issue #386 
Signed-off-by: Alex Murray <alex.murray@canonical.com>

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 1457eada8b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-23 07:36:08 -07:00
John Johansen
f1173379ff Merge Fix redefinition of _ 
... which unsurprisingly broke using the translations.

This was a regression introduced in 4f51c93f9d

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387

This fix is needed in 4.0 and master. (3.x branches are not affected.)

Closes #387
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1218
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 79226675fd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-22 16:42:13 -07:00
John Johansen
b0eb95457b Prepare for AppArmor 4.0.1 release 
AppArmor 4.0.1 will be the official release superseding the 4.0.0 tag
the only change being it adds a regression test for CVE-2016-1585

- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.0.1 		2024-04-11 20:59:30 -07:00
John Johansen
5ad4efec50 Merge regression tests: add mount test for CVE-2016-1585 
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is

  mount options=(rw,make-slave) -> **,

to try to ensure that the generated and enforced policy is restricted to
what is intended.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 93c4c6fb9f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:58:31 -07:00
John Johansen
a635a86e1d Prepare for AppArmor 4.0 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.0.0 		2024-04-11 20:55:33 -07:00
John Johansen
c8e25e4689 Merge parser: add network inet mediation documentation to apparmor.d 
This updates the man page for the recent inet mediation patch.

This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit.

This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ab9e6311f3)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:54:23 -07:00
John Johansen
68dd052873 Merge parser: inet conditionals should only generate rules for inet family 
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.

When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/384
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Closes #384
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1210
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit a0acf7785d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:53:41 -07:00
John Johansen
4cef932170 Merge profiles: add unconfined wike profile 
Wike (deb package/compiled version) does not run in Ubuntu 24.04
due to some interference between apparmor and webkit.

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1212
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3c43c314dc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:53:30 -07:00
John Johansen
8108a217a3 Merge profiles: add unconfined foliate profile 
Foliate is using user namespaces via bwrap. For now add an unconfined
profile to support it.

Fixes: https://github.com/johnfactotum/foliate/issues/1271
Fixes: https://bugs.launchpad.net/bugs/2060767
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 0aa689dbf7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:53:10 -07:00
John Johansen
2284e99613 Merge Updates to the chromium_browser profile 
This is a retargeting of [my MR in apparmor-profiles](https://gitlab.com/apparmor/apparmor-profiles/-/merge_requests/58).

The most significant change is the addition of a `crashpad_handler` subprofile, to factor out some permissions that the browser proper does not need. The remainder is mostly updates from my normal usage monitoring.

I have recorded below examples of the AppArmor log messages that motivated the updates. They are listed in the order in which they appear in the overall diff:

#### +abstractions/fonts
`Jun 30 16:45:42 testvm kernel: [ 4956.877581] audit: type=1400 audit(1688157942.647:127): apparmor="DENIED" operation="mknod" profile="chromium_browser" name="/home/username/.cache/fontconfig/af531e44-9f34-43fa-a244-e0ea9a6dc5f1-le64.cache-7.TMP-VbjHEy" pid=2136 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`

#### +abstractions/mesa
`May 30 21:08:36 testvm kernel: [ 9893.605107] audit: type=1400 audit(1685495316.380:1708): apparmor="ALLOWED" operation="file_lock" profile="chromium_browser" name="/home/username/.cache/mesa_shader_cache/6b/ce9f90908044cb4d4dabc34d81bf24b2fbda0a.tmp" pid=5879 comm="chromiu:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000`

#### +abstractions/vulcan
`May 30 22:35:36 testvm kernel: [1544761.278181] audit: type=1400 audit(1685500536.387:22272): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt_min_freq_mhz" pid=963194 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### -deny dbus path=/org/freedesktop/hostname1
`Jun 13 19:16:35 image-ubuntu64 kernel: [78978.711877] audit: type=1107 audit(1686698195.982:2339): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.369" pid=17766 label="chromium_browser" peer_pid=17975 peer_label="unconfined"`

#### +dbus path=/org/freedesktop/login1
`Jun 12 21:45:36 testvm kernel: [ 1518.318643] audit: type=1107 audit(1686620736.127:67): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionNew" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"`

`Jun 12 21:40:03 testvm kernel: [ 1185.247117] audit: type=1107 audit(1686620403.059:66): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionRemoved" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"`

#### +dbus path=/org/freedesktop/DBus
`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="GetNameOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="NameHasOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RemoveMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

`Jun  2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`

#### +dbus path=/org/freedesktop/portal/desktop
`Jun  2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/portal/desktop" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.portal.Desktop" pid=34637 label="chromium_browser" peer_pid=10595 peer_label="unconfined"`

#### +dbus path=/org/freedesktop/Notifications
`Jun  2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetCapabilities" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"`

`Jun  2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetServerInformation" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"`

#### +dbus path=/org/gtk/vfs/mounttracker
`Jun  2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.9" pid=34637 label="chromium_browser" peer_pid=10331 peer_label="unconfined"`

#### +/etc/fstab
`Jun 19 00:12:34 testvm kernel: [3192175.541293] audit: type=1400 audit(1687147954.193:127452): apparmor="DENIED" operation="open" profile="chromium_browser" name="/etc/fstab" pid=1541844 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`

#### +~/.cache/thumbnails
`Jun 28 14:31:34 testvm kernel: [4021314.484388] audit: type=1400 audit(1687977094.903:128621): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="pool-chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`

`Jun 28 14:31:34 testvm kernel: [4021314.484975] audit: type=1400 audit(1687977094.903:128622): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`

#### -/proc/$PID/fd/
This rule appears to have been used by the crash handler, so I've moved it to the new `crashpad_handler` subprofile. I have not observed the normal browser process(es) attempting this access.

#### +/proc/pressure/{cpu,io,memory}
`May 30 22:44:26 testvm kernel: [1545291.245886] audit: type=1400 audit(1685501066.352:22355): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/cpu" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`

`May 30 22:44:26 testvm kernel: [1545291.245903] audit: type=1400 audit(1685501066.352:22356): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/io" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`

`May 30 22:44:26 testvm kernel: [1545291.245912] audit: type=1400 audit(1685501066.352:22357): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/memory" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`

#### +/proc/$PID/clear_refs
`May 30 18:32:55 testvm kernel: [  552.316554] audit: type=1400 audit(1685485975.161:305): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/1950/clear_refs" pid=1950 comm="MemoryInfra" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000`

#### +/proc/$PID/mountinfo
`Jun 19 00:12:34 testvm kernel: [3192175.541221] audit: type=1400 audit(1687147954.193:127451): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/1541844/mountinfo" pid=1541844 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`

#### +/proc/sys/fs/inotify/max_user_watches
`May 30 18:32:26 testvm kernel: [  523.274479] audit: type=1400 audit(1685485946.109:288): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/sys/fs/inotify/max_user_watches" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### +/sys/devices/system/cpu/{kernel_max,possible,present}
`May 30 18:32:26 testvm kernel: [  523.287063] audit: type=1400 audit(1685485946.125:290): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/kernel_max" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`May 30 18:32:26 testvm kernel: [  523.287107] audit: type=1400 audit(1685485946.125:291): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/possible" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`May 30 18:32:26 testvm kernel: [  523.287607] audit: type=1400 audit(1685485946.125:297): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/present" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### +/sys/devices/pci[0-9]*/**/{bConfigurationValue,boot_vga,busnum}
`2023-07-03T04:40:49.955727-04:00 testsys kernel: [28353.647821] audit: type=1400 audit(1688373649.948:152): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/bConfigurationValue" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`Jul  4 00:10:52 testvm kernel: [  405.584960] audit: type=1400 audit(1688443852.472:148): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" pid=2057 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2023-07-03T04:40:49.955731-04:00 testsys kernel: [28353.647923] audit: type=1400 audit(1688373649.948:153): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/busnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### +/sys/devices/pci[0-9]*/**/{descriptors,devnum}
`2023-07-02T21:29:22.067669-04:00 testsys kernel: [ 2465.760458] audit: type=1400 audit(1688347762.063:71): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.0/usb2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2023-07-02T21:29:22.071708-04:00 testsys kernel: [ 2465.762364] audit: type=1400 audit(1688347762.067:75): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2023-07-02T21:29:22.071721-04:00 testsys kernel: [ 2465.763437] audit: type=1400 audit(1688347762.067:78): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-6/1-6.3/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2023-07-03T04:40:49.955736-04:00 testsys kernel: [28353.648042] audit: type=1400 audit(1688373649.948:154): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/devnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### +/sys/devices/pci[0-9]*/**/{manufacturer,product}
`2023-07-03T04:40:49.955694-04:00 testsys kernel: [28353.647497] audit: type=1400 audit(1688373649.948:150): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/manufacturer" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`2023-07-03T04:40:49.955721-04:00 testsys kernel: [28353.647661] audit: type=1400 audit(1688373649.948:151): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/product" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### +/sys/devices/pci[0-9]*/**/serial
(lost the log entry for this one)

#### +deny /sys/devices/virtual/dmi/id/*
`May 30 18:38:58 testvm kernel: [  915.363204] audit: type=1400 audit(1685486338.202:390): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

`May 30 18:38:58 testvm kernel: [  915.363521] audit: type=1400 audit(1685486338.202:391): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/product_name" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

These sysfs paths yield the make and model of your system, so their access is questionable from a privacy perspective.

#### +{dev,var/run} in shm paths
Can't be replaced with `@{run}` as this does not include `/dev`.

#### +ptrace (read)
`May 31 04:47:35 testvm kernel: [1567080.438164] audit: type=1400 audit(1685522855.581:124669): apparmor="DENIED" operation="ptrace" profile="chromium_browser" pid=1145702 comm="ThreadPoolForeg" requested_mask="read" denied_mask="read" peer="chromium_browser//xdgsettings"`

Figured I'd add read access proactively to `lsb_release` as well. Holding back on adding it to self for now.

#### /etc/@{chromium}/policies/** -> /etc/@{chromium}/**
`May 30 21:25:44 testvm kernel: [10922.020981] audit: type=1400 audit(1685496344.792:2031): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/etc/chromium/master_preferences" pid=6465 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`

#### Note: "~/.pki/... denied by private-files abstraction"
`May 30 21:29:13 testvm kernel: [11130.436441] audit: type=1400 audit(1685496553.206:2105): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`

`May 30 21:29:13 testvm kernel: [11130.437992] audit: type=1400 audit(1685496553.206:2106): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/nssdb/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`

Something else will need to create these directories.

#### +Widevine
`May 31 04:46:52 testvm kernel: [1567036.849155] audit: type=1400 audit(1685522811.993:124665): apparmor="DENIED" operation="file_mmap" profile="chromium_browser" name="/home/username/.config/chromium/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=1145723 comm="chromium" requested_mask="m" denied_mask="m" fsuid=1002 ouid=1002`

#### +GVfs
`Jun 13 19:16:35 testvm kernel: [78978.537455] audit: type=1400 audit(1686698195.810:2337): apparmor="DENIED" operation="connect" profile="chromium_browser" name="/run/user/1000/gvfsd/socket-EpT3MyPP" pid=17766 comm="chromium" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000`

#### +/lib/libc.so
`May 30 18:02:25 testvm kernel: [  868.340300] audit: type=1400 audit(1685484145.031:80): apparmor="ALLOWED" operation="open" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`

`May 30 18:02:25 testvm kernel: [  868.340363] audit: type=1400 audit(1685484145.031:81): apparmor="ALLOWED" operation="file_mmap" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0`

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1208
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit a1afe3265c)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:52:32 -07:00
John Johansen
f763c44cd0 Merge Add profiles for the Transmission family of Bittorrent clients 
This covers the various forms of the Transmission BT client. I've tested the `-gtk` one most thoroughly, and run through an ISO download with each of the other three.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1190
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 30a45ba82f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-11 20:51:32 -07:00
John Johansen
1d36e1f196 Prepare for AppArmor 4.0 beta4 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.0.0-beta4 		2024-04-08 03:21:40 -07:00
John Johansen
22ee6c19bc Merge profiles: disable bwrap and unshare profiles by default 
The bwrap and unshare profiles are special profiles in the same
vein as the unconfined profiles but they actual enforce restrictions
on the applications that are launched.

As such they have come to late in the 4.0 dev cycle to consider enabling
by default. Disable them but ship them so users or distros can easily
enable them.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/382
Signed-off-by: John Johansen <john.johansen@canonical.com>

Closes #382
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1206
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 41d4664124)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-08 00:17:10 -07:00
John Johansen
6198edb3d0 Merge profiles: Add profile for unshare utility 
This adds an unshare profile to allow it to function on a system
with user namespace restrictions enabled.

The child task of unshare will enter into a profile without capabilities
thus preventing unshare from being able to be used to
arbitrarily by-pass the user namespace restriction.

This profile does prevent applications launch with privilege (eg.
sudo unshare ...) from functioning so it may break some use cases.

Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1204
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2d59dc3d9b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 22:45:10 -07:00
John Johansen
4d2a171466 Merge profiles: Add profile for bwrap utility 
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.

The child task of bwrap will enter into a profile without capabilities
thus preventing bwrap from being able to be used to arbitrarily
by-pass user namespace restrictions.

This profile does prevent applications launch with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.

Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwraps uses of no-new-privileges.

Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1205
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b6f2a3d9d2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 22:44:49 -07:00
John Johansen
e88cf3cd02 Merge profiles: adjust unconfined firefox profile to support mozilla.org download 
The version of tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.

Note this does not support running firefox from the users home directory
in this case the user must update the profile accordingly.

Signed-off-by: John Johansen <john.johansen@canonical.com>

Fixes: https://bugs.launchpad.net/bugs/2056297
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1203
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 2dfe6aeec2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 22:39:58 -07:00
John Johansen
6f856dfee3 Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS} 
# abstractions/samba: allow /etc/gnutls/config

Various samba components want to read it. Without it, shares cannot be accessed.

    apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}

Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.

    apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5998a0021a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 14:15:52 -07:00
John Johansen
a6d8171bd6 Merge parser: fix getattr and setattr perm mapping on mqueue rules 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/377
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/378
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1197
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 88ec709aac)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:32:32 -07:00
John Johansen
26e7249f44 Merge tests: fix inet tests 
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/376
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1192
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 01fcce41dc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:30:59 -07:00
John Johansen
117d0cc444 Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04 
Testing on noble turned these up:

`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`

`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`

Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 3aa40249cf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:29:31 -07:00
Georgia Garcia
1c7127d30d Merge utils: allow mount destination globbing 
The abstraction lxc/start-container shipped by the liblxc-common
package uses the following mount rule which was not allowed by our
regexes:

  mount options=(rw, make-slave) -> **,
  mount options=(rw, make-rslave) -> **,

Since in AppArmor regex ** includes '/' but * by itself doesn't, I'm
adding explicit support for **.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/381
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1195
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit e96fdc0f5b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:23:43 -07:00
Christian Boltz
d111ddcc21 Merge firefox: allow locking of *.sqlite-shm files in user cache area 
Noticed a bunch of these after a Firefox 124.0 upgrade:

`Mar 25 22:08:27 darkstar kernel: [598271.991739] audit: type=1400 audit(1711418907.493:27323): apparmor="DENIED" operation="file_lock" profile="firefox" name="/home/username/.cache/mozilla/firefox/deadbeef.default/suggest.sqlite-shm" pid=2855447 comm=4267494F5468727E6F6C2023333530 requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000`

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/380
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1193
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 14572d9581)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:18:24 -07:00
John Johansen
fa26623e6d Merge Move pam-related permissions to abstractions/authentication 
... instead of keeping them in the smbd profile.

For details, see c09f58a364 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12

Also replace /usr/etc/ with @{etc_ro} to that also /etc/ is covered.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f334884787)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-04-03 02:14:16 -07:00
John Johansen
451bb8b235 Merge profiles: add unconfined profile for tuxedo-control-center 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1187
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-18 23:29:01 +00:00
John Johansen
6e46631b6f Merge parser: fix issues appointed by coverity 
Fix issues introduced in coverity's snapshots 75887, 70858 and 75429.
- CID 353483: Uninitialized pointer field (UNINIT_CTOR)
- CID 349572: Unsigned compared against 0 (NO_EFFECT)

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1188
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-18 23:27:59 +00:00
Georgia Garcia
f9527d2113 parser: fix issues appointed by coverity 
Fix issues introduced in coverity's snapshots 75887, 70858 and 75429.
- CID 353483: Uninitialized pointer field (UNINIT_CTOR)
- CID 349572: Unsigned compared against 0 (NO_EFFECT)

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-18 10:36:56 -03:00
Georgia Garcia
9dc2f48773 profiles: add unconfined profile for tuxedo-control-center 
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-18 09:17:51 -03:00
John Johansen
2fc80487f7 Prepare for AppArmor 4.0 beta3 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
v4.0.0-beta3 		2024-03-17 00:55:14 -07:00
John Johansen
c87969b37c Merge profiles: Add more unconfined profiles 
This adds the remaining set of unconfined profiles, from the set listed
in https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844

Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1186
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-17 07:27:49 +00:00
John Johansen
b68bb18860 Merge network: several fixes 
This patchset includes several fixes for the inet mediation.

Fixes: https://gitlab.com/apparmor/apparmor/-/issues/374
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1183
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-17 07:22:24 +00:00
John Johansen
c47789340a Merge add unconfined profiles for geary, loupe and firefox dev versions 
These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Bug: https://bugs.launchpad.net/bugs/2046844

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1185
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-17 07:18:03 +00:00
John Johansen
e23a3eeba5 profiles: Add more unconfined profiles 
This adds the remaining set of unconfined profiles, from the set listed
in https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844

Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2024-03-17 00:16:37 -07:00
Georgia Garcia
d0fadc48cf tests: add missing rules to the inet/inet6 mediation tests 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 18:24:19 -03:00
Georgia Garcia
aec3f3b22c add unconfined profiles for geary, loupe and firefox dev versions 
These applications need to use user namespaces, hence it needs an
unconfined profile when user namespaces are restricted from unconfined
like other applications in MR #1123

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead
of unconfined to peers in policy.

Bug: https://bugs.launchpad.net/bugs/2046844

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 17:44:23 -03:00
Georgia Garcia
101651c88f parser: fix af_inet feature from network to network_v8 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 16:38:10 -03:00
Georgia Garcia
efc2ec5fdd parser: fix cmp function for network rules 
The network cmp function was missing the new attributes added, causing
rules to be dropped.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 16:38:10 -03:00
Georgia Garcia
b01b9895e7 parser: add ability to specify anonymous ip 
If anonymous ip is specified, then the port will match anything.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 16:38:10 -03:00
Georgia Garcia
a0a0c88d9e parser: generate all ip options when ip is not specified 
When the ip is not specified, then we should generate rules for ip
types: anonymous, ipv4 and ipv6. And that's the case for both local
and peer when considering recv and send permissions.

std::ostringstream does not have a copy constructor, that's why in
several places one can see streaming the string of one stream into
another.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 10:33:33 -03:00
Georgia Garcia
63676459c4 parser: encode create permission separately from the others 
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 10:33:33 -03:00
Georgia Garcia
9ed04cb01e parser: introduce network label attribute 
We want to be able to determine label in the future and build the
policy dfa based on its presence or not.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 10:33:33 -03:00
Georgia Garcia
2a885872a3 parser: ip size encoding should be an enum, not the ip size 
According to the protocol expected by the kernel, the field
representing the ip size should be an enum instead of the actual ip
size. This is more future-proof.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 10:33:33 -03:00
Georgia Garcia
989501428e parser: initial steps into encoding protocol properly 
Before the inet patches, protocol was not handled, so the information
was ignored. This patch introduces the ability to start mediating
protocol.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-15 10:33:33 -03:00
John Johansen
25f21a0758 Merge libraries/libapparmor: fix syntax in configure 
We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn
a subshell for it which gives:
```
./configure: 14770: EXTRA_WARNINGS: not found
checking whether C compiler accepts -flto-partition=none... yes
```

We can either use ${} or just $ (style). Use $ to be consistent with other
uses in the file.

Signed-off-by: Sam James <sam@gentoo.org>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1184
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-15 04:05:15 +00:00
Sam James
022af9c528 libraries/libapparmor: fix syntax in configure 
We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn
a subshell for it which gives:
```
./configure: 14770: EXTRA_WARNINGS: not found
checking whether C compiler accepts -flto-partition=none... yes
```

We can either use ${} or just $ (style). Use $ to be consistent with other
uses in the file.

Signed-off-by: Sam James <sam@gentoo.org>
 2024-03-15 02:36:12 +00:00
John Johansen
9a1838016c Merge Allow pam_unix to execute unix_chkpwd 
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itsself. Add exec permissions to abstraction/authentication.

It also needs to read /proc/@{pid}/loginuid

Also cleanup the now-superfluous rules from the smbd profile.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2024-03-14 21:09:59 +00:00
Christian Boltz
f4c19acfba Merge MountRule: Fix _is_covered_localvars 
If `fstype==None`, `_is_covered_localvars` would trigger an exception.

This is fixed and a new testcase is added.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1182
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
 2024-03-14 12:46:01 +00:00
Maxime Bélair
dac9d08764 MountRule: Fix _is_covered_localvars 2024-03-14 12:46:01 +00:00
Christian Boltz
243162ca29 Allow pam_unix to execute unix_chkpwd 
Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading
/etc/shadow itsself. Add exec permissions to abstraction/authentication.

It also needs to read /proc/@{pid}/loginuid

Also cleanup the now-superfluous rules from the smbd profile.

Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139
 2024-03-13 23:13:19 +01:00
Georgia Garcia
ae978c1953 Merge Fix test-aa-notify on openSUSE Tumbleweed (new 'last') 
The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the
`-1` option.

Remove it, and cut off the output manually.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
 2024-03-12 18:54:35 +00:00