The hwctl profile is being carried upstream, so we can keep it in
sync, but is being packaged from the regular profile set so that it
can be part of a package that is SRUed (ubuntu stable release update)
separate from the rest of apparmor, and its profiles.
Provide backwards compat with older parser to reduce the amount of
distro patching that is needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1705
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The hwctl profile is being carried upstream, so we can keep it in
sync, but is being packaged from the regular profile set so that it
can be part of a package that is SRUed (ubuntu stable release update)
separate from the rest of apparmor, and its profiles.
Provide backwards compat with older parser to reduce the amount of
distro patching that is needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
profiles make check was showing an error because
profiles/extras/abstractions didn't exist, so only include tests for
it if it exists. This commit also deduplicates the abstractions test.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1687
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
profiles make check was showing an error because
profiles/extras/abstractions didn't exist, so only include tests for
it if it exists. This commit also deduplicates the abstractions test.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionnaly read the shadow file. And with the previous
restriction, the binary has an access denied to the shadow which
blocks user authentications. Moreover the PAM changes is needed to fix
the CVE-2024-10041.
Giving the read caability to the unix-chkpwd profile allows it to
function properly. See bug report [1].
[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1685
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionnaly read the shadow file. And with the previous
restriction, the binary has an access denied to the shadow which
blocks user authentications. Moreover the PAM changes is needed to fix
the CVE-2024-10041.
Giving the read caability to the unix-chkpwd profile allows it to
function properly. See bug report [1].
[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
Allow gs to run from confined environment by explicitly allowing access
to /usr/bin/gs.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1684
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Creates an AA profile for ProFTPD. The profile has been tested on Oracular with version `1.3.8.b+dfsg-2ubuntu1`, using the source integration/unit tests and via FTP commands. As an FTP package any directory can be used for manipulating files. I've included read/write permissions to several usual locations located at the end of the profile. However these are too loose, any suggestions for how they could be tightened is much appreciated. Thanks!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1524
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Initial profile for review + extra descriptions to summarize why each rule / chunk is there.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1486
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
The current Transmission related profiles are set to complain mode. I've tested on Oracular `transmission-daemon` and `transmission` with the profile enforced with no denials have occurred. This MR removes the complain flag on these profiles.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1534
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
For now, also use a complain mode flag like with Xorg. However, it may be
possible for complain mode to be dropped from both in the future,
tightening confinement (especially since Xorg.wrap is setuid). A
complain-mode profile can still be useful for Xorg.wrap by giving it a
separate label.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1665
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Ryan Lee <rlee287@yahoo.com>
It doesn't seem to need a lot of rules, and I've tried running upstream test suite with this profile and it passed.
Signed-off-by: Allen Huang <allen.huang@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1660
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
For now, also use a complain mode flag like with Xorg. However, it may be
possible for complain mode to be dropped from both in the future,
tightening confinement (especially since Xorg.wrap is setuid). A
complain-mode profile can still be useful for Xorg.wrap by giving it a
separate label.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Add AA profile for ghostscript. This profile has been tested on the latest plucky gs version 10.05.0dfsg1-0ubuntu1 while the latest upstream version is 10.05.0. This profile limits file access (read and write) to specific file extensions, printer devices in /dev and directories in /tmp.
The profile has been tested against the regression test suite we use in Ubuntu and manually. Testing against devices has been performed in a limited fashion as I only have access to one usb printer.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1590
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Add AA profile for `nslookup`. This profile has been tested on the latest plucky `nslookup` version `9.20.4-3ubuntu1` (ultimately part of `dnsutils`). Functionality has been exercised as much as possible, including basic record lookups, querying specific DNS servers, performing reverse DNS lookups, querying a CNAME, querying an MX record, querying a txt record, querying a DNSSEC-related record, performing IPv4 & IPv6 lookups, and overriding to use a custom resolver. These tests were performed through command parsing and the interactive terminal mode. AFAIK, upstream does not have a test suite available for `nslookup`
Signed-off-by: john-breton <john.breton@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1619
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
- Tested with different flags manually
- apparmor.d also have a profile for `hostname` which includes `<abstractions/consoles>` but was not needed while testing for plucky
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1650
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Add AA profile for /usr/bin/locale. This profile has been tested on the latest plucky version of locale (Ubuntu GLIBC 2.41-6-ubuntu1). This profile prevents write access to any file, limits read access to all files necessary for locale to work and limits execution of any other file other than the compressors (gzip/bzip2), which are also limited by a specific subprofile..
The profile has been tested manually.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1646
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
See the comment for an explanation of why CAP_SYS_ADMIN was being checked and why it isn't actually necessary for setting ionice values for processes
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1683
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
`make check-parser` in profiles now verifies that all profiles allow at
least a read access to their attachment path.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
See the comment for an explanation of why CAP_SYS_ADMIN was being checked and why it isn't actually necessary for setting ionice values for processes
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
