Improve #LOGPROF-SUGGEST metadata to support a set of space-separated
regexes. If this tag is present, the abstraction is only proposed to
aa-logprof if one of the regexes is matched.
If this abstraction should not be proposed to any profile, it is
possible to tell #LOGPROF-SUGGEST: no
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Introduce aa-show-usage, a new helper allowing users to determine which
profiles on the system are used and which are not. A profile is marked as
used when at least one file installed on the machine matches the attach point
specified in the profile.
This tool supports filtering options, allowing users to, for example,
display only unconfined profiles that are currently in use. This can
notably help sysadmins to evaluate the security of their systems.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1612
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The new option --show-matching-path shows a path that matches in the host
filesystem, to prove that the profile is indeed used.
Also, profiles' xattrs are now parsed into a dict and are taken into
consideration when looking for matching profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
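As an added example (not the aa-show-usage code itself), the usage check described in the two commits above reduced to its core: translate a profile's attach-point glob into a regex (an assumed subset of AppArmor's globbing, not apparmor.aare), look for a matching installed path the way --show-matching-path reports one, and filter on a hypothetical 'unconfined' flag. The file listing and profiles are constructed.

```python
import re

def aare_to_regex(glob):
    """Translate an AppArmor attach-point glob into an anchored regex source.
    Assumed subset (not apparmor.aare): *, **, {a,b}, [...] and backslash escapes."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == '\\' and i + 1 < len(glob):            # escaped literal
            out.append(re.escape(glob[i + 1])); i += 2; continue
        if glob.startswith('**', i):                     # may span '/'
            out.append('.*'); i += 2; continue
        if c == '*':                                     # stays within one component
            out.append('[^/]*')
        elif c == '{':
            out.append('(?:'); depth += 1
        elif c == '}' and depth:
            out.append(')'); depth -= 1
        elif c == ',' and depth:
            out.append('|')
        elif c == '[' and ']' in glob[i + 1:]:           # copy a class through
            j = glob.index(']', i + 1)
            out.append(glob[i:j + 1]); i = j + 1; continue
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

def matching_path(attach, installed):
    """First installed path matching the attach point (what --show-matching-path
    would print), or None when the profile is unused."""
    rx = re.compile(aare_to_regex(attach))
    return next((p for p in installed if rx.fullmatch(p)), None)

def usage_report(profiles, installed, only_unconfined=False):
    """profiles: {name: (attach_point, flags)} -> {name: matching path or None}."""
    return {name: matching_path(attach, installed)
            for name, (attach, flags) in profiles.items()
            if not only_unconfined or 'unconfined' in flags}

# Constructed sample data standing in for a filesystem walk and parsed profiles.
INSTALLED = ['/usr/bin/gs', '/usr/sbin/proftpd', '/usr/lib/firefox/firefox',
             '/usr/bin/python3.12', '/snap/bin/foo']
PROFILES = {
    'gs':      ('/usr/bin/gs', set()),
    'proftpd': ('/usr/{bin,sbin}/proftpd', set()),
    'firefox': ('/usr/lib/firefox{,-esr}/firefox{,-bin}', {'unconfined'}),
    'legacy':  ('/opt/**/unused-tool', {'unconfined'}),
}
```

`usage_report(PROFILES, INSTALLED, only_unconfined=True)` is the "unconfined profiles currently in use" filter from the commit: a path means used, None means unused.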
Many tests provide their own implementation of cmd(). This commit makes
all of them rely on the common.py implementation of cmd().
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
The recent change to make CI pipeline build test images on a manual
trigger masks the outcome of the pipeline. Let's use the new inputs [1]
feature to allow manually triggering the pipeline with an explicitly
built image instead.
[1] https://docs.gitlab.com/ci/inputs/
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1700
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Zygmunt Krynicki <me@zygoon.pl>
The tools don't support having multiple options specified in mount
rules as it is allowed in the parser.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Having a `__pycache__` on check can result in all kinds of weird issues.
Notably, the test environment is currently clearing all environment variables,
including those responsible for keeping a reproducible build.
This is not immediately a problem for functionality,
but complicates downstream distribution in systems such as nix, where it is considered a bug [1].
It might also be possible to force determinism by exporting env vars instead:
```
DETERMINISTIC_BUILD=1
PYTHONHASHSEED=0
```
This forces a special mode on the pycache, where instead of a `moddate`,
it will then store a hash of the outputs [2].
This would be an alternative fix, but considering apparmor upstream does
not (yet) test for bit-reproducibility, it is likely too fragile here.
[1] https://github.com/NixOS/nixpkgs/issues/409032
[2] https://peps.python.org/pep-0552/
I understand AppArmor might or might not care about deterministic builds.
I was writing this patch for nixpkgs anyways, so I might as well try to
contribute it - whether it gets merged or not.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1697
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
We rely on a hack that avoids compressing and pushing the cache if it
has not really changed but it's worth adding links.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1695
Approved-by: Ryan Lee <rlee287@yahoo.com>
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
The current logic will only build spread images, for master (which uses
protected cache), when the .image-garden.mk or .gitlab-ci.yml files
change as compared to master. This is great IF they change and WHEN the
cache is hot but right now it seems that this is not the case and master
just has no protected cache.
Add a manual knob to run the one-off cache job whenever we want to.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1694
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
This relies on a documented hack that makes GitLab cache machinery
skip the upload if all of the cached files are missing in the tree.
This saves about a minute per pull request CI/CD run times the number of
images required for testing.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1691
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This fixes the long standing issue affecting caching of the image
between the image-* jobs and the spread-* jobs.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1690
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This way they can be automatically cancelled by GitLab when a new commit is pushed
to a merge request, thus providing feedback to the tip of the branch or pull request
more rapidly.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1689
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This allows having a locally-built apparmor tree while using spread to
test against other distributions.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1692
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
profiles make check was showing an error because
profiles/extras/abstractions didn't exist, so only include tests for
it if it exists. This commit also deduplicates the abstractions test.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1687
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Following the Security Technical Implementation Guide, it is better to
set the permissions to 0000 for the shadow file.
However, since PAM version 1.6.0, after this change [0], unix-chkpwd
will unconditionally read the shadow file. And with the previous
restriction, the binary is denied access to the shadow file, which
blocks user authentication. Moreover, the PAM change is needed to fix
CVE-2024-10041.
Giving the read capability to the unix-chkpwd profile allows it to
function properly. See bug report [1].
[0] - https://github.com/linux-pam/linux-pam/pull/686
[1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1685
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This is a set of small tweaks to the merged rule interface window:
- don't specify font or size when setting bold
- improve message around unknown profiles
- add a custom message for snap profile
- output tktheme missing message, to help users identify they can improve the interface when started manually
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1529
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Snap policy is a special case of the unknown profile. Give the user
a slightly better message for these messages.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The current notification can be confusing, in that it can present a
profile followed by a list of rules that can't be selected.
Explicitly state that the Unknown profile can't be modified so the user
has some indication that not being able to select the shown rules is
expected.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Instead of specifying the font type and size, which will not work for
all display configurations, use the default BOLD font that tkinter
supplies.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow gs to run from confined environment by explicitly allowing access
to /usr/bin/gs.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1684
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Creates an AA profile for ProFTPD. The profile has been tested on Oracular with version `1.3.8.b+dfsg-2ubuntu1`, using the source integration/unit tests and via FTP commands. As an FTP package, any directory can be used for manipulating files. I've included read/write permissions to several usual locations at the end of the profile. However, these are too loose; any suggestions for how they could be tightened are much appreciated. Thanks!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1524
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>