FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1622
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The tests on slower systems are occassionally timing out leading to
inconsistent pass/fail runs. The time out failure depending on which
test it occurs in can result in false passes, or failres.
Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.
Signed-off-by: John Johansen <john.johansen@canonical.com>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
The new image-garden snap offers a one-stop-shop for integration
testing, bundling qemu, spread and image-garden build recipes.
Extend the documentation, the run-spread.sh helper script as well as
spread.yaml to support this new method.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1588
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1617
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1620
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.sh and deleted.sh tests added expanded their
testing by using unix sockets. This however ever needs support of
unix socket mediation.
Provide a minimal fix by setting bailouts for the the tests if the
requirement is not present. Long term it would be better if the
expected/needed permissions sets could be tweaked to take into
account the permissions required by the use of unix sockets.
The fix f47d5c70a fix af_unix tests for v8 networking, was never
correct, though it worked and was closer before support for fine
grained inet mediation landed. Before finegrained inet mediation
landed unix rules would allow specifying the permission but inet would
not only allowing coarse socket mediation rules. While the backend
supported finegrained permissions in v8 socket mediation the parser
did not.
If af_unix mediation was not supported by the kernel the af_unix
mediation rule would be downgrade to a network rule. All network
socket rules allowed full permission because the parser didn't
support permissions on socket rules. So the "unix create," rule
was being downgraded to a "unix," rule. Thus the "unix create",
rule was enough permissions, in the downgrade even though it
actually wasn't enough permissions.
With support for fine grained inet permissions, support for permissions
on socket rules also landed. When this happend "unix create," was not
enough permissions any more because it was not downgraded to "unix,",
this resulted in failed mediation.
Fixes: cb4a397b1 ("tests: add attach_disconnected tests")
Fixes: f47d5c70a ("fix af_unix tests for v8 networking")
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1621
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.sh and deleted.sh tests added expanded their
testing by using unix sockets. This however ever needs support of
unix socket mediation.
Provide a minimal fix by setting bailouts for the the tests if the
requirement is not present. Long term it would be better if the
expected/needed permissions sets could be tweaked to take into
account the permissions required by the use of unix sockets.
The fix f47d5c70a fix af_unix tests for v8 networking, was never
correct, though it worked and was closer before support for fine
grained inet mediation landed. Before finegrained inet mediation
landed unix rules would allow specifying the permission but inet would
not only allowing coarse socket mediation rules. While the backend
supported finegrained permissions in v8 socket mediation the parser
did not.
If af_unix mediation was not supported by the kernel the af_unix
mediation rule would be downgrade to a network rule. All network
socket rules allowed full permission because the parser didn't
support permissions on socket rules. So the "unix create," rule
was being downgraded to a "unix," rule. Thus the "unix create",
rule was enough permissions, in the downgrade even though it
actually wasn't enough permissions.
With support for fine grained inet permissions, support for permissions
on socket rules also landed. When this happend "unix create," was not
enough permissions any more because it was not downgraded to "unix,",
this resulted in failed mediation.
Fixes: cb4a397b1 ("tests: add attach_disconnected tests")
Fixes: f47d5c70a ("fix af_unix tests for v8 networking")
Signed-off-by: John Johansen <john.johansen@canonical.com>
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: 1561 Added the ability to specify special a keyword to allow
detached mounts. Unfortunately it updated remount to use the device
and devbuffer when remounts current encoding doesn't support it.
This caused the mount.sh regression test to fail in the following
way.
```
$ sudo bash mount.sh
[sudo] password for jj:
using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap bind mount remount rprivate conflict)' was expected to 'pass'. Reason for failure 'FAIL: mount /tmp/sdtest.358520-12403-ASaOnn/mountpoint2 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
not supported by parser - skipping mount options=(nodirsync),
Error: mount failed. Test 'MOUNT (confined cap mount remount option)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount failed. Test 'MOUNT (confined cap mount remount)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount passed. Test 'MOUNT (confined cap mount remount deny option)' was expected to 'fail'
```
Revert the change to remount. This fixes the regression failure.
fa0746f2e parser: add special casing for detached move mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1618
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR: 1561 Added the ability to specify special a keyword to allow
detached mounts. Unfortunately it updated remount to use the device
and devbuffer when remounts current encoding doesn't support it.
This caused the mount.sh regression test to fail in the following
way.
```
$ sudo bash mount.sh
[sudo] password for jj:
using mount rules ...
Error: mount failed. Test 'MOUNT (confined cap bind mount remount rprivate conflict)' was expected to 'pass'. Reason for failure 'FAIL: mount /tmp/sdtest.358520-12403-ASaOnn/mountpoint2 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
not supported by parser - skipping mount options=(nodirsync),
Error: mount failed. Test 'MOUNT (confined cap mount remount option)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount failed. Test 'MOUNT (confined cap mount remount)' was expected to 'pass'. Reason for failure 'FAIL: mount /dev/loop40 on /tmp/sdtest.358520-12403-ASaOnn/mountpoint failed - Permission denied'
Error: mount passed. Test 'MOUNT (confined cap mount remount deny option)' was expected to 'fail'
```
Revert the change to remount. This fixes the regression failure.
fa0746f2e parser: add special casing for detached move mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
I propose this fix for 4.0, 4.1 and master. (Note: excluding `mount/ok_opt_86.sd` was added in !1561, so we either need to also backport this, or have to slightly adjust this MR for backporting.)
Closes#501
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1616
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
upsteam move_mount mediation now allows for a detached (disconnected)
mount to be move mounted into a namespace.
Add support for this by detecting 'detached' as a keyword for the
source/device and using it to create a null match. Because existing
mount encoding using a null separator between the mount terms null
match followed by the null seperator will separate detached mounts
within the existing encoding.
```
Eg.
mount detached -> /destination,
mount options=(ro) fstype=ext4 detached -> /destination,
```
This is functionally equivalent to using
```
mount "" -> /destination,
```
However using ```""``` does not provide any context that about what the rule is allowing or why so the ```detached``` form is preferred.
This is not a perfect solution, but is what can be currently supported
by the kernel without more LSM hooks.
On kernels that don't support detached mount detection, rules using
the detached source conditional will be ignored (never matched).
This encoding also allows the existing
```
mount,
mount options=(move),
mount options=(move) -> /destination,
```
to continue to work with both detached and regular mounts on kernels
that support the move_mount() syscall.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1561
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The tools are wrong in parsing the detached mount test.
Until that can be fixed, mark the tools as wrong.
Signed-off-by: John Johansen <john.johansen@canonical.com>
upsteam move_mount mediation now allows for a detached (disconnected)
mount to be move mounted into a namespace.
Add support for this by detecting 'detached' as a keyword for the
source/device and using it to create a null match. Because existing
mount encoding using a null separator between the mount terms null
match followed by the null seperator will separate detached mounts
within the existing encoding.
Eg.
mount detached -> /destination,
mount options=(ro) fstype=ext4 detached -> /destination,
This is functionally equivalent to using
mount "" -> /destination,
However using "" does not provide any context that about what the rule is allowing or why so the 'detached' form is preferred.
This is not a perfect solution, but is what can be currently supported
by the kernel without more LSM hooks.
On kernels that don't support detached mount detection, rules using
the detached souce conditional will be ignored (never matched).
This encoding also allows the existing
mount,
mount options=(move),
mount options=(move) -> /destination,
to continue to work with both detached and regular mounts on kernels
that support the move_mount() syscall.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Without the kernel patches in
https://lists.ubuntu.com/archives/apparmor/2025-March/013533.html
these tests will fail. This means spread ci for the majority of
kernels will fail.
Indeed disconnected paths failing in complain mode was always expected
behavior until the above kernel patches were posted.
Instead mark these patches as xpass, so spread CI can pass. These
tests will need to be updated to make them detect if the kernel
supports complain mode with disconnected paths.
Fixes: 089539cbf Merge regression: test complain-mode operations on disconnected paths in mounts
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1614
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Without the kernel patches in
https://lists.ubuntu.com/archives/apparmor/2025-March/013533.html
these tests will fail. This means spread ci for the majority of
kernels will fail.
Indeed disconnected paths failing in complain mode was always expected
behavior until the above kernel patches were posted.
Instead mark these patches as xpass, so spread CI can pass. These
tests will need to be updated to make them detect if the kernel
supports complain mode with disconnected paths.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Two fixes for the remmina profile so we can merge this
1. mknod is not currently an allowed permission. It has to be
downgraded to w
Do that with a note about how this needs to change in the future
2. The original fix adds direct references to peer=(label=unconfined)
Fix this to use a variable. So it will be easier to refactor and
update.
While doing it for the PMR also fixup the other direct unconfined
references.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Disconnected paths on lookups have caused actual permission denials, even
when the loaded profile is in complain mode. This is a test that causes
disconnections using mounts (both old and new API) and then verifies that
a complain mode profile doesn't prevent operations with disconnected fds.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1568
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Representative log lines from the [LaunchPad bug](https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098838):
```
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:621): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="netlink" sock_type="raw" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:622): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:623): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:624): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
However, regression potential remains for other setups (e.g. USB WiFi dongles), and we should maybe open up a discussion about when we want to target profiles into `apparmor.d` as opposed to `extras`.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1554
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
--configdir is meant for testing and should override all other configs,
instead of being combined with them. Config combination causes aa-notify
test failures if e.g. the user-local config sets filtering options.
Also supply a notify.conf file for exclusive use during testing.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1610
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:
feature_file contains (shortened for example purposes):
```
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
```
if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.
Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1608
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Both the unconfined profile and unprivileged_userns are part of the
default notify.conf, so the default fallback when no configurations are
present should also match this default.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1609
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
--configdir is meant for testing and should override all other configs,
instead of being combined with them. Config combination causes aa-notify
test failures if e.g. the user-local config sets filtering options.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Both the unconfined profile and unprivileged_userns are part of the
default notify.conf, so the default fallback when no configurations are
present should also match this default.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:
feature_file contains (shortened for example purposes):
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.
Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1607
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These are the default directory mounts used by Flatpak's system cache for mounting revokefs-fuse. Unfortunately, the new rules are quite broad, but we might not be able to do much better than that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1562
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
The original location of the error count checks in the middle of the priority function helper was completely nonsensical. We can instead do this check just once after running all the tests.
In addition, some tests in the priority helper don't use the priority variables at all, and are moved out of the helper to avoid repeating the exact same sequence of tests 16 times.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1604
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The original location in the middle of the priority function helper was
completely nonsensical. We can instead do this check just once after
running all the tests.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Fixes: https://bugs.launchpad.net/maas/+bug/2092232
In the lsblk profile, the rule responsible for allowing to read disks
over network was not generic enough to handle some cases, such as IBM
Power. The new rule, `@{sys}/devices/**/host@{int}/** r`, should support
all cases.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1606
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Alex <alexandre@pujol.io>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Fixes: https://bugs.launchpad.net/maas/+bug/2092232
In the lsblk profile, the rule responsible for allowing to read disks
over network was not generic enough to handle some cases, such as IBM
Power. The new rule, `@{sys}/devices/**/host@{int}/** r`, should support
all cases.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
If the following scenario was present in a profile, cleanprof
would fail with a RecursionError exception (maximum recursion
depth exceeded)
/parent { }
/parent///child { }
This occured because in aa.py, in the write_piece function, the
wrong depth was being passed, along with a wrong hat. The
formatting of the spaces was also incorrect.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1605
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
