... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'fstype' was kept, and the others were lost when writing
the rule.
... and adjust the tools to raise an exception if such a rule is found.
While this is not nice, it's better than the previous behaviour where
only the last 'options' was kept, and the others were lost when writing
the rule.
Note: If multiple fstype= or options= are given, this is not detected as
an error (to keep the regex simpler). When writing back such a rule,
only one fstype and options will "survive".
Adjust the exclude list in test-parser-simple-tests.py accordingly:
- several valid mount rules no longer fail
- two invalid mount rules which so far accidentally raised an exception
because of the fstype/options order no longer raise this exception
(conflicting mount options, which are the real reason why these rules
are invalid, are not detected in the tools)
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/501
The tools are wrong in parsing the detached mount test.
Until that can be fixed, mark the tools as wrong.
Signed-off-by: John Johansen <john.johansen@canonical.com>
--configdir is meant for testing and should override all other configs,
instead of being combined with them. Config combination causes aa-notify
test failures if e.g. the user-local config sets filtering options.
Also supply a notify.conf file for exclusive use during testing.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1610
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Both the unconfined profile and unprivileged_userns are part of the
default notify.conf, so the default fallback when no configurations are
present should also match this default.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Fixes https://bugs.launchpad.net/apparmor/+bug/2106033
Improve the validation of AARE file paths by introducing a new regex
that supports paths starting with '{' (e.g. '{/,/org/freedesktop/DBus}').
These paths are notably used in snap.lxd.* profiles.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1607
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
These are the default directory mounts used by Flatpak's system cache for mounting revokefs-fuse. Unfortunately, the new rules are quite broad, but we might not be able to do much better than that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1562
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
If the following scenario was present in a profile, cleanprof
would fail with a RecursionError exception (maximum recursion
depth exceeded)
/parent { }
/parent///child { }
This occurred because in aa.py, in the write_piece function, the
wrong depth was being passed, along with a wrong hat. The
formatting of the spaces was also incorrect.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1605
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Profiles that are defined like below did not have the parent attribute
set in profile storage:
/parent///child {}
The condition on which child profiles were written was also changed so
they are not removed from the profile if /parent does not exist.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit c9d41a3ebb introduced a regression on profile header
generation.
This commit removes the name parameter from the get_header function
since the ProfileStorage should already contain all the information
required to generate the header for profiles and hats. The tests
needed to be updated as well to make sure the ProfileStorage object
contained the information needed by the get_header method.
Fixes: c9d41a3ebb ("utils: fix profile and hat header generation")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The header was being generated incorrectly in 2 cases:
When the profile/hat contained the parent profile in its name, as in
profile firefox//dash {
hat ^firefox//dash {
and in the unit tests, the child profile or hat was being named as the
parent profile. This was not caught by the general case because the
code has not yet been fully adapted to handle multiple nested child
profiles.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/493
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
When doing testing via LXD VMs and in particular when using "lxc exec" to run
commands in the VM, there is no controlling tty and so the output of last is
missing this column of data. Instead try even harder to parse the timestamp from
the output of "last".
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1582
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Add quotes if a mount source or mountpoint includes whitespace.
Also explicitly handle empty mount source (known from
1f33fc9b29c174698fdf0116a4a9f50680ec4fdb)
As usual, some tests can't hurt ;-)
I propose this fix for 4.0..master
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1573
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
* Make glob_pattern more readable
- replace filename and variable regex parts with RE_PROFILE_PATH_OR_VAR
- split to multiline string
* Move `[\w-]+` into inner match group by removing/moving the ')' after the empty source.
* Prepare source_fileglob_pattern and dest_fileglob_pattern to be customizable by moving the addition of the closing ')))' into each of them.
* Allow empty source and any word only in mount source
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1574
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.ipc flag allows the use of disconnected paths
on posix mqueues. This flag is a subset of attach_disconnected, and it
does not allow disconnected paths for all files.
The corresponding kernel patch needed to test this is in https://gitlab.com/georgiag/apparmor-kernel/-/tree/mqueue-ext
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1577
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When running aa-disable and then aa-enforce passing the binary path as
the argument, aa-enforce fails to enforce the profile with the error:
$ sudo aa-disable /home/foo/test
skipping disabled profile test
Profile for /home/foo/test not found, skipping
According to the man page for aa-enforce, it should work for disabled
profiles.
Note that this does not happen when passing the profile directly to
the tools, so there's a workaround for this issue:
$ sudo /aa-enforce /etc/apparmor.d/test
Setting /etc/apparmor.d/test to enforce mode.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... by removing/moving the ')' after the empty source.
Also prepare source_fileglob_pattern and dest_fileglob_pattern to be
customizable by moving the addition of the closing ')))' into each of them.
First expand nested `(...)` in glob_pattern. This duplicates a few bytes, but makes the regex easier to read.
With that done, allow `-` in glob_pattern.
One of the possible matches in glob_pattern was `\w+` which matched for example `none`.
However, it doesn't match `revokefs-fuse` because of the `-`. Therefore change `\w+` to `[\w-]+`.
While on it, add two more tests - one for `none` with some options, and one with `revokefs-fuse`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1565
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
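As an added example (not the apparmor.d utils' own regex or code), a simplified parser for the fstype= and options= conditions of a mount rule: its value class is `[\w-]+`, so `none` and `revokefs-fuse` both match as discussed above, and, unlike the tools as described in the earlier fstype/options note, it rejects a rule that repeats fstype= or options= instead of keeping only the last value on write-back. Conditions are accepted in either order; the sample rules are constructed.

```python
import re

# Added example, not the AppArmor utils' own regex: a simplified parser for
# the fstype= and options= conditions of an apparmor.d mount rule. The value
# class is [\w-]+ so that fs types such as `none` and `revokefs-fuse` match,
# and a repeated fstype= or options= raises instead of silently keeping only
# the last one when the rule is written back.
RE_MOUNT_COND = re.compile(
    r'\b(?P<key>fstype|options)\s*=\s*'
    r'(?:\((?P<list>[^)]*)\)|(?P<single>[\w-]+))'
)


class DuplicateMountCondition(ValueError):
    """A mount rule gave fstype= or options= more than once."""


def parse_mount_conditions(rule):
    """Return {'fstype': [...], 'options': [...]} for the conditions in rule.

    Conditions may appear in any order (fstype before or after options).
    A value is either a single word or a parenthesised, comma- or
    space-separated list.
    """
    if not rule.lstrip().startswith('mount'):
        raise ValueError('not a mount rule: %r' % rule)
    found = {}
    for m in RE_MOUNT_COND.finditer(rule):
        key = m.group('key')
        if key in found:
            raise DuplicateMountCondition(
                '%s= given more than once in %r' % (key, rule))
        raw = m.group('list')
        if raw is None:
            raw = m.group('single')
        found[key] = [v for v in re.split(r'[,\s]+', raw.strip()) if v]
    return found


def check_rules(rules):
    """Return the rules whose conditions would be lost on write-back."""
    bad = []
    for rule in rules:
        try:
            parse_mount_conditions(rule)
        except DuplicateMountCondition:
            bad.append(rule)
    return bad


if __name__ == '__main__':
    # constructed sample rules
    print(parse_mount_conditions(
        'mount fstype=revokefs-fuse options=(ro, nosuid) -> /var/lib/flatpak/**,'))
    print(check_rules(['mount fstype=ext4 fstype=xfs,', 'mount fstype=ext4,']))
```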
The utils should be able to skip profiles that it can't parse now,
so this test suite bypass mechanism should no longer be necessary.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Since all the tools that load profiles go through the same module, this should
be sufficient as a first pass.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This will allow the other tools to continue working on other profiles, even
if some of them use syntax that the utils currently can't handle.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The utils cannot parse some of the newer profile constructs yet, so
generalize a pre-existing mechanism for skipping profiles so that it can be used in the other tests that need it.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This imports translations from launchpad up to commit
revno: 2523
committer: Launchpad Translations on behalf of apparmor-dev
branch nick: apparmor
timestamp: Fri 2025-02-21 09:32:26 +0000
message:
Launchpad automatic translations update.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a trivial fix for
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1543
Instead of waiting longer for the author to fix it, the MR was merged
and this manual fixup done.
Fixes: dfe9d713f ("aa-logprof/aa-genprof: allow ignoring executions")
Signed-off-by: John Johansen <john.johansen@canonical.com>
We should be using apparmor controlled domains for these files.
Rename the template file from
com.ubuntu.pkexec.aa-notify.policy
to
net.apparmor.pkexec.aa-notify.policy
And update the template file and the install file so that the files
that are generated use net.apparmor instead of com.ubuntu
Signed-off-by: John Johansen <john.johansen@canonical.com>
The install of the polkit action files for aa-notify leaks build root
information.
From OBS
apparmor-utils.noarch: E: file-contains-buildroot (Badness: 10000) /usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
This is present on Ubuntu as well:
<annotate key="org.freedesktop.policykit.exec.path">/build/apparmor-ZUzkoL/apparmor-4.1.0~beta4/debian/tmp/usr/lib/python3/dist-packages/apparmor/update_profile.py</annotate>
This occurs because the {LIB_PATH} template variable is being replaced
with the self.install_lib. Make sure we strip the build prefix if
we are generating the files in a build environment instead of doing
a direct install.
Closes: https://gitlab.com/apparmor/apparmor/-/issues/486
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes #486
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1540
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Co-Author: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
On certain lxc containers, when aa-genprof tries to set
printk_ratelimit, it fails with the OSError exception, with the
message "OSError: [Errno 30] Read-only file system" instead of
PermissionError.
Since PermissionError is a subclass of OSError, replace it with the broader
OSError exception to include both cases in which running aa-genprof
fails.
Reported-by: Paulo Flabiano Smorigo <paulo.smorigo@canonical.com>
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1539
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Instead of setting those variables unconditionally, set them if they
aren't externally set by environment variables. This will allow for usages
like DESTDIR=/some/other/dir make install in the utils directory.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>