import tkinter does not automatically import tkinter.font so calls to
the latter fail if the execution environment does not already contains
it.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Profiles are now updated only at initialization and when aa-notify
itself updates a profile.
A future MR will come to read profiles individually only when an event
for this profile comes to reduce overhead, as more and more profiles are
created.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Mesa now needs ~/.cache/mesa_shader_cache_db/marker .
Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.
Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.
After an upgrade to libfuse 3.17.1-rc0, autopkgtests started to fail
due to a missing x permission for /usr/bin/mount. After looking at the
source code for fusermount, I noticed that it does call /bin/mount and
/bin/umount in certain cases. These uses were already there in
previous versions of libfuse but I'm still not sure why it hasn't
triggered before.
To reproduce it:
```
sudo autopkgtest-buildvm-ubuntu-cloud -v -r questing
autopkgtest archivemount -U --apt-pocket=proposed=src:fuse3 --shell-fail -- qemu autopkgtest-questing-amd64.img
```
After the test fails, enter the vm by
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 10022 ubuntu@localhost
```
You can reproduce the test by running
```
cd /tmp/autopkgtest.*/build.*/src/
/tmp/autopkgtest.*/build.*/src/debian/tests/test
```
Note that ix for mount and umount were enough to make the autopkgtest
failures to start passing, but there could be issues in the future
regarding the use of fs specific mount binaries like
/usr/sbin/mount.fuse
Fixes: http://bugs.launchpad.net/bugs/2111845
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1716
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.
This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```
Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load
```
Signed-off-by: Steve Beattie <steve@nxnw.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
When variable expansion occurs, the expansion attempts to replace the
memory location of the string containing the variable, and frees the
string it is replacing. However, this occurs before the variable lookup
occurs to determine if there is an appropriate declaration for the
variable. When the failing expansion occurs in a profile name, this
causes a read-after-free (followed by a double free) because the error
handling path attempts to report the profile name in the error message.
This can be reproduced like so, using the
tst/simple_tests/vars/vars_profile_name_23.sd testcase:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile #xQV, failed to load
free(): double free detected in tcache 2
```
Fix this by waiting to free the profile name field until after the
variable declaration has successfully been looked up. This results in
the test case reporting the following error:
```
$ ../apparmor_parser --config-file=./parser.conf -M features_files/features.all -S -I /home/sbeattie/git/apparmor/parser/tst/./simple_tests/ ./simple_tests/vars/vars_profile_name_23.sd
Failed to find declaration for: @{FOO}
ERROR expanding variables for profile /does/not/exist@{FOO}, failed to load
```
Fixes: dfbd2dc4b ("parser: refactor variables and symbols table into their own class")
Signed-off-by: Steve Beattie <steve@nxnw.org>
Ref: https://gitlab.com/apparmor/apparmor/-/merge_requests/1747
The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass. Thus,
add a test to verify whether or not such a bypass occurs.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The current lsblk profile contains `@{sys}/devices/pci@{int}:@{int}/** r` (where `@{int}` expands to `[0-9]+`). PCI BDFs are in hex, so block device paths whose BDF contains [a-f] digits are skipped, causing them to be omitted from the output of lsblk.
Replacing `@{int}` with `@{hex}` (which expands to `[0-9a-fA-F]+`) ensures PCI block device paths with [a-f] hex digits are correctly matched and displayed in the output of `lsblk`.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1725
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Those messages appear in various context and do not provide any useful feedback to the user, diverging from UNIX philosophy of staying quiet when there's nothing of importance to say.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1738
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Hi,
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1729
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1739
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Arch Linux qt6-webengine has `/usr/lib/qt6/QtWebEngineProcess` and
qt5-webengine has `/usr/lib/qt/libexec/QtWebEngineProcess`.
Fedora has `/usr/lib64/qt6/libexec/QtWebEngineProcess`.
openSUSE Tumbleweed has `/usr/libexec/qt5/QtWebEngineProcess` and
`/usr/libexec/qt6/QtWebEngineProcess`.
Co-authored-by: Maxime Bélair <maxime.belair@canonical.com>
Fix issues introduced in coverity's snapshot 89167
- CID 532797: (#1 of 1): Use of auto that causes a copy (AUTO_CAUSES_COPY)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
While symtab for now has only static members, it will allow for a
change in the future for each profile to have their own symbols like
profile_name, etc.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1711
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
MR !1735 mistakenly assumed that x.is_covered(y) means "x is covered by
y" when the opposite is true
Fix the logic of is_covered and associated tests.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that `priority=0` matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1735
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
- `is_covered` was not checking priorities when checking if a rule is
covered. With this fix, a rule of lower priority can no longer cover a
higher priority one.
- Fixes `is_equal(strict=False)` so that priority=0 matches implicit
priority (as it is defaulted to zero)
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).
Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1720
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Copy the optimized version from common.py to easyprof.py (shouldn't
change the behaviour).
Since get_directory_contents() is only used in easyprof.py, delete the
unused copy from common.py.
Create separate classes for tests not fitting under *TestParseInvalid
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1736
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.
Also move tests not matching the rule regex into tests array (which now supports this case).
While at it, enable the tests for abi and include rules.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1728
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Dovecot 2.4 now creates a "binary" version of its config via doveconf. This needs new access rules, as it otherwise prevents all Dovecot processes from accessing this new configuration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1733
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This fixes the following error when a block device's PCI bus starts with
a non-decimal hex character and `lsblk /dev/nvme2n1` is executed:
```
audit: type=1400 audit(1751394406.516:554): apparmor="DENIED" operation="open" class="file" profile="lsblk" name="/sys/devices/pci0000:a0/0000:a0:01.1/0000:a1:00.0/nvme/nvme2/nvme2n1/" pid=164652 comm="lsblk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
I used hex4 and hex2 as it matches the example from
https://docs.kernel.org/PCI/sysfs-pci.html and also because lspci(8)
says:
> domains are numbered from 0 to ffff
>
> bus (0 to ff)
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2111604
Signed-off-by: Louis Sautier <sautier.louis@gmail.com>
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.
While at it, enable the tests for abi and include rules.
While symtab for now has only static members, it will allow for a
change in the future for each profile to have their own symbols like
profile_name, etc.
According to commit cce5bd6e95ae9a9f01caceea0d5d75b612dd3fbc, the
apparmor_parser does not collapse consecutive / characters in the
beginning of paths, since it indicates posix namespaces. Add a
equality test to make sure we maintain this behavior.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
... instead of having them in test-modifiers.py for all rule types
Also add a few additional tests while on it.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1718
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
Basic AppArmor profile for the free binary, tested on Ubuntu 24.04.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1629
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
In order to test the profile, I did the following inside an oracular VM:
- `curl https://ubuntu.com/ -o /tmp/ubuntu`
- `curl 'https://ubuntu.com/security/{CVE-2024-12797,CVE-2025-24032}' -o '#1'`
- `curl -u dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu ftp://ftp.dlptest.com/`
Finally, I ran the package's testsuite:
```
apt source curl
cd curl-8.9.1
./configure --without-ssl # SSL has been tested using the above
make
cd test/server
make
cd ..
./runtests.pl -c $(which curl)
```
The only test which should fail should be the last one, since the build was configured with support for less protocols than the ones provided by the binary we're using (this is expected and happens regardless of whether the profile is loaded or not).
A spread smoke-test is also provided as part of this MR.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1560
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
