The check isn't correct, it should be checking for capability
MAC_ADMIN, but in the future that won't be correct either. Instead
rely on the kernel to check permission to load policy, which it already
does as it is possible to by-pass the parser to load policy.
Also improve the error message when the kernel does deny
loading policy due to failed permission checks.
Signed-off-by: John Johansen <john.johansen@canonical.com>
'name' gets used in the error message. Make sure it only gets freed
afterwards.
This bug was introduced in be0d2fa947b90320cb3f32878ceea934eb76a837 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/727
Fixes coverity CID 254465: Memory - illegal accesses (USE_AFTER_FREE)
I propose this fix for 3.0..master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1040
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
If `else if (preprocess_only)` is true, the more strict condition
`else if (!include_file && preprocess_only)` won't be reached if it gets
checked after the shorter condition.
Exchange the two sections so that both code paths can be reached.
Fixes coverity CID 312499: Control flow issues (DEADCODE)
This was probably introduced in 7dcf013bcab9548582734db244ba74f09449f9c1 / https://gitlab.com/apparmor/apparmor/-/merge_requests/743 which means we'll need to backport this fix to 3.0 and 3.1.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1039
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
... by including cstdint.
Credits go to the new gcc in Tumbleweed for proposing this patch.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1038
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
In some cases (if profiles in complain _and_ enforce mode are loaded), the `i` loop runs more
than once, which also means `j == 0` is true in the middle of the json.
This causes invalid json.
This patch fixes this.
This is a regression related to 22aa9b61615b72c20d96f8eeeac0a3f6ff0a5d1e
/ https://gitlab.com/apparmor/apparmor/-/merge_requests/964 /
https://gitlab.com/apparmor/apparmor/-/issues/295
which fixed another case of invalid json if a process was unconfined
while having a profile defined.
Note: I also tested this patch for the "unconfined, but has a profile
defined" case to ensure it doesn't break what
22aa9b61615b72c20d96f8eeeac0a3f6ff0a5d1e fixed.
This fix is needed in all branches that also got !964 (which means 3.1 and 3.0).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1036
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Enhance aa-status by adding posix regex filter support and support for new modes
This MR adds the following command line options:
```
--show={profiles,processes,all}
--count
--filter.mode=filter
--filter.processs=filter
--filter.profiles=filter
--filter.pid=filter
```
Currently the filters use basic posix regexes; do we want to go with extended regex, or apparmor globbing?
An example of using the new filters:
```
$ sudo ./aa-status --filter.exe="firefox" --show=processes
apparmor module is loaded.
65 processes have profiles defined.
25 processes are in enforce mode.
/snap/firefox/2605/usr/lib/firefox/firefox (4406) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (4686) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (4721) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (4826) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (19204) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (19206) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (23159) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (23195) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (23292) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (30929) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (31487) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (31528) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (71708) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2271631) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2271969) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2272030) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2272347) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2654995) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2655042) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2655082) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2655152) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2655237) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2656215) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2656334) snap.firefox.firefox
/snap/firefox/2605/usr/lib/firefox/firefox (2657837) snap.firefox.firefox
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
```
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1016
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Bring in updates and improvements that have been made to the Chromium profile at `apparmor-profiles/ubuntu/20.04/usr.bin.chromium-browser`.
The changes are largely as follows:
* Use `@{pid}` or `@{tid}` instead of `[0-9]*`
* Use the discrete `lsb_release` profile instead of a subprofile
* Add a few additional libraries to the `sandbox` subprofile
Once this is in, the Chromium profiles in `apparmor-profiles` can be considered deprecated, and I would advise slating them for removal altogether.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1032
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
`unscd` is a drop-in replacement for `nscd` that uses the same binary location (`/usr/sbin/nscd`) and config file (`/etc/nscd.conf`). The `usr.sbin.nscd` profile only needs one additional permission to support it.
```
May 9 18:07:42 darkstar kernel: [ 2706.138823] audit: type=1400
audit(1683670062.580:839): apparmor="DENIED" operation="sendmsg"
profile="nscd" name="/run/systemd/notify" pid=4343 comm="nscd"
requested_mask="w" denied_mask="w" fsuid=125 ouid=0
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1031
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
The mount options MS_LAZYTIME and MS_NOSYMFOLLOW were added in
kernels 4.0 and 5.10, respectively. Update the mount test script
and helper to skip testing those options if they are not available.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1024
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Jon Tourville <jon.tourville@canonical.com>
To emphasize that the
  --mode
  --processs
  --profiles
  --pid
options are filters, rename them to
  --filter.mode
  --filter.processs
  --filter.profiles
  --filter.pid
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add the basic infrastructure for adding regex based filters and
allow filtering process and profiles by mode based on a user supplied
filter.
Signed-off-by: John Johansen <john.johansen@canonical.com>
So that the user can control the set of data being shown, add a --show
flag. Currently it allows showing
  all
  profiles
  processes
Signed-off-by: John Johansen <john.johansen@canonical.com>
In preparation for new options and controls, split detailed_output()
into detailed_profiles() and detailed_processes() and switch the
output processing to one larger pass that uses option flags.
This doesn't change current behavior and is not as clean as the
current code for the current option set. However it will allow us to
easily add new options in one place and have them apply correctly
everywhere.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The unix network tests are not being run on a v8 network capable kernel. Under v8 there need to be some adjustments to the tests because unix rules get downgraded to the socket rule `network unix,` which does not have the same set of conditionals or fine grained permissions, meaning some tests that would fail under af_unix (like missing permission tests) will pass under v8 network rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/893
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1005
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The conflicting flags value message was hard to read:
  conflicting flag value = lazytimenolazytime
Change it to:
  conflicting flag values = lazytime, nolazytime
Signed-off-by: John Johansen <john.johansen@canonical.com>
Adds the corresponding `MS_NOSYMFOLLOW` flag to parser/mount.h as well,
defined as (1 << 8) just as in util-linux and the kernel.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This patch adds the following mount options: 'nostrictatime',
'lazytime', and 'nolazytime'.
The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was
listed along with 'strictatime' in the comments of parser/mount.cc, so
this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME.
Additionally, the Linux kernel includes the 'lazytime' option with
MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to
parser/mount.h and the corresponding mappings in parser/mount.cc for
'lazytime' and 'nolazytime'.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
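The option-to-flag mapping and the conflict message described in the mount commits above, as an added example that is not AppArmor's parser code: `parse_mount_opts`, the `EX_` macros and the table are hypothetical names, and the `1<<24` value for MS_STRICTATIME is taken from the kernel headers rather than from this page.

```c
#include <stdio.h>
#include <string.h>
/* Flag values: 1<<8 and 1<<25 are quoted in the commit messages above;
 * 1<<24 for MS_STRICTATIME is the kernel's value (not stated on the page). */
#define EX_MS_NOSYMFOLLOW (1u << 8)
#define EX_MS_STRICTATIME (1u << 24)
#define EX_MS_LAZYTIME    (1u << 25)

/* Hypothetical table: each option name either sets or clears one flag. */
struct opt { const char *name; unsigned set, clear; };
static const struct opt opts_tab[] = {
    { "nosymfollow",   EX_MS_NOSYMFOLLOW, 0 },
    { "strictatime",   EX_MS_STRICTATIME, 0 },
    { "nostrictatime", 0, EX_MS_STRICTATIME },
    { "lazytime",      EX_MS_LAZYTIME,    0 },
    { "nolazytime",    0, EX_MS_LAZYTIME },
};
#define N_OPTS (sizeof(opts_tab) / sizeof(opts_tab[0]))

/* Parse "a,b,c" into set/clear masks. Returns 0 on success, -1 for an
 * unknown option, -2 when a flag is both set and cleared (err names them). */
int parse_mount_opts(const char *s, unsigned *set, unsigned *clear, char *err, size_t errlen)
{
    *set = *clear = 0;
    err[0] = '\0';
    while (*s) {
        size_t len = strcspn(s, ","), i;
        for (i = 0; i < N_OPTS; i++)
            if (strlen(opts_tab[i].name) == len && !strncmp(s, opts_tab[i].name, len))
                break;
        if (i == N_OPTS) {
            snprintf(err, errlen, "unknown option '%.*s'", (int)len, s);
            return -1;
        }
        *set |= opts_tab[i].set;
        *clear |= opts_tab[i].clear;
        s += len + (s[len] == ',');   /* step over the token and its comma */
    }
    unsigned both = *set & *clear;
    if (!both) return 0;
    size_t off = (size_t)snprintf(err, errlen, "conflicting flag values = ");
    const char *sep = "";
    for (size_t i = 0; i < N_OPTS && off < errlen; i++) {
        if ((opts_tab[i].set | opts_tab[i].clear) & both) {
            off += (size_t)snprintf(err + off, errlen - off, "%s%s", sep, opts_tab[i].name);
            sep = ", ";               /* separator is what makes the message readable */
        }
    }
    return -2;
}
```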
Make it so the output options that count profiles and processes can
be output to a file.
This does not add a user option to do so.
Signed-off-by: John Johansen <john.johansen@canonical.com>
For detailed output split up where output is going from whether json
is being produced.
This also allows non-json output to go to a file.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The chfa equivalence class shouldn't be a reference. It needs to
actually exist and be part of the class during later method calls.
As a reference it leads to bad references when used later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1015
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
When the replacement regex for multiple qualifiers matches, the
capture group variables ($1, $2, etc) are overwritten to match the
most recent regex. Since there are no capture groups in the 's/,/ /g'
regex, then $2 was empty, causing an error on policy generation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>