fuse_overlayfs requires noatime, but we should also allow more flags than
just that to preempt future breakage from flags not included in the rules.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1673
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
ipa_verify is a simple libcamera tool that does not use the portion of
libcamera that creates user namespaces. This simple profile should be
enough to replace the previous unconfined profile.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1624
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
In particular, the dbus rules were completely rebuilt based on reading through wpa_supplicant's dbus source code.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1630
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... and drop rules that are part of abstractions/gtk
Note that abstractions/gtk contains more than the rules dropped here,
which means it effectively extends the permissions granted by
abstractions/gnome.
Idea by darix.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1678
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Reported by darix
The initial radv_builtin_shaders rule was added in 4.1, therefore I propose this patch for at least 4.1 and master.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1677
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
Reported by darix, seen with comm="sshd-session"
I propose this for master and 4.x (optionally also 3.x even if it's less likely that systems using these branches already use lastlog2)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1676
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
- iotop-c fails with permission errors in nl_init without network netlink
raw.
- iotop-c also needs access to the iotop config directory instead of just
the iotoprc file within.
- iotop-c uses CAP_SYS_NICE to set ionice values. For some reason, no
audit log is generated without the capability present, but include it
anyway in case this allowance is due to a parser or kernel bug that
needs to be squashed later.
Fixes: https://bugs.launchpad.net/bugs/2107727
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1675
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
- set filetype, instead of syntax, in vim modelines
- replace filetype of subdomain with apparmor
- move modelines in the first or last five lines of each file so that
vim can recognize them
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.
However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.
This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .
This MR makes sure every confining AppArmor profile explicitly allows (at least) read access to its attachment path.
This Merge request:
- Introduces `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
- Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
- Extends `make check` to automatically ensure all AppArmor profiles grant explicit read access to their attachment path, preventing future omissions.
- Modifies apparmor_parser to show attachment in --debug output
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This reverts commit 75959225b35cc3cd76e684f2db62e27ee4e81288.
Do not enable the verify attachment-path script as part of the CI.
1. The script itself has several bashisms, that need to be fixed before
we land it as part of the regular integration test.
2. The script is going to need to be extended to support the new
parser variables, before it can be turned on as part of the CI.
Signed-off-by: John Johansen <john.johansen@canonical.com>
This reverts commit 27f5b623f726a84f8430825e2e2641043965af94, reversing
changes made to ee08bfbc905102380bfcaf64d5d84bced98c9360.
This causes the plasmashell profile to have a conflicting x modifiers
error. This breaks CI and compile/load of the plasmashell profile.
Revert until it can be fixed. Using priority.
Signed-off-by: John Johansen <john.johansen@canonical.com>
If kanidm is configured in nsswitch.conf(5), access to the kanidm-unixd
configuration is needed for applications to resolve entries.
For example:
```
type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm"
name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"
```
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1638
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
Extend `make check` to automatically ensure every AppArmor profile grants
explicit read access to its attachment path, preventing future omissions.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Grant explicit read permission on each profile’s attachment path. This
avoids issues when running them from a confined environment and makes
test_profile.sh pass.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
CVMFS ( the [CernVM File System](cernvm.cern.ch)) is a read-only fs used to distribute software that is widely used in scientific computing (at CERN and beyond, for example by the [EESSI project](eessi.io)).
CVMFS historically uses the mountpoint /cvmfs, but the new fusermount3 profile doesn't allow that. It's not really possible to move the mountpoint to /mnt/cvmfs, because the software installed on CVMFS often uses the absolute path /cvmfs/... for linking.
We've added a /etc/apparmor.d/local/fusermount3 to our packages, but it'd be much appreciated if this could be fixed upstream!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1587
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Fixes https://gitlab.com/apparmor/apparmor/-/issues/505
The profile previously permitted access to `/**`, which excludes the root
directory (`/`). This commit also gives `/` access, aligning with the
intended behavior.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
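The attachment-path requirement from the MR above (every confining profile must grant at least `r` on its own attachment) and the `/**`-versus-`/` point in this commit, as an added Python example that is not the project's `test_profile.sh`: it parses a flat profile file, expands `@{variables}`, and reports attachments that no `r` rule of the same profile covers. The glob matcher follows the rule apparmor_parser applies when converting globs (a `*` or `**` directly after `/` must match at least one character), which is what makes `/**` miss `/`. The sample policy, the profile names in it and the handled syntax subset (no includes, no hats, no quoted paths) are assumptions of the example.

```python
# Added example, not the AppArmor project's test_profile.sh: read a flat profile
# file, expand @{variables}, and report each profile whose attachment path is not
# covered by one of its own 'r' rules.  The matcher follows the rule apparmor_parser
# applies: '*' or '**' directly after '/' must match at least one character, which
# is why '/**' does not cover '/' itself.  Includes are ignored; hats are skipped.
import re

_HEADER = re.compile(r"^(?:profile\s+(\S+)\s+)?(/\S*|@\{\w+\}\S*)?\s*"
                     r"(?:flags=\([^)]*\)\s*)?\{$")

def expand_vars(text, variables):
    """Replace @{name} by its value (a {a,b} alternation if it has several)."""
    def repl(m):
        vals = variables.get(m.group(1))
        if vals is None:                 # unknown/built-in variable: keep as is
            return m.group(0)
        return vals[0] if len(vals) == 1 else "{" + ",".join(vals) + "}"
    for _ in range(8):                   # values may reference other variables
        text = re.sub(r"@\{(\w+)\}", repl, text)
    return text

def concrete_paths(glob):
    """Expand {a,b} alternations into separate globs (other wildcards stay)."""
    m = re.search(r"\{([^{}]*)\}", glob)
    return [glob] if not m else [p for alt in m.group(1).split(",")
            for p in concrete_paths(glob[:m.start()] + alt + glob[m.end():])]

def glob_to_regex(glob):
    """Brace-free AppArmor glob -> anchored regex (see header comment)."""
    def tok(m):
        t, after_slash = m.group(0), m.start() == 0 or glob[m.start() - 1] == "/"
        if t in ("*", "**"):
            return ("[^\\x00]" if t == "**" else "[^/\\x00]") + ("+" if after_slash else "*")
        return "[^/\\x00]" if t == "?" else re.escape(t)
    return re.compile("^" + re.sub(r"\*\*|\*|\?|.", tok, glob) + "$")

def parse_file_rule(body):
    """Return (glob, perms) for an allow file rule 'PATH PERMS', else None."""
    words = [w for w in body.split() if w not in ("owner", "file", "audit", "allow")]
    if len(words) < 2 or words[0] == "deny" or words[0][0] not in "/@":
        return None
    return (words[0], words[1]) if re.fullmatch(r"[rwalkmixpucPUC]+", words[1]) else None

def parse_profiles(text):
    """Return (variables, [profile dicts with name, attach, rules])."""
    variables, profiles, current, depth = {}, [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # also drops #include lines
        m = re.match(r"^@\{(\w+)\}\s*=\s*(.*)$", line)
        if m and depth == 0:
            variables[m.group(1)] = m.group(2).split()
        elif line.endswith("{"):
            depth += 1
            if depth == 1:                           # profile header, not a hat
                h = _HEADER.match(line)
                current = h and {"name": h.group(1) or h.group(2),
                                 "attach": h.group(2), "rules": []}
        elif line == "}":
            depth -= 1
            if depth == 0 and current:
                profiles.append(current)
        elif depth == 1 and current and line.endswith(","):
            rule = parse_file_rule(line[:-1])
            if rule:
                current["rules"].append(rule)
    return variables, profiles

def check_attachments(policy_text):
    """Map profile name -> attachment paths no 'r' rule of the profile covers."""
    variables, profiles = parse_profiles(policy_text)
    report = {}
    for p in [q for q in profiles if q["attach"]]:
        readers = [glob_to_regex(g) for glob, perms in p["rules"] if "r" in perms
                   for g in concrete_paths(expand_vars(glob, variables))]
        missing = [path for path in concrete_paths(expand_vars(p["attach"], variables))
                   if not any(r.match(path) for r in readers)]
        if missing:
            report[p["name"]] = missing
    return report

# Constructed sample policy, not shipped profiles: fusermount3 reads only one of
# the two paths its attachment alternation expands to, so the check flags it.
SAMPLE_POLICY = """
@{exec_path} = /usr/bin/ipa_verify
profile ipa_verify @{exec_path} {
  @{exec_path} mr,
  /usr/lib{,64}/libcamera/** mr,
}
profile fusermount3 /{,usr/}bin/fusermount3 flags=(attach_disconnected) {
  /usr/bin/fusermount3 r,
  /dev/fuse rw,
}
"""

if __name__ == "__main__":
    for name, paths in check_attachments(SAMPLE_POLICY).items():
        print(f"{name}: attachment not readable: {' '.join(paths)}")
    print("/** covers /:", glob_to_regex("/**").match("/") is not None)   # False
```

Run against a real `/etc/apparmor.d` tree it only approximates the parser (no includes, no quoted paths, no `@{int}`-style built-ins), so treat a reported profile as something to confirm with `apparmor_parser --debug`, which the MR extends to print the attachment.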
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Two fixes for the remmina profile so we can merge this
1. mknod is not currently an allowed permission. It has to be
downgraded to w
Do that with a note about how this needs to change in the future
2. The original fix adds direct references to peer=(label=unconfined)
Fix this to use a variable. So it will be easier to refactor and
update.
While doing it for the PMR also fixup the other direct unconfined
references.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Representative log lines from the [LaunchPad bug](https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2098838):
```
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:621): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="netlink" sock_type="raw" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:622): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:623): apparmor="DENIED" operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"
Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:624): apparmor="DENIED" operation="open" class="file" profile="wpa_supplicant" name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
However, regression potential remains for other setups (e.g. USB WiFi dongles), and we should maybe open up a discussion about when we want to target profiles into `apparmor.d` as opposed to `extras`.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1554
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
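Going from denial lines like the kanidm one above and the wpa_supplicant lines in this message to the rules they call for, as an added Python example (not aa-logprof or any other AppArmor tool): it tokenises the audit `key=value` fields, collapses repeated denials, folds create/delete masks into `w`, and groups the resulting `file`, `network` and `capability` rules per profile. The sample input reuses the lines quoted on this page; the capability line and the mknod line marked constructed are made up for illustration. Suggesting `ix` for exec denials is an assumption of the example that a reviewer should override with `px`/`Px` where appropriate.

```python
# Added example, not an AppArmor project tool: turn kernel audit denials like
# the ones quoted in the commit messages above into the profile rules they call
# for.  Handles class=file, class=net and class=cap; anything else (dbus, mount,
# signal, ...) is reported as unhandled rather than guessed at.
import re
from collections import defaultdict

_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
_MASK_MAP = {"c": "w", "d": "w"}   # create/delete are write access in a profile
_MASK_ORDER = "rwalkm"


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _TOKEN.finditer(line)}


def normalize_mask(mask):
    """Map an audit denied_mask (e.g. 'wc') to rule permissions (e.g. 'w')."""
    letters = {_MASK_MAP.get(c, c) for c in mask}
    perms = "".join(c for c in _MASK_ORDER if c in letters)
    # Assumption: exec denials are suggested as 'ix'; choose px/Px/ux deliberately.
    return perms + ("ix" if "x" in letters else "")


def suggest_rules(lines):
    """Return {profile: sorted rules} covering every DENIED/ALLOWED line."""
    masks = defaultdict(lambda: defaultdict(set))   # profile -> path -> letters
    rules = defaultdict(set)                        # profile -> non-file rules
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue                                # STATUS lines, other audit types
        profile, cls = f.get("profile", "?"), f.get("class")
        if cls == "file":
            mask = f.get("denied_mask") or f.get("requested_mask", "")
            masks[profile][f["name"]].update(mask)
        elif cls == "net":
            rules[profile].add(f"network {f['family']} {f['sock_type']},")
        elif cls == "cap":
            rules[profile].add(f"capability {f['capname']},")
        else:
            rules[profile].add(f"# unhandled class={cls} operation={f.get('operation')}")
    out = {}
    for profile in set(masks) | set(rules):
        file_rules = {f"{path} {normalize_mask(''.join(letters))},"
                      for path, letters in masks[profile].items()}
        out[profile] = sorted(file_rules | rules[profile])
    return out


# Sample input: the php-fpm and wpa_supplicant lines are the ones quoted in the
# commit messages (the php-fpm one re-joined onto a single line); the last two
# are constructed for illustration and not taken from any real system.
SAMPLE_LOG = [
    'type=AVC apparmor="DENIED" operation="open" class="file" profile="php-fpm" '
    'name="/etc/kanidm/unixd" comm="php-fpm" requested_mask="r" denied_mask="r"',
    'Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:621): apparmor="DENIED" '
    'operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" '
    'family="netlink" sock_type="raw" protocol=0 requested="create" denied="create"',
    'Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:622): apparmor="DENIED" '
    'operation="open" class="file" profile="wpa_supplicant" '
    'name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 '
    'comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:623): apparmor="DENIED" '
    'operation="create" class="net" profile="wpa_supplicant" pid=2211 comm="wpa_supplicant" '
    'family="inet" sock_type="dgram" protocol=0 requested="create" denied="create"',
    'Feb 19 16:34:01 kernel: audit: type=1400 audit(1740000841.920:624): apparmor="DENIED" '
    'operation="open" class="file" profile="wpa_supplicant" '
    'name="/sys/devices/pci0000:00/0000:00:14.3/ieee80211/phy0/name" pid=2211 '
    'comm="wpa_supplicant" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: a capability denial (CAP_SYS_NICE is capability number 23)
    'type=AVC apparmor="DENIED" operation="capable" class="cap" profile="iotop-c" '
    'pid=4242 comm="iotop-c" capability=23 capname="sys_nice"',
    # constructed: create+write on one path collapses to a single 'w' rule
    'type=AVC apparmor="DENIED" operation="mknod" class="file" profile="php-fpm" '
    'name="/run/php/demo.sock" comm="php-fpm" requested_mask="wc" denied_mask="wc"',
]

if __name__ == "__main__":
    for profile, profile_rules in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in profile_rules:
            print("   ", rule)
```

The output is a starting point for a rule review, not something to paste into a profile unread: the script knows nothing about abstractions, `owner` qualifiers, or whether a broader glob already covers the path, and a literal `/sys/devices/pci0000:00/...` path is exactly the kind of rule the wpa_supplicant message warns will regress on other hardware.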
These are the default directory mounts used by Flatpak's system cache for mounting revokefs-fuse. Unfortunately, the new rules are quite broad, but we might not be able to do much better than that.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1562
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
Fixes: https://bugs.launchpad.net/maas/+bug/2092232
In the lsblk profile, the rule responsible for allowing disks to be read
over the network was not generic enough to handle some cases, such as IBM
Power. The new rule, `@{sys}/devices/**/host@{int}/** r`, should support
all cases.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This is needed to fix the gnome-remote-desktop daemon, which mounts in a
directory like /run/user/119/gnome-remote-desktop/cliprdr-ABm0Gd/.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2103889
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>