When run with the -p flag, aa-notify works fine for 100 seconds and then it exits.
I suspect that the issue arises from the following check on line 259 in utils/aa-notify
if debug_logger.debug_level <= 10 and int(time.time()) - start_time > 100:
debug_logger.debug('Debug mode detected: aborting notification emitter after 100 seconds.')
sys.exit(0)
together with line 301 in utils/apparmor/common.py which initializes debug_logger.debug_level to logging.DEBUG which has the numerical value 10.
A simple solution might be to just remove the check as I'm not quit sure why one would want aa-notify to exit when run in debug mode in the first place.
Alternatively, one could check against debug_logger.debugging (initialized to False) or change the initialization of debug_logger.debug_level to something else, but I don't know how that would affect other consumers of utils/apparmor/common.py.
For now just add dbugger_logger.debugging as an additional check as the
reason for timing out after 100s during debugging are unclear.
Suggested-by: vicvbcun
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/126
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/660
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Otto Kekäläinen <otto@kekalainen.net>
(cherry picked from commit 8ea7630b6d)
This reverts merge request !628. My reason for this proposal is that commit 88c142c6 already provided this change, something I must have missed when I opened the initial merge request. This resulted in duplicate entries in the profile, something that is also potentially confusing to users or other contributors.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/659
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 38c611ed31)
e0b20a4d Revert "Merge dnsmasq: Permit access to /proc/self/fd/"
When using the in tree parser we should not be using the system
parser.conf file, as if the system apparmor is newer than the
tree being tested the parser.conf file could contain options not
understood by the in tree apparmor_parser.
Use --config-file to specify the default in tree parser.conf
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 5ac368bce7)
In cross build environments, using the hosts cpp gives incorrect
detection of reallocarray. Change cpp to a variable.
fixes:
parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/647
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 0dbcbee700)
Signed-off-by: John Johansen <john.johansen@canonical.com>
It trys to create a symlink before the man pages are installed.
ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
| ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
...
install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/646
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 37b9028499)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/642
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
With AppArmor release 3.0, a new function `aa_features_new_from_file`
was added, but not added to the list of public symbols. As a result,
it's not possible to make use of this function when linking against
libapparmor.so.
Fix the issue by adding it to the symbol map.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit c9255a0343)
Signed-off-by: John Johansen <john.johansen@canonical.com>
bison change the default text past to yerror in bison 3.6, this
breaks make check as some tests are comparing against the error
output
======================================================================
FAIL: test_modefail (__main__.AAErrorTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/jj/apparmor.git/parser/tst/testlib.py", line 50, in new_unittest_func
return unittest_func(self)
File "./errors.py", line 58, in test_modefail
self._run_test(
File "./errors.py", line 40, in _run_test
self.assertIn(message, outerr, report)
AssertionError: 'AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error, unexpected TOK_ID, expecting TOK_MODE' not found in 'AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error\n' :
Command: ../apparmor_parser --config-file=./parser.conf -S -I errors errors/modefail.sd
Exit value:1
STDERR
AppArmor parser error for errors/modefail.sd in profile errors/modefail.sd at line 6: syntax error
To fix this we need to add
define parse.error=verbose
to bison. Unfortunately define parse.error was only added in bison 3.0
and and older versions of bison will break if that is defined in
parser_yacc.y
Instead test for the version of bison available and set define parse.error
as a build flag if supported by the version of bison being called.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/640
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
The parser is not handling variable expansion/rule conditionals
correctly in some cases. Eg. NOT treating unix addr as a path and
filtering slashes after variable expansion. This can lead to errors
where
@{foo}=/a/ unix bind addr=@{foo}/bar,
will always fail because addr is being matched as /a//bar instead of
/a/bar.
Note: this is a first pass and may not fix all cases. Eg. There is a
known issue with profile names not being able to begin with a
variable.
Signed-off-by: John Johansen john.johansen@canonical.com
Acked-by: Steve Beattie <steve.beattie@canonical.com>
Attempt to get clarity on what is valid syntax for mount options and
fstype options.
Note that simple_tests/mount/bad_opt_27.sd is marked TODO, as the
parser accepts it but should not.
Also mark the tests as expecting to fail to raise an exception by the
python utils.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
This adds support for the new v8 network mediation in the 4.17 and later kernels.
It requires that policy either be tagged with an abi rule that support the v8 network, or the policy be pinned with --policy-features= with a feature abit that supports v8 network.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Acked-by: Steve Beattie <steve.beattie@canonical.com>
af_unix allows for sockets to be bound to a name that is autogenerated.
Currently this type of binding is only supported by a very generic
rule.
unix (bind) type=dgram,
but this allows both sockets with specified names and anonymous
sockets. Extend unix rule syntax to support specifying just an
auto bind socket by specifying addr=auto
eg.
unix (bind) addr=auto,
It is important to note that addr=auto only works for the bind
permission as once the socket is bound to an autogenerated address,
the addr with have a valid unique value that can be matched against
with a regular
addr=@name
expression
Fixes: https://bugs.launchpad.net/apparmor/+bug/1867216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
v8 network permissions extend into the range used by exec mapping
so it is important to not blindly do execmapping on both the
file dfa and policydb dfa any more.
Track what type of dfa and its permissions we are building so
we can properly apply exec mapping only when building the
file dfa.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
If an exec gets denied in enforce mode, there are no log events for the target binary/profile. Therefore, trying to set the final_name for the target will crash with a KeyError.
Check for the existence of hashlog\[aamode\]\[target_profile\] in all exec options to prevent this crash.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/634
Acked-by: John Johansen <john.johansen@canonical.com>
Add a basic tool for manipulating the apparmor features abi via
libapparmor. This serves as a basic tool and as an example of using
the library api.
Currently its function is limited to extracting the kernel feature
abi and loading a feature abi from a file and then outputing it.
In the future it will pickup the ability to verify the feature
abi, and merge feature abis.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/613
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
... and allow dovecot to Px to it.
The profile is based on a profile I received in a bugreport, with the
actual script factored out. Note that you'll _need_ to add a rule to the
local/ include to allow executing the actual script, but since the
script to execute is configurable, it's basically impossible to add a
default rule for it.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1166007
If an exec gets denied in enforce mode, there are no log events for the
target binary/profile. Therefore, trying to set the final_name for the
target will crash with a KeyError.
Check for the existence of hashlog[aamode][target_profile] in all exec
options to prevent this crash.
Note that the log doesn't include enough information for EXEC MODE and EXEC COND, therefore aa-logprof will always propose ALL as EXEC COND (comm= might give a hint about EXEC COND, but isn't good enough).
With the added support in aa-logprof, remove the changeprofile tests from the known-failing list in test-libapparmor-test_multi.py.
Also add another test log (from darix) / expected profile to the libapparmor testsuite.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/631
Acked-by: John Johansen <john.johansen@canonical.com>
When switching to complain or enforce mode (for example with aa-complain and aa-enforce), remove conflicting flags like kill and unconfined.
As ground work, change add_or_remove_flag() to allow to add or remove multiple flags. Multiple flags can be given as string (will be split) or as array.
Also add some tests confirming that everything works as expected.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/633
Acked-by: John Johansen <john.johansen@canonical.com>
Snapd now loads its own policy via its own systemd unit
https://github.com/snapcore/snapd/pull/8467
If A distro is not using snapd systemd unit then dropping snapd policy
from the apparmor unit is a breaking change, distros will either need
to use the snapd systemd unit or revert
0164fd05 init: stop loading snap policy
Signed-off-by: John Johansen <john.johansen@canonical.com>
