bump release version to 2.11.1

libapparmor: fix swig test_apparmor.py for zero length ptrace records
Merge from trunk revision 3715 The added testcase for a ptrace target with an empty string (ptrace_garbage_lp1689667_1.in) was causing the swig python test script to fail. The generated python swig record for libapparmor ends up setting a number of fields to None or other values that indicate the value is unset, and the test script was checking if the value in the field didn't evaluate to False in a python 'if' test. Unfortunately, python evaluates the empty string '' as False in 'if' tests, resulting in the specific field that contained the empty string to be dropped from the returned record. This commit fixes that by special case checking for the empty string. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com>
2025-09-01 06:45:38 +00:00 · 2017-10-19 02:13:37 -07:00 · 2017-10-18 17:06:28 -07:00 · 2017-10-18 14:31:16 -07:00 · 2017-10-12 13:28:51 +02:00 · 2017-09-28 17:48:13 +02:00
66 changed files with 178 additions and 84 deletions
--- a/.bzrignore
+++ b/.bzrignore
@@ -2,6 +2,7 @@ apparmor-*
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
 parser/tst_lib
 parser/tst_misc
 parser/tst_regex
 parser/tst_symtab
@@ -19,6 +20,7 @@ parser/*.7.html
 parser/*.5.html
 parser/*.8.html
 parser/apparmor_parser
 parser/libapparmor_re/parse.cc
 parser/libapparmor_re/regexp.cc
 parser/techdoc.aux
 parser/techdoc.log
--- a/2
+++ b/2
@@ -19,7 +19,7 @@ DIRS=libraries/libapparmor \
 #REPO_URL?=lp:apparmor
 # --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
-REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
+REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/2.11
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.11.0
+2.11.1
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -27,7 +27,7 @@ INCLUDES = $(all_includes)
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
 AA_LIB_CURRENT = 5
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 1
 AA_LIB_AGE = 4
 SUFFIXES = .pc.in .pc
--- a/libraries/libapparmor/swig/python/test/test_python.py.in
+++ b/libraries/libapparmor/swig/python/test/test_python.py.in
@@ -121,7 +121,7 @@ class AAPythonBindingsTests(unittest.TestCase):
                    continue
                else:
                    new_record[key] = str(value)
-            elif record.__getattr__(key):
+            elif value or value == '':
                new_record[key] = str(value)
        return new_record
--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -17,8 +17,8 @@ clean-local:
 	rm -rf tmp.err.* tmp.out.* site.exp site.bak test_multi/out
 	rm -f libaalogparse.log libaalogparse.sum
-check-local:
+check-local: check-DEJAGNU
-	if ! test -f libaalogparse.log ; then echo '*** libaalogparse.log not found - is dejagnu installed? ***'; exit 1; fi
+	@if ! test -f libaalogparse.log ; then echo '*** libaalogparse.log not found - is dejagnu installed? ***'; exit 1; fi
-	if grep ERROR libaalogparse.log ; then exit 1 ; fi
+	@if grep ERROR libaalogparse.log ; then exit 1 ; fi
 EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.err
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.err
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.in
@@ -0,0 +1 @@
 type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.out
@@ -0,0 +1,11 @@
 START
 File: ptrace_garbage_lp1689667_1.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1494272099.261:3455
 Operation: ptrace
 Profile: /bin/netstat
 Command: netstat
 Name2: 
 PID: 1962
 Epoch: 1494272099
 Audit subid: 3455
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_1.profile
@@ -0,0 +1,2 @@
 /bin/netstat {
 }
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.err
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.err
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.in
@@ -0,0 +1 @@
 type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=8022C0FF81A0FFFF8022C0FF81A0FFFF1080CBFF81A0FFFF1080CBFF81A0FFFF2080CBFF81A0FFFF2080CBFF81A0FFFF9E03
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_garbage_lp1689667_2.out
@@ -0,0 +1,10 @@
 START
 File: ptrace_garbage_lp1689667_2.in
 Event type: AA_RECORD_INVALID
 Audit ID: 1494272099.261:3455
 Operation: ptrace
 Profile: /bin/netstat
 Command: netstat
 PID: 1962
 Epoch: 1494272099
 Audit subid: 3455
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.err
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.err
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.in
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.in
@@ -0,0 +1 @@
 type=AVC msg=audit(1495217772.047:4471): apparmor="DENIED" operation="ptrace" profile="/usr/bin/pidgin" pid=21704 comm="pidgin" peer="unconfined"
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.out
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.out
@@ -0,0 +1,11 @@
 START
 File: ptrace_no_denied_mask.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1495217772.047:4471
 Operation: ptrace
 Profile: /usr/bin/pidgin
 Peer: unconfined
 Command: pidgin
 PID: 21704
 Epoch: 1495217772
 Audit subid: 4471
--- a/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.profile
+++ b/libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.profile
@@ -0,0 +1,2 @@
 /usr/bin/pidgin {
 }
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -196,16 +196,20 @@ static void writeu16(std::ostringstream &o, int v)
 #define CMD_OPT		4
 void unix_rule::downgrade_rule(Profile &prof) {
 	unsigned int mask = (unsigned int) -1;
 	if (!prof.net.allow && !prof.alloc_net_table())
 		yyerror(_("Memory allocation error."));
 	if (sock_type_n != -1)
 		mask = 1 << sock_type_n;
 	if (deny) {
-		prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.deny[AF_UNIX] |= mask;
 		if (!audit)
-			prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.quiet[AF_UNIX] |= mask;
 	} else {
-		prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
+		prof.net.allow[AF_UNIX] |= mask;
 		if (audit)
-			prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
+			prof.net.audit[AF_UNIX] |= mask;
 	}
 }
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -111,7 +111,7 @@ capabilities(7))
 B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
-B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ','
+B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' | 'smc' ) ','
 B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -82,6 +82,7 @@
  @{PROC}/meminfo                r,
  @{PROC}/stat                   r,
  @{PROC}/cpuinfo                r,
  /sys/devices/system/cpu/       r,
  /sys/devices/system/cpu/online r,
  # glibc's *printf protections read the maps file
--- a/profiles/apparmor.d/abstractions/freedesktop.org
+++ b/profiles/apparmor.d/abstractions/freedesktop.org
@@ -10,10 +10,10 @@
 # ------------------------------------------------------------------
  # system configuration
-  /usr/share/applications/               r,
+  /usr/{,local/}share/applications/{*/,}               r,
-  /usr/share/applications/defaults.list  r,
+  /usr/{,local/}share/applications/{*/,}defaults.list  r,
-  /usr/share/applications/mimeinfo.cache r,
+  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
-  /usr/share/applications/*.desktop      r,
+  /usr/{,local/}share/applications/{*/,}*.desktop      r,
  /usr/share/icons/               r,
  /usr/share/icons/**             r,
  /usr/share/pixmaps/             r,
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@@ -66,6 +66,10 @@
  /var/cache/**/icon-theme.cache  r,
  /usr/share/**/icon-theme.cache  r,
  # GLib schemas
  /usr/{local/,}share/glib-[0-9]*/schemas/   r,
  /usr/{local/,}share/glib-[0-9]*/schemas/** r,
  # gnome VFS modules
  /etc/gnome-vfs-2.0/modules/ r,
  /etc/gnome-vfs-2.0/modules/* r,
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -29,6 +29,7 @@
  # When using sssd, the passwd and group files are stored in an alternate path
  # and the nss plugin also needs to talk to a pipe
  /var/lib/sss/mc/group   r,
  /var/lib/sss/mc/initgroups r,
  /var/lib/sss/mc/passwd  r,
  /var/lib/sss/pipes/nss  rw,
--- a/profiles/apparmor.d/abstractions/perl
+++ b/profiles/apparmor.d/abstractions/perl
@@ -15,8 +15,8 @@
  /usr/lib{,32,64}/perl5/**                    r,
  /usr/lib{,32,64}/perl{,5}/**.so*             mr,
-  /usr/lib/@{multiarch}/perl{,5}/**            r,
+  /usr/lib/@{multiarch}/perl{,5,-base}/**            r,
-  /usr/lib/@{multiarch}/perl{,5}/[0-9]*/**.so* mr,
+  /usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,
  /usr/share/perl/**             r,
  /usr/share/perl5/**            r,
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -22,7 +22,7 @@
  /etc/mailname         r,
  /etc/postfix/*.cf     r,
-  /etc/postfix/*.db     r,
+  /etc/postfix/*.db     rk,
  @{PROC}/net/if_inet6  r,
  /usr/lib/postfix/*.so mr,
  /usr/lib{,32,64}/sasl2/*    mr,
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -10,18 +10,18 @@
 #
 # ------------------------------------------------------------------
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
+  /usr/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
-  /usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{pyc,so}           mr,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/**.{egg,py,pth}       r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-5]}/{site,dist}-packages/ r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3.[0-6]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so            mr,
+  /usr/local/lib{,32,64}/python3.[0-6]/lib-dynload/*.so            mr,
  # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-5]}/** r,
+  /etc/python{2.[4-7],3.[0-6]}/** r,
  # shared python paths
  /usr/share/{pyshared,pycentral,python-support}/**      r,
@@ -34,4 +34,4 @@
  /usr/lib/wx/python/*.pth r,
  # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-5]}*/pyconfig.h r,
+  /usr/include/python{2.[4-7],3.[0-6]}*/pyconfig.h r,
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -11,6 +11,7 @@
  /etc/samba/* r,
  /usr/lib*/ldb/*.so mr,
  /usr/lib*/samba/ldb/*.so mr,
  /usr/share/samba/*.dat r,
  /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
  /var/cache/samba/ w,
--- a/profiles/apparmor.d/abstractions/user-download
+++ b/profiles/apparmor.d/abstractions/user-download
@@ -15,7 +15,7 @@
  owner @{HOME}/tmp/**       		rwl,
  owner @{HOME}/[dD]ownload{,s}/	r,
  owner @{HOME}/[dD]ownload{,s}/**	rwl,
-  owner @{HOME}/[a-zA-Z0-9]* 		rwl,
+  owner @{HOME}/[^.]*			rwl,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/	r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/*	rwl,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/	r,
--- a/profiles/apparmor.d/abstractions/user-write
+++ b/profiles/apparmor.d/abstractions/user-write
@@ -14,8 +14,8 @@
  owner @{HOME}/@{XDG_DESKTOP_DIR}/       r,
  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/     r,
  owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/   r,
-  owner @{HOME}/[a-zA-Z0-9]*/             rw,
+  owner @{HOME}/[^.]*/                    rw,
-  owner @{HOME}/[a-zA-Z0-9]*              rwl,
+  owner @{HOME}/[^.]*                     rwl,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/**     rwl,
  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/**   rwl,
  owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/** rwl,
--- a/profiles/apparmor.d/abstractions/wayland
+++ b/profiles/apparmor.d/abstractions/wayland
@@ -11,4 +11,4 @@
  owner /var/run/user/*/weston-shared-* rw,
  owner /run/user/*/wayland-[0-9]* rw,
-  owner /run/user/*/{mesa,mutter,sdl,weston,xwayland}-shared-* rw,
+  owner /run/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
--- a/profiles/apparmor.d/usr.lib.dovecot.imap-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login
@@ -26,6 +26,7 @@
  /usr/lib/dovecot/imap-login mr,
  /{,var/}run/dovecot/anvil rw,
  /{,var/}run/dovecot/login-master-notify* rw,
  /{,var/}run/dovecot/login/ r,
  /{,var/}run/dovecot/login/* rw,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -12,7 +12,7 @@
 #include <tunables/global>
-/usr/sbin/dovecot {
+/usr/sbin/dovecot flags=(attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@@ -15,6 +15,7 @@
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  deny capability net_admin, # noisy setsockopt() calls
  capability net_raw,
  network inet raw,
@@ -23,6 +24,7 @@
  /usr/sbin/traceroute mrix,
  /usr/bin/traceroute.db mrix,
  @{PROC}/net/route r,
  @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.traceroute>
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -20,6 +20,7 @@
  @{PROC}/sys/kernel/core_pattern r,
  /tmp/.winbindd/ w,
  /tmp/krb5cc_* rwk,
  /usr/lib*/samba/gensec/krb*.so mr,
  /usr/lib*/samba/idmap/*.so mr,
  /usr/lib*/samba/nss_info/*.so mr,
  /usr/lib*/samba/pdb/*.so mr,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.anvil
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.anvil
@@ -13,7 +13,6 @@
 /usr/lib/postfix/anvil {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  capability setgid,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.bounce
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.bounce
@@ -13,7 +13,6 @@
 /usr/lib/postfix/bounce {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  capability setgid,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.cleanup
@@ -13,7 +13,6 @@
 /usr/lib/postfix/cleanup {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  capability net_bind_service,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.error
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.error
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
 #    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,13 @@
 /usr/lib/postfix/error {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
-  /usr/lib/postfix/error rmix,
+  @{PROC}/sys/kernel/ngroups_max r,
  /usr/lib/postfix/error mrix,
  owner /var/spool/postfix/active/* rwk,
  /var/spool/postfix/pid/unix.error rwk,
  /var/spool/postfix/pid/unix.retry rwk,
  owner /var/spool/postfix/private/defer w,
 }
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.flush
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.flush
@@ -13,7 +13,6 @@
 /usr/lib/postfix/flush {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  capability setgid,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.lmtp
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
 #    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,8 +14,10 @@
 /usr/lib/postfix/lmtp {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
-  /usr/lib/postfix/lmtp rmix,
+  /usr/lib/postfix/lmtp mrix,
  /var/spool/postfix/active/* rwk,
  /var/spool/postfix/pid/unix.lmtp rwk,
 }
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.local
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.local
@@ -14,7 +14,6 @@
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/user-mail>
  #include <abstractions/postfix-common>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.master
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.master
@@ -12,7 +12,6 @@
 /usr/lib/postfix/master {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.nqmgr
@@ -12,7 +12,6 @@
 /usr/lib/postfix/nqmgr {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.pickup
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.pickup
@@ -12,7 +12,6 @@
 /usr/lib/postfix/pickup {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.pipe
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.pipe
@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006 Novell/SUSE
 #    Copyright (C) 2017 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,6 +13,14 @@
 /usr/lib/postfix/pipe {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/pipe mrix,
  /var/spool/postfix/active/* rwk,
  /var/spool/postfix/private/bounce w,
  /var/spool/postfix/private/defer w,
  /var/spool/postfix/private/rewrite w,
  /var/spool/postfix/private/trace w,
  /usr/lib/postfix/pipe rmix,
 }
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.qmgr
@@ -12,7 +12,6 @@
 /usr/lib/postfix/qmgr {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.qmqpd
@@ -13,7 +13,6 @@
 /usr/lib/postfix/qmqpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/qmqpd rmix,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.showq
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.showq
@@ -13,7 +13,6 @@
 /usr/lib/postfix/showq {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/showq                       rmix,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtp {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  #include <abstractions/openssl>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -13,7 +13,6 @@
 /usr/lib/postfix/smtpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  #include <abstractions/openssl>
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.spawn
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.spawn
@@ -13,7 +13,6 @@
 /usr/lib/postfix/spawn {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/spawn rmix,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.trivial-rewrite
@@ -13,7 +13,6 @@
 /usr/lib/postfix/trivial-rewrite {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/trivial-rewrite            rmix,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.verify
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.verify
@@ -13,7 +13,6 @@
 /usr/lib/postfix/verify {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  /usr/lib/postfix/verify rmix,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.virtual
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.virtual
@@ -13,7 +13,6 @@
 /usr/lib/postfix/virtual {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/kerberosclient>
  #include <abstractions/postfix-common>
  capability setgid,
--- a/utils/aa-audit.pod
+++ b/utils/aa-audit.pod
@@ -6,7 +6,7 @@ aa-audit - set an AppArmor security profile to I<audit> mode.
 =head1 SYNOPSIS
-B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-audit I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 =head1 OPTIONS
@@ -15,9 +15,12 @@ B<-d --dir  /path/to/profiles>
   Specifies where to look for the AppArmor security profile set.
   Defaults to /etc/apparmor.d.
 B<--no-reload>
   Do not reload the profile after modifying it.
 B<-r --remove>
-   Removes the audit mode for the profile.  
+   Removes the audit mode for the profile.
 =head1 DESCRIPTION
--- a/utils/aa-cleanprof.pod
+++ b/utils/aa-cleanprof.pod
@@ -6,7 +6,7 @@ aa-cleanprof - clean an existing AppArmor security profile.
 =head1 SYNOPSIS
-B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-s>]>
+B<aa-cleanprof I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload]> [I<-s>]>
 =head1 OPTIONS
@@ -15,6 +15,9 @@ B<-d --dir  /path/to/profiles>
   Specifies where to look for the AppArmor security profile set.
   Defaults to /etc/apparmor.d.
 B<--no-reload>
   Do not reload the profile after modifying it.
 B<-s --silent>
   Silently overwrites the profile without user prompt.
@@ -22,7 +25,7 @@ B<-s --silent>
 =head1 DESCRIPTION
 B<aa-cleanprof> is used to perform a cleanup on one or more profiles.
-The tool removes any existing superfluous rules (rules that are covered 
+The tool removes any existing superfluous rules (rules that are covered
 under an include or another rule), reorders the rules to group similar rules
 together and removes all comments from the file.
--- a/utils/aa-complain.pod
+++ b/utils/aa-complain.pod
@@ -26,7 +26,7 @@ aa-complain - set an AppArmor security profile to I<complain> mode.
 =head1 SYNOPSIS
-B<< aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-complain I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 =head1 OPTIONS
@@ -35,6 +35,9 @@ B<-d --dir  /path/to/profiles>
   Specifies where to look for the AppArmor security profile set.
   Defaults to /etc/apparmor.d.
 B<--no-reload>
   Do not reload the profile after modifying it.
 =head1 DESCRIPTION
 B<aa-complain> is used to set the enforcement mode for one or more profiles to I<complain> mode.
--- a/utils/aa-disable.pod
+++ b/utils/aa-disable.pod
@@ -26,7 +26,7 @@ aa-disable - disable an AppArmor security profile
 =head1 SYNOPSIS
-B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<-r>]>
+B<aa-disable I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>] [I<-r>]>
 =head1 OPTIONS
@@ -35,11 +35,14 @@ B<-d --dir  /path/to/profiles>
   Specifies where to look for the AppArmor security profile set.
   Defaults to /etc/apparmor.d.
 B<--no-reload>
   Do not unreload the profile after modifying it.
 =head1 DESCRIPTION
-B<aa-disable> is used to I<disable> one or more profiles. 
+B<aa-disable> is used to I<disable> one or more profiles.
 This command will unload the profile from the kernel and prevent the
-profile from being loaded on AppArmor startup. 
+profile from being loaded on AppArmor startup.
 The I<aa-enforce> and I<aa-complain> utilities may be used to to change
 this behavior.
--- a/utils/aa-enforce.pod
+++ b/utils/aa-enforce.pod
@@ -27,7 +27,7 @@ being disabled or I<complain> mode.
 =head1 SYNOPSIS
-B<< aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] >>
+B<aa-enforce I<E<lt>executableE<gt>> [I<E<lt>executableE<gt>> ...] [I<-d /path/to/profiles>] [I<--no-reload>]>
 =head1 OPTIONS
@@ -36,12 +36,15 @@ B<-d --dir / path/to/profiles>
   Specifies where to look for the AppArmor security profile set.
   Defaults to /etc/apparmor.d.
 B<--no-reload>
   Do not reload the profile after modifying it.
 =head1 DESCRIPTION
 B<aa-enforce> is used to set one or more profiles to I<enforce> mode.
 This command is only relevant in conjunction with the I<aa-complain> utility
 which sets a profile to complain mode and the I<aa-disable> utility which
-unloads and disables a profile. 
+unloads and disables a profile.
 The default mode for a security policy is enforce and the I<aa-complain>
 utility must be run to change this behavior.
--- a/utils/aa-status.pod
+++ b/utils/aa-status.pod
@@ -102,23 +102,23 @@ following values:
 =over 4
-=item 0
+=item B<0>
 if apparmor is enabled and policy is loaded.
-=item 1
+=item B<1>
 if apparmor is not enabled/loaded.
-=item 2
+=item B<2>
 if apparmor is enabled but no policy is loaded.
-=item 3
+=item B<3>
 if the apparmor control files aren't available under /sys/kernel/security/.
-=item 4
+=item B<4>
 if the user running the script doesn't have enough privileges to read
 the apparmor control files.
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1374,24 +1374,16 @@ def handle_children(profile, hat, root):
                            if ynans == 'y':
                                hat = exec_target
                                if not aa[profile].get(hat, False):
-                                    aa[profile][hat] = profile_storage(profile, hat, 'handle_children()')
+                                    stub_profile = create_new_profile(hat, True)
                                    aa[profile][hat] = stub_profile[hat][hat]
                                aa[profile][hat]['profile'] = True
                                if profile != hat:
                                    aa[profile][hat]['flags'] = aa[profile][profile]['flags']
                                stub_profile = create_new_profile(hat, True)
                                aa[profile][hat]['flags'] = 'complain'
                                aa[profile][hat]['allow']['path'] = hasher()
                                if stub_profile[hat][hat]['allow'].get('path', False):
                                    aa[profile][hat]['allow']['path'] = stub_profile[hat][hat]['allow']['path']
                                aa[profile][hat]['include'] = hasher()
                                if stub_profile[hat][hat].get('include', False):
                                    aa[profile][hat]['include'] = stub_profile[hat][hat]['include']
                                file_name = aa[profile][profile]['filename']
                                filelist[file_name]['profiles'][profile][hat] = True
@@ -1967,13 +1959,15 @@ def save_profiles():
            q.explanation = _('The following local profiles were changed. Would you like to save them?')
            q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
            q.default = 'CMD_VIEW_CHANGES'
            q.options = changed
            q.selected = 0
            ans = ''
            arg = None
            while ans != 'CMD_SAVE_CHANGES':
                if not changed:
                    return
                q.options = sorted(changed.keys())
                ans, arg = q.promptUser()
                if ans == 'CMD_SAVE_SELECTED':
                    profile_name = list(changed.keys())[arg]
@@ -3574,6 +3568,9 @@ def get_file_perms(profile, path, audit, deny):
                    for perm in incperms[allow_or_deny][owner_or_all]:
                        perms[allow_or_deny][owner_or_all].add(perm)
                    if 'a' in perms[allow_or_deny][owner_or_all] and 'w' in perms[allow_or_deny][owner_or_all]:
                        perms[allow_or_deny][owner_or_all].remove('a')  # a is a subset of w, so remove it
            for incpath in incperms['paths']:
                perms['paths'].add(incpath)
@@ -3598,6 +3595,9 @@ def propose_file_rules(profile_obj, rule_obj):
        merged_rule_obj.perms.add(perm)
        merged_rule_obj.raw_rule = None
    if 'a' in merged_rule_obj.perms and 'w' in merged_rule_obj.perms:
        merged_rule_obj.perms.remove('a')  # a is a subset of w, so remove it
    pathlist = {original_path} | existing_perms['paths'] | set(glob_common(original_path))
    for user_glob in user_globs:
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -338,6 +338,13 @@ class ReadLog:
            return(e['pid'], e['parent'], 'unknown_hat',
                             [profile, hat, aamode, hat])
        elif e['operation'] == 'ptrace':
            if not e['peer']:
                self.debug_logger.debug('ignored garbage ptrace event with empty peer')
                return None
            if not e['denied_mask']:
                self.debug_logger.debug('ignored garbage ptrace event with empty denied_mask')
                return None
            return(e['pid'], e['parent'], 'ptrace',
                             [profile, hat, prog, aamode, e['denied_mask'], e['peer']])
        elif e['operation'] == 'signal':
--- a/utils/apparmor/rule/network.py
+++ b/utils/apparmor/rule/network.py
@@ -27,7 +27,7 @@ _ = init_translation()
 network_domain_keywords   = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
                              'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
                              'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
-                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
+                              'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm', 'smc' ]
 network_type_keywords     = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
 network_protocol_keywords = ['tcp', 'udp', 'icmp']
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -781,6 +781,7 @@ class AaTest_get_file_perms_1(AATest):
 class AaTest_get_file_perms_2(AATest):
    tests = [
        ('/usr/share/common-licenses/foo/bar',      {'allow': {'all': {'r'},            'owner': {'w'}  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/usr/share/common-licenses/**'}              }),
        ('/usr/share/common-licenses/what/ever',    {'allow': {'all': {'r'},            'owner': {'w'}  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/usr/share/common-licenses/**', '/usr/share/common-licenses/what/ever'}      }),
        ('/dev/null',                               {'allow': {'all': {'r', 'w', 'k'},  'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/dev/null'}                                  }),
        ('/foo/bar',                                {'allow': {'all': {'r', 'w'},       'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': {'/foo/bar'}                                   }),  # exec perms not included
        ('/no/thing',                               {'allow': {'all': set(),            'owner': set()  }, 'deny': {'all':set(),    'owner': set()},    'paths': set()                                          }),
@@ -808,6 +809,7 @@ class AaTest_get_file_perms_2(AATest):
        profile['include']['abstractions/enchant'] = True  # includes abstractions/aspell
        profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/**  w,'))
        profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/what/ever a,'))  # covered by the above 'w' rule, so 'a' should be ignored
        profile['file'].add(FileRule.parse('/dev/null rwk,'))
        profile['file'].add(FileRule.parse('/foo/bar rwix,'))
@@ -822,6 +824,7 @@ class AaTest_propose_file_rules(AATest):
        (['/foo/bar',                           'rw'],  ['/foo/bar rw,']                                                                                                        ),
        (['/usr/lib/ispell/',                   'w'],   ['/{usr/,}lib{,32,64}/** rw,', '/usr/lib/ispell/ rw,']                                                                     ),
        (['/usr/lib/aspell/some.so',            'k'],   ['/usr/lib/aspell/* mrk,', '/usr/lib/aspell/*.so mrk,', '/{usr/,}lib{,32,64}/** mrk,', '/usr/lib/aspell/some.so mrk,']     ),
        (['/foo/log',                           'w'],   ['/foo/log w,']                                                                                                            ),
    ]
    def _run_test(self, params, expected):
@@ -850,6 +853,7 @@ class AaTest_propose_file_rules(AATest):
        profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/**  w,'))
        profile['file'].add(FileRule.parse('/dev/null rwk,'))
        profile['file'].add(FileRule.parse('/foo/bar rwix,'))
        profile['file'].add(FileRule.parse('/foo/log a,'))  # will be replaced with '/foo/log w,' (not 'wa')
        rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
        proposals = propose_file_rules(profile, rule_obj)
--- a/utils/test/test-libapparmor-test_multi.py
+++ b/utils/test/test-libapparmor-test_multi.py
@@ -66,6 +66,8 @@ class TestLibapparmorTestMulti(AATest):
                    pass
                elif parsed_items['operation'] == 'exec' and label in ['sock_type', 'family', 'protocol']:
                    pass  # XXX 'exec' + network? really?
                elif parsed_items['operation'] == 'ptrace' and label == 'name2' and params.endswith('/ptrace_garbage_lp1689667_1'):
                    pass  # libapparmor would better qualify this case as invalid event
                elif not parsed_items.get(label, None):
                    raise Exception('parsed_items[%s] not set' % label)
                elif not expected.get(label, None):
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -49,6 +49,15 @@ exception_not_raised = [
    'change_profile/onx_conflict_unsafe1.sd',
    'change_profile/onx_conflict_unsafe2.sd',
    # duplicated conditionals aren't detected by the tools
    'generated_dbus/duplicated-conditionals-45127.sd',
    'generated_dbus/duplicated-conditionals-45131.sd',
    'generated_dbus/duplicated-conditionals-45124.sd',
    'generated_dbus/duplicated-conditionals-45130.sd',
    'generated_dbus/duplicated-conditionals-45125.sd',
    'generated_dbus/duplicated-conditionals-45128.sd',
    'generated_dbus/duplicated-conditionals-45129.sd',
    'dbus/bad_modifier_2.sd',
    'dbus/bad_regex_01.sd',
    'dbus/bad_regex_02.sd',
Author	SHA1	Message	Date
John Johansen	8b81fe065f	bump release version to 2.11.1	2017-10-19 02:13:37 -07:00
Steve Beattie	a8f5b8f0db	libapparmor: fix swig test_apparmor.py for zero length ptrace records Merge from trunk revision 3715 The added testcase for a ptrace target with an empty string (ptrace_garbage_lp1689667_1.in) was causing the swig python test script to fail. The generated python swig record for libapparmor ends up setting a number of fields to None or other values that indicate the value is unset, and the test script was checking if the value in the field didn't evaluate to False in a python 'if' test. Unfortunately, python evaluates the empty string '' as False in 'if' tests, resulting in the specific field that contained the empty string to be dropped from the returned record. This commit fixes that by special case checking for the empty string. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com>	2017-10-18 17:06:28 -07:00
John Johansen	878ebd4b33	Fix af_unix downgrade of network rules with unix rules we output a downgraded rule compatible with network rules so that policy will work on kernels that support network socket controls but not the extended af_unix rules however this is currently broken if the socket type is left unspecified (initialized to -1), resulting in denials for kernels that don't support the extended af_unix rules. cherry-pick: lp:apparmor r3700 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: timeout	2017-10-18 14:31:16 -07:00
Christian Boltz	bc5634f2af	Fix save_profiles() for YaST YaST has two issues in the "save changed profiles" dialog: - when using "save selected", the list of profiles doesn't get updated. Update q.options inside the loop to fix this. - the list of profiles is displayed as "["/usr/bin/foo", true]" instead of just "/usr/bin/foo". Use changed.keys() instead of changed to fix this. (text-mode aa-logprof doesn't change, it always displayed "/usr/bin/foo" and continues to do so.) References: https://bugzilla.opensuse.org/show_bug.cgi?id=1062667 part a) Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11. Note that 2.11 needs a slightly different patch (whitespace diff).	2017-10-12 13:28:51 +02:00
Christian Boltz	7c217b7413	Allow /var/run/dovecot/login-master-notify* in dovecot imap-login profiles Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11, 2.10 and 2.9.	2017-09-28 17:48:13 +02:00
Christian Boltz	86037e0a23	abstractions/freedesktop.org: support /usr/local/applications; support subdirs of applications folder Merge request by Cameron Norman 2015-06-07 https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336 Acked-by: Christian Boltz <apparmor@cboltz.de> for trunk, 2.11, 2.10 and 2.9	2017-09-10 12:28:30 +02:00
Christian Boltz	1f82a98029	Add network 'smc' keyword in NetworkRule and apparmor.d manpage 'smc' seems to be new in kernel 4.12. Note that the 2.10 apparmor.d manpage also misses the 'kcm' keyword, so the patch also adds it there. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.11 and 2.10.	2017-08-30 11:06:56 +02:00
Christian Boltz	7adbc4b3ee	Samba profile updates for ActiveDirectory / Kerberos The Samba package used by the INVIS server (based on openSUSE) needs some additional Samba permissions for the added ActiveDirectory / Kerberos support. As discussed with Seth, add /var/lib/sss/mc/initgroups read permissions to abstractions/nameservice instead of only to the smbd profile because it's probably needed by more than just Samba if someone uses sss. Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk.	2017-08-29 13:32:03 +02:00
Christian Boltz	5199e44ef0	update some Postfix profiles - change abstractions/postfix-common to allow /etc/postfix/*.db k - add several permissions to postfix/error, postfix/lmtp and postfix/pipe - remove superfluous abstractions/kerberosclient from all postfix profiles - it's included via abstractions/nameservice Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10, 2.11 and trunk	2017-08-22 12:43:52 +02:00
Steve Beattie	32e76985c9	libapparmor: fix ptrace regression test failure Merge from trunk revision 3692 In http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3659, a testcase was added that where the expected output file did not match the input source name, cause libapparmor's regression tests to fail: Output doesn't match expected data: --- ./test_multi/ptrace_no_denied_mask.out 2017-08-18 16:35:30.000000000 -0700 +++ ./test_multi/out/ptrace_no_denied_mask.out 2017-08-18 16:35:38.985863094 -0700 @@ -1,5 +1,5 @@ START -File: ptrace_1.in +File: ptrace_no_denied_mask.in Event type: AA_RECORD_DENIED Audit ID: 1495217772.047:4471 Operation: ptrace FAIL: ptrace_no_denied_mask This patch corrects the issue. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>	2017-08-18 17:16:27 -07:00
Steve Beattie	54bdfd3565	user abstractions: fix for non-latin file/directory names Merge from trunk commit 3691 Merge from Vincas Dargis, approved by intrigeri Fix user-write and user-download abstractions for non-latin file names. Acked-by: Steve Beattie <steve@nxnw.org>	2017-08-09 12:48:18 -07:00
Steve Beattie	bd68cd2d69	traceroute profile: support TCP SYN for probes, quite net_admin request Merge from trunk revision 3690 Merge from Vincas Dargis, approved by intrigeri. fix traceroute denies in tcp mode Acked-by: Steve Beattie <steve@nxnw.org>	2017-08-09 09:35:34 -07:00
Steve Beattie	f076497f89	abstractions/gnome: allow reading GLib schemas. Merge from trunk revision 3687 Merge from intrigeri based on original work by Cameron Norman. Acked-by: Steve Beattie <steve@nxnw.org>	2017-08-07 10:40:35 -07:00
Steve Beattie	5089a941c8	wayland abstraction: allow wayland-cursor-shared-* Merge from trunk revision 3686 Merge from intrigeri. Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870807 Acked-by: Steve Beattie <steve@nxnw.org>	2017-08-07 10:28:30 -07:00
Christian Boltz	3b490f9450	Prevent 'wa' conflicts for file rules get_file_perms() and propose_file_rules() happily collect all file permissions. This could lead to proposing 'wa' permissions in aa-logprof, which then errored out because of conflicting permissions. This patch adds a check to both functions that removes 'a' if 'w' is present, and extends the tests to check this. Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11. Note: Both functions (including this bug) were introduced together with FileRule, so older releases are not affected.	2017-08-04 22:27:16 +02:00
Christian Boltz	66928660f5	Carry over all autodep-generated rules in handle_children() When creating a new child profile, handle_children() did only copy over include and path rules. While this was correct in the past, path rules got changed to FileRule in the meantime and were therefore lost. (In practise, this means the "$binary mr," rule wasn't added to the new child profile, causing a "superfluous" question in aa-logprof.) This patch changes handle_children() to carry over the complete new child profile instead of only cherry-picking include and path rules. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.11. Older versions (with path as hasher) are not affected.	2017-08-02 13:26:49 +02:00
Jamie Strandboge	d2fc6ff1cc	update aa-status.pod for updated podchecker Bug-Ubuntu: https://launchpad.net/bugs/1707614 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>	2017-07-31 10:22:33 -05:00
Jamie Strandboge	39fc9dc40f	Adjust python abstraction for python3.6 Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>	2017-07-26 15:10:24 -05:00
Christian Boltz	a90238e7c6	Add --no-reload to various utils manpages This option exists in several aa-* tools since 2.9, but isn't mentioned in the manpage. Also drop some trailing whitespace in the manpages. Acked-by: John Johansen <john.johansen@canonical.com> for 2.9, 2.10, 2.11 and trunk.	2017-07-23 21:30:56 +02:00
Christian Boltz	5246203c9e	dovecot profile: add the attach_disconnected flag Reported by pfak on IRC [...] apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dovecot" name="run/systemd/journal/dev-log" pid=20313 comm="dovecot" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Acked-by <timeout> for 2.9, 2.10, 2.11 and trunk.	2017-06-29 22:54:17 +02:00
Jamie Strandboge	4b99f16b49	Origin: r3669 from trunk Description: adjust the multiarch alternation rule in the perl abstraction for modern Debian and Ubuntu systems which store some modules under the architecture-specific perl-base directory instead of perl or perl5. Signed-Off-By: Jamie Strandboge <jamie@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>	2017-06-26 14:43:13 -05:00
Christian Boltz	7777b1418e	Ignore ptrace log events without denied_mask This fixes a crash in the tools. Reported by peetaur on IRC. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.11.	2017-05-20 01:06:39 +02:00
Christian Boltz	9d5934f5ff	Add two parser files to .bzrignore - parser/libapparmor_re/parse.cc is autogenerated during build - parser/tst_lib gets compiled during "make check" Both files get deleted by make clean. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.11.	2017-05-20 01:04:10 +02:00
Christian Boltz	962d4afb3d	Fix aa-logprof crash on ptrace garbage log events (garbage) ptrace events like ... apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target="" cause an empty name2 field, which leads to a crash in the tools. This patch lets logparser.py ignore such garbage log events, which also avoids the crash. As usual, add some testcases. test-libapparmor-test_multi.py needs some special handling to ignore the empty name2 field in one of the testcases. References: https://bugs.launchpad.net/apparmor/+bug/1689667 Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11. Older releases can't handle ptrace log events and therefore can't crash ;-)	2017-05-19 22:47:36 +02:00
Tyler Hicks	eb8acf4b45	libapparmor: Don't print shell commands that check for test failures Error messages should only show up in build logs when the error has been encountered. This patch silences these shell commands from being printed before they're interpreted. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>	2017-04-21 13:52:44 +00:00
Tyler Hicks	8217eb04af	libapparmor: Fix parallel make dependency issue in testsuite A multi job `make check` command could fail due to check-local running before the check-DEJAGNU target, which is automatically generated by automake, would complete. This would result in a build failure due to libaalogparse.log not yet existing. Fix the issue by depending on the check-DEJAGNU target. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2017-04-21 13:52:42 +00:00
Christian Boltz	26e1200324	Ignore test failures about duplicated conditionals in dbus rules Since r3634, the tools allow any order of dbus conditionals. Quoting the r3634 patch description: This patch eases the restriction on the ordering at the expense of the utils no longer being able to detect and reject a single attribute that is repeated multiple times. In that situation, only the last occurrence of the attribute will be honored by the utils. It seems nobody tested with all test profiles generated ;-) so we have to add some exceptions to the "does not raise an exception" list now. Acked-by <timeout> for trunk and 2.11 Bug: https://launchpad.net/bugs/1658239	2017-04-20 13:07:06 +02:00
Steve Beattie	4181b187c3	profiles: abstractions/base - Allow sysconf(_SC_NPROCESSORS_CONF) Merge Simon McVittie's patch to allow querying the number of configured processors in the base abstraction. Acked-by: Steve Beattie <steve@nxnw.org>	2017-04-14 16:08:03 -07:00
John Johansen	485798c4f8	Update REPO_URL to 2.11 branch	2017-04-13 13:56:20 -07:00
Simon McVittie	1b15425ea3	abstractions/base: Allow sysconf(_SC_NPROCESSORS_CONF) glibc implements this by doing a readdir() and filtering. We already allowed sysconf(_SC_NPROCESSORS_ONLN), which is basically a read from /sys/devices/system/cpu/online. Signed-off-by: Simon McVittie <smcv@collabora.com>	2017-04-12 18:35:10 +01:00
		`@@ -0,0 +1 @@`
							`type=AVC msg=audit(1494272099.261:3455): apparmor="DENIED" operation="ptrace" profile="/bin/netstat" pid=1962 comm="netstat" target=""`
		`@@ -0,0 +1 @@`
							`type=AVC msg=audit(1495217772.047:4471): apparmor="DENIED" operation="ptrace" profile="/usr/bin/pidgin" pid=21704 comm="pidgin" peer="unconfined"`