apparmor

mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 14:25:52 +00:00

Author	SHA1	Message	Date
John Johansen	84a6bc1b6d	Prepare for AppArmor 4.0.1 release - update version file - update library version. addition of saddr/... parsing extends the record struct which is an interface addition. Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-23 16:02:50 -07:00
John Johansen	9f849247b9	Merge [4.0] MqueueRule: allow `/` as mqueue name ... and not only `/something` Fixes: https://gitlab.com/apparmor/apparmor/-/issues/413#note_2008929033 This is the 4.0 version of https://gitlab.com/apparmor/apparmor/-/merge_requests/1278 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1279 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-07-22 01:48:12 +00:00
Christian Boltz	3fe2d323fc	MqueueRule: allow `/` as mqueue name ... and not only `/something` Fixes: https://gitlab.com/apparmor/apparmor/-/issues/413#note_2008929033 (cherry picked from commit `02edb649fa`)	2024-07-21 19:13:50 +02:00
Christian Boltz	f0f7420f6c	test-mqueue: table-format MessageQueueTestParse (cherry picked from commit `93870323a0`, adjusted to 4.0 branch)	2024-07-21 19:13:29 +02:00
Georgia Garcia	efef7d1b28	Merge Add fcitx5 dbus interface to fcitx abstraction Similar reference in snapd https://github.com/snapcore/snapd/pull/12924 Reference upstream implementation: https://github.com/fcitx/fcitx/blob/master/src/frontend/ipcportal/ipcportal.h https://github.com/fcitx/fcitx5/blob/master/src/frontend/dbusfrontend/dbusfrontend.cpp MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1222 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `e1de0bb5d5`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-21 01:56:21 -07:00
John Johansen	d61109d47e	Merge profiles: Add userns stub for Chromium and variants This gets `chromium` and `ungoogled-chromium` working again on Ubuntu 24.04; see discussion [here](#394). Bug: https://gitlab.com/apparmor/apparmor/-/issues/394 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1238 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `ca03f69e64`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-21 01:53:55 -07:00
John Johansen	113ce2cfcd	Merge parser: make lead # in assignment value indicate a comment technically a # leading a value in an assignment expression is allowed, however people are also using it to a comment at the end of a line. ie. ``` @{var1}=value1 # comment about this value or for a given system ``` this unsurprisingly leads to odd/unexpected behavior when the variable is used. ``` allow rw /@{var1}, ``` expands into ``` allow rw /{value1,#,comment,about,this,value,or,for,a,given,system}, ``` change a leading # of a value in an assignment expression to a comment. If the # is really supposed to lead the value, require it to be escaped or in quotes. ie. ``` @{var1}=value1 \#not_a_comment ``` Note: this could potentially break som policy if the # was used as the leading character for a value in an assignment expression, but is worth it to avoid the confusion. Signed-off-by: John Johansen <john.johansen@canonical.com> Bug: https://gitlab.com/apparmor/apparmor/-/issues/407 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1255 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `642db8a37c`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-21 01:48:21 -07:00
John Johansen	af7a10b5d9	Merge parser: ensure mqueue obeys abi The abi is not being respected by mqueue rules in many cases. If policy does ot specify an mqueue rule the abi is correctly applied but if an mqueue rule is specified explicitly or implicitly (eg. allow all). without setting the mqueue type OR setting the mqueue type to sysv. The abi will be ignored and mqueue will be enforced for policy regadless. Known good mqueue rule that respects abi mqueue type=posix, # and all variations that keep type=posix Known bad mqueue rules that do not respect abi mqueue, # and all variants that do not specify the type= option mqueue type=sysv, # and all variants that specify the type=sysv option Issue: https://gitlab.com/apparmor/apparmor/-/issues/412 Fixes: `d98c5c4cf` ("parser: add parser support for message queue mediation") Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1277 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `d0d75abd02`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-21 01:42:32 -07:00
John Johansen	4bb134e4bb	Merge parser: don't add mediation classes to unconfined profiles Adding mediation classes in unconfined profiles caused nested profiles to be mediated, inside a container for example. Fixes: https://bugs.launchpad.net/apparmor/+bug/2067900 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1247 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `0d9d548694`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-18 05:58:11 -07:00
John Johansen	4569381ec3	Merge profiles: add mediate_deleted to bwrap Some applications using the bwrap profile don't function properly due to "Failed name lookup - deleted entry". The following denials trying to start flatpak KeePassXC is an example showing that it happens for both bwrap and unpriv_bwrap profiles: Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.106:310): apparmor="DENIED" operation="link" class="file" info="Failed name lookup - deleted entry" error=-2 profile="bwrap" name="/home/\\\\/.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317211" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 Jul 12 09:44:37 ubuntu2404 kernel: audit: type=1400 audit(1720741477.341:317): apparmor="DENIED" operation="link" class="file" profile="unpriv_bwrap" name="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/keepassxc.ini" pid=4021 comm="keepassxc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home//.var/app/org.keepassxc.KeePassXC/config/keepassxc/#317214" Fixes: https://launchpad.net/bugs/2072811 I propose this fix for master and apparmor-4.0 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1272 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `7f35adef41`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-18 05:47:10 -07:00
John Johansen	73a29ade16	Merge parser: fix unix for all rule By specifying 0 in the unix type, all rules were allowing only the "none" type, when it wanted to allow all types, so replace it by 0xffffffff. Also, add this testcase to the unix regression tests. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/410 I propose this fix for master and apparmor-4.0 Closes #410 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1273 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `5b44e33d25`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-18 05:44:22 -07:00
John Johansen	d8e17207e8	Merge firefox: allow /etc/writable/timezone and update UPower DBus access Saw these couple of accesses fail recently on my Ubuntu 22.04 system: `Jun 3 15:29:24 darkstar kernel: [5401883.070129] audit: type=1107 audit(1717442964.884:9223): pid=729 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.28" pid=2164500 label="firefox" peer_pid=2502 peer_label="unconfined"` `Jun 3 15:29:24 darkstar kernel: [5401883.070588] audit: type=1107 audit(1717442964.884:9224): pid=729 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/UPower" interface="org.freedesktop.UPower" member="EnumerateDevices" mask="send" name=":1.28" pid=2164500 label="firefox" peer_pid=2502 peer_label="unconfined"` Also, I noticed that the `firefox` profile in the Ubuntu 24.04 package has a rule for `/etc/writable/timezone` that is not present in Git. Figured that should be in here. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/409 Closes #409 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1253 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `09d8f886ca`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-17 01:39:42 -07:00
John Johansen	0f51513a11	Merge samba-dcerpcd: allow to execute rpcd_witness ... and extend the samba-rpcd profile to also include rpcd_witness. Patch by Noel Power <nopower@suse.com> Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811 I propose this patch for 3.x, 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1256 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `899c0b3942`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-17 01:31:26 -07:00
John Johansen	a07a8e69e0	Merge utils: Ignore/skip disabled profiles This is needed to avoid a "Conflicting profiles" error if there are two profiles for an application, with one of them disabled. This is not a theoretical usecase - for example, apparmor.d ships some profiles that replace our "userns+unconfined" profiles. These profiles use a different filename, and apparmor.d also creates a disable symlink for the "userns+unconfined" profile it replaces. I propose this patch for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1264 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `834c28b5fe`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-17 01:25:26 -07:00
Christian Boltz	24a0ebb5ef	Merge aa-notify: fix translation of an error message ... which so far was not translatable because it was formatted before being translated. I propose this fix for master, 4.0 and 3.x MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1271 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `67021bf911`) `c85958da` aa-notify: fix translation of an error message Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-07-15 19:27:29 +00:00
Christian Boltz	0310a122d4	Merge abstractions/wutmp: allow writing wtmpdb /var/lib/wtmpdb/ contains the Y2038-safe version of wtmpdb. Proposed by darix. I propose this patch for master, 4.0 and 3.x. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1267 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `728e0ab1b7`) `da9a3bd3` abstractions/wutmp: allow writing wtmpdb Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-07-11 12:04:34 +00:00
Christian Boltz	6cad7b889e	Merge ask_exec: ignore events for missing profiles ... and not only for events in missing hats. This fixes a crash if the log contains exec events for a hat where not even the parent profile exists. I propose this patch for master, 4.0 and 3.1. (In 3.0, `aa` is still a `hasher` which avoids the crash, therefore it doesn't really need this patch.) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1265 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `3ea19d5f32`) `7928c416` ask_exec: ignore events for missing profiles Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-07-11 12:03:36 +00:00
John Johansen	e2aff72f53	Merge test-logprof: increase timeout ... so that slow test environments don't fail. Fixes: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2062138 I propose this fix for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1268 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `0785006b41`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-07-07 05:40:17 -07:00
Christian Boltz	046fe9c1bd	Merge [4.0] MountRule: add support for quoted paths and empty source * MountRule: add support for quoted paths While on it, make the output for failing tests more verbose for easier debugging. * MountRule: Add support for empty ("") source This needs adding of an empty_ok flag in \_aare_or_all(). Also add a few tests from boo#1226031 to utils and parser tests. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031 This is the 4.0 version of https://gitlab.com/apparmor/apparmor/-/merge_requests/1258 (test-mount.py had a few merge conflicts) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1259 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-06-20 20:46:35 +00:00
John Johansen	e4e60f1a4f	Merge parser: fix Normalizatin infinite loop Expression simplification can get into an infinite loop due to eps pairs hiding behind and alternation that can't be caught by normalize_eps() (which exists in the first place to stop a similar loop). The loop in question happens in AltNode::normalize when a subtree has the following structure. 1. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ eps alt /\ / \ / \ alt eps /\ / \ / \ eps eps 2. if (normalize_eps(dir)) results in alt /\ / \ / \ alt eps /\ / \ / \ alt eps /\ / \ / \ eps eps 3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ alt alt /\ /\ / \ / \ / \ / \ eps eps eps eps 4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ eps alt /\ / \ / \ eps alt /\ / \ / \ eps eps 5. if (normalize_eps(dir)) results in alt /\ / \ / \ alt eps /\ / \ / \ eps alt /\ / \ / \ eps eps 6. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ eps alt /\ / \ / \ alt eps /\ / \ / \ eps eps back to beginning of cycle Fix this by detecting the creation of an eps_pair in rotate_node(), that pair can be immediately eliminated by simplifying the tree in that step. In the above cycle the pair creation is caught at step 3 resulting in 3. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ alt eps /\ / \ / \ eps eps 4. elseif (child[dir]->is_type(ALT_NODE)) rotate_node too alt /\ / \ / \ eps alt /\ / \ / \ eps eps which gets reduced to alt /\ / \ / \ eps eps breaking the normalization loop. The degenerate alt node will be caught in turn when its parent is dealt with. This needs to be backported to all releases Closes: https://gitlab.com/apparmor/apparmor/-/issues/398 Fixes: `846cee506` ("Split out parsing and expression trees from regexp.y") Reported-by: Christian Boltz <apparmor@cboltz.de> Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #398 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1252 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `a6691ca53e`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-06-14 12:41:26 -07:00
Christian Boltz	ae01582798	Merge abstractions/X: add another xauth path This time it's /tmp/xauth_?????? r, which gets used by latest sddm. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900 I propose this fix for 4.0 and master, optionally also for 3.x. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1249 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `121dbec671`) `0c6e031c` abstractions/X: add another xauth path Co-authored-by: John Johansen <john@jjmx.net>	2024-06-11 11:37:47 +00:00
Christian Boltz	98a0a2fee9	MountRule: Add support for empty ("") source This needs adding of an empty_ok flag in _aare_or_all(). Also add a few tests from boo#1226031 to utils and parser tests. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031 (cherry picked from commit `1f33fc9b29`, test-mount.py changes adjusted for 4.0 branch)	2024-06-11 13:36:24 +02:00
Christian Boltz	aada708bc1	MountRule: add support for quoted paths While on it, make the output for failing tests more verbose for easier debugging. (cherry picked from commit `900f233101`, test-mount.py adjusted for 4.0 branch)	2024-06-11 13:36:21 +02:00
John Johansen	dca6ac3b73	Merge Partial revert of "libapparmor: add log parser support for saddr, daddr, src and dest" This partially reverts commit `d1311cc93f`. During the cherry-pick, I incorrectly assumed the patches for fine grained support of network rules from MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1216 were part of apparmor-4.0, therefore the test cases added in commit `d1311cc93f` fail. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1250 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-06-11 06:26:36 +00:00
Christian Boltz	9d1388fdb6	Merge aa-teardown: print out which profile removal failed This is a follow-up of https://gitlab.com/apparmor/apparmor/-/merge_requests/1242 to make it easier to identify failures. I propose this patch for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1257 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `5ab0d205af`) `bc4ddd5f` aa-teardown: print out which profile removal failed Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-06-10 21:48:50 +00:00
Christian Boltz	a8637a5aa1	Merge Honor global CFLAGS when building Python library Similarly to https://gitlab.com/apparmor/apparmor/-/merge_requests/689, use the global CFLAGS when building Python library, so we honor extra flags set by distributions, such as -fstack-protector-strong -fstack-clash-protection -Werror=format-security -fcf-protection. Spotted by blhc on Debian. Gbp-Pq: Name Honor-global-CFLAGS-when-building-Python-library.patch MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1254 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `1ec42d8bec`) `b7d75638` Honor global CFLAGS when building Python library Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-06-07 21:55:12 +00:00
Christian Boltz	a866d77e72	Merge profiles: installation of php-fpm needs w @{run}/systemd/notify Installation of php-fpm fails on Ubuntu because the profile does not allow writing to /run/systemd/notify. Fixes: https://bugs.launchpad.net/bugs/2061113 Signed-off-by: Georgia Garcia georgia.garcia@canonical.com I propose this fix for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1251 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `70ddb0ca5b`) `49aa7ae3` profiles: installation of php-fpm needs w @{run}/systemd/notify Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-06-05 16:56:48 +00:00
Georgia Garcia	527205bda9	Partial revert of "libapparmor: add log parser support for saddr, daddr, src and dest" This partially reverts commit `d1311cc93f`. During the cherry-pick, I incorrectly assumed the patches for fine grained support of network rules from MR https://gitlab.com/apparmor/apparmor/-/merge_requests/1216 were part of apparmor-4.0, therefore the test cases added in commit `d1311cc93f` fail. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-06-04 18:36:14 -03:00
Georgia Garcia	e3be2e52ea	Merge profiles: fix location for wike profile and add unconfined profile for balena-etcher MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1221 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `d605463b66`) `a5a1ecfe` profiles: fix wike profile location to apparmor.d `70125895` profiles: add unconfined balena-etcher profile Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-06-04 20:54:53 +00:00
Georgia Garcia	d1311cc93f	libapparmor: add log parser support for saddr, daddr, src and dest saddr, daddr, src and dest are used in network logs Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `6774654424`) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/397 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-06-04 17:42:21 -03:00
Christian Boltz	2a3cf471ab	apparmor.vim: add support for userns and the unconfined flag (cherry picked from commit `4cd39e70a0`) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/396 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-06-04 17:41:29 -03:00
Christian Boltz	c31da2ec55	Merge utils: fix removing unknown profiles that contain spaces aa-remove-unknown doesn't deal properly with profiles that contain spaces in their names. Using profile "MongoDB Compass" as an example, awk's sub returns the number of matches - either 1 or 0 and replaces the actual string ($0) with the substitution. By accessing the return of sub with $, awk would be accessing $1 which would return only "MongoDB". Fix this by using $0 instead of $str. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/395 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Closes #395 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1243 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `920120ffea`) `7ef7704f` utils: fix removing unknown profiles that contain spaces Co-authored-by: John Johansen <john@jjmx.net>	2024-06-04 20:36:10 +00:00
Christian Boltz	e8b2597676	Merge Fix aa-teardown for `unconfined` profiles Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225457 I propose this patch for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1242 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `81a08ab1ee`) `f497afbe` Fix aa-teardown for `unconfined` profiles Co-authored-by: John Johansen <john@jjmx.net>	2024-06-04 20:35:41 +00:00
Christian Boltz	6dee9d0a6a	Merge Add openSUSE path to plasmashell profile While on it, - add some comments explaining what the profile does - adjust the rule with the Debian/Ubuntu path to work with Qt6 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961 I propose this fix for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1248 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `a6a121144b`) `64469afa` Add openSUSE path to plasmashell profile Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-06-04 19:38:07 +00:00
Christian Boltz	aa74b9b12d	Merge abstractions/nameservice: allow reading @{PROC}/@{pid}/net/ipv6_route This file contains the same kind of information as @{PROC}/@{pid}/net/route and both files are world readable: ``` $ ls -l /proc/self/net/*route -r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/ipv6_route -r--r--r-- 1 root root 0 Jun 3 15:33 /proc/self/net/route ``` Signed-off-by: Simon Deziel <simon.deziel@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1246 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `5adeb86bbe`) `7770cd71` abstractions/nameservice: allow reading @{PROC}/@{pid}/net/ipv6_route Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-06-03 20:06:34 +00:00
Georgia Garcia	9ec5134322	Merge Fix aa-remove-unknown for 'unconfined' profiles Without this patch, aa-remove-unknown uses 'profile_name (unconfined)' when trying to unload unconfined profiles, which fails for obvious reasons with (picking a random example) Removing 'busybox (unconfined)' /sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory I propose this patch for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1240 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `cf5be7d356`) `cabd88a9` Fix aa-remove-unknown for 'unconfined' profiles Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-05-28 19:17:53 +00:00
Georgia Garcia	fcd02fb69b	Merge Cherry-pick: MountRule: Aligning behavior with apparmor_parser Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source. Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid. For the same reason, specifying a fstype in these cases is also prohibited. Similarly, we prohibit to specify a fstype for bind mount rules. Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685 (cherry picked from commit `60acc4a405`) Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1237 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-05-22 12:34:01 +00:00
Maxime Bélair	1f4bba0448	Cherry-pick: MountRule: Aligning behavior with apparmor_parser Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source. Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid. For the same reason, specifying a fstype in these cases is also prohibited. Similarly, we prohibit to specify a fstype for bind mount rules. Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685 (cherry picked from commit `60acc4a405`) Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>	2024-05-22 08:31:27 +02:00
Christian Boltz	af88a13712	Merge Include abi/4.0 when creating a new profile ... with aa-genprof or aa-autodep Fixes: https://gitlab.com/apparmor/apparmor/-/issues/392 I propose this patch for 4.0 and master. Closes #392 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1231 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `74316fe152`) `6c8ef381` Include abi/4.0 when creating a new profile Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-05-14 19:11:24 +00:00
Georgia Garcia	8e74855531	Merge Handle mount events/log entries without class audit.log entries for mount events don't always include `class=mount`, but can still be the base for mount rules. Change logparser.py to also consider `operation=mount` as a mount event. Actually we already had such a log and profile in our collection (testcase_mount_01), but since it existed years before MountRule was implemented, it was excluded in test-libapparmor-test_multi.py. Therefore we didn't notice that it failed to produce a profile rule when MountRule was introduced. Remove testcase_mount_01 from the list of known failures so that it gets tested - and fix the syntax error in the hand-written testcase_mount_01.profile. Also add testcase_mount_02 which is a mount event without fstype, srcname and class. I propose this fix for 4.0 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1229 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `48a936e985`) `b475ed0d` Handle mount events/log entries without class Co-authored-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-05-10 12:31:41 +00:00
John Johansen	951ea5b2fb	Merge Cherry-pick: MountRule: Relaxing constraints on fstype and completing AARE support - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name. - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `baa8b67248`) `dad5ee28` MountRule: Relaxing constraints on fstype and completing AARE support Co-authored-by: Christian Boltz <apparmor@cboltz.de> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1228 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-05-08 13:23:15 +00:00
Georgia Garcia	eee50538da	Merge MountRule: Relaxing constraints on fstype and completing AARE support - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name. - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `baa8b67248`) `dad5ee28` MountRule: Relaxing constraints on fstype and completing AARE support Co-authored-by: Christian Boltz <apparmor@cboltz.de>	2024-05-08 12:58:42 +00:00
Christian Boltz	86be5d35f3	util/test/: Don't rely on argparse saying "options:" Some argparse versions (for example on openSUSE Leap 15.5) instead say "optional arguments:" Don't rely on the "options:" line to allow both wordings. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1226 Approved-by: Steve Beattie <steve+gitlab@nxnw.org> Cherrypicked-by: Steve Beattie <steve+gitlab@nxnw.org>	2024-05-06 12:24:32 +02:00
Georgia Garcia	b7f9b66cba	Merge gitlab-ci.yml: fix pipeline for ubuntu:latest (noble) Since we are using ubuntu:latest, and noble was released, some tests are failing. shellcheck needs python3 to run, which was possibly installed by default in previous ubuntu images and is no longer the case. Ignore dist-packages python files during our coverage tests. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/388 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Closes #388 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1223 Merged-by: Steve Beattie <steve+gitlab@nxnw.org> (cherry picked from commit `8c9ac7a84e`) `731880de` gitlab-ci.yml: fix pipeline for ubuntu:latest (noble) `aaad725a` apparmor.systemd: fix shellcheck false positive Co-authored-by: Steve Beattie <steve+gitlab@nxnw.org>	2024-05-02 13:37:53 +00:00
John Johansen	6d1e5dbbe6	Merge profiles: add fixes for samba from issue #386 Signed-off-by: Alex Murray <alex.murray@canonical.com> Fixes: https://gitlab.com/apparmor/apparmor/-/issues/386 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1219 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `1457eada8b`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-23 07:36:08 -07:00
John Johansen	f1173379ff	Merge Fix redefinition of _ ... which unsurprisingly broke using the translations. This was a regression introduced in `4f51c93f9d` Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387 This fix is needed in 4.0 and master. (3.x branches are not affected.) Closes #387 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1218 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `79226675fd`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-22 16:42:13 -07:00
John Johansen	b0eb95457b	Prepare for AppArmor 4.0.1 release AppArmor 4.0.1 will be the official release superseding the 4.0.0 tag the only change being it adds a regression test for CVE-2016-1585 - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:59:30 -07:00
John Johansen	5ad4efec50	Merge regression tests: add mount test for CVE-2016-1585 Add infrastructure for calling the mount test binary with an fstype instead of using the default hardcoded ext2 type, and then use that in a test that exercises CVE-2016-1585, ensuring that mounting a procfs filesystem isn't permitted when the only mount rule is mount options=(rw,make-slave) -> **, to try to ensure that the generated and enforced policy is restricted to what is intended. Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `93c4c6fb9f`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:58:31 -07:00
John Johansen	a635a86e1d	Prepare for AppArmor 4.0 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:55:33 -07:00
John Johansen	c8e25e4689	Merge parser: add network inet mediation documentation to apparmor.d This updates the man page for the recent inet mediation patch. This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit. This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `ab9e6311f3`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:54:23 -07:00
John Johansen	68dd052873	Merge parser: inet conditionals should only generate rules for inet family When a family is specified in the network rules, we have to make sure the conditionals match the family. A netlink rule should not be able to specify ip and port for local and remote (peer) sockets, for example. When type or protocol is specified in network rules along with inet conditionals, we should only generate rules for the families that support those conditionals. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/384 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Closes #384 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1210 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `a0acf7785d`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:53:41 -07:00
John Johansen	4cef932170	Merge profiles: add unconfined wike profile Wike (deb package/compiled version) does not run in Ubuntu 24.04 due to some interference between apparmor and webkit. Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1212 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `3c43c314dc`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:53:30 -07:00
John Johansen	8108a217a3	Merge profiles: add unconfined foliate profile Foliate is using user namespaces via bwrap. For now add an unconfined profile to support it. Fixes: https://github.com/johnfactotum/foliate/issues/1271 Fixes: https://bugs.launchpad.net/bugs/2060767 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1209 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `0aa689dbf7`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:53:10 -07:00
John Johansen	2284e99613	Merge Updates to the chromium_browser profile This is a retargeting of [my MR in apparmor-profiles](https://gitlab.com/apparmor/apparmor-profiles/-/merge_requests/58). The most significant change is the addition of a `crashpad_handler` subprofile, to factor out some permissions that the browser proper does not need. The remainder is mostly updates from my normal usage monitoring. I have recorded below examples of the AppArmor log messages that motivated the updates. They are listed in the order in which they appear in the overall diff: #### +abstractions/fonts `Jun 30 16:45:42 testvm kernel: [ 4956.877581] audit: type=1400 audit(1688157942.647:127): apparmor="DENIED" operation="mknod" profile="chromium_browser" name="/home/username/.cache/fontconfig/af531e44-9f34-43fa-a244-e0ea9a6dc5f1-le64.cache-7.TMP-VbjHEy" pid=2136 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000` #### +abstractions/mesa `May 30 21:08:36 testvm kernel: [ 9893.605107] audit: type=1400 audit(1685495316.380:1708): apparmor="ALLOWED" operation="file_lock" profile="chromium_browser" name="/home/username/.cache/mesa_shader_cache/6b/ce9f90908044cb4d4dabc34d81bf24b2fbda0a.tmp" pid=5879 comm="chromiu:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000` #### +abstractions/vulcan `May 30 22:35:36 testvm kernel: [1544761.278181] audit: type=1400 audit(1685500536.387:22272): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt_min_freq_mhz" pid=963194 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### -deny dbus path=/org/freedesktop/hostname1 `Jun 13 19:16:35 image-ubuntu64 kernel: [78978.711877] audit: type=1107 audit(1686698195.982:2339): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.369" pid=17766 label="chromium_browser" peer_pid=17975 peer_label="unconfined"` #### +dbus path=/org/freedesktop/login1 `Jun 12 21:45:36 testvm kernel: [ 1518.318643] audit: type=1107 audit(1686620736.127:67): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionNew" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"` `Jun 12 21:40:03 testvm kernel: [ 1185.247117] audit: type=1107 audit(1686620403.059:66): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionRemoved" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"` #### +dbus path=/org/freedesktop/DBus `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="GetNameOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="NameHasOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RemoveMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` `Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"` #### +dbus path=/org/freedesktop/portal/desktop `Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/portal/desktop" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.portal.Desktop" pid=34637 label="chromium_browser" peer_pid=10595 peer_label="unconfined"` #### +dbus path=/org/freedesktop/Notifications `Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetCapabilities" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"` `Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetServerInformation" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"` #### +dbus path=/org/gtk/vfs/mounttracker `Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.9" pid=34637 label="chromium_browser" peer_pid=10331 peer_label="unconfined"` #### +/etc/fstab `Jun 19 00:12:34 testvm kernel: [3192175.541293] audit: type=1400 audit(1687147954.193:127452): apparmor="DENIED" operation="open" profile="chromium_browser" name="/etc/fstab" pid=1541844 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0` #### +~/.cache/thumbnails `Jun 28 14:31:34 testvm kernel: [4021314.484388] audit: type=1400 audit(1687977094.903:128621): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="pool-chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002` `Jun 28 14:31:34 testvm kernel: [4021314.484975] audit: type=1400 audit(1687977094.903:128622): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002` #### -/proc/$PID/fd/ This rule appears to have been used by the crash handler, so I've moved it to the new `crashpad_handler` subprofile. I have not observed the normal browser process(es) attempting this access. #### +/proc/pressure/{cpu,io,memory} `May 30 22:44:26 testvm kernel: [1545291.245886] audit: type=1400 audit(1685501066.352:22355): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/cpu" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0` `May 30 22:44:26 testvm kernel: [1545291.245903] audit: type=1400 audit(1685501066.352:22356): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/io" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0` `May 30 22:44:26 testvm kernel: [1545291.245912] audit: type=1400 audit(1685501066.352:22357): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/memory" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0` #### +/proc/$PID/clear_refs `May 30 18:32:55 testvm kernel: [ 552.316554] audit: type=1400 audit(1685485975.161:305): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/1950/clear_refs" pid=1950 comm="MemoryInfra" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000` #### +/proc/$PID/mountinfo `Jun 19 00:12:34 testvm kernel: [3192175.541221] audit: type=1400 audit(1687147954.193:127451): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/1541844/mountinfo" pid=1541844 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002` #### +/proc/sys/fs/inotify/max_user_watches `May 30 18:32:26 testvm kernel: [ 523.274479] audit: type=1400 audit(1685485946.109:288): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/sys/fs/inotify/max_user_watches" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### +/sys/devices/system/cpu/{kernel_max,possible,present} `May 30 18:32:26 testvm kernel: [ 523.287063] audit: type=1400 audit(1685485946.125:290): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/kernel_max" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `May 30 18:32:26 testvm kernel: [ 523.287107] audit: type=1400 audit(1685485946.125:291): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/possible" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `May 30 18:32:26 testvm kernel: [ 523.287607] audit: type=1400 audit(1685485946.125:297): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/present" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### +/sys/devices/pci[0-9]//{bConfigurationValue,boot_vga,busnum} `2023-07-03T04:40:49.955727-04:00 testsys kernel: [28353.647821] audit: type=1400 audit(1688373649.948:152): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/bConfigurationValue" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `Jul 4 00:10:52 testvm kernel: [ 405.584960] audit: type=1400 audit(1688443852.472:148): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" pid=2057 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `2023-07-03T04:40:49.955731-04:00 testsys kernel: [28353.647923] audit: type=1400 audit(1688373649.948:153): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/busnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### +/sys/devices/pci[0-9]/*/{descriptors,devnum} `2023-07-02T21:29:22.067669-04:00 testsys kernel: [ 2465.760458] audit: type=1400 audit(1688347762.063:71): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.0/usb2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `2023-07-02T21:29:22.071708-04:00 testsys kernel: [ 2465.762364] audit: type=1400 audit(1688347762.067:75): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `2023-07-02T21:29:22.071721-04:00 testsys kernel: [ 2465.763437] audit: type=1400 audit(1688347762.067:78): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-6/1-6.3/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `2023-07-03T04:40:49.955736-04:00 testsys kernel: [28353.648042] audit: type=1400 audit(1688373649.948:154): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/devnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### +/sys/devices/pci[0-9]/*/{manufacturer,product} `2023-07-03T04:40:49.955694-04:00 testsys kernel: [28353.647497] audit: type=1400 audit(1688373649.948:150): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/manufacturer" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `2023-07-03T04:40:49.955721-04:00 testsys kernel: [28353.647661] audit: type=1400 audit(1688373649.948:151): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/product" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### +/sys/devices/pci[0-9]/*/serial (lost the log entry for this one) #### +deny /sys/devices/virtual/dmi/id/ `May 30 18:38:58 testvm kernel: [ 915.363204] audit: type=1400 audit(1685486338.202:390): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` `May 30 18:38:58 testvm kernel: [ 915.363521] audit: type=1400 audit(1685486338.202:391): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/product_name" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` These sysfs paths yield the make and model of your system, so their access is questionable from a privacy perspective. #### +{dev,var/run} in shm paths Can't be replaced with `@{run}` as this does not include `/dev`. #### +ptrace (read) `May 31 04:47:35 testvm kernel: [1567080.438164] audit: type=1400 audit(1685522855.581:124669): apparmor="DENIED" operation="ptrace" profile="chromium_browser" pid=1145702 comm="ThreadPoolForeg" requested_mask="read" denied_mask="read" peer="chromium_browser//xdgsettings"` Figured I'd add read access proactively to `lsb_release` as well. Holding back on adding it to self for now. #### /etc/@{chromium}/policies/ -> /etc/@{chromium}/ `May 30 21:25:44 testvm kernel: [10922.020981] audit: type=1400 audit(1685496344.792:2031): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/etc/chromium/master_preferences" pid=6465 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0` #### Note: "~/.pki/... denied by private-files abstraction" `May 30 21:29:13 testvm kernel: [11130.436441] audit: type=1400 audit(1685496553.206:2105): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000` `May 30 21:29:13 testvm kernel: [11130.437992] audit: type=1400 audit(1685496553.206:2106): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/nssdb/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000` Something else will need to create these directories. #### +Widevine `May 31 04:46:52 testvm kernel: [1567036.849155] audit: type=1400 audit(1685522811.993:124665): apparmor="DENIED" operation="file_mmap" profile="chromium_browser" name="/home/username/.config/chromium/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=1145723 comm="chromium" requested_mask="m" denied_mask="m" fsuid=1002 ouid=1002` #### +GVfs `Jun 13 19:16:35 testvm kernel: [78978.537455] audit: type=1400 audit(1686698195.810:2337): apparmor="DENIED" operation="connect" profile="chromium_browser" name="/run/user/1000/gvfsd/socket-EpT3MyPP" pid=17766 comm="chromium" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000` #### +/lib/libc.so `May 30 18:02:25 testvm kernel: [ 868.340300] audit: type=1400 audit(1685484145.031:80): apparmor="ALLOWED" operation="open" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="r" denied_mask="r" fsuid=0 ouid=0` `May 30 18:02:25 testvm kernel: [ 868.340363] audit: type=1400 audit(1685484145.031:81): apparmor="ALLOWED" operation="file_mmap" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1208 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `a1afe3265c`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:52:32 -07:00
John Johansen	f763c44cd0	Merge Add profiles for the Transmission family of Bittorrent clients This covers the various forms of the Transmission BT client. I've tested the `-gtk` one most thoroughly, and run through an ISO download with each of the other three. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1190 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `30a45ba82f`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-11 20:51:32 -07:00
John Johansen	1d36e1f196	Prepare for AppArmor 4.0 beta4 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-08 03:21:40 -07:00
John Johansen	22ee6c19bc	Merge profiles: disable bwrap and unshare profiles by default The bwrap and unshare profiles are special profiles in the same vein as the unconfined profiles but they actual enforce restrictions on the applications that are launched. As such they have come to late in the 4.0 dev cycle to consider enabling by default. Disable them but ship them so users or distros can easily enable them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/382 Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #382 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1206 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `41d4664124`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-08 00:17:10 -07:00
John Johansen	6198edb3d0	Merge profiles: Add profile for unshare utility This adds an unshare profile to allow it to function on a system with user namespace restrictions enabled. The child task of unshare will enter into a profile without capabilities thus preventing unshare from being able to be used to arbitrarily by-pass the user namespace restriction. This profile does prevent applications launch with privilege (eg. sudo unshare ...) from functioning so it may break some use cases. Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1204 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `2d59dc3d9b`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 22:45:10 -07:00
John Johansen	4d2a171466	Merge profiles: Add profile for bwrap utility This adds a bwrap profile to allow it to function on a system with user namespace restrictions enabled. The child task of bwrap will enter into a profile without capabilities thus preventing bwrap from being able to be used to arbitrarily by-pass user namespace restrictions. This profile does prevent applications launch with privilege (eg. sudo bwrap ...) from functioning so it may break some use cases. Note: The unpriv_bwrap profile is deliberately stacked against the bwrap profile due to bwraps uses of no-new-privileges. Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1205 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `b6f2a3d9d2`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 22:44:49 -07:00
John Johansen	e88cf3cd02	Merge profiles: adjust unconfined firefox profile to support mozilla.org download The version of tarball version of firefox downloaded from mozilla.org installs to /opt/firefox/firefox. Support this location so that the firefox from the tarball works. Note this does not support running firefox from the users home directory in this case the user must update the profile accordingly. Signed-off-by: John Johansen <john.johansen@canonical.com> Fixes: https://bugs.launchpad.net/bugs/2056297 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1203 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `2dfe6aeec2`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 22:39:58 -07:00
John Johansen	6f856dfee3	Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS} # abstractions/samba: allow /etc/gnutls/config Various samba components want to read it. Without it, shares cannot be accessed. apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 # profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS} Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that usershares in /home/ can be accessed. apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `5998a0021a`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 14:15:52 -07:00
John Johansen	a6d8171bd6	Merge parser: fix getattr and setattr perm mapping on mqueue rules Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Fixes: https://gitlab.com/apparmor/apparmor/-/issues/377 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/378 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1197 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `88ec709aac`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:32:32 -07:00
John Johansen	26e7249f44	Merge tests: fix inet tests Fixes: https://gitlab.com/apparmor/apparmor/-/issues/376 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1192 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `01fcce41dc`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:30:59 -07:00
John Johansen	117d0cc444	Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04 Testing on noble turned these up: `2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"` `2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"` Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `3aa40249cf`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:29:31 -07:00
Georgia Garcia	1c7127d30d	Merge utils: allow mount destination globbing The abstraction lxc/start-container shipped by the liblxc-common package uses the following mount rule which was not allowed by our regexes: mount options=(rw, make-slave) -> , mount options=(rw, make-rslave) -> , Since in AppArmor regex ** includes '/' but * by itself doesn't, I'm adding explicit support for **. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Fixes: https://gitlab.com/apparmor/apparmor/-/issues/381 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1195 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `e96fdc0f5b`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:23:43 -07:00
Christian Boltz	d111ddcc21	Merge firefox: allow locking of *.sqlite-shm files in user cache area Noticed a bunch of these after a Firefox 124.0 upgrade: `Mar 25 22:08:27 darkstar kernel: [598271.991739] audit: type=1400 audit(1711418907.493:27323): apparmor="DENIED" operation="file_lock" profile="firefox" name="/home/username/.cache/mozilla/firefox/deadbeef.default/suggest.sqlite-shm" pid=2855447 comm=4267494F5468727E6F6C2023333530 requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000` Fixes: https://gitlab.com/apparmor/apparmor/-/issues/380 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1193 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `14572d9581`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:18:24 -07:00
John Johansen	fa26623e6d	Merge Move pam-related permissions to abstractions/authentication ... instead of keeping them in the smbd profile. For details, see `c09f58a364` and https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12 Also replace /usr/etc/ with @{etc_ro} to that also /etc/ is covered. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `f334884787`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-04-03 02:14:16 -07:00
John Johansen	451bb8b235	Merge profiles: add unconfined profile for tuxedo-control-center Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1187 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-18 23:29:01 +00:00
John Johansen	6e46631b6f	Merge parser: fix issues appointed by coverity Fix issues introduced in coverity's snapshots 75887, 70858 and 75429. - CID 353483: Uninitialized pointer field (UNINIT_CTOR) - CID 349572: Unsigned compared against 0 (NO_EFFECT) Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1188 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-18 23:27:59 +00:00
Georgia Garcia	f9527d2113	parser: fix issues appointed by coverity Fix issues introduced in coverity's snapshots 75887, 70858 and 75429. - CID 353483: Uninitialized pointer field (UNINIT_CTOR) - CID 349572: Unsigned compared against 0 (NO_EFFECT) Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-18 10:36:56 -03:00
Georgia Garcia	9dc2f48773	profiles: add unconfined profile for tuxedo-control-center Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-18 09:17:51 -03:00
John Johansen	2fc80487f7	Prepare for AppArmor 4.0 beta3 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-03-17 00:55:14 -07:00
John Johansen	c87969b37c	Merge profiles: Add more unconfined profiles This adds the remaining set of unconfined profiles, from the set listed in https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1186 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-17 07:27:49 +00:00
John Johansen	b68bb18860	Merge network: several fixes This patchset includes several fixes for the inet mediation. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/374 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1183 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-17 07:22:24 +00:00
John Johansen	c47789340a	Merge add unconfined profiles for geary, loupe and firefox dev versions These applications need to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Bug: https://bugs.launchpad.net/bugs/2046844 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1185 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-17 07:18:03 +00:00
John Johansen	e23a3eeba5	profiles: Add more unconfined profiles This adds the remaining set of unconfined profiles, from the set listed in https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844 Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-03-17 00:16:37 -07:00
Georgia Garcia	d0fadc48cf	tests: add missing rules to the inet/inet6 mediation tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 18:24:19 -03:00
Georgia Garcia	aec3f3b22c	add unconfined profiles for geary, loupe and firefox dev versions These applications need to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Bug: https://bugs.launchpad.net/bugs/2046844 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 17:44:23 -03:00
Georgia Garcia	101651c88f	parser: fix af_inet feature from network to network_v8 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 16:38:10 -03:00
Georgia Garcia	efc2ec5fdd	parser: fix cmp function for network rules The network cmp function was missing the new attributes added, causing rules to be dropped. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 16:38:10 -03:00
Georgia Garcia	b01b9895e7	parser: add ability to specify anonymous ip If anonymous ip is specified, then the port will match anything. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 16:38:10 -03:00
Georgia Garcia	a0a0c88d9e	parser: generate all ip options when ip is not specified When the ip is not specified, then we should generate rules for ip types: anonymous, ipv4 and ipv6. And that's the case for both local and peer when considering recv and send permissions. std::ostringstream does not have a copy constructor, that's why in several places one can see streaming the string of one stream into another. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 10:33:33 -03:00
Georgia Garcia	63676459c4	parser: encode create permission separately from the others Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 10:33:33 -03:00
Georgia Garcia	9ed04cb01e	parser: introduce network label attribute We want to be able to determine label in the future and build the policy dfa based on its presence or not. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 10:33:33 -03:00
Georgia Garcia	2a885872a3	parser: ip size encoding should be an enum, not the ip size According to the protocol expected by the kernel, the field representing the ip size should be an enum instead of the actual ip size. This is more future-proof. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 10:33:33 -03:00
Georgia Garcia	989501428e	parser: initial steps into encoding protocol properly Before the inet patches, protocol was not handled, so the information was ignored. This patch introduces the ability to start mediating protocol. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-15 10:33:33 -03:00
John Johansen	25f21a0758	Merge libraries/libapparmor: fix syntax in configure We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn a subshell for it which gives: ``` ./configure: 14770: EXTRA_WARNINGS: not found checking whether C compiler accepts -flto-partition=none... yes ``` We can either use ${} or just $ (style). Use $ to be consistent with other uses in the file. Signed-off-by: Sam James <sam@gentoo.org> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1184 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-15 04:05:15 +00:00
Sam James	022af9c528	libraries/libapparmor: fix syntax in configure We're not trying to execute a command in EXTRA_WARNINGS, so don't try to spawn a subshell for it which gives: ``` ./configure: 14770: EXTRA_WARNINGS: not found checking whether C compiler accepts -flto-partition=none... yes ``` We can either use ${} or just $ (style). Use $ to be consistent with other uses in the file. Signed-off-by: Sam James <sam@gentoo.org>	2024-03-15 02:36:12 +00:00
John Johansen	9a1838016c	Merge Allow pam_unix to execute unix_chkpwd Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading /etc/shadow itsself. Add exec permissions to abstraction/authentication. It also needs to read /proc/@{pid}/loginuid Also cleanup the now-superfluous rules from the smbd profile. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1181 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-14 21:09:59 +00:00
Christian Boltz	f4c19acfba	Merge MountRule: Fix _is_covered_localvars If `fstype==None`, `_is_covered_localvars` would trigger an exception. This is fixed and a new testcase is added. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1182 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-14 12:46:01 +00:00
Maxime Bélair	dac9d08764	MountRule: Fix _is_covered_localvars	2024-03-14 12:46:01 +00:00
Christian Boltz	243162ca29	Allow pam_unix to execute unix_chkpwd Latest pam_unix always runs /usr/sbin/unix_chkpwd instead of reading /etc/shadow itsself. Add exec permissions to abstraction/authentication. It also needs to read /proc/@{pid}/loginuid Also cleanup the now-superfluous rules from the smbd profile. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219139	2024-03-13 23:13:19 +01:00
Georgia Garcia	ae978c1953	Merge Fix test-aa-notify on openSUSE Tumbleweed (new 'last') The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the `-1` option. Remove it, and cut off the output manually. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1180 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-12 18:54:35 +00:00
Christian Boltz	d19db55a37	Fix test-aa-notify on openSUSE Tumbleweed (new 'last') The new 2037-proof `last` on openSUSE Tumbleweed doesn't support the `-1` option. Remove it, and cut off the output manually.	2024-03-12 19:37:29 +01:00
Christian Boltz	e3d381cf91	Merge Clean superfluous openssl abstraction includes With abstractions/openssl now being included from abstraction/base (via the indirection of abstractions/crypto) anything already including abstraction/base can stop including abstractions/openssl directly. This is a follow up to `3d1dedfa` as suggested by @cboltz MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1179 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-12 18:12:12 +00:00
Christian Ehrhardt	aa69d9adc9	Clean superfluous openssl abstraction includes With abstractions/openssl now being included from abstraction/base (via the indirection of abstractions/crypto) anything already including abstraction/base can stop including abstractions/openssl directly.	2024-03-12 14:54:01 +01:00
John Johansen	3d1dedfa7e	Merge abstractions/crypto: allow read of more common crypto configuration files Administrators might want to define global limits (e.g. disabling a particular feature) via configuration files, but to make that work all confined software needs to be allowed to read those files or otherwise the risk is to silently fall back to internal defaults. This adds the paths usually used by gnutls and openssl to improve these kind of use cases. Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/2056739 Fixes: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/2056747 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1178 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-12 11:27:59 +00:00
Christian Ehrhardt	f27b1ef93a	abstractions/crypto: allow read of openssl config Administrators might want to define global limits (e.g. disabling a particular feature) via configuration files, but to make that work all confined software needs to be allowed to read those files or otherwise the risk is to silently fall back to internal defaults. This adds the abstraction already defined for openssl to abstraction/crypto as it is about cryptography, but also because abstraction/base includes abstraction/crypto and therefore it will be allowed in general.	2024-03-12 08:57:12 +01:00
Christian Ehrhardt	18d6a917f8	abstractions/crypto: allow read of gnutls config Administrators might want to define global limits (e.g. disabling a particular feature) via configuration files, but to make that work all confined software needs to be allowed to read those files or otherwise the risk is to silently fall back to internal defaults. This adds the paths usually used by gnutls to abstraction/crypto as it is about cryptography, but also because abstraction/base includes abstraction/crypto and therefore it will be allowed in general.	2024-03-12 08:54:36 +01:00
Christian Boltz	d1d39d176e	Merge parser(Makefile): don't ship /var in downstream packages Should help with building /var free images downstream. See below: https://gitlab.com/apparmor/apparmor/-/merge_requests/1167#note_1798547092 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1167 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-08 12:53:32 +00:00
Max Gautier	2d654477f2	parser(Makefile): dont install /var/lib/apparmor This directory is not used anymore. This help downstream build of /var free images. Links: https://0pointer.net/blog/fitting-everything-together.html	2024-03-08 10:18:16 +01:00
John Johansen	66dc2cc7d0	Merge Minor improvements for MountRule to fix make check failure Minor improvements for MountRule - Adding support for regex in fstype - add resctrl filesystem - Adding support for source beginning by '{' This MR allows to support edge cases for MountRule e.g. source = {,/usr}/lib{,32,64,x32}/modules/ or fstype = fuse.* Fixes: https://gitlab.com/apparmor/apparmor/-/issues/370 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1176 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-07 19:27:03 +00:00
Maxime Bélair	021c3248f9	Minor improvements for MountRule	2024-03-07 19:27:03 +00:00
John Johansen	353ba896d4	Prepare for AppArmor 4.0 beta2 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-03-06 17:06:45 -08:00
John Johansen	c13007f7fc	Merge libapparmor: check if AX_CHECK_COMPILE_FLAG is available The error message when autoconf-archive is not installed is not very intuitive: ``` ./configure: line 14422: EXTRA_WARNINGS: command not found ./configure: line 14423: syntax error near unexpected token `-flto-partition=none,' ./configure: line 14423: `AX_CHECK_COMPILE_FLAG(-flto-partition=none, , , -Werror)' ``` So, check if AX_CHECK_COMPILE_FLAG is defined and if not, complain that autoconf-archive is missing. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1174 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-03-06 21:21:54 +00:00
John Johansen	88a420853e	Merge parser: fix policy generation for non-af_inet rules The layout for AF_INET and AF_INET6 rules were being applied to all families, which causes failures in their mediation. Fixes: `ddefe11a` ("parser: add fine grained conditionals to network rule") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1175 Merged-by: John Johansen <john@jjmx.net>	2024-03-06 21:19:21 +00:00
Georgia Garcia	2db41acd1b	parser: fix generic perms in network rules The permission for network rules when the inet mediation was not available, or for when the family was not af_inet or af_inet6 was being generated as one that would allow anything. Make them specific using perms. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-06 10:33:54 -03:00
Georgia Garcia	a10d9044b8	parser: fix policy generation for non-af_inet rules The layout for AF_INET and AF_INET6 rules were being applied to all families, which causes failures in their mediation. Fixes: `ddefe11a` ("parser: add fine grained conditionals to network rule") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-06 10:07:17 -03:00
Christian Boltz	b53441a689	Merge Update ancient paths in apparmor and apparmor.d manpage - replace example calls of /etc/init.d/apparmor with apparmor.service - drop /etc/init.d/apparmor in filelist - replace /var/lib/apparmor/ with /var/cache/apparmor/ MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1171 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-06 12:24:13 +00:00
Christian Boltz	7452f34279	Update ancient paths in apparmor and apparmor.d manpage - replace example calls of /etc/init.d/apparmor with apparmor.service - drop /etc/init.d/apparmor in filelist - replace /var/lib/apparmor/ with /var/cache/apparmor/	2024-03-05 22:59:18 +01:00
Georgia Garcia	aedb8a5b00	libapparmor: check if AX_CHECK_COMPILE_FLAG is available The error message when autoconf-archive is not installed is not very intuitive: ./configure: line 14422: EXTRA_WARNINGS: command not found ./configure: line 14423: syntax error near unexpected token `-flto-partition=none,' ./configure: line 14423: `AX_CHECK_COMPILE_FLAG(-flto-partition=none, , , -Werror)' So, check if AX_CHECK_COMPILE_FLAG is defined and if not, complain that autoconf-archive is missing. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 10:27:34 -03:00
Christian Boltz	6695944c2c	Merge utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1173 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-04 13:05:41 +00:00
Georgia Garcia	01090dcf1b	utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 09:24:58 -03:00
Georgia Garcia	3ea2bfec56	Merge Small fixes in MountRule - Removed unnecessary variable source_is_path in mount rules - Changed a string to a r-string to avoid an 'invalid escape sequence \s' warning MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1172 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 11:53:51 +00:00
Georgia Garcia	3d1a867c0a	Merge Update mailinglist and homepage in changehat READMEs MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1170 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 11:53:10 +00:00
Georgia Garcia	dfb02cbd93	Merge MountRule: check for unknown fstype and options keywords, and fix issues uncovered by that * MountRule: sync flags_keywords with parser code ... based on /mount.cc mnt_opts_table Several keywords and aliases were missing in flags_keywords: - B - M - make-private - make-rprivate - make-rshared - make-rslave - make-runbindable - make-shared - make-slave - make-unbindable - r - R - read-only - w Also sort the keywords in the same order as in mount.cc. Note: AARE handling is still a TODO. After that, update the list of known parsing failures: - several valid profiles are now correctly parsed - some `"make-" mount opt and an invalid src` bad profiles are no longer detected as being invalid test-mount.py: fix MountRule instance creation If fstype or options is a str, it has to be exactly one keyword, because \__init__() / check_and_split_list() won't parse a str. Our "normal" code already honors this, and only hands over fstype and options as sets or a single-keyword str. However, a few tests (wrongly) handed over a str that would need further parsing. Adjust the tests to no longer do this. * MountRule: check for unknown fstype and options ... now that the previous commits fixed issues that ended up as unknown keywords. Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which MountRule doesn't support (yet?). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1169 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 11:52:53 +00:00
Georgia Garcia	90f056c1c6	Merge Several MountRule fixes and improvements * Fix writing 'mount {options,fstype} in ...' rules We need spaces around the 'in' keyword. Also add some tests for this. * Make error check more readable * MountRule: make get_clean() more readable ... by getting rid of two mostly-identical, big return statements. Also add tests for bare umound and remount rules to ensure full test coverage. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1168 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-03-04 11:52:33 +00:00
Maxime Bélair	0daf3e8c9b	Changing string to r-string to avoid warning	2024-03-04 09:02:24 +01:00
Maxime Bélair	a86c1bd45a	Remove unnecessary variable source_is_path in mount rules	2024-03-04 09:00:58 +01:00
Christian Boltz	8f4073ecd9	MountRule: check for unknown fstype and options ... now that the previous commits fixed issues that ended up as unknown keywords. Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which MountRule doesn't support (yet?).	2024-03-03 21:30:49 +01:00
Christian Boltz	440be71c12	Update mailinglist and homepage in changehat READMEs	2024-03-03 18:12:06 +01:00
Christian Boltz	8d21f01924	test-mount.py: fix MountRule instance creation If fstype or options is a str, it has to be exactly one keyword, because __init__() / check_and_split_list() won't parse a str. Our "normal" code already honors this, and only hands over fstype and options as sets or a single-keyword str. However, a few tests (wrongly) handed over a str that would need further parsing. Adjust the tests to no longer do this.	2024-03-03 15:52:14 +01:00
Christian Boltz	4e546291a5	MountRule: sync flags_keywords with parser code ... based on /mount.cc mnt_opts_table Several keywords and aliases were missing in flags_keywords: - B - M - make-private - make-rprivate - make-rshared - make-rslave - make-runbindable - make-shared - make-slave - make-unbindable - r - R - read-only - w Also sort the keywords in the same order as in mount.cc. Note: AARE handling is still a TODO. After that, update the list of known parsing failures: - several valid profiles are now correctly parsed - some `"make-*" mount opt and an invalid src` bad profiles are no longer detected as being invalid	2024-03-03 15:37:59 +01:00
Christian Boltz	8c026077d6	MountRule: make get_clean() more readable ... by getting rid of two mostly-identical, big return statements. Also add tests for bare umound and remount rules to ensure full test coverage.	2024-03-03 13:09:43 +01:00
Christian Boltz	5e4c4a0cb3	Make error check more readable	2024-03-03 12:53:49 +01:00
Christian Boltz	9c27a7c435	Fix writing 'mount {options,fstype} in ...' rules We need spaces around the 'in' keyword. Also add some tests for this.	2024-03-03 12:49:57 +01:00
Christian Boltz	a367c07437	Merge Add useful error message in test-mount.py If /proc/filesystems contains a filesystem that is not listed in MountRule valid_fs, print a useful error message that says what exactly is going on, instead of only saying "False is not True". MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1166 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-01 21:30:33 +00:00
Christian Boltz	2200013088	Merge Cleanup old handling of mount rules Now that we have MountRule and MountRuleset, drop the old "just store the whole rule" code for mount rules. Also drop some old tests that used that "store the whole mount rule" code, and adjust the regex_matches tests to import the regex directly from apparmor.regex. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1165 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-01 21:29:48 +00:00
Christian Boltz	d5afc33c40	Merge MountRule: Fix typo in 'btrfs', and add '9p' filesystem The `9p` filesystem is available during the build in build.opensuse.org. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1164 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-03-01 21:27:44 +00:00
Christian Boltz	517e7c96c8	MountRule: add '9p' filesystem This filesystem is available during the build in build.opensuse.org	2024-03-01 21:36:26 +01:00
Christian Boltz	a7cd59819e	Add useful error message in test-mount.py If /proc/filesystems contains a filesystem that is not listed in MountRule valid_fs, print a useful error message that says what exactly is going on, instead of only saying "False is not True".	2024-03-01 20:34:11 +01:00
Christian Boltz	e7f5ee3271	MountRule: Fix typo in 'btrfs'	2024-03-01 19:49:21 +01:00
Christian Boltz	da75b1c8d8	Cleanup old handling of mount rules Now that we have MountRule and MountRuleset, drop the old "just store the whole rule" code for mount rules. Also drop some old tests that used that "store the whole mount rule" code, and adjust the regex_matches tests to import the regex directly from apparmor.regex.	2024-03-01 19:46:02 +01:00
Georgia Garcia	b264bb62c9	Prepare for AppArmor 4.0 beta1 release - update version file - update library version Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 19:24:53 -03:00
John Johansen	35287c8e1c	Merge add fine grained network mediation support Similar to https://gitlab.com/apparmor/apparmor/-/merge_requests/1095, but this time simplified. This version removes support for ip and port ranges and subnets. This can be added later. It also contains an updated version of the network layout required by the kernel side of AppArmor. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1160 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-29 21:58:24 +00:00
Georgia Garcia	119e3f38f9	parser: maintain compatibility for fine grained inet network mediation A simple rule without conditionals need to be generated for when the kernel does not support fine grained inet network mediation. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 18:27:20 -03:00
Georgia Garcia	dd0d145a19	tests: add fine grained network regression tests	2024-02-29 17:09:19 -03:00
Georgia Garcia	f6ad1cbe1e	tests: add multi string support in requires_parser_support By not having quotes in $@, the string splits by the whitespace. That prevents us from checking if the parser supports rules that have spaces in them. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 16:25:59 -03:00
Georgia Garcia	8a5e7227db	parser: add parser tests for specified perms Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 16:25:59 -03:00
Georgia Garcia	79ee3eb180	parser: add parser tests for local conditional	2024-02-29 16:25:59 -03:00
Georgia Garcia	052dd987b3	parser: add network conditional parser tests	2024-02-29 16:25:59 -03:00
Georgia Garcia	7e25be7b0b	parser: change network conditionals to allow unquoted ids Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 16:25:59 -03:00
Georgia Garcia	ddefe11a40	parser: add fine grained conditionals to network rule Options available are ip= and port= inside the peer group or outside, representing local addresses and ports: network peer=(ip=127.0.0.1 port=8080), network ip=::1 port=8080 peer=(ip=::2 port=8081), The 'ip' option supports both IPv4 and IPv6. Examples would be ip=192.168.0.4, or ip=::578d The 'port' option accepts a 16-bit unsigned integer. An example would be port=1234 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 16:25:59 -03:00
John Johansen	b83cf90b82	Merge Fix some DENIES for smbd when honouring pam restrictions with smbd.conf param 'obey pam restrictions = yes' on tumbleweed we get some new DENIES (which can prevent login) e.g. type=AVC msg=audit(1709113104.674:533): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/sbin/unix_chkpwd" pid=3509 comm="smbd[127.0.0.1]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:345): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/security/limits.d/" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:346): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/3746/loginuid" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:347): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/environment" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032 Signed-off-by: Noel Power <noel.power@suse.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1159 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-29 18:00:40 +00:00
John Johansen	e3cb9e1669	Merge Adding userspace support for mount rules in aa-genprof/aa-logprof Adding userspace support for mount rules in aa-genprof/aa-logprof MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1153 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-29 17:59:51 +00:00
Maxime Bélair	924b335dfc	Adding userspace support for mount rules in aa-genprof/aa-logprof	2024-02-29 17:59:50 +00:00
John Johansen	a2da64304f	Merge profiles: add nautilus unconfined profile Nautilus uses user namespaces to load thumbnails, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 Although nautilus has extensions that would allow opening a terminal from the nautilus interface, they do not inherit nautilus' AppArmor label, therefore the use of unconfined does not allow arbitrary use of unprivileged user namespaces using the nautilus label. https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Fixes: https://bugs.launchpad.net/bugs/2047256 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1161 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-29 12:02:44 +00:00
Georgia Garcia	bb53886211	profiles: add nautilus unconfined profile Nautilus uses user namespaces to load thumbnails, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 Although nautilus has extensions that would allow opening a terminal from the nautilus interface, they do not inherit nautilus' AppArmor label, therefore the use of unconfined does not allow arbitrary use of unprivileged user namespaces using the nautilus label. https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Fixes: https://bugs.launchpad.net/bugs/2047256 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-29 08:21:25 -03:00
Georgia Garcia	746f76d3e1	parser: add ability to specify permission in network rules Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-28 21:42:18 -03:00
Georgia Garcia	35f25a251b	parser: fix coverity issues found in snapshot 70858 This commit add fixes for issues found in coverity's snapshot 70858. - CID 323127: Performance inefficiencies (COPY_INSTEAD_OF_MOVE) - CID 323125: Uninitialized members (UNINIT_CTOR) I'm also removing Novell, Inc. from the copyright notice added by a copy-paste error, and an unused variable left over from debugging. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-28 10:24:08 -03:00
Noel Power	c09f58a364	Fix some DENIES for smbd when honouring pam restrictions with smbd.conf param 'obey pam restrictions = yes' on tumbleweed we get some new DENIES (which can prevent login) e.g. type=AVC msg=audit(1709113104.674:533): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/sbin/unix_chkpwd" pid=3509 comm="smbd[127.0.0.1]" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:345): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/security/limits.d/" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:346): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/3746/loginuid" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 type=AVC msg=audit(1709110904.602:347): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/usr/etc/environment" pid=3746 comm="smbd[127.0.0.1]" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032 Signed-off-by: Noel Power <noel.power@suse.com>	2024-02-28 09:59:55 +00:00
Christian Boltz	909e330fd0	Merge aa-notify: precompile filter regexes Precompile each filter regex with re.compile so they don't need to be recompiled for each log message when using re.match directly. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1158 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-02-26 17:15:26 +00:00
Georgia Garcia	88907253e4	aa-notify: precompile filter regexes Precompile each filter regex with re.compile so they don't need to be recompiled for each log message when using re.match directly. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-26 10:24:46 -03:00
Christian Boltz	124e73ec93	Merge profiles: update visual studio code so that it can be run from gnome The current attachment works from the commandline but not from gnome as it uses an alternate path. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/368 Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #368 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1156 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-02-25 10:11:30 +00:00
John Johansen	4b1bc85022	Merge aa-unconfined: Fix race when reading proc//attr/current aa-unconfined can fault if it looses the race between checkking if proc//attr/{apparmor/,}current exists, and actually opening the file. Catch open/file errors and ignore them like the file doesn't exist. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355 Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #355 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1157 Acked-by: seth.arnold@gmail.com Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-25 07:36:16 +00:00
John Johansen	c4f649da92	aa-unconfined: Fix race when reading proc//attr/current aa-unconfined can fault if it looses the race between checkking if proc//attr/{apparmor/,}current exists, and actually opening the file. Catch open/file errors and ignore them like the file doesn't exist. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/355 Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-02-24 20:33:35 -08:00
John Johansen	108f489f2b	profiles: update visual studio code so that it can be run from gnome The current attachment works from the commandline but not from gnome as it uses an alternate path. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/368 Signed-off-by: John Johansen <john.johansen@canonical.com>	2024-02-24 20:27:13 -08:00
John Johansen	4d2172e82e	Merge aa-notify: add notification filtering Allow notification filtering of the fields profile, operation, name, denied_mask, net_family and net_socket using regex. Both command line and config options in notify.conf are available. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1154 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-25 04:07:00 +00:00
John Johansen	95d9ba8d8b	Merge makefiles: test for support of flto-partition flag Test for compiler support of "-flto-partition=none" flag before passing it. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/310 Closes #310 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1155 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-25 03:31:01 +00:00
Félix Poisot	420d3395fc	makefiles: test for support of flto-partition flag Test for compiler support of "-flto-partition=none" flag before passing it. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/310	2024-02-24 16:07:55 +00:00
Georgia Garcia	4608d32628	aa-notify: add notification filtering Allow notification filtering of the fields profile, operation, name, denied_mask, net_family and net_socket using regex. Both command line and config options in notify.conf are available. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-23 17:20:18 -03:00
John Johansen	2394ca82c5	Merge utils: fix aa-notify last login test The tests for aa-notify that were related to the last login were assuming that the machine had been logged in at least once in the last 30 days, but that might not be the case. Update the test to check for the last login date and update the test logs considering that value. Fixes: https://bugs.launchpad.net/bugs/1939022 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1152 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-21 22:38:35 +00:00
Georgia Garcia	105b50502b	utils: fix aa-notify last login test The tests for aa-notify that were related to the last login were assuming that the machine had been logged in at least once in the last 30 days, but that might not be the case. Update the test to check for the last login date and update the test logs considering that value. Fixes: https://bugs.launchpad.net/bugs/1939022 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-21 18:18:26 -03:00
John Johansen	105bdfdeb9	Merge fix test failures on regex, exec and userns. Failures on regex and exec are related to /usr/bin and /bin merge. The userns failure is related to the addition of the unprivileged_userns profile and the kernel ability to transition to it when an unconfined unprivileged user namespace is created. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1146 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-21 13:22:03 +00:00
John Johansen	f9d38c9b2c	Merge binutils: fix aa-status filters help message The help message from aa-status referenced -h filter when it should have been -h filters. Also added some whitespaces for consistency. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1151 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-21 13:18:00 +00:00
Georgia Garcia	3ea050eb30	binutils: fix aa-status filters short help message The short form of the help parameter was not accepting an optional argument as described in the help message. Update the help message to remove the extra whitespace in between -h and the options since getopt(1) says that "If the option has an optional argument, it must be written directly after the option character if present." even though that's not described in getopt(3). Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-21 09:58:16 -03:00
Georgia Garcia	b49822a48d	binutils: fix aa-status filters help message The help message from aa-status referenced -h filter when it should have been -h filters. Also added some whitespaces for consistency. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-21 09:37:36 -03:00
Georgia Garcia	32bba24468	Merge add element-desktop unconfined profile element-desktop needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 !1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when !1109 is merged. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1150 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-20 12:38:27 +00:00
Maxime Bélair	fd25954c56	add element-desktop unconfined profile	2024-02-20 12:38:26 +00:00
John Johansen	ca3afe1691	Merge add more unconfined profiles These applications need to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1149 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-02-07 09:37:08 +00:00
Christian Boltz	2577fbf077	Merge abstractions/openssl: allow version specific engdef & engines paths Some openssl distributions use version specific engdef and engines paths to support multi-version installations. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571 Signed-off-by: David Disseldorp <ddiss@suse.de> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1147 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-02-07 08:49:58 +00:00
David Disseldorp	2b8cf1be80	abstractions/openssl: allow version specific engdef & engines paths Some openssl distributions use version specific engdef and engines paths to support multi-version installations. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571 Signed-off-by: David Disseldorp <ddiss@suse.de>	2024-02-07 10:31:34 +11:00
Georgia Garcia	89a9f76733	add more unconfined profiles These applications need to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-06 15:10:20 -03:00
Georgia Garcia	4621af8ead	tests: handle unprivileged_userns transition in userns tests There is a kernel feature, available under namespaces/userns_create/pciu&, that enables the transition of unconfined tasks to a special profile called unprivileged_userns when they try to create an unprivileged user namespace with clone/unshare. This transition allows the creation of the unprivileged user namespace but hinders its privileges by not allowing capabilities. Refer to the unprivileged_userns profile to check what rules are allowed. If either the feature is not present in the kernel, or the unprivileged_userns profile is not loaded, then the defined behavior is to deny the creation of the unprivileged user namespace Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-06 09:04:59 -03:00
Georgia Garcia	668f5af436	tests: fix usr-merge failures on exec and regex tests Some of the tests are failing because of /usr/bin/true vs /bin/true. Similarly to what was done in `8c09b328`, to make the tests more reliable, copy the true binary to $tmpdir and use this path on the tests instead. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-06 09:04:59 -03:00
Georgia Garcia	48d475036a	Merge add keybase unconfined profile Keybase needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify keybase instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1145 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 21:23:34 +00:00
Georgia Garcia	0e378f52a8	add keybase unconfined profile Keybase needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify keybase instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 16:53:58 -03:00
Georgia Garcia	15337db4af	Prepare for AppArmor 4.0 alpha 4 release - update version file Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 15:21:41 -03:00
Georgia Garcia	ce3c97df0f	Merge add profiles for applications that create user namespaces These are profiles for applications that create user namespaces, both the actual policy and unconfined profiles, like it was done in MR 1123. https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify these applications instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1144 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 18:18:40 +00:00
Georgia Garcia	789cda2f08	add special unprivileged_userns profile Unprivileged user namespace creation is allowed an will result in a transition into the unprivileged_userns profile. The unprivileged_userns profile with then deny all capabilities within the profile. Execution of applications is allowed within the unprivileged_userns profile but, they will result in a stack with the unprivileged_userns profile, that is to say the unprivileged_userns profile can not be dropped (capabilities can not be gained). If the unprivileged_userns profile does not exist, unprivileged user namespace creation is denied as before. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 10:52:26 -03:00
Georgia Garcia	6add80d83f	add profiles for applications that create user namespaces These are profiles for applications that create user namespaces, both the actual policy and unconfined profiles, like it was done in MR 1123. https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify these applications instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-02-02 10:51:06 -03:00
John Johansen	3e28d0a254	Merge doc(fix): Fix wrong syntax for profile stacking Add missing change_profile entry required for the example Signed-off-by: Mostafa Emami <mustafaemami@gmail.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1141 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-30 09:45:36 +00:00
John Johansen	e63c1e3a76	Merge Prevent ANSI terminal injection in aa-unconfined /proc/$pid/cmdline can be changed by an application, therefore escape it before printing. The program name in /proc/$pid/exe can also contain any characters (except \0 and shashes) and needs escaping. Note: repr() wraps the string into single quotes, which we have to remove to avoid changing the output format. The test program from issue 364 now gets displayed as 28443 /path/to/issue364 (/\x1b]0;X\x07) not confined Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364 I propose this patch for 2.13..master Closes #364 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1142 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-30 09:43:23 +00:00
John Johansen	b03abbd75f	Merge manpages: Add ENOPROTOOPT error in aa_getcon() manpage The call aa_getpeercon() can return ENOPROTOOPT error in some cases, specifically when the kernel lacks 'fine grained unix mediation'. Currently, this capability isn't available in upstream kernels, but only in patched ones (for example, the regular Ubuntu kernels). Unfortunately, the manpage lacks this info. This patch fixes this. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/366 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1143 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-30 09:33:48 +00:00
Sergio Costas	6e81104bbf	manpages: Add ENOPROTOOPT error in aa_getcon() manpage	2024-01-30 09:33:47 +00:00
Christian Boltz	6cc3a3642d	Prevent ANSI terminal injection in aa-unconfined /proc/$pid/cmdline can be changed by an application, therefore escape it before printing. The program name in /proc/$pid/exe can also contain any characters (except \0 and shashes) and needs escaping. Note: repr() wraps the string into single quotes, which we have to remove to avoid changing the output format. The test program from issue 364 now gets displayed as 28443 /path/to/issue364 (/\x1b]0;X\x07) not confined Fixes: https://gitlab.com/apparmor/apparmor/-/issues/364	2024-01-20 23:42:30 +01:00
Mostafa Emami	166ebdb3bc	doc(fix): Fix wrong syntax for profile stacking Add missing change_profile entry required for the example Signed-off-by: Mostafa Emami <mustafaemami@gmail.com>	2024-01-17 22:15:41 +01:00
John Johansen	253eace573	Merge tests: parse result of multiple lines in output There are some tests like attach_disconnected and posix_mq that can have a program that calls another. For example, posix_mq_rcv calls posix_mq_snd. Both of them write to the same output file, but the code that checks the result expects only one line. This change enables checking multiple lines in the output file and passing or failing accordingly. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1140 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-17 10:28:15 +00:00
Georgia Garcia	c2487f017f	tests: cleanup debugging message from unix_fd_server.sh Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-15 17:51:49 -03:00
Georgia Garcia	dc73f0fc0b	tests: parse result of multiple lines in output There are some tests like attach_disconnected and posix_mq that can have a program that calls another. For example, posix_mq_rcv calls posix_mq_snd. Both of them write to the same output file, but the code that checks the result expects only one line. This change enables checking multiple lines in the output file and passing or failing accordingly. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-15 17:51:49 -03:00
Georgia Garcia	3578b07aeb	Merge tests: fix move_mount test failure caused by returned error The move_mount tests were returning -1 in case of failure causing it to become 255 in some systems, but checktestbg in the testsuite considers any return value greater than 128 to be a signal error. That would cause tests that should fail to display the following test error: ... was expected to 'fail'. Reason for failure 'killed by signal 127' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1139 Approved-by: Steve Beattie <steve+gitlab@nxnw.org> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-12 21:39:48 +00:00
Georgia Garcia	28e67c7ba8	tests: fix move_mount test failure caused by returned error The move_mount tests were returning -1 in case of failure causing it to become 255 in some systems, but checktestbg in the testsuite considers any return value greater than 128 to be a signal error. That would cause tests that should fail to display the following test error: ... was expected to 'fail'. Reason for failure 'killed by signal 127' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-12 17:12:43 -03:00
John Johansen	c8a2dc34d9	Merge firefox: remove owner restrictions for /proc/$pid/net/* On openSUSE, these files are owned by root. This partially reverts `70809fc716` / https://gitlab.com/apparmor/apparmor/-/merge_requests/1131 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1132 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-12 08:32:00 +00:00
John Johansen	350f9cf3dd	Merge tests: add move_mount regression tests MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1138 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2024-01-12 08:31:17 +00:00
Georgia Garcia	f889f9f434	tests: add move_mount regression tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-04 18:18:58 -03:00
Georgia Garcia	5ca2ea3621	Merge ask_exec(): no longer skip exec events in hats Instead of ignoring all exec events that happen in a hat/child profile, only disallow child exec. ix and px are valid options inside a hat and are now offered to the user. (When the tools support nested child profiles one day, we can even allow child exec again.) [This MR is for master only. I opened separate MRs for 3.1 and 3.0] MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1133 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-03 13:38:33 +00:00
Christian Boltz	2c5bc5a09b	Merge profiles: add brave browser to the snap_browsers abstraction Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1137 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2024-01-02 18:33:57 +00:00
Georgia Garcia	dc821ef762	profiles: add brave browser to the snap_browsers abstraction Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2024-01-02 15:25:49 -03:00
Christian Boltz	31c9cf6845	Merge regression tests: fix stack tests for new proc interface the stacking tests need to be able to read and write the new apparmor dir in proc, if that interface has been selected. Update the tests to make sure they have the permissions needed. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1136 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-12-30 12:02:47 +00:00
John Johansen	66484687e8	regression tests: fix stack tests for new proc interface the stacking tests need to be able to read and write the new apparmor dir in proc, if that interface has been selected. Update the tests to make sure they have the permissions needed. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-12-29 14:55:10 -08:00
Christian Boltz	dfb6f90aee	ask_exec(): no longer skip exec events in hats Instead of ignoring all exec events that happen in a hat/child profile, only disallow child exec. ix and px are valid options inside a hat and are now offered to the user. (When the tools support nested child profiles one day, we can even allow child exec again.)	2023-12-28 23:12:10 +01:00
Christian Boltz	fcd46063fd	firefox: remove owner restrictions for /proc/$pid/net/* On openSUSE, these files are owned by root. This partially reverts `70809fc716` / https://gitlab.com/apparmor/apparmor/-/merge_requests/1131	2023-12-24 17:19:10 +01:00
John Johansen	f10e106a08	Merge parser: Add support for a default_allow mode Add support for a default_allow mode that facillitates writing profiles in that allow everything by default. This is not normally recomended but fascilitates creating basic profiles while working to transition policy away from unconfined. This mode is being added specifically to replace the use of the unconfined flag in these transitional profiles as the use of unconfined in policy is confusing and does not reflect the semantics of what is being done. Generally the goal for policy should be to remove all default_allow profiles once the policy is fully developed. Note: this patch only adds parsing of default_allow mode. Currently it sets the unconfined flag to achieve default allow but this prevents deny rules from being applied. Once dominance is fixed a subsequent patch will transition default_allow away from using the unconfined flag. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-12-23 08:38:18 +00:00
John Johansen	d778fbef57	Merge firefox: add "owner" keywords, updates from usage monitoring Happy holidays, been meaning to push these updates out for some time: * Add `owner` keyword to several rules to tighten them up. I've tested these for several months in normal usage and encountered no denials; * Add new DBus access rules for the following: ``` Oct 18 06:26:06 darkstar kernel: [4369444.223230] audit: type=1107 audit(1697624766.349:2448): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" name=":1.1" mask="receive" pid=1484746 label="firefox" peer_pid=773 peer_label="unconfined" Oct 19 19:18:20 darkstar kernel: [4502177.573224] audit: type=1107 audit(1697757500.040:2456): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.1" pid=1677547 label="firefox" peer_pid=773 peer_label="unconfined" Oct 19 19:18:20 darkstar kernel: [4502177.700071] audit: type=1107 audit(1697757500.168:2457): pid=745 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/timedate1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.5878" pid=1484746 label="firefox" peer_pid=1677582 peer_label="unconfined" ``` * Deny write access to `/etc/*`, due to this odd bit: ``` Jul 27 15:23:21 darkstar kernel: [6530015.183715] audit: type=1400 audit(1690485801.308:128963): apparmor="DENIED" operation="mknod" profile="firefox" name="/etc/igfx_user_feature_next.txt" pid=2618266 comm="vaapitest" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ``` Allow read access to a cgroup `cpu.max` variable. I lost the relevant log bit here, I'm afraid; * Relocate the ptrace rule, as it relates to the crash reporter, not (as far as I've found) the Widevine plugin. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1131 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-12-23 08:36:47 +00:00
Daniel Richard G	70809fc716	firefox: add "owner" keywords, updates from usage monitoring Also relocate the ptrace rule so it belongs to the crash reporter, not the Widevine plugin	2023-12-22 19:25:01 -05:00
John Johansen	15d8e21945	Merge Fix typo in apparmor_parser manpage man apparmor_parser gives examples for the --warn command line option as apparmor_parser --warn=rules-not-enforced ... and apparmor_parser --warn=no-rules-not-enforced ... but the actual --warn options are rule-not-enforced / no-rule-not-enforced (without s) Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453 I propose this fix for 2.13..master MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1128 Merged-by: John Johansen <john@jjmx.net>	2023-12-05 12:43:08 +00:00
Christian Boltz	3ee47af402	Fix typo in apparmor_parser manpage man apparmor_parser gives examples for the --warn command line option as apparmor_parser --warn=rules-not-enforced ... and apparmor_parser --warn=no-rules-not-enforced ... but the actual --warn options are rule-not-enforced / no-rule-not-enforced (without s) Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057453	2023-12-05 13:27:09 +01:00
John Johansen	eb6fa02251	Merge fix subprofile name in profile serialization Given the following profile: profile foo { profile bar { profile baz { } } } The parser would correctly serialize the "foo" profile and the "foo//bar" profile, but it would incorrectly name "bar//baz" when it should be "foo//bar//baz". This would cause issues loading the profile in certain kernels causing a "parent does not exist" error. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1127 Merged-by: John Johansen <john@jjmx.net>	2023-12-04 09:09:32 +00:00
Georgia Garcia	923cbcf3be	parser: fix subprofile name in profile serialization Given the following profile: profile foo { profile bar { profile baz { } } } The parser would correctly serialize the "foo" profile and the "foo//bar" profile, but it would incorrectly name "bar//baz" when it should be "foo//bar//baz". This would cause issues loading the profile in certain kernels causing a "parent does not exist" error. Partially addresses #346. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-12-01 16:14:19 -03:00
Georgia Garcia	78a2c9f5f3	parser: constify unchanged strings in sd_write_* Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-12-01 15:18:51 -03:00
Christian Boltz	81bc26c934	Merge add steam profile for applications in unconfined mode Steam needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify stream instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1125 Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-11-26 16:30:41 +00:00
Christian Boltz	71e28e9357	Merge profiles: convert local include to match profile name The recently added unconfined profiles use the binary name for the local include instead of the profile name. Switch to using the profile name for the local include. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1126 Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-11-26 16:29:14 +00:00
John Johansen	7c684f9d22	profiles: convert local include to match profile name The recently added unconfined profiles use the binary name for the local include instead of the profile name. Switch to using the profile name for the local include. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-11-24 18:53:51 -08:00
John Johansen	6c01b90c13	add steam profile for applications in unconfined mode Steam needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify stream instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-11-24 15:48:53 -08:00
John Johansen	832bb8f417	parser: Add support for a default_allow mode Add support for a default_allow mode that facillitates writing profiles in that allow everything by default. This is not normally recomended but fascilitates creating basic profiles while working to transition policy away from unconfined. This mode is being added specifically to replace the use of the unconfined flag in these transitional profiles as the use of unconfined in policy is confusing and does not reflect the semantics of what is being done. Generally the goal for policy should be to remove all default_allow profiles once the policy is fully developed. Note: this patch only adds parsing of default_allow mode. Currently it sets the unconfined flag to achieve default allow but this prevents deny rules from being applied. Once dominance is fixed a subsequent patch will transition default_allow away from using the unconfined flag. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-11-24 15:38:19 -08:00
John Johansen	e0bc90f5cf	Merge Add profiles for applications in unconfined mode Adding profiles for applications even if they allow all operations will allow them to be referenced as peer by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-11-23 23:14:22 +00:00
John Johansen	6a96067938	Merge parser: fix regex parser leak on parsing failure When the regex parser failed, the Chars objects created/used in rules charset and cset_chars would not be cleaned up properly and would leak. Closes #361 Closes #361 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1124 Merged-by: John Johansen <john@jjmx.net>	2023-11-23 23:12:21 +00:00
Georgia Garcia	dcad01ccc3	parser: fix regex parser leak on parsing failure When the regex parser failed, the Chars objects created/used in rules charset and cset_chars would not be cleaned up properly and would leak. Closes #361 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-11-23 17:37:46 -03:00
Georgia Garcia	2594d936ad	add profiles for applications in unconfined mode Adding profiles for applications even if they allow all operations will allow them to be referenced as peer by other policies. This is a step towards a more comprehensive system policy, adding names, instead of just unconfined, to peers of existing policy and to applications that are known to use unprivileged user namespaces. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-11-23 10:34:20 -03:00
Christian Boltz	9bba464d93	Merge Allow reading /run/systemd/sessions/ Several applications use it now that utmp and wtmp are being removed because they are not Y2038 compliant This is the case for example in openSUSE Tumbleweed and openSUSE MicroOS: https://microos.opensuse.org/blog/2023-11-06-utmp-and-wtmp-are-gone/ Closes https://gitlab.com/apparmor/apparmor/-/issues/360 Closes #360 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216878 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-11-08 18:16:47 +00:00
Julio Gonzalez Gil	96b1aa549b	Allow reading /run/systemd/sessions/ Several applications use it now that utmp and wtmp are being removed because they are not Y2038 compliant This is the case for example in openSUSE Tumbleweed and openSUSE MicroOS: https://microos.opensuse.org/blog/2023-11-06-utmp-and-wtmp-are-gone/ Closes https://gitlab.com/apparmor/apparmor/-/issues/360	2023-11-08 18:13:03 +01:00
John Johansen	dcc719c69c	Merge tests: fix regression tests to run on kernels that only have network_v8 upstream kernels only have network_v8 unfortunately the tcp tests were only being run against kernels that had network (which is v7). Kernels that support both (Ubuntu) would be tested against v8, so v8 has been tested but pure upstream kernels were failing to be tested correctly. This patch will only make sure one of the supported verserions are tested. This is determined by the parser which prefers v8. In the future the tests need to be extended to run the tests against all kernel supported versions. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1120 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>	2023-11-08 14:24:13 +00:00
John Johansen	6304d372bf	tests: fix regression tests to run on kernels that only have network_v8 upstream kernels only have network_v8 unfortunately the tcp tests were only being run against kernels that had network (which is v7). Kernels that support both (Ubuntu) would be tested against v8, so v8 has been tested but pure upstream kernels were failing to be tested correctly. This patch will only make sure one of the supported versions are tested. This is determined by the parser which prefers v8. In the future the tests need to be extended to run the tests against all kernel supported versions. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-11-06 02:33:31 -08:00
John Johansen	54915dabc4	Merge Allow reading /etc/authselect/nsswitch.conf On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf. Fixes: https://gitlab.com/apparmor/apparmor-profiles/-/issues/13 I propose this patch for 3.0..master. Closes apparmor-profiles#13 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1119 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-11-03 03:22:05 +00:00
John Johansen	d55a1e6d5d	Merge Validate capabilities against list of known capabilities Teach CapabilityRule about the list of known capabilities, and ensure that only valid capabilities are allowed in profiles. This comes with several test additions (and removals from the `exception_not_raised` list for the parser simple_tests), see the individual commits for details. Reviewing each commit on its own is probably easier than reading the merged diff. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1117 Merged-by: John Johansen <john@jjmx.net>	2023-11-03 03:09:46 +00:00
John Johansen	6580331625	Merge Add Documentation=... to apparmor.service This is taken from Debian's apparmor.service, and is the first (and easiest) step to get the upstream and Debian file closer. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1116 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-11-03 02:55:46 +00:00
John Johansen	1e7f63415a	Merge ubuntu-browsers.d/kde: fix plasma-browser-integration Out of the box the KDE plasma-browser-integration package does not work after a user installed the corresponding Firefox extension: The browser can't start the native host binary. The same is probably true for Chromium. This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-11-03 02:51:36 +00:00
Christian Boltz	d4dff5ce4e	Allow reading /etc/authselect/nsswitch.conf On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf. Fixes: https://gitlab.com/apparmor/apparmor-profiles/-/issues/13	2023-11-01 17:03:06 +01:00
Christian Boltz	86c05357cf	Add test for unknown capability Even if this is very unlikely to happen (because of the previously added test, and because CapabilityRule only allows to specify known severity keywords), ensure proper behaviour if an unknown severity gets rated.	2023-10-29 22:10:07 +01:00
Christian Boltz	f17bd59904	Test severity of all capabilities ... to ensure that they are all listed in severity.db	2023-10-29 22:10:07 +01:00
Christian Boltz	d38c7b22ce	CapabilityRule: simplify and improve __init__() - convert a string parameter to a list to avoid duplication of the validation logic - add separate check for empty cap_list - remove check for empty strings - the previous commit already added such a check to the for loop. Also, move the comment to that check.	2023-10-29 21:42:57 +01:00
Christian Boltz	942202da17	CapabilityRule: Validate given caps against cap list ... and error out if an unknown capability is given. This also means recognizing bad capabilities in the parser simple_tests now works (so remove these from the exception_not_raised list), and that we can no longer hand over an unknown capability in test-capability.py to test their severity.	2023-10-29 21:31:43 +01:00
Christian Boltz	5c34655f4a	CapabilityRule: Add list of known capabilities ... and add a test to ensure that the list is/stays complete.	2023-10-29 21:28:13 +01:00
Christian Boltz	57ba373213	test-capability: use valid capability names ... instead of non-existing ones. This is a search-and-replace commit: ptrace -> sys_ptrace chgrp -> fowner (because fowner wasn't used in the test before)	2023-10-29 21:23:00 +01:00
Christian Boltz	5d9d4483fb	Add Documentation=... to apparmor.service This is taken from Debian's apparmor.service, and is the first (and easiest) step to get the upstream and Debian file closer.	2023-10-29 10:49:33 +01:00
Malte S. Stretz	8b95030665	ubuntu-browsers.d/kde: fix plasma-browser-integration Out of the box the KDE plasma-browser-integration package does not work after a user installed the corresponding Firefox extension: The browser can't start the native host binary. The same is probably true for Chromium. This was originally reported to KDE at https://bugs.kde.org/show_bug.cgi?id=397399	2023-10-18 11:37:18 +02:00
John Johansen	58a89284d5	Merge tools.py: the big cleanup tools.py contained quite some things that need a big cleanup. See the individual commits for details and more readable diffs. Note: This MR "only" does cleanups and some refactoring. It does not change the (user-visible) behaviour of the code. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1114 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-10-14 00:54:15 +00:00
John Johansen	28f336cb91	Merge abstractions: pipewire rt conf Pipewire also uses the client-rt.conf file, add this to the audio abstraction. See pipewire source: https://github.com/PipeWire/pipewire/blob/master/src/daemon/client-rt.conf.in Hit this during normal usage of Firefox. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1113 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-10-14 00:05:21 +00:00
Antonius Mulder	61fc6805a9	abstractions: pipewire rt conf Pipewire also uses the client-rt.conf file, add this to the audio abstraction.	2023-10-13 13:06:42 -07:00
Christian Boltz	f2f24884c3	get_next_to_profile(): ensure all branches set all variables This also means we can get rid of most cleanprof-specific conditions without changing the behaviour (because the other functions don't use 'profile' yet). Also hand over prof_filename to clean_profile() so that it doesn't need to find it out itsself.	2023-10-12 13:44:04 +02:00
Christian Boltz	5d8347bc26	clean_profile(): re-order code Error out early (avoids a tab level), and handle the short branch first in the if condition.	2023-10-12 13:11:30 +02:00
Christian Boltz	0c595ac801	clean_profile(): rename filename to prof_filename ... for consistency with the variable name in all the other functions.	2023-10-12 13:08:13 +02:00
Christian Boltz	1d5f90efcd	Rename profile variable to prof_filename ... if it contains the profile filename. This avoids confusion with the "real" 'profile' variable that contains a profile name.	2023-10-12 13:04:29 +02:00
Christian Boltz	4f51c93f9d	get_next_to_profile(): return profile and prof_filename Before, the 'profile' return value was either a profile name or a profile filename, depending on the active module (cleanprof vs. everything else). Separate the return values so that it's clear what we get. Notes: - This commit doesn't change functionality, only the number of return values and some variable names. - There's no guarantee that all return values are set. They can also be None. (This might change in the future.) Also adjust the callers of get_next_to_profile(), and rename 'profile' to 'prof_filename' in calling functions that actually use the profile filename.	2023-10-12 12:36:09 +02:00
Christian Boltz	4d1c17b426	Drop enable_profile() and disable_profile() enable_profile() was unused. disable_profile() was only used once, inline it into cmd_disable()	2023-10-12 12:36:09 +02:00
Christian Boltz	918a15e244	Merge common parts of mode changes into get_next_for_modechange()	2023-10-12 12:36:09 +02:00
Christian Boltz	fc8c7722a1	tools.py: call apparmor.read_profiles() in __init__() ... instead of calling it in every cmd_* function.	2023-10-12 12:36:05 +02:00
John Johansen	7eff621fc7	Merge parser/rc.apparmor: Handle Incus Add init function support to skip incus prefixed policy like is done for lxc and lxd Signed-off-by: Stéphane Graber <stgraber@stgraber.org> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1112 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-10-12 05:52:40 +00:00
Stéphane Graber	659a187687	parser/rc.apparmor: Handle Incus Signed-off-by: Stéphane Graber <stgraber@stgraber.org>	2023-10-12 00:55:03 -04:00
John Johansen	cee501349e	Merge ProfileList: merge self.attachments_AARE into self.attachments['re'] Since the unittests now compare a dict that contains an AARE, this also needs: AARE: add `__eq__()` to allow checking aare1 == aare2 ... and add some tests for it MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1111 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-10-12 04:44:24 +00:00
Christian Boltz	27de7ea0c2	ProfileList: merge self.attachments_AARE into self.attachments['re']	2023-10-11 20:39:37 +02:00
Christian Boltz	bfd72c93be	AARE: add __eq__() to allow checking aare1 == aare2 ... and add some tests for it	2023-10-11 20:38:38 +02:00
John Johansen	6ac0e0236b	Merge Fix aa-cleanprof to work with named profiles This needed replacement of "program" with "profile" at various places in tools.py (of course this description is over-simplified). The changes in get_next_to_profile() (which is used by several aa-* minitools) are restricted to cleanprof to avoid side effects in the other aa-* minitools. However, the other aa-* minitools possibly also suffer from problems with named profiles, but checking and fixing that is left for another commit ;-) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351 . The fix needs an additional function in ProfileList (`profile_from_attachment()`) to get the profile name for a given attachment. Since this is not very different from filename_from_attachment(), move most of the code into a thing_from_attachment() function, and make {profile,filename}_from_attachment wrappers for it. Also adjust the tests to the changed internal data structure, and add tests for profile_from_attachment(). I propose this patch for 3.0..master. (3.0 will probably need a slightly different patch - I'll submit a separate MR once this MR is merged.) Closes #351 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1108 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-10-10 03:55:12 +00:00
Christian Boltz	151bf26bb9	Fix aa-cleanprof to work with named profiles This needed replacement of "program" with "profile" at various places in tools.py (of course this description is over-simplified). The changes in get_next_to_profile() (which is used by several aa-* minitools) are restricted to cleanprof to avoid side effects in the other aa-* minitools. However, the other aa-* minitools possibly also suffer from problems with named profiles, but checking and fixing that is left for another commit ;-) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/351	2023-10-08 20:01:27 +02:00
Christian Boltz	26903320fd	ProfileList: add profile_from_attachment() ... to get the profile name for a given attachment. Since this is not very different from filename_from_attachment(), move most of the code into a thing_from_attachment() function, and make {profile,filename}_from_attachment wrappers for it. Also adjust the tests to the changed internal data structure, and add tests for profile_from_attachment().	2023-10-08 15:25:55 +02:00
John Johansen	884adcc58f	repare for AppArmor 4.0 alpha 3 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-09-18 03:51:29 -07:00
John Johansen	f5be84acdc	Merge Utils: add support for the 'all,' rule MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1105 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-09-12 00:39:42 +00:00
John Johansen	5d940b2a47	Merge apparmor.vim: add support for the 'all' rule ... and update the bugreporting info in the header MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1106 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-09-12 00:37:44 +00:00
Christian Boltz	583d116871	apparmor.vim: add support for the 'all' rule ... and update the bugreporting info in the header	2023-09-10 18:38:48 +02:00
Christian Boltz	e361644d5a	Utils: add support for the 'all,' rule	2023-09-10 18:07:41 +02:00
John Johansen	4e758a838d	Merge parser: add support for a generic all rule type Extend the policy syntax to have a rule that allows specifying all permissions for all rule types. allow all, This is useful for making blacklist based policy, but can also be useful when combined with other rule prefixes, eg. to add audit to all rules. audit access all, Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1103 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-09-07 09:09:13 +00:00
John Johansen	197d00d21a	parser: add support for a generic all rule type Extend the policy syntax to have a rule that allows specifying all permissions for all rule types. allow all, This is useful for making blacklist based policy, but can also be useful when combined with other rule prefixes, eg. to add audit to all rules. audit access all, Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-09-07 01:30:15 -07:00
John Johansen	a9c5388f69	Merge parser: refactor network rules and prepare for fine grained network rules This lays the ground work for fine grained network mediation. The switch to using the rules class brings the advantages of shared infrastructure and is needed for tracking all the different combinations possible with finer control. In addition range generation and support for large numbers (needed for ipv6) are added. This patchset does not make policy visible changes to network rules. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1104 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-09-07 07:22:21 +00:00
Georgia Garcia	75ca0e7919	parser: track leading zeros required for ipv6 range regex generator Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:13:52 -07:00
Georgia Garcia	fb5f59024c	parser: add uppercase hex on regex range generator Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:13:42 -07:00
Georgia Garcia	a71ac76e6d	parser: add regex generator for range Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:13:29 -07:00
Georgia Garcia	2be9c431ca	parser: add opt_cond in preparation to finer grained network mediation Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:13:15 -07:00
Georgia Garcia	05de4b82e7	parser: implement dedup of network rules Since network rules don't use the "perms" attribute, it is using the dedup class in which duplicate rules are removed. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:13:04 -07:00
Georgia Garcia	820f1fb5f2	parser: refactor network to use rule class as its base. There is one significant difference in the encoding of the network rules. Before this change, when the parser was encoding a "network," rule, it would generate an entry for every family and every type/protocol. After this patch the parser should generate an entry for every family, but the type/protocol is changed to .. in the pcre syntax. There should be no difference in behavior. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-09-07 00:12:51 -07:00
John Johansen	65905b0c55	Merge aa-status: separate error messages from the regular output using dfprintf for error messages subjects them to the other output controls and can cause them to be surpressed when they shouldn't. Instead use a dedicated error function and add a quiet flag to allow silencing errors. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1102 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-09-07 06:01:08 +00:00
John Johansen	1945ecbf19	aa-status: separate error messages from the regular output using dfprintf for error messages subjects them to the other output controls and can cause them to be surpressed when they shouldn't. Instead use a dedicated error function and add a quiet flag to allow silencing errors. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-28 15:52:44 -07:00
John Johansen	11976c42e3	Merge binutils/aa_status.c: quiet verbose outputs when --json is specified By default aa-status outputs with --verbose enabled - if --json is also specified then aa-status would currently output in its first line "apparmor module is loaded.": aa-status --json \| head -n1 apparmor module is loaded. And only after this the actual json output would follow. This then results in failures to parse this JSON output: aa-status --json \| jq . parse error: Invalid numeric literal at line 1, column 9 This in turn then breaks tools / tests which expect the output of aa-status --json to be purely json - e.g: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra/-/blob/debian/unstable/debian/tests/policy-is-loaded#L12 So ensure dprintf() etc do not output when --json is specified to restrict the output of aa-status to pure JSON. Signed-off-by: Alex Murray <alex.murray@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1097 Approved-by: Seth Arnold <seth.arnold@gmail.com> Merged-by: John Johansen <john@jjmx.net>	2023-08-28 22:07:17 +00:00
John Johansen	327588f019	Merge parser: fix coverity scan 553075 coverity is reporting an overrun of the profile_mode_table 217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT) >>> CID 322989: (OVERRUN) >>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6). this is because it is being indexed by the profile_mode enum which can go up to a 6th entry. The code tests for MODE_CONFLICT before using the table so it shouldn't trigger a bug today, but play it safe for the future and also get rid of the coverity scan error by adding a "conflict" entry to the mode_table. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1098 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-08-28 22:05:45 +00:00
John Johansen	84e22b4cca	Merge Docs: apparmor.d.pod document io_uring and userns rules Documentation for io_uring and userns rules is missing from the apparmor.d man page. Provide some basic documentation for them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/349 Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #349 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1099 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-08-28 22:05:20 +00:00
John Johansen	248625ae00	Merge apparmor.d.pod: rename SIGNALS to SIGNAL SIGNAL makes more sense because it's about a single signal. Besides that, `a9494f5523` introduced a (at that point broken) usage of SIGNAL which becomes valid with this commit. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1100 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-28 22:05:04 +00:00
John Johansen	9ab72ffc7c	Merge Install systemd unit on fedora/redhat systems ... instead of trying the old rc.apparmor.redhat initscript, which we no longer ship since `2019519e34`. Also remove a superfluous level of indirection (rhel4 -> redhat). Fixes: https://gitlab.com/apparmor/apparmor/-/issues/350 Closes #350 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1101 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-28 22:04:53 +00:00
Christian Boltz	9be09aa909	Install systemd unit on fedora/redhat systems ... instead of trying the old rc.apparmor.redhat initscript, which we no longer ship since `2019519e34`. Also remove a superfluous level of indirection (rhel4 -> redhat). Fixes: https://gitlab.com/apparmor/apparmor/-/issues/350	2023-08-28 18:46:20 +02:00
Christian Boltz	2bf35277a0	apparmor.d.pod: rename SIGNALS to SIGNAL SIGNAL makes more sense because it's about a single signal. Besides that, `a9494f5523` introduced a (at that point broken) usage of SIGNAL which becomes valid with this commit.	2023-08-28 18:33:03 +02:00
John Johansen	9db134223c	Docs: apparmor.d.pod document io_uring and userns rules Documentation for io_uring and userns rules is missing from the apparmor.d man page. Provide some basic documentation for them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/349 Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-27 01:06:01 -07:00
John Johansen	ef56e60e06	parser: fix coverity scan 553075 coverity is reporting an overrun of the profile_mode_table 217 if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT) >>> CID 322989: (OVERRUN) >>> Overrunning array "profile_mode_table" of 6 8-byte elements at element index 6 (byte offset 55) using index "this->mode" (which evaluates to 6). this is because it is being indexed by the profile_mode enum which can go up to a 6th entry. The code tests for MODE_CONFLICT before using the table so it shouldn't trigger a bug today, but play it safe for the future and also get rid of the coverity scan error by adding a "conflict" entry to the mode_table. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-25 23:49:32 -07:00
John Johansen	96965c3da2	Merge Add support for new profile flags This adds two new profile flags * `interruptible` which can be used with prompt * `kill.signal=XXX` which can be used to set the signal used by kill mode or the kill rule prefix In addition it adds a few cleanups and fixes around profile flag handling MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1096 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-08-26 05:05:42 +00:00
John Johansen	a9494f5523	parser: add kill.signal=XXX flag support Add a flag that allows setting the signal used to kill the process. This should not be normally used but can be very useful when debugging applications, interaction with apparmor. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-25 10:16:51 -07:00
John Johansen	57985480ca	parser: Fixup flags merge for disconnected_path When merging flags with a disconnected_path specified, there is no check for a conflict and we can just throw away (and leak) one of the paths. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-25 07:19:01 -07:00
John Johansen	f10467556c	parser: move flag init and merge to flagvals class We have a basic flagvals class it makes sense to move the parser code into it, to help make management easier going forward. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-25 07:19:01 -07:00
John Johansen	30707be87f	parser: add interruptible flag Allow indicating that prompt upcalls to userspace can be interrupted Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-25 07:18:50 -07:00
Alex Murray	f61fd42061	binutils/aa_status.c: quiet verbose outputs when --json is specified By default aa-status outputs with --verbose enabled - if --json is also specified then aa-status would currently output in its first line "apparmor module is loaded.": aa-status --json \| head -n1 apparmor module is loaded. And only after this the actual json output would follow. This then results in failures to parse this JSON output: aa-status --json \| jq . parse error: Invalid numeric literal at line 1, column 9 This in turn then breaks tools / tests which expect the output of aa-status --json to be purely json - e.g: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra/-/blob/debian/unstable/debian/tests/policy-is-loaded#L12 So ensure dprintf() etc do not output when --json is specified to restrict the output of aa-status to pure JSON. Signed-off-by: Alex Murray <alex.murray@canonical.com>	2023-08-25 09:23:04 +09:30
John Johansen	847ab59e1c	Merge collapse_log(): Attach null-* events to correct target profile ask_exec() and ask_addhat() set hashlog[aamode][full_profile]['final_name']. While this was used to get profile and hat split, it was not used as key for log_dict. This resulted in entries like log_dict['PERMITTING']['foo//null-/usr/bin/cat'] which are obviously wrong. Use final_name as log_dict key so that we end up with (assuming child exec was selected) log_dict['PERMITTING']['foo///usr/bin/cat'] This fixes a regression introduced in 3.1. Due to other changes in collapse_log() done in master, picking this into 3.1 isn't that easy. I'll submit a separate patch for 3.1. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1091 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-24 01:12:09 +00:00
John Johansen	427b58a4b6	Merge Ignore ´//null-` peers in signal and ptrace events Ideally we'd update them to the chosen exec target - but until this is implemented, it doesn't make sense to ask about adding a //null-* peer to a profile. I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1090 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-24 01:11:02 +00:00
John Johansen	aa20721be1	Merge Don't create local/* profile sniplets by default ... and document how to create them if you still want them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/337 Closes #337 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1089 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-23 23:26:54 +00:00
Georgia Garcia	5957aa49f5	Merge fix test specifying path on attach disconnected MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1094 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-22 12:49:54 +00:00
Georgia Garcia	e133a9fc68	tests: remove superfluous attach_disconnected flag Merge request https://gitlab.com/apparmor/apparmor/merge_requests/1084 makes it so attach_disconnected.path implies attach_disconnected, so remove superfluous flag from tests. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-22 09:40:17 -03:00
Georgia Garcia	32307601a0	tests: fix test specifying path on attach disconnected Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-21 17:36:48 -03:00
Georgia Garcia	5b139521aa	tests: replace individual socket permission to socket and put_old/socket Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-21 17:33:33 -03:00
John Johansen	2d7bd40606	Merge tests: fix userns setns opening pipe order setns tests part of the userns could fail if the parent process opened the child pipe to write it was done before the child opened the pipe with read permissions. From the fifo(7) man page: A process can open a FIFO in nonblocking mode. In this case, opening for read‐only succeeds even if no one has opened on the write side yet and opening for write‐only fails with ENXIO (no such device or address) unless the other end has already been opened. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1093 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-21 16:13:28 +00:00
Georgia Garcia	24806f6f61	tests: fix userns setns opening pipe order setns tests part of the userns could fail if the parent process opened the child pipe to write it was done before the child opened the pipe with read permissions. From the fifo(7) man page: A process can open a FIFO in nonblocking mode. In this case, opening for read‐only succeeds even if no one has opened on the write side yet and opening for write‐only fails with ENXIO (no such device or address) unless the other end has already been opened. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-21 12:04:51 -03:00
Christian Boltz	fbe68f0078	collapse_log(): use final_name Now that we have `final_name` as shortcut for `hashlog[aamode][full_profile]['final_name']`, update the code that used the long version to make it more readable.	2023-08-20 15:50:20 +02:00
Christian Boltz	74265e8ded	collapse_log(): Attach null-* events to correct target profile ask_exec() and ask_addhat() set hashlog[aamode][full_profile]['final_name']. While this was used to get profile and hat split, it was not used as key for log_dict. This resulted in entries like log_dict['PERMITTING']['foo//null-/usr/bin/cat'] which are obviously wrong. Use final_name as log_dict key so that we end up with (assuming child exec was selected) log_dict['PERMITTING']['foo///usr/bin/cat']	2023-08-20 15:49:59 +02:00
Christian Boltz	41df2ca366	Ignore ´//null-` peers in signal and ptrace events Ideally we'd update them to the chosen exec target - but until this is implemented, it doesn't make sense to ask about adding a //null-* peer to a profile.	2023-08-20 11:53:08 +02:00
Christian Boltz	adf19138d5	Don't create local/* profile sniplets by default ... and document how to create them if you still want them. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/337	2023-08-20 11:49:10 +02:00
John Johansen	1758b66c9d	Merge Increase timeout in test-logprof.py On (terribly, but real-world) slow buid hosts, running test-logprof.py fails with a timeout. Increase the timeout so that even those build hosts get enough time to finish the aa-logprof tests. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1087 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-17 11:04:14 +00:00
Christian Boltz	dd9b7b358f	Increase timeout in test-logprof.py On (terribly, but real-world) slow buid hosts, running test-logprof.py fails with a timeout. Increase the timeout so that even those build hosts get enough time to finish the aa-logprof tests.	2023-08-15 20:49:08 +02:00
John Johansen	b45c10d4de	Merge Fix compability with Python < 3.9 str.removeprefix() was introduced in Python 3.9. Replace it with backwards-compatible code. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1085 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-15 13:04:06 +00:00
Christian Boltz	c175e414c8	Fix compability with Python < 3.9 str.removeprefix() was introduced in Python 3.9. Replace it with backwards-compatible code.	2023-08-15 12:40:39 +02:00
John Johansen	5f6e213d23	Prepare for AppArmor 4.0 alpha 2 release - update version file Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-14 14:36:03 -07:00
John Johansen	d717adfc2f	Merge parser: make attach_disconnected.path enable attach_disconnected Currently you need to use attach_disconnected with attach_disconnected.path=XXX to be able to attach to a different location than / whic is ugly and redundant. Make it so attach_disconnected.path implies attach_disconnected. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1084 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>	2023-08-14 21:28:40 +00:00
John Johansen	4a21bd104c	parser: make attach_disconnected.path enable attach_disconnected Currently you need to use attach_disconnected with attach_disconnected.path=XXX to be able to attach to a different location than / whic is ugly and redundant. Make it so attach_disconnected.path implies attach_disconnected. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-14 13:28:31 -07:00
John Johansen	f9036d57de	Merge document that attach_disconnected.path expexts =PATH MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1083 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-14 20:28:26 +00:00
Christian Boltz	c87dd7985f	document that attach_disconnected.path expexts =PATH	2023-08-14 22:22:02 +02:00
John Johansen	8eee4de83e	Merge parser: add support for attach_disconnected.path Add support for specifying the path prefix used when attach disconnected is specified. TODO: add regression tests Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/661 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-14 14:15:25 +00:00
John Johansen	dbb2a1d0bb	tests: regression, add basic regression tests Add a couple basic attach disconnected regression tests Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-14 01:42:34 -07:00
John Johansen	b46b2662ff	parser: add support for attach_disconnected.path Add support for specifying the path prefix used when attach disconnected is specified. The kernel supports prepending a different value than / when a path is disconnected. Expose through a profile flag. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-08-14 01:42:28 -07:00
John Johansen	03669ae3df	Merge Add aa-logprof test framework ... and a simple test for a single (fake) event for ping. Notes: - to let aa-logprof work in the CI environment, we need to skip checking for the AppArmor mountpoint. Introduce --no-check-mountpoint for this. - PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when starting aa-logprof via subprocess.Popen() - if the test runs with coverage enabled, it will also start aa-logprof with coverage (parameters copied from Makefile). Speaking about coverage - this test adds 4% overall coverage, and 10% more coverage for apparmor/aa.py. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1082 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-14 07:55:31 +00:00
John Johansen	941118c699	Merge profiles: allow for the default dovecot libexecdir Though many Linux distros choose to pass _/usr/lib_ as the libexecdir while configuring dovecot, such as [Debian](https://sources.debian.org/src/dovecot/1%3A2.3.20%2Bdfsg1-1/debian/rules/#L132) and [Arch](https://gitlab.archlinux.org/archlinux/packaging/packages/dovecot/-/blob/main/PKGBUILD#L76), others like Alpine Linux and Gentoo don't pass anything as libexecdir, allowing it to default to _/usr/libexec_. Both appear to be valid. From [FHS 3.0, Chapter 4.7](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html): > Some previous versions of this document did not support _/usr/libexec_, despite it being standard practice in a number of environments. To accomodate this restriction, it became common practice to use _/usr/lib_ instead. Either practice is now acceptable, but each application must choose one way or the other to organize itself. Allow for the default libexec subdir _/usr/libexec/dovecot_ as well as the more common _/usr/lib/dovecot_. Signed-off-by: Peter Levine <plevine457@gmail.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1080 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-14 07:54:19 +00:00
Christian Boltz	46debcc493	Add aa-logprof test framework ... and a simple test for a single (fake) event for ping. Notes: - to let aa-logprof work in the CI environment, we need to skip checking for the AppArmor mountpoint. Introduce --no-check-mountpoint for this. - PYTHONPATH and LD_LIBRARY_PATH need to be explicitely forwarded when starting aa-logprof via subprocess.Popen() - if the test runs with coverage enabled, it will also start aa-logprof with coverage (parameters copied from Makefile). Speaking about coverage - this test adds 4% overall coverage, and 10% more coverage for apparmor/aa.py.	2023-08-13 21:02:50 +02:00
Christian Boltz	65de34f462	Merge Add `include if exists <tunables/$FILE.d>` to all tunables (except the deprecated tunables/sys) This allows users to extend variables without editing the main tunables files. It also allows to cleanly introduce new tunable files (via tunables/global.d) and new aliases (via tunables/alias.d). Note: some files already had `include <tunables/$FILE.d>`. These get changed to `include if exists`, and the comments for these includes get unified. Also extend make check to ensure that all tunables include tunables/$FILE.d Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347 I propose this patch for 3.0..master. Closes #347 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1077 Approved-by: timeout Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-08-13 15:02:45 +00:00
Peter Levine	37ffc6eac8	profiles: allow for the default dovecot libexecdir Allow for the default libexec subdir, /usr/libexec/dovecot, as well as the more common /usr/lib/dovecot. Signed-off-by: Peter Levine <plevine457@gmail.com>	2023-08-03 01:30:42 -04:00
John Johansen	313366fbbc	Merge parser: fix encoding of unix permissions for setopt and getopt The permissions for AA_NET_OPT need to be bounded by mask so we can make sure it matches when a policy specified only setopt or only getopt. This was causing failures on the regression tests unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and unix_socket_autobind Fixes: `44f3be091` ("parser: convert the stored audit from a bit mask to a bool") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1079 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-08-02 11:13:40 +00:00
Georgia Garcia	64c1eb9cda	tests: fix feature test Fixes: `81f0b84d` ("tests: fix feature checking if it's a directory") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-01 16:20:20 -03:00
Georgia Garcia	210ad63cbf	parser: fix encoding of unix permissions for setopt and getopt The permissions for AA_NET_OPT need to be bounded by mask so we can make sure it matches when a policy specified only setopt or only getopt. This was causing failures on the regression tests unix_socket_pathname, unix_socket_abstract, unix_socket_unnamed and unix_socket_autobind Fixes: `44f3be091` ("parser: convert the stored audit from a bit mask to a bool") Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-08-01 14:25:41 -03:00
John Johansen	93dff6a806	Merge parser: add support for prompt profile mode Add support for the prompt profile flag. That allows policy to do an upcall to userspace if supported by the kernel and if a userspace daemon is available. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1062 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-31 04:10:33 +00:00
John Johansen	e5dace9ffd	parser: add support for prompt profile mode Add support for the prompt profile mode. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-30 20:50:03 -07:00
John Johansen	80f7add3b7	Merge Add option to log aa-logprof json input and output Add a json_log option (default: disabled) to logprof.conf that enables logging of all aa-logprof and aa-genprof input and output to a /tmp/aa-jsonlog-* file. This can be useful for debugging, and maybe also to create tests that do a full aa-logprof run. This patch introduces a minor behaviour change if aa-logprof errors out on startup (for example if the config file is broken or the parser can't be found): Before: ``` $ aa-logprof --json {"dialog": "apparmor-json-version","data": "2.12"} ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` After: ``` $ aa-logprof --json ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` Note that the json version line will not be printed if aa-logprof or aa-genprof error out that early. If there are no startup errors, the behaviour will not change. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1078 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-31 02:40:23 +00:00
John Johansen	c2b8ca1b28	Merge firefox: fix app name and DBus access Minor fixes for the firefox profile: 1. The attachment spec was failing to match `/usr/lib/firefox-esr/firefox-esr` on Debian; 2. The `Mounted` method of `org.gtk.vfs.MountTracker` is received, not sent. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1076 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-31 02:39:44 +00:00
Christian Boltz	7dc0254b90	Add option to log aa-logprof json input and output Add a json_log option (default: disabled) to logprof.conf that enables logging of all aa-logprof and aa-genprof input and output to a /tmp/aa-jsonlog-* file. This can be useful for debugging, and maybe also to create tests that do a full aa-logprof run. This patch introduces a minor behaviour change if aa-logprof errors out on startup (for example if the config file is broken or the parser can't be found): Before: ``` $ aa-logprof --json {"dialog": "apparmor-json-version","data": "2.12"} ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` After: ``` $ aa-logprof --json ERROR: Can't find apparmor_parser at /sbin/apparmor_parser ``` Note that the json version line will not be printed if aa-logprof or aa-genprof error out that early. If there are no startup errors, the behaviour will not change.	2023-07-30 21:28:35 +02:00
Christian Boltz	d6bc107940	make check: ensure that all tunables include tunables/$FILE.d (except the deprecated tunables/sys)	2023-07-30 00:58:21 +02:00
Christian Boltz	5657799dc7	Add `include if exists <tunables/$FILE.d>` to all tunables (except the deprecated tunables/sys) This allows users to extend variables without editing the main tunables files. It also allows to cleanly introduce new tunable files (via tunables/global.d) and new aliases (via tunables/alias.d). Note: some files already had `include <tunables/$FILE.d>`. These get changed to `include if exists`, and the comments for these includes get unified. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/347	2023-07-30 00:47:34 +02:00
Daniel Richard G	018efdeb9d	firefox: fix app name and DBus access	2023-07-25 20:04:26 -04:00
John Johansen	17a521ff50	Merge ask_exec: Stop checking for CMD_nx (named exec) ... because it gets translated to CMD_px or CMD_cx earlier in the function. Also add a safety check for unknown answers. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1072 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-19 21:17:35 +00:00
John Johansen	853b138537	Merge libapparmor: fix dynamic linkage It appears that lto1 does not support -dynamic, and that ld no longer documents -dynamic. Which results in the following build failure when usine lto1 for link time optimizations ``` [ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0 [ 45s] lto1: warning: unrecognized gcc debugging option: y [ 45s] lto1: warning: unrecognized gcc debugging option: n [ 45s] lto1: warning: unrecognized gcc debugging option: m [ 45s] lto1: warning: unrecognized gcc debugging option: i [ 45s] lto1: warning: unrecognized gcc debugging option: c ``` Switch to -Bdynamic which is documented. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1071 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>	2023-07-19 21:16:36 +00:00
John Johansen	d6673f95d2	Merge tests: fix feature checking if it's a directory The test to check if the kernel supports a feature covers two cases: 1. The file/directory indicates a feature is supported. 2. The feature is supported if it's in the contents of the file. When the intended check is for case 1, and the file does not exist, then the code checks if it's case 2, but since it was not supposed to be, we end up grepping a directory, causing an error message. Fix this by checking if we're grepping a file. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1074 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-19 21:16:23 +00:00
John Johansen	b2274a7f5d	Merge Revert "policy: pin policy to 4.0 abi for dev" This reverts commit `460c3d5b59`. The 4.0 ABI was pinned for the development cycle but it can cause in-tree uses of parser/parser.conf to fail if it cannot find the 4.0 file in /etc/apparmor.d/abi/. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1073 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-19 21:14:45 +00:00
Georgia Garcia	81f0b84da5	tests: fix feature checking if it's a directory The test to check if the kernel supports a feature covers two cases: 1. The file/directory indicates a feature is supported. 2. The feature is supported if it's in the contents of the file. When the intended check is for case 1, and the file does not exist, then the code checks if it's case 2, but since it was not supposed to be, we end up grepping a directory, causing an error message. Fix this by checking if we're grepping a file. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-19 17:46:13 -03:00
Georgia Garcia	10529a6db7	Revert "policy: pin policy to 4.0 abi for dev" This reverts commit `460c3d5b59`. The 4.0 ABI was pinned for the development cycle but it can cause in-tree uses of parser/parser.conf to fail if it cannot find the 4.0 file in /etc/apparmor.d/abi/. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-19 17:37:24 -03:00
Christian Boltz	f1ab009a09	ask_exec: Stop checking for CMD_nx (named exec) ... because it gets translated to CMD_px or CMD_cx earlier in the function. Also add a safety check for unknown answers.	2023-07-19 21:41:43 +02:00
John Johansen	94082cc5e4	libapparmor: fix dynamic linkage It appears that lto1 does not support -dynamic, and that ld no longer documents -dynamic. Which results in the following build failure when usine lto1 for link time optimizations [ 45s] libtool: link: gcc -shared -fPIC -DPIC .libs/grammar.o .libs/libaalogparse.o .libs/kernel.o .libs/scanner.o .libs/private.o .libs/features.o .libs/kernel_interface.o .libs/policy_cache.o .libs/PMurHash.o -flto-partition=none -O2 -fstack-protector-strong -flto=auto -dynamic -Wl,--version-script=../src/libapparmor.map -flto=auto -pthread -Wl,-soname -Wl,libapparmor.so.1 -o .libs/libapparmor.so.1.17.0 [ 45s] lto1: warning: unrecognized gcc debugging option: y [ 45s] lto1: warning: unrecognized gcc debugging option: n [ 45s] lto1: warning: unrecognized gcc debugging option: m [ 45s] lto1: warning: unrecognized gcc debugging option: i [ 45s] lto1: warning: unrecognized gcc debugging option: c Switch to -Bdynamic which is documented. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-17 21:04:11 -07:00
Steve Beattie	b6bd4f5421	parser: improve errors.py test coverage, convert to unittest.main Merge the following commits: - [`12cf66ff0`] parser/errors.py: check error message + error code for non-existent profiles - [`87896b949`] parser/errors.py: convert to unittest.main() MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Approved-by: John Johansen <john@jjmx.net>	2023-07-13 13:43:40 -05:00
Steve Beattie	87896b9496	parser/errors.py: convert to unittest.main() Do this to simplify test identification, and also support the different invocation mechanisms of unittest, like running individual tests. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Approved-by: John Johansen <john@jjmx.net>	2023-07-13 13:40:42 -05:00
Steve Beattie	12cf66ff0b	parser/errors.py: check error message + error code for non-existent profiles Add tests for passing the parser a file that doesn't exist, a symlink to a file that doesn't exist, and a directory that contains that latter. Also include tests for different levels of -j passed as an argument. These tests are based on the fixing commit `1259319508` ("parser: Fix parser failing to handle errors when setting up work") MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1070 Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Approved-by: John Johansen <john@jjmx.net>	2023-07-13 13:38:52 -05:00
Georgia Garcia	a271b2474c	Prepare for AppArmor 4.0 alpha release - update version file - update library version Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-11 13:23:38 -03:00
Georgia Garcia	3cd2baccdd	Merge parser: rework perms rule merging Instead of pushing the cmp logic for rule merging into each rule class make it the default behavior for the perms_rule_t parent class. Also save off the original perms for the merged rule. For classes that don't want perms merging add an alternate dedup_perms_rule_t clase. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1069 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-11 12:10:23 +00:00
John Johansen	5e8567c9e9	parser: rework perms rule merging Instead of pushing the cmp logic for rule merging into each rule class make it the default behavior for the perms_rule_t parent class. Also save off the original perms for the merged rule. For classes that don't want perms merging add an alternate dedup_perms_rule_t clase. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-10 20:04:53 -07:00
John Johansen	74b101faa8	Merge parser: improve dfa generation speedup and reduce memory usage of dfa generation A variety of changes to improve dfa generation - By switching to Nodevec instead of Node sets we can reduce memory usage slightly and reduce code - By using charsets for chars we reduce code and increase chances of node merging/reduction which reduces memory usage slightly - By merging charsets we reduce the number of nodes Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1066 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-11 02:26:10 +00:00
John Johansen	1dfd26aea7	Merge parser: add permission merging By changing the compare function from each rule to use class_rule_t, instead of perms_rule_t, we temporarily ignore if permissions are different. If every rule attribute is the same, then the permissions can be merged. This is done at the perms_rule_t's level. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1068 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-11 02:18:45 +00:00
John Johansen	806b097d9a	Merge tests: only compile and run io_uring tests if liburing-dev is installed Compiling of io_uring tests fail if liburing-dev is not installed. Also, the tests were not running as part of the test suite. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1067 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-10 21:05:21 +00:00
Georgia Garcia	cdb5e501d6	parser: add permission merging By changing the compare function from each rule to use class_rule_t, instead of perms_rule_t, we temporarily ignore if permissions are different. If every rule attribute is the same, then the permissions can be merged. This is done at the perms_rule_t's level. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-10 18:01:32 -03:00
John Johansen	1279f85e4a	Merge parser: Improve rule merging/dedup Currently File rules are the only rules that have rule dedup/merging performed. Extend support for rule merging to all other rule types. This can result in a small performance regression when rules can not be merged/deduped but can result in a large performance increase when lots of rules can be eliminated. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1065 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-07-10 19:13:25 +00:00
Georgia Garcia	3b832dd313	Merge tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226. Signed-off-by: Alex Murray <alex.murray@canonical.com> Closes #226 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1064 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-10 13:09:48 +00:00
John Johansen	501e87a3f2	parser: Cleanup parser control flags, so they display as expected to user Instead of having multiple tables, since we have room post split of optimization and dump flags just move all the optimization and dump flags into a common table. We can if needed switch the flag entry size to a long in the future. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-08 19:58:59 -07:00
John Johansen	1754b4da69	parser: add flags to control rule merging Add the ability to control whether rule merging is done. TODO: in the furture cleanup display of flags split accross two tables Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-08 01:06:50 -07:00
John Johansen	e84e481263	parser: cleanup and rework optimization and dump flag handling In preparation for more flags (not all of the backend dfa based), rework the optimization and dump flag handling which has been exclusively around the dfa up to this point. - split dfa control and dump flags into separate fields. This gives more room for new flags in the existing DFA set - rename DFA_DUMP, and DFA_CONTROL to CONTROL_DFA and DUMP_DFA as this will provide more uniform naming for none dfa flags - group dump and control flags into a structure so they can be passed together. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:47:41 -07:00
John Johansen	c5f2fcbb95	parser: add rule merging for dbus rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:47:36 -07:00
John Johansen	5e713276ca	parser: add rule merging for af_unix rules this is reuired because af_rule merging does not take into account the potential af_unix addresses and could incorrectly merge af_unix rules. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:46:54 -07:00
John Johansen	00553a6dd5	parser: add rule mergeing for af_rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:46:19 -07:00
John Johansen	08a0970d1f	parser: add io_uring rule merging Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:45:38 -07:00
John Johansen	ca976bf5cb	parser: add rule merging for mqueue rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:41:10 -07:00
John Johansen	0f660828e1	parser: add rule merging for ptrace rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:40:20 -07:00
John Johansen	fd20c226e0	parser: add rule merging for userns rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:39:50 -07:00
John Johansen	53b99a82f6	parser: add rule merging for signals Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:39:33 -07:00
John Johansen	3ede2c46cf	parser: add rule dedup of mount rules Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:38:47 -07:00
John Johansen	7d9958890f	parser: finish basic infrastructure for rule merging Currently only file rules get merged. Finish adding basic support for rule merging and make the default the behavior to dedup merge rules that are exact matches. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-07 17:35:37 -07:00
Georgia Garcia	88baa28799	common: fix newline on Makefile rules The required extra newline was removed unintentionally in `0b719e4f8`. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-05 11:08:32 -03:00
Georgia Garcia	502b83a2a6	tests: only compile and run io_uring tests if liburing-dev is installed Compiling of io_uring tests fail if liburing-dev is not installed. Also, the tests were not running as part of the test suite. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-07-05 11:08:28 -03:00
John Johansen	dbca8ebb89	parser: Improve the rule skip test. Rules can be marked as being deleted/merged, and should be skipped on further processing. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-05 04:40:27 -07:00
Alex Murray	eafae0dd03	tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to account for kernel lockdown, but the capabilities.sh script also exercises these system calls so this also needs to be updated as well. Also required to fix issue #226. Signed-off-by: Alex Murray <alex.murray@canonical.com>	2023-07-05 13:25:25 +09:30
John Johansen	f6b179010e	Merge parser: add support for exposing a debug flag to policy Allowing access to a debug flag can greatly improve policy debugging. This is different than the debug mode of old, that was removed. It only will trigger additional messages to the kernel ring buffer, not the audit log, and it does not change mediation. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1060 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-07-04 06:58:16 +00:00
John Johansen	5dda593345	Merge policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1061 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>	2023-07-04 06:57:52 +00:00
John Johansen	7393aaac21	Merge tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown When kernel lockdown is enabled the ioperm and iopl tests will fail regardless since lockdown prevents these syscalls before AppArmor has a chance to mediate them. So workaround this by detecting when lockdown is enabled and expect the tests to fail in that case. Fixes issue #226. Signed-off-by: Alex Murray <alex.murray@canonical.com> Closes #226 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1063 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-04 06:52:33 +00:00
Alex Murray	6ca4992107	tests/regression/apparmor/syscall.sh: fail iopl/ioperm with lockdown When kernel lockdown is enabled the ioperm and iopl tests will fail regardless since lockdown prevents these syscalls before AppArmor has a chance to mediate them. So workaround this by detecting when lockdown is enabled and expect the tests to fail in that case. Fixes issue #226. Signed-off-by: Alex Murray <alex.murray@canonical.com>	2023-07-04 15:45:45 +09:30
John Johansen	24f834b128	parser: allow character sets to be used as exact match permissions character sets are just a way of enumerating to exact match rules more succinctly, so loosen the exact match check to allow them. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-03 00:53:26 -07:00
John Johansen	9e9ca7e55d	Drop code that is now unused because of the conversion to NodeVec Drop NodeCache and hashedNodes as they are no longer used. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-03 00:53:26 -07:00
John Johansen	61c20a0ae8	convert anodes to using NodeVecs instead of NodeSets Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-03 00:53:26 -07:00
John Johansen	53d00b4d2b	rename hashedNodeVec to NodeVec Shorten the name length by dropping the leading "hashed". Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-03 00:49:56 -07:00
Daniel Richard G	3f6ebfd218	firefox: updates from usage monitoring	2023-07-03 00:49:56 -07:00
John Johansen	367babf9cb	parser: add support for exposing a debug flag to policy Allowing access to a debug flag can greatly improve policy debugging. This is different than the debug mode of old, that was removed. It only will trigger additional messages to the kernel ring buffer, not the audit log, and it does not change mediation. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-07-02 03:02:02 -07:00
John Johansen	460c3d5b59	policy: pin policy to 4.0 abi for dev TO BE REVERTED: this is a dev patch to help make sure policy is getting updated. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-30 23:43:40 -07:00
John Johansen	f1b4da2f64	policy: update to use 4.0 abi Begin preparing policy for the 4.0 release. This may result in new denials. This is expected and needed to make sure policy is ready for the 4.0 release. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-30 23:36:12 -07:00
John Johansen	271f0e2366	Merge firefox: updates from usage monitoring I have a number of updates for the Firefox profile, based on monitoring AppArmor logs in the course of my own usage. I'm going to try annotating the diff with the appropriate log messages, to see if that is a useful way of documenting the changes. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1055 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-01 01:06:17 +00:00
John Johansen	5b7e637872	Merge abstractions/fonts: allow writing to fontconfig user cache files Apologies for the second push; this change is made with the understanding that the abstraction is not intended to be solely read-only. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1059 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-07-01 01:05:46 +00:00
Daniel Richard G	dc5d999c5b	firefox: updates from usage monitoring	2023-06-30 18:38:31 -04:00
Daniel Richard G	07919c2c70	abstractions/fonts: allow writing to fontconfig user cache files	2023-06-30 18:26:28 -04:00
John Johansen	162aa447d2	Merge abstractions/fonts: allow locking fontconfig user cache files Got this after allowing `rw` access to `~/.cache/fontconfig/**`: `Jun 20 00:41:26 testvm kernel: [3280307.358614] audit: type=1400 audit(1687236086.210:127519): apparmor="DENIED" operation="file_lock" profile="firefox" name="/home/username/.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-7" pid=1758224 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1002 ouid=1002` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1057 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-30 17:45:32 +00:00
John Johansen	15492fe8c9	Merge binutils: fix resource leak on aa-load Dir "d" is not closed when asprintf fails. Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK) Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1058 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-30 17:43:51 +00:00
Georgia Garcia	b0902a34d1	binutils: fix resource leak on aa-load Dir "d" is not closed when asprintf fails. Found by coverity: CID 321416: Resource leaks (RESOURCE_LEAK) Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-06-30 10:02:48 -03:00
John Johansen	ab218526bf	Merge parser: Remove check for root to run parser The check isn't correct, it should be checking for capability MAC_ADMIN, but in the future that won't be correct either. Instead rely on the kernel to check permission to load policy, which it alread does as it is possible to by-pass the parser to load policy. Also improve the error message when the kernel does deny loading policy due to failed permission checks. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1044 Approved-by: Seth Arnold <seth.arnold@gmail.com> Merged-by: John Johansen <john@jjmx.net>	2023-06-30 07:02:34 +00:00
Daniel Richard G	3b51143d87	abstractions/fonts: allow locking fontconfig user cache files	2023-06-29 21:26:59 -04:00
John Johansen	e7844e723e	parser: Remove check for root to run parser The check isn't correct, it should be checking for capability MAC_ADMIN, but in the future that won't be correct either. Instead rely on the kernel to check permission to load policy, which it alread does as it is possible to by-pass the parser to load policy. Also improve the error message when the kernel does deny loading policy due to failed permission checks. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-29 14:42:02 -07:00
John Johansen	fef3eb3693	Merge add userspace support for io_uring mediation ``` io_uring rules have the following format: io_uring [<access_mode>] [<label>], access_mode := 'sqpoll'\|'override_creds' label := 'label' '=' <target label> ``` You can use the following kernel tree with the io_uring mediation patch to test this feature https://gitlab.com/georgiag/apparmor-kernel/-/commits/io_uring MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/993 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-29 21:38:02 +00:00
John Johansen	d788af0891	Merge aa-load aa-load is a tool that loads cached (compiled) policies into the kernel. It can receive as argument a file, a cache directory containing the hash subtree, and a directory containing cached files directly underneath - no hash. This tool can be used in the as a guide for other init systems to load the cached policies directly. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/770 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-29 21:24:25 +00:00
John Johansen	a7dc938188	Merge Fix "use-after-free" of 'tmp' in procattr_open() This Fixes coverity CID 254463: Memory - illegal accesses (USE_AFTER_FREE) which was introduced in `35e58273` / https://gitlab.com/apparmor/apparmor/-/merge_requests/713 (merged) The coverity report it self is wrong because while the pointer use is after free. It is deliberately a pointer comparison to see if the value was pointing to proc_attr_base_old. This is not actually problematic as far as it goes. However it does surface a bug in the logic, and regardless if it is allowed doing a post-free pointer comparison like this will confuse static checkers and humans alike. procattr_path() will never return proc_attr_base_old, it will return a copy of it (if it did return it, we couldn't free it). So the test tmp != proc_attr_base_old is bad, in that it will always be true even if tmp was a copy of proc_attr_base_old. Fix this by makint tmp auto free, and switching to a string comparison. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1042 Aked-by: time-out Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-29 21:23:27 +00:00
John Johansen	1ff74fed4b	Merge abstactions/kde: allow reading global Debian KDE settings New denials detected on Debian Sid: ``` type=AVC msg=audit(1687372581.246:738): apparmor="DENIED" operation="open" class="file" profile="qtox" name="/usr/share/desktop-base/kf5-settings/kdeglobals" pid=17988 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="vincas" OUID="root" ``` Debian package `desktop-base` contains some global KDE settings files: ``` $ dpkg -L desktop-base \| fgrep kf5 /usr/share/desktop-base/kf5-settings /usr/share/desktop-base/kf5-settings/baloofilerc /usr/share/desktop-base/kf5-settings/kdeglobals /usr/share/desktop-base/kf5-settings/kscreenlockerrc ``` Add file rules to allow reading global KDE settings. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1056 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-29 21:21:32 +00:00
Vincas Dargis	155be0ffc4	abstactions/kde: allow reading global Debian KDE settings New denials detected on Debian Sid: ``` type=AVC msg=audit(1687372581.246:738): apparmor="DENIED" operation="open" class="file" profile="qtox" name="/usr/share/desktop-base/kf5-settings/kdeglobals" pid=17988 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="vincas" OUID="root" ``` Debian package `desktop-base` contains some global KDE settings files: ``` $ dpkg -L desktop-base \| fgrep kf5 /usr/share/desktop-base/kf5-settings /usr/share/desktop-base/kf5-settings/baloofilerc /usr/share/desktop-base/kf5-settings/kdeglobals /usr/share/desktop-base/kf5-settings/kscreenlockerrc ``` Add file rules to allow reading global KDE settings.	2023-06-26 20:09:55 +03:00
John Johansen	d4b0fef10a	parser: fix rule flag generation change_mount type rules MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048 made it so rules like mount slave /snap/bin/ -> /, mount /snap/bin/ -> /, would get passed into change_mount_type rule generation when they shouldn't have been. This would result in two different errors. 1. If kernel mount flags were present on the rule. The error would be caught causing an error to be returned, causing profile compilation to fail. 2. If the rule did not contain explicit flags then rule would generate change_mount_type permissions based on souly the mount point. And the implied set of flags. However this is incorrect as it should not generate change_mount permissions for this type of rule. Not only does it ignore the source/device type condition but it generates permissions that were never intended. When used in combination with a deny prefix this overly broad rule can result in almost all mount rules being denied, as the denial takes priority over the allow mount rules. Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989 Fixes: `9d3f8c6cc` ("parser: fix parsing of source as mount point for propagation type flags") Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit `86d193e183`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-21 01:18:14 -07:00
John Johansen	b0354ef714	Merge detailed_processes(): initialize ret ... to avoid returning it uninitialized. Found by coverity: CID 320935: Uninitialized variables (UNINIT) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1053 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-13 23:31:16 +00:00
John Johansen	b192da49c2	Fix "use-after-free" of 'tmp' in procattr_open() This Fixes coverity CID 254463: Memory - illegal accesses (USE_AFTER_FREE) which was introduced in `35e58273` / https://gitlab.com/apparmor/apparmor/-/merge_requests/713 (merged) The coverity report it self is wrong because while the pointer use is after free. It is deliberately a pointer comparison to see if the value was pointing to proc_attr_base_old. This is not actually problematic as far as it goes. However it does surface a bug in the logic, and regardless if it is allowed doing a post-free pointer comparison like this will confuse static checkers and humans alike. procattr_path() will never return proc_attr_base_old, it will return a copy of it (if it did return it, we couldn't free it). So the test tmp != proc_attr_base_old is bad, in that it will always be true even if tmp was a copy of proc_attr_base_old. Fix this by makint tmp auto free, and switching to a string comparison. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-06-13 16:25:44 -07:00
Christian Boltz	8bf58a79b1	detailed_processes(): initialize ret ... to avoid returning it uninitialized. Found by coverity: CID 320935: Uninitialized variables (UNINIT)	2023-06-13 22:11:21 +02:00
Christian Boltz	b6be7b6204	Merge Enable coverity scans for master ... so that each change in master gets scanned (until we reach the scan limit). This will give us more timely results than only scanning the coverity branch whenever someone manually updates it. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1052 Approved-by: John Johansen <john@jjmx.net> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-06-13 18:46:13 +00:00
Christian Boltz	34a46bd8f2	Enable coverity scans for master ... so that each change in master gets scanned (until we reach the scan limit). This will give us more timely results than only scanning the coverity branch whenever someone manually updates it.	2023-06-13 20:35:07 +02:00
Christian Boltz	a4575a688c	Merge usr.sbin.sshd: Add permissions masked by internal-sftp section I have been testing the `usr.sbin.sshd` profile with the [three "for internal-sftp" rules](`ad3750058d/profiles/apparmor/profiles/extras/usr.sbin.sshd (L138-140)`) commented out, as they are quite broad. This has turned up a few oversights, a couple of which have been fixed in abstractions. This MR brings in the missing rules that don't currently seem to have a better place to go, and addresses a couple of other minor issues in the profile. Here are the associated syslog messages: ``` Jun 8 21:09:11 testvm kernel: [ 28.211637] audit: type=1400 audit(1686272951.369:66): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/sshd" name="/run/systemd/notify" pid=830 comm="sshd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Jun 9 00:27:24 testvm kernel: [10846.886139] audit: type=1400 audit(1686284844.516:1268): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/sshd" name="/home/username/.cache/" pid=5815 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 Jun 9 00:28:57 testvm kernel: [10940.152625] audit: type=1400 audit(1686284937.780:1337): apparmor="DENIED" operation="mknod" profile="/usr/sbin/sshd" name="/home/username/.cache/motd.legal-displayed" pid=5979 comm="sshd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ``` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1051 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-06-11 14:27:13 +00:00
Daniel Richard G	15112b3a49	usr.sbin.sshd: Add permissions masked by internal-sftp section Also replace /(var/)run with @{run} and /sys with @{sys}, and fix a typo (etc.legal)	2023-06-10 16:49:24 -04:00
John Johansen	ad3750058d	Merge abstractions/base: Add transparent hugepage support Found in testing a slimmed-down `usr.sbin.sshd` profile: ``` Jun 8 21:09:38 testvm kernel: [ 54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-09 08:46:31 +00:00
John Johansen	b41fcdce16	Merge abstractions/authentication: Add GSSAPI mechanism modules config Found in testing a slimmed-down `usr.sbin.sshd` profile: ``` Jun 8 21:09:37 testvm kernel: [ 54.770501] audit: type=1400 audit(1686272977.933:67): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/gss/mech.d/" pid=1036 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` ([Reference](https://web.mit.edu/kerberos/krb5-1.21/doc/admin/host_config.html#gssapi-mechanism-modules) for GSSAPI mechanism modules) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1049 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-09 08:45:20 +00:00
Daniel Richard G	3844e45220	abstractions/base: Add transparent hugepage support	2023-06-09 01:14:13 -04:00
Daniel Richard G	4b9ba3977b	abstractions/authentication: Add GSSAPI mechanism modules config	2023-06-09 00:47:32 -04:00
John Johansen	6e0d776f65	Merge profiles: allow reading of /etc/ld-musl-.path /etc/ld-musl-.path is required to perform dynamic linking on musl libc. The wildcard is to match all CPU architectures, like x86_64. type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Closes #333 Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com> Closes #333 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-09 01:59:53 +00:00
John Johansen	8ef7e91a38	Merge Improvements from the Ubuntu 20.04 Firefox profile This brings in numerous improvements from the Firefox AppArmor profile that Ubuntu ships in 20.04/focal. The raw profile may be viewed [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox-trunk.head/view/head:/debian/usr.bin.firefox.apparmor.14.10) (or alternately [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10)). To review, you may not only want to compare this new version against HEAD, but also against the Ubuntu profile, which has a smaller diff. I suggest preprocessing the latter with the following to reduce extraneous diffs: ``` sed 's,@{PROC}/\[0-9\]\/,@{PROC}/@{pid}/,g; s,/@{pid}/task/\[0-9\]\/,/@{pid}/task/@{tid}/,g; s/#$include$/\1/' ``` I've made a few minor edits along the way, such as using AppArmor variables instead of preprocessing directives (like `@MOZ_LIBDIR@`) that are substituted in the Firefox package build. Any feature/stylistic downgrades in the Ubuntu profile should have been filtered out. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1043 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-09 01:57:25 +00:00
John Johansen	1e0d7bcbb7	Merge parser: fix parsing of source as mount point for propagation type flags Before `300889c3a`, mount rules would compile policy when using source as mount point for rules that contain propagation type flags, such as unbindable, runbindable, private, rprivate, slave, rslave, shared, and rshared. Even though it compiled, the rule generated would not work as expected. This commit fixes both issues. It allows the usage of source as mount point for the specified flags, albeit with a deprecation warning, and it correctly generates the mount rule. The policy fails to load when both source and mount point are specified, keeping the original behavior (reference parser/tst/simple_tests/mount/bad_opt_10.sd for example). Fixes: https://bugs.launchpad.net/bugs/1648245 Fixes: https://bugs.launchpad.net/bugs/2023025 It should be backported to versions 2.13, 3.0, 3.1. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-06-09 01:52:40 +00:00
Georgia Garcia	9d3f8c6cc0	parser: fix parsing of source as mount point for propagation type flags Before `300889c3a`, mount rules would compile policy when using source as mount point for rules that contain propagation type flags, such as unbindable, runbindable, private, rprivate, slave, rslave, shared, and rshared. Even though it compiled, the rule generated would not work as expected. This commit fixes both issues. It allows the usage of source as mount point for the specified flags, albeit with a deprecation warning, and it correctly generates the mount rule. The policy fails to load when both source and mount point are specified, keeping the original behavior (reference parser/tst/simple_tests/mount/bad_opt_10.sd for example). Fixes: https://bugs.launchpad.net/bugs/1648245 Fixes: https://bugs.launchpad.net/bugs/2023025 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-06-07 20:16:50 -03:00
Nikita Romaniuk	d8e25ce915	profiles: allow reading of /etc/ld-musl-.path /etc/ld-musl-.path is required to perform dynamic linking on musl libc. The wildcard is to match all CPU architectures, like x86_64. type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Closes #333 Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>	2023-06-07 01:09:33 +03:00
Georgia Garcia	a00ece5b6e	Merge profiles: add lock file permission to snap browsers When opening snap browsers with evince using the snap_browsers abstraction, we get the following AppArmor denials which prevent the browsers from opening audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0 This MR should be cherry-picked into 2.13, 3.0, 3.1 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-06-06 11:14:43 +00:00
Georgia Garcia	daec4bc82a	profiles: add lock file permission to snap browsers When opening snap browsers with evince using the snap_browsers abstraction, we get the following AppArmor denials which prevent the browsers from opening audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-06-05 17:39:28 -03:00
Daniel Richard G	d367adf1f1	Improvements from the Ubuntu 20.04 Firefox profile The Ubuntu profile is available at (trunk and branch locations) https://bazaar.launchpad.net/~mozillateam/firefox/firefox-trunk.head/view/head:/debian/usr.bin.firefox.apparmor.14.10 https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10	2023-05-30 15:22:25 -04:00
John Johansen	8d6358fa6d	Merge Fix use-after-free of 'name' in parser_regex.c 'name' gets used in the error message. Make sure it only gets freed afterwards. This bug was introduced in `be0d2fa947` / https://gitlab.com/apparmor/apparmor/-/merge_requests/727 Fixes coverity CID 254465: Memory - illegal accesses (USE_AFTER_FREE) I propose this fix for 3.0..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1040 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-05-29 22:38:17 +00:00
John Johansen	dc8cbebdef	Merge Fix order of if conditions to avoid unreachable code If `else if (preprocess_only)` is true, the more strict condition `else if (!include_file && preprocess_only)` won't be reached if it gets checked after the shorter condition. Exchange the two sections so that both code paths can be reached. Fixes coverity CID 312499: Control flow issues (DEADCODE) This was probably introduced in `7dcf013bca` / https://gitlab.com/apparmor/apparmor/-/merge_requests/743 which means we'll need to backport this fix to 3.0 and 3.1. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1039 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-05-29 22:29:06 +00:00
John Johansen	b92bad44d7	Merge Fix missing uint32_t type declaration in rule.h ... by including cstdint. Credits go to the new gcc in Tumbleweed for proposing this patch. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1038 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-05-29 22:28:04 +00:00
Christian Boltz	e408d03a5b	Fix use-after-free of 'name' in parser_regex.c 'name' gets used in the error message. Make sure it only gets freed afterwards. This bug was introduced in `be0d2fa947` / https://gitlab.com/apparmor/apparmor/-/merge_requests/727 Fixes coverity CID 254465: Memory - illegal accesses (USE_AFTER_FREE)	2023-05-29 22:16:09 +02:00
Christian Boltz	eabbc61509	Fix order of if conditions to avoid unreachable code If `else if (preprocess_only)` is true, the more strict condition `else if (!include_file && preprocess_only)` won't be reached if it gets checked after the shorter condition. Exchange the two sections so that both code paths can be reached. Fixes coverity CID 312499: Control flow issues (DEADCODE)	2023-05-29 21:33:54 +02:00
Christian Boltz	c5c0ecb508	Fix missing uint32_t type declaration in rule.h ... by including cstdint. Credits go to the new gcc in Tumbleweed for proposing this patch.	2023-05-29 21:24:31 +02:00
John Johansen	d700f87d3e	Merge extend test profiles for mount - in bad_?.sd, explain why the profile is bad (conflicting options) - add a good profile with two space-separated options This is a follow-up for https://gitlab.com/apparmor/apparmor/-/merge_requests/1029 If we backport !1029, we should also backport these test changes. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1035 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-05-23 21:40:06 +00:00
John Johansen	88d2bf45a4	Merge aa-status: Fix malformed json output In some cases (if profiles in complain _and_ enforce mode are loaded), the `i` loop runs more than once, which also means `j == 0` is true in the middle of the json. This causes invalid json. This patch fixes this. This is a regression related to `22aa9b6161` / https://gitlab.com/apparmor/apparmor/-/merge_requests/964 / https://gitlab.com/apparmor/apparmor/-/issues/295 which fixed another case of invalid json if a process was unconfined while having a profile defined. Note: I also tested this patch for the "unconfined, but has a profile defined" case to ensure it doesn't break what `22aa9b6161` fixed. This fix is needed in all branches that also got !964 (which means 3.1 and 3.0). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1036 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-05-19 20:33:20 +00:00
Christian Boltz	f72c001643	aa-status: Fix malformed json output In some cases (if profiles in complain and enforce mode are loaded), the `i` loop runs more than once, which also means `j == 0` is true in the middle of the json. This causes invalid json. This patch fixes this. This is a regression related to `22aa9b6161` / https://gitlab.com/apparmor/apparmor/-/merge_requests/964 / https://gitlab.com/apparmor/apparmor/-/issues/295 which fixed another case of invalid json if a process was unconfined while having a profile defined. Note: I also tested this patch for the "unconfined, but has a profile defined" case to ensure it doesn't break what `22aa9b6161` fixed.	2023-05-19 22:25:05 +02:00
Christian Boltz	9a9af71d83	extend test profiles for mount - in bad_?.sd, explain why the profile is bad (conflicting options) - add a good profile with two space-separated options This is a follow-up for https://gitlab.com/apparmor/apparmor/-/merge_requests/1029	2023-05-18 20:05:42 +02:00
John Johansen	e7f1b882f7	Merge aa-status: extend to support filtering Enhance aa-status by adding posix regex filter support and support for new modes this MR adds the following command line options ``` --show={profiles,processes,all} --count --filter.mode=filter --filter.processs=filter --filter.profiles=filter --filter.pid=filter ``` Where currently filters use the basic posix regexs, do we want to go with extended regex, or apparmor globbing An example of using the new filters ``` $ sudo ./aa-status --filter.exe="firefox" --show=processes apparmor module is loaded. 65 processes have profiles defined. 25 processes are in enforce mode. /snap/firefox/2605/usr/lib/firefox/firefox (4406) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (4686) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (4721) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (4826) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (19204) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (19206) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (23159) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (23195) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (23292) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (30929) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (31487) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (31528) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (71708) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2271631) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2271969) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2272030) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2272347) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2654995) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2655042) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2655082) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2655152) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2655237) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2656215) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2656334) snap.firefox.firefox /snap/firefox/2605/usr/lib/firefox/firefox (2657837) snap.firefox.firefox 0 processes are in complain mode. 0 processes are in prompt mode. 0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. ``` Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1016 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-05-18 16:59:08 +00:00
John Johansen	f629340d1b	Merge chromium_browser: Inherit updates from apparmor-profiles repo Bring in updates and improvements that have been made to the Chromium profile at `apparmor-profiles/ubuntu/20.04/usr.bin.chromium-browser`. The changes are largely as follows: * Use `@{pid}` or `@{tid}` instead of `[0-9]` Use the discrete `lsb_release` profile instead of a subprofile * Add a few additional libraries to the `sandbox` subprofile Once this is in, the Chromium profiles in `apparmor-profiles` can be considered deprecated, and I would advise slating them for removal altogether. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1032 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: John Johansen <john@jjmx.net>	2023-05-18 16:57:59 +00:00
Christian Boltz	dec3815f07	Merge nscd: add permission to allow supporting unscd `unscd` is a drop-in replacement for `nscd` that uses the same binary location (`/usr/sbin/nscd`) and config file (`/etc/nscd.conf`). The `usr.sbin.nscd` profile only needs one additional permission to support it. ``` May 9 18:07:42 darkstar kernel: [ 2706.138823] audit: type=1400 audit(1683670062.580:839): apparmor="DENIED" operation="sendmsg" profile="nscd" name="/run/systemd/notify" pid=4343 comm="nscd" requested_mask="w" denied_mask="w" fsuid=125 ouid=0 ``` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1031 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-05-10 10:54:22 +00:00
Daniel Richard G	bd0d401b3d	nscd: add permission to allow supporting unscd May 9 18:07:42 darkstar kernel: [ 2706.138823] audit: type=1400 audit(1683670062.580:839): apparmor="DENIED" operation="sendmsg" profile="nscd" name="/run/systemd/notify" pid=4343 comm="nscd" requested_mask="w" denied_mask="w" fsuid=125 ouid=0	2023-05-10 00:31:06 -04:00
Daniel Richard G	4507bdc020	chromium_browser: Inherit updates from apparmor-profiles repo Bring in updates and improvements that have been made to the Chromium profile at apparmor-profiles/ubuntu/20.04/usr.bin.chromium-browser	2023-05-10 00:19:55 -04:00
Georgia Garcia	cb2292922d	utils: add io_uring python tool support Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:04:32 +02:00
Georgia Garcia	6c8331a7d0	libapparmor tests: add io_uring denied logs Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:04:32 +02:00
Georgia Garcia	eb801d8ccf	libapparmor: add support for tcontext on logparsing Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:04:32 +02:00
Georgia Garcia	feb5069f67	tests: add io_uring regression tests Note that the tests add the dependency of liburing. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:04:29 +02:00
Georgia Garcia	50dd41f920	parser: add io_uring simple tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:03:52 +02:00
Georgia Garcia	e5e920d178	parser: add parser support for io_uring mediation io_uring rules have the following format: io_uring [<access_mode>] [<label>], access_mode := 'sqpoll'\|'override_creds' label := 'label' '=' <target label> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-05-03 16:03:52 +02:00
Jon Tourville	c46bf8944a	Merge Check for newer mount options in regression test The mount options MS_LAZYTIME and MS_NOSYMFOLLOW were added in kernels 4.0 and 5.10, respectively. Update the mount test script and helper to skip testing those options if they are not available. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1024 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Jon Tourville <jon.tourville@canonical.com>	2023-05-03 11:40:32 +00:00
Jon Tourville	9a760def8d	Check for newer mount options in regression test The mount options MS_LAZYTIME and MS_NOSYMFOLLOW were added in kernels 4.0 and 5.10, respectively. Update the mount test script and helper to skip testing those options if they are not available. Signed-off-by: Jon Tourville <jon.tourville@canonical.com>	2023-05-03 08:51:28 +00:00
John Johansen	2434838136	aa-status: update man page with filter information Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-03 01:22:33 -07:00
John Johansen	09b35f836b	Merge Abstractions: better integration This is the first MR of a possibly very long list of MR in order to upstream stable abstraction & profiles previously tested in https://github.com/roddhjav/apparmor.d This first MR focuses on integrating abstraction completion from the `*.d` directory in [apparmor.d/abstractions](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/995 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-05-02 12:34:04 +00:00
John Johansen	5ff6686ea7	aa-status: rename filters so they have the filters. prefix To emphasize that the --mode --processs --profiles --pid options are filters rename them to --filter.mode --filter.processs --filter.profiles --filter.pid Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 03:06:36 -07:00
John Johansen	5453f985ba	aa-status: add support for prompt mode Support prompt mode. Note that the kernel uses "user" instead of "prompt" that policy uses. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:57:11 -07:00
John Johansen	c065570c6f	aa-status: Add filter for the executable Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:57:09 -07:00
John Johansen	a5852c41df	aa-status: add ability to filter on pid Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:55:45 -07:00
John Johansen	195877b732	fixup profile filter	2023-05-02 02:53:51 -07:00
John Johansen	016183cbf4	aa-status: add profile filter Extend filtering to be able to screen for different profiles by name Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:45:49 -07:00
John Johansen	ee66319d0b	aa-status: Make filtering more generic In preparation for more filters than just mode prepare a basic filtering infrastructure. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:45:01 -07:00
John Johansen	33464a7a3f	aa-status: allow filtering processes and profiles based on mode Add the basic infrastructure for adding regex based filters and allow filtering process and profiles by mode based on a user supplied filter. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:38:50 -07:00
John Johansen	840807cacc	aa-status: add a --show flag So that the user can control the set of data being shown add a --show flag. Currently it allows showing all profiles processes Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:38:50 -07:00
John Johansen	6b902047c9	aa-status: add --count flag In prepartaion for greater control over dispaly and counting add a count flag. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:38:50 -07:00
John Johansen	ed62eeba75	aa-status: convert to using options instead of directly calling fns In preparation for new options and controls, split detailed_output() into detailed_profiles() and detailed_processes() and This switch the output processing to one larger pass that uses option flags. This doesn't change current behavior and is in not as clean as the current code for the current option set. However it will allow us to easily add new options in one place and have them apply correctly every where. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-05-02 02:38:43 -07:00
John Johansen	59b4109a8b	Merge fix af_unix tests for v8 networking. The unix network tests are not being run on a v8 network capable kernel. Under v8 there needs to be some adjustments to the tests because unix rules get downgraded to the socket rule ```network unix,``` which does not have the same set of conditionals or fine grained permissions, meaning some tests that would fail under af_unix (like missing permission tests) will pass under v8 network rules. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/893 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-05-01 12:10:10 +00:00
John Johansen	c37be61d17	Merge Issue 312: added missing kernel mount options This patch adds the following mount options: 'nostrictatime', 'lazytime', and 'nolazytime'. The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was listed along with 'strictatime' in the comments of parser/mount.cc, so this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME. Additionally, the Linux kernel includes the 'lazytime' option with MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to parser/mount.h and the corresponding mappings in parser/mount.cc for 'lazytime' and 'nolazytime'. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1005 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-27 17:14:29 +00:00
John Johansen	f3d5531516	regression tests: make mount regression tests report skipped options Don't silently skip options so that we know what is being tested. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 05:50:09 -07:00
John Johansen	89bc617d0d	parser: fix conflicting mnt flag values message to have a space The conflicting flags value message was hard to read conflicting flag value = lazytimenolazytime change it to conflicting flag values = lazytime, nolazytime Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 04:05:44 -07:00
John Johansen	b51602233d	docs apparmor.d: add missing mount options to man page Add the missing options nostrictatime, lazytime, and nolazytime to the apparmor.d manpage. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 04:05:44 -07:00
John Johansen	cfb77309d6	parse tests: add parse tests for missing mount options add simple parsing tests for nostrictatime, lazytime, nolazytime Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 04:05:44 -07:00
Oliver Calder	231c469d86	parser: added `nosymfollow` mount option Adds the corresponding `MS_NOSYMFOLLOW` flag to parser/mount.h as well, defined as (1 << 8) just as in the util-linux and the kernel. Signed-off-by: Oliver Calder <oliver.calder@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 03:21:26 -07:00
Oliver Calder	257b3cfbf6	Added MS_LAZYTIME to MS_ALL_FLAGS Signed-off-by: Oliver Calder <oliver.calder@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 03:20:34 -07:00
Oliver Calder	bc64b824fa	Issue 312: added missing kernel mount options This patch adds the following mount options: 'nostrictatime', 'lazytime', and 'nolazytime'. The MS_STRICTATIME mount flag already existed, and 'nostrictatime' was listed along with 'strictatime' in the comments of parser/mount.cc, so this patch adds a mapping for 'nostrictatime' to clear MS_STRICTATIME. Additionally, the Linux kernel includes the 'lazytime' option with MS_LAZYTIME mapping to (1<<25), so this patch adds MS_LAZYTIME to parser/mount.h and the corresponding mappings in parser/mount.cc for 'lazytime' and 'nolazytime'. Signed-off-by: Oliver Calder <oliver.calder@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 03:20:34 -07:00
John Johansen	a455b50c66	aa-status: allow profile/process counts to go to a file Make it so the output options that count profiles and processes can be output to a file. This does not add a user option to do so Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 01:45:59 -07:00
John Johansen	66279ea1c7	aa-status: allow pretty printed json to go to somewhere other than stdout Add basic enablement (but no option yet) to send pretty printed json to a specified file. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 01:45:59 -07:00
John Johansen	508f9184ea	aa-status: split file output from whether json is being produced For detailed output split up where output is going from whether json is being produced. This also allows none json output to go to a file. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 01:45:59 -07:00
John Johansen	4858110480	aa-status: fix indentation Make sure indentation conforms to the linux kernel style guide that we use. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 01:45:59 -07:00
John Johansen	ce13b28154	aa-status: switch commands dispatch to get_opt_long To allow for a richer command set switch arg handling to use get_opt_long. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-27 01:45:59 -07:00
John Johansen	cacb812b58	Merge parser: fix chfa quivalence class handling The chfa equivalence class shouldn't be a reference. Its needs to actually exist and be part of the class during later method calls. As a reference it leads to bad references when used later. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1015 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-04-26 06:22:54 +00:00
John Johansen	e6e5e7981f	Merge expand mount tests MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1006 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 13:55:03 +00:00
Georgia Garcia	608c8a1966	tests: fix profile generation for multiple qualifiers When the replacement regex for multiple qualifiers matches, the capture group variables ($1, $2, etc) are overwritten to match the most recent regex. Since there are no capture groups in the 's/,/ /g' regex, then $2 was empty, causing an error on policy generation. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-04-25 10:08:21 -03:00
Georgia Garcia	689e0c5ed0	tests: add options to mount tests This improvement only includes filesystem-independent mount options. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-04-25 10:08:21 -03:00
John Johansen	f8117a384f	parser: fix chfa quivalence class handling The chfa equivalence class shouldn't be a reference. Its needs to actually exist and be part of the class during later method calls. As a reference it leads to bad references when used later. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-04-25 05:55:34 -07:00
John Johansen	0e83933fa8	Merge Drop `profile_` filename prefix for named profiles Historically, if you create a `profile foo /bin/foo` with aa-logprof (by choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo` This patch drops the `profile_` filename prefix so that the filename will be `/etc/apparmor.d/foo` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1014 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 02:29:44 +00:00
John Johansen	30dd1cec42	Merge Fix error when choosing named exec with plane profile names When a user choooses to execute to a named profile (not: named child), make sure to get the profile filename in the correct way to avoid a crash. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314 I propose this patch for 2.13..master. (Note: I verified that the bug already exists in 2.13, and that this patch fixes it.) Closes #314 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1013 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 02:28:28 +00:00
John Johansen	46c8dbe886	Merge CI: check extra profiles for local/ includes MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1012 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 02:27:00 +00:00
John Johansen	fa86a7f1d9	Merge abstractions/freedesktop.org: allow custom cursors ... by allowing to read all files below ~/.icons instead of only the directory listing. I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1008 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 02:24:50 +00:00
John Johansen	be9c0937dc	Merge Cleanup parser frontend in preparation for extended permissions The parser front end is inconsistent about how it handles permissions and rules. This makes extending the permission set and fixing inconsistencies between say file and af_unix rules difficult and prone to failures. This is a set of work to cleanup the frontend parse handling, and middle semantic checks, dedup, and processing of rules and their permissions. It also is starting to lay the ground work for the parser retaining more information to output better error, and debug messages. Signed-off-by: John Johansen <john.johansen@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/802 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-04-25 02:15:53 +00:00
Christian Boltz	d4bcd50c5a	Drop `profile_` filename prefix for named profiles Historically, if you create a `profile foo /bin/foo` with aa-logprof (by choosing "named exec"), it will be saved as `/etc/apparmor.d/profile_foo` This patch drops the `profile_` filename prefix so that the filename will be `/etc/apparmor.d/foo`	2023-04-23 19:27:11 +02:00
Christian Boltz	103be8e14b	Fix error when choosing named exec with plane profile names When a user choooses to execute to a named profile (not: named child), make sure to get the profile filename in the correct way to avoid a crash. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/314	2023-04-23 14:49:35 +02:00
Christian Boltz	5bb867dbc0	Merge Add profile for rpcbind Noticed that this externally-visible service was not confined, so I put together a profile for it. Please backport to `apparmor-3.[01]` if it looks good! MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1011 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-04-19 20:15:51 +00:00
Christian Boltz	3ddb1677dd	CI: check extra profiles for local/ includes	2023-04-18 22:43:00 +02:00
Daniel Richard G	408e148109	Add profile for rpcbind	2023-04-18 16:35:34 -04:00
Christian Boltz	954b11fc50	abstractions/freedesktop.org: allow custom cursors ... by allowing to read all files below ~/.icons instead of only the directory listing.	2023-04-16 16:00:27 +02:00
Christian Boltz	8d9985ac0b	Merge abstractions/base: allow reading tzdata ICU zoneinfo DB This is used by various applications including libreoffice etc so it may as well be added to the base abstraction along with the existing zoneinfo DB access. AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Signed-off-by: Alex Murray <alex.murray@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1007 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-04-11 19:21:08 +00:00
Alex Murray	c691b11d6e	abstractions/base: allow reading tzdata ICU zoneinfo DB This is used by various applications including libreoffice etc so it may as well be added to the base abstraction along with the existing zoneinfo DB access. AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 Signed-off-by: Alex Murray <alex.murray@canonical.com>	2023-04-06 11:50:06 +09:30
John Johansen	1fc38dbd2a	regression tests: switch from bashism == to posix str comparison = the == string comparison is a bashism. switch to posix supported = Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 20:34:21 -07:00
John Johansen	f47d5c70a3	fix af_unix tests for v8 networking. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 20:27:52 -07:00
John Johansen	90b3b5e572	Merge Format aa-notify to follow PEP-8 Update (most of the) code and inline comments/docstrings to follow https://peps.python.org/pep-0008/ so that future maintenance is slightly easier. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/996 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-01 03:20:07 +00:00
John Johansen	7fa20770db	Merge tunables/etc: Improve comments which variable to use The description of @{etc_ro} and @{etc_rw} were not good enough in explaining which directories they should contain, and when to use which of the variables in a profile. I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1000 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-01 03:17:28 +00:00
John Johansen	cf6539b217	Merge Ignore 'x' in mixed file mode log events Probably thanks to O_MAYEXEC, denials for file access can now contain a mix of x (exec) and other file permissions. The actual exec should appear in a separate "exec" log event, therefore ignore 'x' in file events for now if it's mixed with other permissions. Note that file events ("open", "link" etc.) that contain denied_mask="x" without another permission will still cause an error. (So far, this hasn't been seen in the wild.) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303 Also add the log line from the bugreport and the (for now) expected result as test_multi testcase. I propose this patch for all branches. Closes #303 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1001 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-04-01 03:13:23 +00:00
John Johansen	6f65faa164	Merge syslogd: allow reading /dev/kmsg Fixes: https://gitlab.com/apparmor/apparmor/-/issues/307 I propose this patch for master and 3.x (the profile in 2.13 is very different which makes automatic merging impossible) Closes #307 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1003 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2023-04-01 03:07:00 +00:00
John Johansen	e6e3f44ff9	parser: cleanup: drop unused add_local_entry and associated vars The code for add_local_entry is actually currently unused and will have to change anyways by the time it is. Some drop it and the associated variables. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	68421547a1	refactor prefix and x check during parser Reduce duplicate code and another step towards converting file rules to rule_t Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	9eb23475de	parser: refactor rules parser for a common block Another step towards having a block rule and retaining parsed rule structure. Setup the parse to use a common block pattern, that when we are ready will become an actual rule. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	dad26e6cd2	parser: add a method for profiles to do rule merging In preparation for file rules converting to use rule_t add a method to do rule merging. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	8470760e85	parser: add an integer based rule comparison that can be used by merge Instead of call operator< twice for merge have an integer based comparison fn. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	b061155c9a	parser: add flags to rule_t In preparation for file rules and rule duplication removal add flags to rule_t with the first flag indicating if the rule is deleted. We do this instead of actually deleting the rule so we can hold on to the rule for debug and printing output in the future. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	1acc90e06a	parser: add method to test if rules are mergeable/dedupable. in preparation for file rules switching to rule_t add a method to indicate whether a particular rule is mergeable/dedupable. Whether a rule merges or dedups will be up to the rules comparison and merge methods. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	e248014171	parser: carry a rule_t on all rules not just rules that have a class In preparation for rule comparison and elemination have each rule carry a type that can be used as the base of comparison. The rule class is folded into this type. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	a2d56c3c74	parser: consolidate rule class handling into aa_class Instead of having each rule individually handle the class info introduce a class_rule_t into the hierarchy and consolidate. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	30206fc11e	Fix add prefix to cover more cases and prep for AUDIT_QUIET Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	b3bb74c33c	parser: convert valid_prefix and add_prefix to use const The prefix can passed as a parameter can be const so it should be. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:19 -07:00
John Johansen	355730d8c7	parser: convert deny flag from bool to rule_mode We need to be able to support more rule types than allow and deny so convert to an enum. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:21:11 -07:00
John Johansen	f76d134b6c	parser: convert subset flag to a bool Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:17:28 -07:00
John Johansen	c36d4e9c03	parser: make alias_ignore a bool Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:17:28 -07:00
John Johansen	10a75c431f	parser: rename post_process() method and move code around The post_process() method is misnamed, it fires when the profile is finished parsing but fires before variable expansion. Rename it to better reflect what it does and move the trigger code into profile as a start of cleaning this stage up. Also document the order the hooks fire in Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:17:28 -07:00
John Johansen	28ae20983b	parser: further reduce duplication of prefix rule parsing The previous patch enable the prefix based rules all to use the same code pattern. Group them together Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:17:28 -07:00
John Johansen	d371458533	parser: make base classes for rules using prefixes and perms and use them Cleanup the parse code by making shared prefix and perms classes for rules and convert rules to use them. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:17:26 -07:00
John Johansen	fdf5b062a9	parser: fixup audit struct to audit enum This removes the struct wrapper used in the previous patch to ensure that all uses are properly converted. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:12:35 -07:00
John Johansen	7a318d99f2	parser: convert audit from bool to enum Audit control support is going to be extended to support allowing policy to which rules should quiet auditing. Update the frontend internals to prepare for this. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 02:08:20 -07:00
John Johansen	134e95f783	parser: fixup remove struct from the audit bool conversion This removes the struct wrapper used in the previous patch to ensure that all uses are properly converted. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 01:08:25 -07:00
John Johansen	44f3be091a	parser: convert the stored audit from a bit mask to a bool This delays the convertion of the audit flag until passing to the backend. This is a step towards fix the parser front end so that it doesn't use encoded permission mappings. Note: the patch embedds the bool conversion into a struct to ensure the compiler will fail to build unless every use is fixed. The struct is removed in the following patch. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-31 01:05:29 -07:00
Otto Kekäläinen	fff72ed4c4	Format aa-notify to follow PEP-8 Update (most of the) code and inline comments/docstrings to follow https://peps.python.org/pep-0008/ so that future maintenance is slightly easier. Continue to keep long lines as splitting them does not always improve the code readability.	2023-03-30 22:30:34 -07:00
Christian Boltz	a724c79483	Ignore 'x' in mixed file mode log events Probably thanks to O_MAYEXEC, denials for file access can now contain a mix of x (exec) and other file permissions. The actual exec should appear in a separate "exec" log event, therefore ignore 'x' in file events for now if it's mixed with other permissions. Note that file events ("open", "link" etc.) that contain denied_mask="x" without another permission will still cause an error. (So far, this hasn't been seen in the wild.) Fixes: https://gitlab.com/apparmor/apparmor/-/issues/303 Also add the log line from the bugreport and the (for now) expected result as test_multi testcase.	2023-03-30 13:30:33 +02:00
Christian Boltz	2d213ecdc9	syslogd: allow reading /dev/kmsg Fixes: https://gitlab.com/apparmor/apparmor/-/issues/307	2023-03-29 22:17:49 +02:00
John Johansen	4fd1f97102	parser: rename mount->allow to mount->perms and switch to perm_t Make mount permission set consistent with the other rule types. This is a step towards refactoring. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-29 10:52:31 -07:00
John Johansen	6f5dc0e176	parser: Don't merge rules based on audit flags This is a step towards restructuring how "audit" is handled so we can add quiet support and push mapping of audit bits later. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-29 10:45:44 -07:00
John Johansen	fd9a6fe133	parser: int mode to perms Move from using and int for permissions bit mask to a perms_t type. Also move any perms mask that uses the name mode to perms to avoid confusing it with other uses of mode. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-29 10:45:44 -07:00
John Johansen	b255ff8831	parser: cleanup Makefile header dependencies Recent work on the parser has surfaced missing header dependencies and other issues. Cleanup up and simplify the dependencies so it is harder to break them. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-29 10:45:44 -07:00
John Johansen	c1a1a3a923	Merge Fix mount rules encoding This is a partial fix for CVE-2016-1585, it address the frontend rule encoding problems particularly - Permissions being given that shouldn't happen - Multiple option conditionals in a single rule resulting in wider permission instead of multiple rules - optional flags not being handled correctly - multiple backend rules being created out of one frontend rule when they shouldn't be it does not address the backend issue of short cut permissions not being correctly updated when deny rules carve out permissions on an allow rule that has a short cut permission in the encoding. Thanks to the additional work by Alexander Mikhalitsyn for beating this MR into shape so we can land it Alexander Changelog: - rebased to an actual tree - addressed review comments from @wbumiller and @setharnold - fixed compiler warnings about class_mount_hdr is uninitialized - infinite loop fix - MS_MAKE_CMDS bitmask value fixed - fixed condition in `gen_flag_rules` to cover cases like `mount options in (bind) /d -> /4,` when flags are empty and only opt_flags are present - marked some tests as a FAIL case behavior was changed after `parser: add conflicting flags check for options= conditionals` commit MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/333 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-03-29 17:36:00 +00:00
Christian Boltz	e8e6476487	tunables/etc: Improve comments which variable to use The description of @{etc_ro} and @{etc_rw} were not good enough in explaining which directories they should contain, and when to use which of the variables in a profile.	2023-03-29 14:21:17 +02:00
John Johansen	05595eccda	Merge parser: fix definitely and possibly lost memory leaks MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/992 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-03-29 03:19:57 +00:00
Alexander Mikhalitsyn	4b7e868e54	parser: simple_tests: mount: mark ok_[16-19] tests as bad These tests contains incompatible mount options and broken after ("parser: add conflicting flags check for options= conditionals") Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 20:07:05 -07:00
John Johansen	f09676f5f9	parser: fixup gen_flag_rules gen_flag_rules has a boolean vs bit and case where parenthesis are helpful to express the intended order of operations. It also doesn't handle the case where there are no matches. Fix this by causing that case to fail. also improve the debug of option extraction. Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-28 20:06:58 -07:00
John Johansen	1ec39fd437	parser: support multiple mount conditionals in a single rule Now that flag processing for mount rules with single option conditionals are fixed e-enable multiple mount conditionals on a single mount rule. The mount conditionals are equivalent to specifying multiple rules. mount options=(a,b,c) options=(c,d), is the same as mount options=(a,b,c), mount options=(c,d), and mount options in (a,b,c) options in (c,d), is the same as mount options in (a,b,c), mount options in (c,d), when multiple options= and options in are combined in a single rule it is the same as the cross product of the options. where mount options=(a,b,c) options in (d,e), is a single rule. mount options=(a,b,c) options=(d,e) options in (f), is equivalent to mount options=(a,b,c) options in (f), mount options=(d,e) options in (f), and while it is not recommended that multiple options= and options in conditions be used in a single rule. mount options=(a,b,c) options=(d,e) options in (f) options in (g), is equivalent to mount options=(a,b,c) options in (f), mount options=(a,b,c) options in (g), mount options=(d,e) options in (f), mount options=(d,e) options in (g), Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to `bba1a023bf` - fixed infinite loop in mnt_rule::gen_policy_re Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 20:05:15 -07:00
John Johansen	ecfaf73300	parser: add conflicting flags check for options= conditionals Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to `bba1a023bf` - after this commit tests mount/ok_[16-19].sd are failing, but it's correct Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 14:58:06 -07:00
John Johansen	300889c3a4	parser: fix option flag processing for single conditional rules The combined optional flag and exact match flag processing is problematic separate out the optional flag processing so it is only combined during match string generation. While doing so we fix the flag output so that multiple rules are not output when they shouldn't be. In addition we temporarily break multiple options= and 'options in' conditionals in a single rule, which we will fix in a separate patch. Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to `bba1a023bf` - made tests happy by changing condition in gen_policy_re() Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 14:57:11 -07:00
John Johansen	ae1950b004	Cleanup mount commands flag masking for policy generation Simplify flag masking and fix the MS_MAKE_CMDS flag set. This is a step in fixing Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to `bba1a023bf` - fixed MS_MAKE_CMDS definition to the correct one. We shouldn't add (MS_ALL_FLAGS & ~(MNT_FLAGS)) to this bitmask. Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 14:44:44 -07:00
John Johansen	206d199a07	Rework mount rule to specicial case multiple rule generation A step in cleaning up mount rule generation, split out the handling of mount rules that imply multiple rules to make it easier to see what is going on. Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-03-28 14:42:36 -07:00
John Johansen	f17e43392b	refactor: mount gen_policy_re Do a minimal code refactoring (ie. no functional changes, just moving code,adding boiler plate and glue) in preparation to fix bug https://bugs.launchpad.net/apparmor/+bug/1597017 Bug Link: https://bugs.launchpad.net/apparmor/+bug/1597017 Signed-off-by: John Johansen <john.johansen@canonical.com> - rebased to `bba1a023bf` - fixed compiler warnings: <built-in>: In member function ‘int mnt_rule::gen_policy_new_mount(Profile&, int&, unsigned int, unsigned int)’: <built-in>: note: by argument 1 of type ‘const char’ to ‘long unsigned int __builtin_strlen(const char)’ declared here mount.cc:880:14: note: ‘class_mount_hdr’ declared here 880 \| char class_mount_hdr[64]; Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>	2023-03-28 14:41:29 -07:00
Alexandre Pujol	197f94244f	abstractions: vulkan, remove redundant directory listing.	2023-03-28 21:54:55 +01:00
Georgia Garcia	df1425f018	Merge .gitlab-ci.yml: add support to run coverity Run coverity from the CI. It only runs on a branch called "coverity" because of ``` only: refs: - coverity ``` Based on https://www.synopsys.com/blogs/software-security/integrating-coverity-scan-with-gitlab-ci/ MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/998 Approved-by: John Johansen <john@jjmx.net> Approved-by: Steve Beattie <gitlab@nxnw.org> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-03-28 19:14:48 +00:00
Georgia Garcia	904b733948	Merge tests: force dbus-daemon to generate an abstract socket dbus 1.14.4 changed the behavior of unix:tmpdir to be equivalent to unix:dir, which cases dbus-daemon to generate path based sockets, instead of the previous abstract sockets. [1] In this change we force dbus-daemon to generate an abstract socket by specifying the abstract socket address in the command. [1] https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.14/NEWS#L64 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/999 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-03-28 14:23:01 +00:00
Georgia Garcia	53d4e341e1	tests: force dbus-daemon to generate an abstract socket dbus 1.14.4 changed the behavior of unix:tmpdir to be equivalent to unix:dir, which cases dbus-daemon to generate path based sockets, instead of the previous abstract sockets. [1] In this change we force dbus-daemon to generate an abstract socket by specifying the abstract socket address in the command. [1] https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.14/NEWS#L64 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-03-27 16:11:36 -03:00
Georgia Garcia	ae347d07fb	.gitlab-ci.yml: add support to run coverity Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-03-27 10:40:30 -03:00
Alexandre Pujol	bae7ed797e	abstractions: add nvidia profiles path & nvidia-xdriver. From: https://github.com/roddhjav/apparmor.d	2023-03-25 13:07:30 +00:00
Alexandre Pujol	b67a265de0	abstractions: gtk needs more path access. From: https://github.com/roddhjav/apparmor.d	2023-03-25 13:06:41 +00:00
Alexandre Pujol	1f0721b0ba	abstractions: add support for locally installed python lib. From: https://github.com/roddhjav/apparmor.d	2023-03-25 13:06:12 +00:00
Alexandre Pujol	745b176926	abstractions: dbus session improvement. - Add full access to unix stream over /tmp/dbus-* - Add at-spi dbus support From: https://github.com/roddhjav/apparmor.d	2023-03-25 13:04:44 +00:00
Alexandre Pujol	a8d392a204	abstractions: minor directory access fixes. From: https://github.com/roddhjav/apparmor.d	2023-03-25 13:02:48 +00:00
Georgia Garcia	3c033606e4	parser: fix definitely and possibly lost memory leaks Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-03-16 18:03:57 -03:00
Christian Boltz	bba1a023bf	Merge several fixes for samba-related profiles and the kerberos abstraction See the individual commits for details. Signed-off-by: Noel Power <noel.power@suse.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/989 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-03-14 20:03:01 +00:00
Christian Boltz	ff9bac7169	Merge Defer logger string formatting This MR continues #280 work by deferring string formatting in logger calls. `logging.Logger` logging methods accept a message as well as message format arguments (relevant Python documentation links: [1](https://docs.python.org/3/library/logging.html#logging.Logger.debug), [2](https://docs.python.org/3/howto/logging.html#optimization)). This allows for deferred message formatting: the logger will only format a message if its respective logging level is enabled. In this MR, `DebugLogger` methods are given `*args` parameters to allow for deferred string formatting, and `DebugLogger` method calls are changed to take advantage of this new feature. Note that although `logging.Logger` uses printf-style formatting, it internally handles this style's [quirks](https://docs.python.org/3/library/stdtypes.html#printf-style-string-formatting). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/990 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-03-06 21:36:13 +00:00
Mark Grassi	37ef82fc51	Defer logger string formatting	2023-03-05 20:42:28 -05:00
Noel Power	e5654f1f81	prevent rename_src requesting 'r' access DENIES messages nmbd, windbind & smbd all trigger apparmor="DENIED" operation="rename_src" profile="/usr/sbin/nmbd" name="/var/log/samba/log.nmbd type messages. Signed-off-by: Noel Power <noel.power@suse.com>	2023-03-03 11:53:55 +00:00
Noel Power	0593a035f5	add kerberosclient to included abstractions for winbindd prevent messages like apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/winbindd" name="/usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so" pid=2798 comm="winbindd" requested_mask="m" denied_mask="m" fsuid=52311 ouid=0 Signed-off-by: Noel Power <noel.power@suse.com>	2023-03-03 11:47:38 +00:00
Noel Power	6e94794c68	Update kerberosclient abstraction for access to authdata directory For example winbindd when configured on a samba system using sssd can trigger apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/winbindd" name="/usr/lib64/krb5/plugins/authdata /sssd_pac_plugin.so" pid=2798 comm="winbindd" requested_mask="m" denied_mask="m" fsuid=52311 ouid=0 Signed-off-by: Noel Power <noel.power@suse.com>	2023-03-03 11:43:45 +00:00
Noel Power	b4f5414882	adjust winbindd profile to cater for sssd kdcinfo access winbindd (with nsswitch sssd configuration) is now getting type=AVC msg=audit(1677832823.657:119): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/lib/sss/pubconf/kdcinfo.TESTDOMAIN1.MY.COM" pid=3026 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Signed-off-by: Noel Power <noel.power@suse.com>	2023-03-03 11:40:17 +00:00
John Johansen	b8a14e29b7	Bump library version to keep in sync with 3.1.3 library version change Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-02-27 17:32:42 -08:00
Christian Boltz	d420a7ee3e	Merge Update samba profiles # profiles/apparmor.d/samba: allow access to pid files directly in /run/ On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`. apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 The same is true for `nmbd.pid`, `smbd.pid` and probably others too. # samba-dcerpcd requires access to `/var/cache/samba/names.tdb`. audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0 See also https://bbs.archlinux.org/viewtopic.php?id=281411 Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd` has similar ones, simply add `/var/cache/samba/.tdb rwk` to `abstractions/samba`. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/987 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-02-27 19:31:59 +00:00
nl6720	6f0d2ef7fe	profiles/apparmor.d/samba*: allow access to pid files directly in /run/ On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`. apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 The same is true for `nmbd.pid`, `smbd.pid` and probably others too.	2023-02-27 15:07:35 +02:00
nl6720	763c4ecd23	profiles/apparmor.d/abstractions/samba: allow modifying /var/cache/samba/.tdb samba-dcerpcd requires access to `/var/cache/samba/names.tdb`. audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0 See also https://bbs.archlinux.org/viewtopic.php?id=281411 Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd` has similar ones, simply add `/var/cache/samba/.tdb rwk` to `abstractions/samba`.	2023-02-27 13:26:23 +02:00
John Johansen	f223ed063e	Merge abstractions/openssl: allow reading /etc/ssl/openssl-*.cnf openSUSE Tumbleweed uses /etc/ssl/openssl-1_1.cnf to make the migration to openssl 3 possible. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911 I propose this patch for at least 3.1 and master, ideally for all branches (as long as it can easily be merged) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/984 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-26 01:02:24 +00:00
Christian Boltz	853be0b716	Merge Improve Python string formatting This MR continues #280 work by changing string formatting in Python tests. `str.format()` is now used in places where bracket escapes are not necessary. In places where escapes would be necessary, I've ensured that format arguments are tuple-guarded. I also fixed some potential future bugs that I noticed in the process: - mutable default arguments that were luckily not being mutated - a tuple missing a comma that conveniently functioned properly because `iter('_')` and `iter(('_',))` are effectively the same Additionally, I fixed one current bug in the process: - `dict.keys()` no longer returns a list in Python 3, so you can no longer call `.sort()` on its return value I figured that the bug fixes are small enough that they don't deserve separate MRs, but if you disagree then I will happily split this up. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/985 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-02-23 21:25:46 +00:00
Mark Grassi	cc7f8fb4d6	Fix AttributeError caused by Python 3 migration	2023-02-19 17:18:08 -05:00
Mark Grassi	2742d1f1ee	Replace mutable default arguments in utils	2023-02-19 17:17:35 -05:00
Mark Grassi	2be41315e7	Add missing comma to tuple	2023-02-19 17:13:15 -05:00
Mark Grassi	14e01b5d73	Replace mutable default arguments in tests	2023-02-19 17:12:30 -05:00
Mark Grassi	844a4dc393	Change string formatting method in Python tests	2023-02-19 16:54:38 -05:00
Christian Boltz	d713f75086	Merge abstractioms/nvidia: add new cache directory Some applications (like Firefox or Steam, but for some reason not glxgears) now writes to ~/.cache/nvidia/*: ``` type=AVC msg=audit(1676115846.764:605): apparmor="DENIED" operation="open" profile="firefox" name="/home/vincas/.cache/nvidia/GLCache/2c0cfcdab4d7b05f8130d8f ba8838943/ec9a05ca3988cfd1/1fee83e04c0ea4d8.toc" pid=26827 comm="firefox" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="v incas" ``` ``` type=AVC msg=audit(1676134465.264:2166): apparmor="DENIED" operation="open" profile="steam" name="/home/vincas/.cache/nvidia/GLCache/95f6d95b1adf9af310bc94af5f19e509/6b24ef0587ddc7e4/23b502f99abb563c.toc" pid=56082 comm="steam" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="vincas" ``` Update nvidia abstraction to allow create caches in .cache subdirectory. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/982 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-02-16 17:40:44 +00:00
Vincas Dargis	15b92cd2ee	abstractioms/nvidia: add new cache directory Some applications (like Firefox or Steam, but for some reason not glxgears) now writes to ~/.cache/nvidia/*: ``` type=AVC msg=audit(1676115846.764:605): apparmor="DENIED" operation="open" profile="firefox" name="/home/vincas/.cache/nvidia/GLCache/2c0cfcdab4d7b05f8130d8f ba8838943/ec9a05ca3988cfd1/1fee83e04c0ea4d8.toc" pid=26827 comm="firefox" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="v incas" ``` ``` type=AVC msg=audit(1676134465.264:2166): apparmor="DENIED" operation="open" profile="steam" name="/home/vincas/.cache/nvidia/GLCache/95f6d95b1adf9af310bc94af5f19e509/6b24ef0587ddc7e4/23b502f99abb563c.toc" pid=56082 comm="steam" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000^]FSUID="vincas" OUID="vincas" ``` Update nvidia abstraction to allow create caches in .cache subdirectory.	2023-02-16 19:31:31 +02:00
Christian Boltz	94d2faab71	Merge nvidia_modprobe: update for driver families and /sys path Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ \| grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" \| sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to this these denials. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/983 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-02-14 18:39:10 +00:00
Christian Boltz	4188d2b7a5	abstractions/openssl: allow reading /etc/ssl/openssl-*.cnf openSUSE Tumbleweed uses /etc/ssl/openssl-1_1.cnf to make the migration to openssl 3 possible. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1207911	2023-02-14 19:05:40 +01:00
Vincas Dargis	8e50c351e1	nvidia_modprobe: update for driver families and /sys path Debian have split NVIDIA drivers into current, tesla and legacy: ``` $ apt-file search /etc/nvidia/ \| grep -P -o -e "(?<=/etc/nvidia/).[^/]*/" \| sort -u current/ current-open/ legacy-340xx/ legacy-390xx/ tesla/ tesla-418/ tesla-450/ tesla-460/ tesla-470/ tesla-510/ ``` These paths are used by nvidia_modprobe -> kmod: ``` type=AVC msg=audit(1676135718.796:2592): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-blacklists-nouveau.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2593): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-options.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1676135718.796:2594): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/etc/nvidia/tesla-470/nvidia-modprobe.conf" pid=62094 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Also, additional /sys path is accessed: ``` type=AVC msg=audit(1676136251.680:2956): apparmor="DENIED" operation="open" profile="nvidia_modprobe//kmod" name="/sys/module/drm/initstate" pid=63642 comm="modprobe" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update nvidia_modprobe profile to this these denials.	2023-02-11 19:42:58 +02:00
John Johansen	3e89b4aab2	Merge postfix-tlsmgr: allow reading openssl.cnf Seen/needed on openSUSE Tumbleweed I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/981 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-09 08:16:51 +00:00
John Johansen	a5dbb4f795	documentation: update policy layout document Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-02-07 10:45:46 -08:00
Christian Boltz	30679f7cc4	postfix-tlsmgr: allow reading openssl.cnf Seen/needed on openSUSE Tumbleweed	2023-02-07 12:48:33 +01:00
John Johansen	0298d8df25	Merge Check if extra profiles have a local/ include ... now that they all got it added. Also remove a superfluous backslash in another make target. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/980 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 18:15:11 +00:00
Christian Boltz	8a34439593	Check if extra profiles have a local/ include ... now that they all got it added. Also remove a superfluous backslash in another make target.	2023-02-02 13:33:58 +01:00
John Johansen	0ec11e385c	Merge rename firefox and chromium_browser profile files ... to just the basename and profile name. This also means to make the firefox and firefox.sh profiles named profiles. Note: in the `firefox.sh` profile, the local include was added just today, therefore I think changing it (instead of adding) should be fine. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/975 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 04:10:32 +00:00
John Johansen	238eb8150b	Merge Add abstractions/groff with lots of groff/nroff helpers contributed by Werner Fink via https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25 Note that - compared to the file in bugzilla - I removed the `rix` rules for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix, Px or Cx groff/nroff as they wish, and then include the abstraction inside the target profile to allow executing all the helpers. I also added `include if exists <abstractions/groff.d>` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 04:08:47 +00:00
John Johansen	cd023f486e	Merge Update utils/po/ with latest Launchpad translations This MR addresses step 1 of 6 in #280, i.e. merging Launchpad translations into `master`. Tests are currently failing in this branch due to newly-introduced hotkey conflicts. I therefore prefixed this MR's title with "Draft: " to prevent premature merging. How would you like these hotkey conflicts resolved? MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/966 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 04:04:00 +00:00
John Johansen	2c72dd5541	Merge avahi-daemon needs attach_disconnected ... for var/lib/nscd/passwd and var/lib/nscd/group I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 04:00:12 +00:00
John Johansen	5df8da3c37	Merge nscd: allow using systemd-userdb If systemd-userdb is used to configure some users, nscd needs to read the userdb files. See also https://www.freedesktop.org/software/systemd/man/nss-systemd.html for the list of possible filenames (and symlinks). Fixes: http://bugzilla.opensuse.org/show_bug.cgi?id=1207698 I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/977 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 03:55:23 +00:00
John Johansen	da7d3a2101	Merge Fix mode not being printed when debugging AF_UNIX socket rules. This was due to the values being defined in both af_unix and af_rule leaving the latter values unset. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/979 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-02-02 03:44:50 +00:00
Mark Grassi	4dd69ddd5b	Update utils/po/ with Launchpad translations revision #2507	2023-02-01 22:28:45 -05:00
Robert Ancell	618a2260a0	Fix mode not being printed when debugging AF_UNIX socket rules. This was due to the values being defined in both af_unix and af_rule leaving the latter values unset.	2023-02-02 11:10:04 +13:00
Georgia Garcia	608560ee43	Merge Fix spacing when printing out AF_UNIX addresses MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/978 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-02-01 13:35:38 +00:00
Robert Ancell	22b1267b6e	Fix spacing when printing out AF_UNIX addresses	2023-02-01 12:38:09 +13:00
Christian Boltz	cb83ab5163	nscd: allow using systemd-userdb If systemd-userdb is used to configure some users, nscd needs to read the userdb files. See also https://www.freedesktop.org/software/systemd/man/nss-systemd.html for the list of possible filenames (and symlinks). Fixes: http://bugzilla.opensuse.org/show_bug.cgi?id=1207698	2023-01-30 12:26:31 +01:00
Christian Boltz	d1fd198473	rename firefox and chromium_browser profile files ... to just the basename and profile name. This also means to make the firefox and firefox.sh profiles named profiles.	2023-01-30 12:06:13 +01:00
Christian Boltz	8895e00ef1	Merge Ensure all profiles in extras/ have optional local include + comment Recently got bitten by `usr.sbin.lighttpd` not having the local include, so I figured I'd bring all the `extras/` profiles up to parity. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/974 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-01-30 10:16:06 +00:00
Daniel Richard G	d0e32a326f	Ensure all profiles in extras/ have optional local include + comment	2023-01-30 00:54:30 -05:00
Christian Boltz	2ae2096cdf	Add abstractions/groff with lots of groff/nroff helpers contributed by Werner Fink via https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25 Note that - compared to the file in bugzilla - I removed the `rix` rules for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix, Px or Cx groff/nroff as they wish, and then include the abstraction inside the target profile to allow executing all the helpers. I also added `include if exists <abstractions/groff.d>`	2023-01-29 18:09:18 +01:00
Christian Boltz	ab3c26df9b	avahi-daemon needs attach_disconnected ... for var/lib/nscd/passwd and var/lib/nscd/group	2023-01-29 16:25:25 +01:00
Christian Boltz	478f2fb3fc	Merge Improve utils translation hotkey handling and test * Improve utils hotkey handling * Ensure all languages are always tested and all subprocesses run successfully. Picked from https://gitlab.com/apparmor/apparmor/-/merge_requests/966 (by Mark Grassi) so that code and translation changes are in separate MRs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/971 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-01-29 14:51:15 +00:00
Mark Grassi	e188195344	Improve utils hotkey handling	2023-01-29 13:33:44 +01:00
Mark Grassi	e554fe9fd4	Improve utils translation hotkey test Ensure all languages are always tested and all subprocesses run successfully.	2023-01-29 13:28:10 +01:00
John Johansen	8bf2cd3979	update WIP dfa documentation Signed-off-by: John Johansen <john.johansen@canonical.com>	2023-01-24 16:30:09 -08:00
John Johansen	5fd8c25745	Merge Fix: Opening links with Brave Resolves #292. This fix is the same as !830 but for Brave. Opening links in Brave now works as intended. Note that now a separate denial is caused, related to WidevineCDM, is produced: ``` [ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object) ``` In the syslog: ``` audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100 ``` I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR. If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin: ``` audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21 capname="sys_admin" ``` which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024). Closes #292 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-24 21:42:25 +00:00
John Johansen	a96fa35bd5	Merge libapparmor: add scanner support for dbus method In the [merge request that adds AppArmor support on D-Bus Broker](https://github.com/bus1/dbus-broker/pull/286), the word "method" is used instead of "member" on the auditing logs. So we are adding support to parse "method" the same way as "member" on D-Bus audit logs. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/958 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-24 21:41:07 +00:00
John Johansen	bb30df7843	Merge Extend crypto and ssl_certs abstractions - ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory - crypoto: allow reading /etc/gcrypt/hwf.deny I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto). MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-24 21:38:19 +00:00
John Johansen	0ac3878207	Merge parser: send key as integer on the dfa of sysv mqueue The key of SYSV message queues is an integer and the kernel uses an integer to store the key. In order to improve performance when travelling the DFA in the kernel, we should use an integer instead of the string. This [patch](`5501f45f40`) contains a rough implementation of what that would look like on the kernel side MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/968 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-24 21:36:39 +00:00
Christian Boltz	dedb5d94cb	Merge Add pipewire client.conf to audio abstractions Fixes: https://bugs.launchpad.net/bugs/2003702 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/970 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-01-23 20:34:57 +00:00
Adrian Heine	b5a7641dd3	Add pipewire client.conf to audio abstractions Fixes: https://bugs.launchpad.net/bugs/2003702	2023-01-23 20:35:29 +01:00
Christian Boltz	d61ccafcb3	Merge profiles: dnsmasq: add Waydroid pid file Waydroid uses LXC and some lxc-net equivalent scripts. Allow that. `b910c89174/data/scripts/waydroid-net.sh` https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/969 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2023-01-22 18:11:00 +00:00
Cameron Nemo	977e45c1dc	profiles: dnsmasq: add Waydroid pid file Waydroid uses LXC and some lxc-net equivalent scripts. Allow that. `b910c89174/data/scripts/waydroid-net.sh` https://web.archive.org/web/20221202141315/https://docs.waydro.id/debugging/known-issues Signed-off-by: Cameron Nemo <cam@nohom.org>	2023-01-16 17:52:11 -08:00
Georgia Garcia	bc89e37953	Merge fix uses of qualifier in the policy of mqueue tests MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/967 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-12 17:50:51 +00:00
Georgia Garcia	106b3d16da	parser: send key as integer on the dfa of sysv mqueue The key of SYSV message queues is an integer and the kernel uses an integer to store the key. In order to improve performance when travelling the DFA in the kernel, we should use an integer instead of the string. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-11 21:58:03 +00:00
Georgia Garcia	6a3793eceb	tests: add qualifier option to mqueue profile generation Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-11 21:46:56 +00:00
Georgia Garcia	a93e1ee3cc	tests: fix use of deny qualifier on policy generation for mqueue tests The mqueue tests were using the previous format which was specific for capabilities. The qual= prefix should be used instead. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-11 21:45:53 +00:00
John Johansen	223036d952	Merge add dbus-broker support on regression tests dbus-broker requires some modification of the test suite. In summary: * refactor to support starting and stopping both dbus and dbus-broker. * Make it so we can run the tests on each, where appropriate * skip unrequested reply and eavesdrop tests for dbus broker because they are not supported. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-07 00:08:10 +00:00
Georgia Garcia	790b17e1dc	tests: add dbus-broker support on regression tests DBus Broker was enabled for the dbus_message and dbus_service regression tests. The dbus_eavesdropping test does not run with dbus-broker because eavesdropping was deprecated in favor or monitoring, so new tests for the "BecomeMonitor" method need to be added. The dbus_unrequested_reply test is also not supported by dbus-broker, therefore the tests are skipped. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-06 20:15:41 +00:00
John Johansen	f0bc1a89a4	Merge regression tests: fix bogon patch characters in Makefile Commit `8cf3534a5` ("tests regression: fix failure on older versions of Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639 was incorrectly applied, including the `+` prefixes from the proposed patch. This causes the sysctl syscall() checks to not correctly be applied and results in a mismatch of expectations in the syscall_sysctl.sh test script, causing it and the testsuite to fail. Thus, remove the bogon `+` characters from the Makefile, to make USE_SYSCTL be set correctly. Fixes: `8cf3534a5` ("tests regression: fix failure on older versions of Make") Signed-off-by: Steve Beattie <steve.beattie@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Approved-by: Christian Boltz <apparmor@cboltz.de> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-05 00:44:37 +00:00
Georgia Garcia	c42efa510e	tests: fix profile generation for dbus test The test "eavesdrop (confined w/o dbus perms)" was failing for the wrong reason. While it should fail because it is missing dbus rules, it was actually failing because it didn't have the required unix rule. The error message was: "FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied" Corresponding audit log: [28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none After the change, the error message is: FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus) Corresponding audit log: [28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-04 18:26:10 +00:00
Georgia Garcia	8d3aab9795	tests: add write permission to output on dbus test profile The profile generated by dbus did not include this rule which caused the following DENIED audit logs: [26937.013475] audit: type=1400 audit(1671046721.776:246): apparmor="DENIED" operation="getattr" class="file" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_message" name="/tmp/sdtest.5720-14413-VQMPsH/output.dbus_message" pid=5866 comm="dbus_message" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-04 18:26:10 +00:00
John Johansen	dfc9847f89	Merge aa-status: Fix malformed json output with unconfined processes As reported in issue #295, the json output from aa-status would be invalid if there were profiles defined for processes that were unconfined. Fix this by ensuring the json for the processes array is closed properly. Signed-off-by: Alex Murray <alex.murray@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/964 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2023-01-04 17:32:40 +00:00
Alex Murray	22aa9b6161	aa-status: Fix malformed json output with unconfined processes As reported in issue #295, the json output from aa-status would be invalid if there were profiles defined for processes that were unconfined. Fix this by ensuring the json for the processes array is closed properly. Signed-off-by: Alex Murray <alex.murray@canonical.com>	2023-01-04 12:32:59 +10:30
Georgia Garcia	c5ff2033e2	Merge tests: fix variable type for getopt getopt returns an int, not a char. Error caused by this issue could only be observed on non-x86 systems. Closes LP#2000359 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/962 Approved-by: Jon Tourville <jon.tourville@canonical.com> Approved-by: Steve Beattie <gitlab@nxnw.org> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-03 18:56:03 +00:00
Steve Beattie	11bd79e39a	regression tests: fix bogon patch characters in Makefile Commit `8cf3534a5` ("tests regression: fix failure on older versions of Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639 was incorrectly applied, including the `+` prefixes from the proposed patch. This causes the sysctl syscall() checks to not correctly be applied and results in a mismatch of expectations in the syscall_sysctl.sh test script, causing it and the testsuite to fail. Thus, remove the bogon `+` characters from the Makefile, to make USE_SYSCTL be set correctly. Fixes: `8cf3534a5` ("tests regression: fix failure on older versions of Make") Signed-off-by: Steve Beattie <steve.beattie@canonical.com>	2023-01-03 10:03:32 -08:00
Georgia Garcia	47ffef4c39	tests: fix variable type for getopt getopt returns an int, not a char. Error caused by this issue could only be observed on non-x86 systems. Closes LP#2000359 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2023-01-03 14:08:59 -03:00
Christian Boltz	d15bfa999a	Extend crypto and ssl_certs abstractions - ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory - crypoto: allow reading /etc/gcrypt/hwf.deny	2022-12-17 23:10:59 +01:00
Georgia Garcia	4f2d2a8cab	Merge log parsing fixes small fixes on log parsing MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/959 Approved-by: Jon Tourville <jon.tourville@canonical.com> Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-12-16 19:41:41 +00:00
Georgia Garcia	f91be85361	libapparmor: add scanner support for dbus method Add support to parse "method" the same way as "member" on D-Bus audit logs. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-12-16 10:53:58 -03:00
Georgia Garcia	e94cd809e4	utils: fix dbus access string formatting The AppArmorBug exception was missing the variable from the message Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-12-16 10:37:45 -03:00
Georgia Garcia	7618d69eca	utils: fix check for when there's no operation field in audit log If the "operation" field is not present, we get the following error: AttributeError: 'NoneType' object has no attribute 'startswith' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-12-16 10:13:04 -03:00
Rushil Ambati	00a8f8399b	Fix: Opening links with Brave	2022-12-15 13:36:28 +00:00
Christian Boltz	6f84aa2092	Merge Simplify FileRule perms_with_a() ... by returning early if there's nothing to do. The main improvement is more readable code, but there should also be a minor performance improvement. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/955 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-12-12 17:41:28 +00:00
John Johansen	a7bce9be98	Merge parser: Fix invalid reference to transitions when building the chfa States are not guaranteed to have transitions, but when inserting a state into the chfa table there is an unconditional dereference to the states first transition. This will result in a bad reference and could result in an OOB flag being set on the state when it shouldn't be. Fixes: `16b67ddbd` ("add ability to use out of band transitions" Closes: https://gitlab.com/apparmor/apparmor/-/issues/290 Reported-by: Nobel Barakat <nobelbarakat@google.com> Reported-by: Oleksandr Tymoshenko <ovt@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Closes #290 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/956 Approved-by: Seth Arnold <seth.arnold@gmail.com> Merged-by: John Johansen <john@jjmx.net>	2022-12-10 07:02:26 +00:00
John Johansen	27d738c874	parser: Fix invalid reference to transitions when building the chfa States are not guaranteed to have transitions, but when inserting a state into the chfa table there is an unconditional dereference to the states first transition. This will result in a bad reference and could result in an OOB flag being set on the state when it shouldn't be. Fixes: `16b67ddbd` ("add ability to use out of band transitions" Closes: https://gitlab.com/apparmor/apparmor/-/issues/290 Reported-by: Nobel Barakat <nobelbarakat@google.com> Reported-by: Oleksandr Tymoshenko <ovt@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-12-09 16:11:26 -08:00
John Johansen	2bd9962611	Revert "parser: Set the DEBUG1 flag on profiles that use mqueue rules." This reverts commit `1aa474b25c`. This is a debug patch that unconditionally sets a profile debug flag if mqueue rules are present. It should not be present in merged code, and instead the user should set a debug flag on the profile if that is desired. This was merged with the patch to expedite the MR with the understanding that this patch would be reverted. Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-12-04 19:05:53 -08:00
John Johansen	b5f558962f	Merge ipc message queue rule support MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/858 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-12-05 03:04:48 +00:00
Christian Boltz	b9997473b3	Simplify FileRule perms_with_a() ... by returning early if there's nothing to do. The main improvement is more readable code, but there should also be a minor performance improvement.	2022-11-30 18:35:33 +01:00
John Johansen	ba01d479e2	Merge smbd: allow reading /var/lib/nscd/netgroup (reported on the opensuse-factory mailinglist) I propose this patch for 2.13..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/948 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-11-29 20:55:20 +00:00
John Johansen	49514ebc9f	Merge expand user namespace tests This MR expands the user namespace regression tests to use unshare and setns. Note that setns associates itself to an existing user namespace, so it is not creating it. This is relevant because the mediation only happens on the namespace creation for now. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/952 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-11-29 20:54:39 +00:00
Christian Boltz	2597fd5db8	Merge abstractions/nvidia: allow reading @{pid}/comm On Debian Sid, NVIDIA driver spams log with: ``` type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED" operation="open" profile="qtox" name="/proc/21222/comm" pid=21222 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED" operation="open" profile="skypeforlinux" name="/proc/19851/comm" pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` Read is initiated within libnvidia-glcore.so: ``` Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 41 in ../sysdeps/unix/sysv/linux/open64.c $27 = 0x7fb742adbb50 "/proc/self/comm" 0 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 1 0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188 2 0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280 3 0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75 4 0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 5 0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 6 0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 7 0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 8 0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 9 0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 10 0x000000000000001d in ?? () 11 0x00005579518975f0 in ?? () 12 0x0000000000000001 in ?? () 13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 14 0x00005579518975f0 in ?? () 15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56 16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26 17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117 18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182 19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808 20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884 22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56 23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227 25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138 26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71 27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81 28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0 31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so 36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317 37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849 38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5 40 0x0000557950f1d597 in main () ``` Add read rule to allow reading @{pid}/comm. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/954 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-27 13:06:35 +00:00
Christian Boltz	495f68c797	Merge lsb_release: allow cat and cut lsb_release fails on Debian Sid: ``` $ sudo aa-exec -p lsb_release lsb_release /usr/bin/lsb_release: 70: cut: Permission denied /usr/bin/lsb_release: 70: cut: Permission denied ``` ``` $ sudo aa-exec -p lsb_release lsb_release -h /usr/bin/lsb_release: 11: cat: Permission denied ``` ``` type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0FSUID="root" OUID="root" ``` ``` type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update profile to allow lsb_release script to invoke required executables. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/953 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-27 13:00:07 +00:00
Vincas Dargis	948cbb56c3	abstractions/nvidia: allow reading @{pid}/comm On Debian Sid, NVIDIA driver spams log with: ``` type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED" operation="open" profile="qtox" name="/proc/21222/comm" pid=21222 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED" operation="open" profile="skypeforlinux" name="/proc/19851/comm" pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` Read is initiated within libnvidia-glcore.so: ``` Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 41 in ../sysdeps/unix/sysv/linux/open64.c $27 = 0x7fb742adbb50 "/proc/self/comm" 0 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 1 0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188 2 0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280 3 0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75 4 0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 5 0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 6 0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 7 0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 8 0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 9 0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 10 0x000000000000001d in ?? () 11 0x00005579518975f0 in ?? () 12 0x0000000000000001 in ?? () 13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 14 0x00005579518975f0 in ?? () 15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56 16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26 17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117 18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182 19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808 20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884 22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56 23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227 25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138 26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71 27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81 28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0 31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so 36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317 37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849 38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5 40 0x0000557950f1d597 in main () ``` Add read rule to allow reading @{pid}/comm.	2022-11-27 12:06:45 +02:00
Vincas Dargis	f596a17670	lsb_release: allow cat and cut lsb_release fails on Debian Sid: ``` $ sudo aa-exec -p lsb_release lsb_release /usr/bin/lsb_release: 70: cut: Permission denied /usr/bin/lsb_release: 70: cut: Permission denied ``` ``` $ sudo aa-exec -p lsb_release lsb_release -h /usr/bin/lsb_release: 11: cat: Permission denied ``` ``` type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0FSUID="root" OUID="root" ``` ``` type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0FSUID="root" OUID="root" ``` Update profile to allow lsb_release script to invoke required executables.	2022-11-27 11:14:59 +02:00
Georgia Garcia	3d422215ba	tests: add sysv message queue regression tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 19:31:15 +00:00
Georgia Garcia	8e7b6fd583	utils: add logparser support for mqueue Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 19:31:15 +00:00
John Johansen	6e74b7957b	parser: place perm on name as well as name && label combination Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-22 19:31:15 +00:00
John Johansen	1aa474b25c	parser: Set the DEBUG1 flag on profiles that use mqueue rules. Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-22 19:31:15 +00:00
John Johansen	3cc73ffe8d	parser: Add a set of debug flags that can be passed to the kernel The kernel will allow for a couple of debug flags on a profile that can be used to trigger debug messages for only profiles/labels that have the flag set. Add basic support for these to the parser. Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-22 19:31:15 +00:00
Georgia Garcia	673e8f9d36	parser: add parser simple tests for mqueue rules Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 19:31:15 +00:00
Georgia Garcia	d4cbcf2f07	utils: add message queue rules parsing in python tools Based on what was done in the parser, replicate the logic so it can be used in the python tools. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 19:31:15 +00:00
Georgia Garcia	cd85ca9777	tests: add posix message queue regression tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-22 19:31:15 +00:00
Georgia Garcia	d98c5c4cf9	parser: add parser support for message queue mediation Message queue rules take the following format: mqueue [<access_mode>] [<type>] [<label>] [<mqueue name>], access_mode := 'r'\|'w'\|'rw'\|'read'\|'write'\| 'create'\|'open'\|'delete'\| 'getattr'\|'setattr' type := 'type' '=' ('posix'\|'sysv') label := 'label' '=' <target label> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-22 19:31:15 +00:00
Christian Boltz	14e3709742	Merge dnsmasq//libvirt_leaseshelper: cleanup superfluous rules ... that are included in abstractions/base MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/947 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-22 16:53:28 +00:00
Georgia Garcia	c6f1981cd8	tests: expand userns tests to use setns Setns is used to associate to an existing user namespace, so the kernel security hook for user namespace creation is not called. The restriction for setns is that it should have the capability sys_admin. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 14:45:54 +00:00
Georgia Garcia	592a0743f0	tests: add userns tests using unshare Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-22 14:28:33 +00:00
Christian Boltz	f03a3198a8	Merge Resolve string escape sequence DeprecationWarnings This MR closes #286. Strings with only invalid escape sequences were prefixed with an `r`. Strings containing both valid and invalid escape sequences were handled on a case-by-case basis, as simply changing to a raw string breaks valid escape sequences. Closes #286 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/951 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-22 12:40:55 +00:00
Mark Grassi	d94731ddf4	Resolve string escape sequence DeprecationWarnings	2022-11-21 22:08:42 -05:00
Mark Grassi	98817eecb6	Remove unnecessary regex backslashes	2022-11-21 22:07:49 -05:00
Christian Boltz	dd5a6c2e0a	Merge Include profile name in error message on directory exec ... to make the error message more helpful. Inspired by https://gitlab.com/apparmor/apparmor/-/issues/285 I propose this patch for 3.1 and master. (3.0 uses a different variable name - if we want it there, it needs a slightly different patch.) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/949 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-21 12:59:38 +00:00
Christian Boltz	fae88807c1	Merge Consolidate rule methods This MR closes #276. In `b150c40ed1`, I removed the big comment at the top of `BaseRule` stating what methods have to be implemented by subclasses. This was out-of-date, had redundant method descriptions, and was no longer necessary now that `BaseRule` has an `ABCMeta` metaclass and auto-enforces the implementation of abstract methods. `rule._logprof_header_localvars()` implementations weren't consistent, so I took the opportunity to clean them up in `db99138f56`. Return types differed, the presence of empty `header` lists differed, how size-two collections were returned differed, etc. Otherwise, this MR closely follows the discussion in #276. Closes #276 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/950 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-20 17:14:00 +00:00
Mark Grassi	db99138f56	Simplify rule._logprof_header_localvars() implementations	2022-11-20 10:38:42 -05:00
Mark Grassi	b150c40ed1	Unify rule._match() implementations	2022-11-20 10:38:42 -05:00
Christian Boltz	ef5c4b5085	Include profile name in error message on directory exec ... to make the error message more helpful. Inspired by https://gitlab.com/apparmor/apparmor/-/issues/285	2022-11-20 15:09:33 +01:00
Mark Grassi	b62efce6ba	Consolidate BaseRule.match()	2022-11-19 21:47:43 -05:00
Mark Grassi	d5c47ec900	Unify rule._match() calls	2022-11-19 21:47:43 -05:00
Mark Grassi	0fb7aed741	Unify rule.is_equal() type comparisons	2022-11-19 21:47:43 -05:00
Mark Grassi	e3eb5288cc	Make rule.*_localvars methods private	2022-11-19 21:46:44 -05:00
Christian Boltz	5eed9c071b	smbd: allow reading /var/lib/nscd/netgroup (reported on the opensuse-factory mailinglist)	2022-11-15 22:44:44 +01:00
Christian Boltz	f9d4e8e2a3	dnsmasq//libvirt_leaseshelper: cleanup superfluous rules ... that are included in abstractions/base	2022-11-15 22:37:58 +01:00
Christian Boltz	b904fe78a7	Merge Make BaseRule a proper abstract base class This closes #277 by introducing the following changes: 1. `BaseRule` was made a "proper" abstract base class in that it now enforces that subclasses implement all abstract methods. 2. As a consequence of this change, `BaseRule` can no longer be directly instantiated; tests were changed accordingly. 3. These test changes led to test failures, the reason being that many rule methods hardcoded class names, breaking inheritance. I made a commit to address this. 4. Once tests were passing, code coverage regressed due to the fact that there was now effectively-unreachable code in abstract instance methods. This code, which was only raising `NotImplementedError`s, was removed. I say "effectively-unreachable" here because it could be reached by calling `super()` via a subclass. 5. There are three "bonus" commits as well; one bug fix, one typo fix, and one cleanup. Closes #277 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/930 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-15 21:14:19 +00:00
Christian Boltz	50074a3c01	Merge Catch PermissionError when trying to write a profile ... and re-raise it as AppArmorException so that only the actual error (without a backtrace) gets displayed. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/282 I propose this patch for 3.0..master. Closes #282 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/946 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-15 20:45:59 +00:00
Christian Ehrhardt	c159d0925a	Allow access to possible cpus for glibc-2.36 Glibc in 2.36 and later will [1] access sysfs at /sys/devices/system/cpu/possible when usig sysconf for _SC_NPROCESSORS_CONF. That will make a lot of different code, for example anything linked against libnuma, trigger this apparmor denial. apparmor="DENIED" operation="open" class="file" ... name="/sys/devices/system/cpu/possible" ... requested_mask="r" denied_mask="r" fsuid=0 ouid=0 This entry seems rather safe, and it follows others that are already in place. Instead of fixing each software individually this should go into the base profile as well. Initially reported via https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267 MR: none - ML Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-14 21:45:55 -08:00
Christian Boltz	d0ec2acaf2	Catch PermissionError when trying to write a profile ... and re-raise it as AppArmorException so that only the actual error (without a backtrace) gets displayed. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/282	2022-11-14 22:50:27 +01:00
Mark Grassi	7bb9f45047	Empty enforced abstract instance methods	2022-11-13 19:56:53 -05:00
Mark Grassi	436a5774be	Fix typo	2022-11-13 19:41:48 -05:00
Mark Grassi	0b625e92b7	Fix AttributeError missed in Python 3 migration	2022-11-13 19:41:48 -05:00
Mark Grassi	8300615833	Remove hardcoded class names	2022-11-13 19:41:48 -05:00
Mark Grassi	852169948f	Make BaseRule a proper abstract base class	2022-11-13 19:32:01 -05:00
John Johansen	9107a0d891	sync library version with 3.1 release The 3.1 release bumped its library version, and for consistency needs to be bumped here as well. Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-08 11:35:41 -08:00
Christian Boltz	1c04b4e2bd	Merge utils: add userns python tool support MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/944 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-11-04 15:57:38 +00:00
Georgia Garcia	4fb9b3d42b	utils: add userns python tool support Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-04 12:39:18 +00:00
John Johansen	6151a917ce	Merge Support rule qualifiers in regression tests This allows regression tests to generate profiles that use rule qualifiers, such as allow, deny, and audit. Qualifiers can be specified for a rule by prepending 'qual=', followed by a comma-separated list of rule qualifiers, then a ':', then the rule itself. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/925 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-11-04 10:32:36 +00:00
Jon Tourville	f6bfd141bd	Support rule qualifiers in regression tests This allows regression tests to generate profiles that use rule qualifiers, such as allow, deny, and audit. Qualifiers can be specified for a rule by prepending 'qual=', followed by a comma-separated list of rule qualifiers, then a ':', then the rule itself. Signed-off-by: Jon Tourville <jon.tourville@canonical.com>	2022-11-04 09:27:17 +00:00
Georgia Garcia	5e82f522c1	Merge add user namespace regression tests These tests run for both root and user, and for that I'm using @jontourville's !941 Test cases were based on the description in the [unprivileged_userns_restriction](https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction) wiki page MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/943 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-04 09:10:01 +00:00
Georgia Garcia	0727da47b3	tests: add userns regression tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-04 08:29:45 +00:00
Georgia Garcia	ffd74aadb1	tests: extend kernel_features to support check for feature in file The test kernel_features only checked if the feature file exists, but there are cases when we need to check if the feature is part of the file's content. For example, we might want to check if a mode is present in the feature "mask" file. This is already supported by libapparmor's aa_features_supports. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-11-04 08:29:07 +00:00
John Johansen	571cec5036	Merge Add regression test summary Print out a summary of the tests that passed and failed at the end of the regression tests. Merge the tests and alltests make targets since they only differ in which tests are run. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/942 Approved-by: Steve Beattie <gitlab@nxnw.org> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-11-03 13:20:20 +00:00
John Johansen	f044d92166	Merge Add ability to execute tests as different users This update to the regression test framework allows a test script to execute a test binary as a different user by passing '-u <username>' to the settest function. Signed-off-by: Jon Tourville <jon.tourville@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/941 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-11-03 13:19:08 +00:00
Jon Tourville	e30696c484	Add regression test summary Print out a summary of the tests that passed and failed at the end of the regression tests. Merge the tests and alltests make targets since they only differ in which tests are run. Signed-off-by: Jon Tourville <jon.tourville@canonical.com>	2022-11-03 12:44:21 +00:00
Jon Tourville	f525706407	Add ability to execute tests as different users This update to the regression test framework allows a test script to execute a test binary as a different user by passing '-u <username>' to the settest function. Signed-off-by: Jon Tourville <jon.tourville@canonical.com>	2022-11-01 15:40:18 +00:00
John Johansen	8fa77e9e6c	Merge Adds WSL programmatic management of /etc/resolv.conf. When WSL automatically generates a resolv.conf for an instance, the /etc/resolv.conf file is a symlink to /mnt/wsl/resolv.conf. This patch adds an entry for this to the other policies to handle such management. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/935 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-29 12:51:42 +00:00
John Johansen	37f0f77425	Merge Allow reading /sys/devices/system/cpu/possible ... in the dnsmasq//libvirt_leaseshelper profile Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849 I propose this patch for 3.0, 3.1 and master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/917 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: John Johansen <john@jjmx.net>	2022-10-29 12:50:44 +00:00
John Johansen	e049b31c04	Merge syslog-ng: allow reading .journal in flatter directory structure On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in /var/log/journal/.journal - without an additional subdirectory level. I propose this patch for 2.13..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 12:45:48 +00:00
John Johansen	299a7386f4	Merge tests/regression: Add simple e2e test This adds a single e2e test to check that raw_data of a loaded policy matches the generated policy (cached). Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/929 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 12:44:31 +00:00
John Johansen	bed1471144	Merge Hardcode and check the expected libapparmor.so name/number ... to prevent wrong/unexpected numbering (like https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases. I propose this patch for master and 3.1. Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 12:35:53 +00:00
John Johansen	7f83444f93	Merge Add test for nfs file access Add test to verify that file access on a mounted NFS share is determined by file rules and not network rules. This relies on a kernel patch, so the tests are marked xpass. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/895 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 12:34:31 +00:00
John Johansen	b911ca16d9	Merge add userns log entry in libapparmor tests Log entries for userns add `class`, `requested`, and `denied`, so I cherry-picked the commits that handle that from the message queue MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/858 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/939 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 10:29:44 +00:00
John Johansen	0d61139e2a	Merge libapparmor: allow parsing of logs with 0x1d + uppercase items audit.log lines on Arch have an additional FSUID="username" OUID="username", separated from the previous part of the log line with 0x1d. Extend the log parsing to accept 0x1d as whitespace, and to recognize (and ignore) FSUID and OUID. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271 Also add one of the log lines from #271 as test_multi test case. I propose this patch for 3.0..master. Closes #271 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 10:25:23 +00:00
Christian Boltz	fab4b4e762	Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572 I propose this fix for 3.0..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-10-27 22:33:56 +00:00
Christian Boltz	e933b08bd9	Add test_multi testcase from #271 This testcase from https://gitlab.com/apparmor/apparmor/-/issues/271 has a log line with FSUID and OUID, separated by 0x1d.	2022-10-27 21:04:53 +02:00
Christian Boltz	87e4d302cd	libapparmor: allow parsing of logs with 0x1d + uppercase items audit.log lines on Arch have an additional FSUID="username" OUID="username", separated from the previous part of the log line with 0x1d. Extend the log parsing to accept 0x1d as whitespace, and to recognize (and ignore) FSUID and OUID. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271	2022-10-27 21:01:37 +02:00
Georgia Garcia	e492eb34b1	libapparmor tests: add userns denied logs Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 18:24:55 +00:00
Steve Beattie	be61c5d22d	libapparmor: fix a typo in grammar.y MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/938 Approved-by: Steve Beattie <steve@nxnw.org> Merged-by: Steve Beattie <steve@nxnw.org>	2022-10-27 18:21:57 +00:00
Georgia Garcia	5cc7a26e78	libapparmor: add support for class in logparsing We want to use the class field to identify operations such as posix_mqueue Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 18:16:53 +00:00
Georgia Garcia	a05c9483f3	libapparmor: add support for requested and denied on logparsing In order to decrease the number of characters in the audit logs from the kernel, we will drop the "_mask" from the fields "requested_mask" and "denied_mask". Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 18:16:53 +00:00
Georgia Garcia	19e7016068	Merge add support for user namespace creation the only supported mode for the moment is `create`, so the following rules have the same effect ``` userns, userns create, ``` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/927 Approved-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 18:16:11 +00:00
Christian Boltz	5f36521e9f	Fix a typo in libapparmor grammar.y	2022-10-27 20:08:07 +02:00
Georgia Garcia	ef54144357	parser tests: add userns simple tests Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 17:54:42 +00:00
Georgia Garcia	f400b41c4a	parser: add support for user namespace creation Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-10-27 17:54:42 +00:00
Christian Boltz	6920daea49	samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572	2022-10-27 18:32:46 +02:00
Christian Boltz	18d1b06b0c	Merge abstactions/kde: update for kwinrc, kdedefaults/* files GUI applications such as KDE dragon player, qTox, LibreOffice tries to access .config/kwinrc, .config/kdedefaults/kwinrc and .config/kdedefaults/kdeglobals. Update abstractions/kde to fix denials for applications running under KDE. Some examples: ``` type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-10-22 19:28:25 +00:00
Vincas Dargis	d9dc0b61e3	abstactions/kde: update for kwinrc, kdedefaults/* files GUI applications such as KDE dragon player, qTox, LibreOffice tries to access .config/kwinrc, .config/kdedefaults/kwinrc and .config/kdedefaults/kdeglobals. Update abstractions/kde to fix denials for applications running under KDE.	2022-10-22 21:58:17 +03:00
Alistair Young	5232eaa2d5	Adds /mnt/wsl/resolv.conf to nameservices.	2022-10-21 16:33:46 +00:00
Christian Boltz	fed907431e	syslog-ng: allow reading .journal in flatter directory structure On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in /var/log/journal/.journal - without an additional subdirectory level.	2022-10-09 21:02:17 +02:00
Christian Boltz	05d7bdd655	Merge parser: fix DISTRO variable in Makefile A single '$()' results in variable expansion, which makes "$(rpm --eval ..)" always an empty string. Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-10-07 19:44:55 +00:00
Spyros Seimenis	75a6679be5	tests/regression: Add simple e2e test This adds a single e2e test to check that raw_data of a loaded policy matches the generated policy (cached). Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>	2022-10-05 20:39:37 +03:00
Alexey Kodanev	1df547ee8f	parser: fix DISTRO variable in Makefile A single '$()' results in variable expansion, which makes "$(rpm --eval ..)" always an empty string. Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>	2022-09-30 14:22:27 +03:00
John Johansen	e1cc90f3a2	Merge profiles/apparmor.d: Update samba profile Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692 Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-09-30 09:59:14 +00:00
Spyros Seimenis	96aff5a5c5	profiles/apparmor.d: Update samba profile Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692 Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>	2022-09-29 16:02:20 +03:00
Christian Boltz	c038682745	Merge Simplify combine profname Closes #275. Closes #275 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/921 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-09-12 19:12:47 +00:00
Mark Grassi	084e35e3be	Change apparmor.common.combine_profname arguments from list to tuple literals.	2022-09-11 21:56:26 -04:00
Mark Grassi	179ac34113	Simplify apparmor.common.combine_profname	2022-09-11 21:55:40 -04:00
Mark Grassi	5dc10264d2	Fix error in AppArmorBug exception text	2022-09-11 21:51:42 -04:00
Christian Boltz	7f6ffd33b2	Merge Rename BaseRule parse() and _parse() methods As discussed in !920, this MR renames BaseRule's `parse()` and `_parse()` methods to `create_instance()` and `_create_instance()`, respectively. It then removes the `selection_to_rule_obj` function from `apparmor.aa`, which is now an unnecessary alias for the renamed public method. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/923 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-09-11 09:18:18 +00:00
Christian Boltz	46e51abbb3	Merge Remove `if True:` conditionals Closes #274. Closes #274 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/922 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-09-11 09:04:56 +00:00
Mark Grassi	86ae50b79e	Remove selection_to_rule_obj() function from apparmor.aa	2022-09-10 20:50:22 -04:00
Mark Grassi	c7d1d5ea93	Rename BaseRule's _parse() method to _create_instance()	2022-09-10 19:54:35 -04:00
Mark Grassi	accc2debe9	Rename BaseRule's parse() method to create_instance()	2022-09-10 19:54:35 -04:00
Mark Grassi	170d7db186	Remove `if True:` conditionals	2022-09-10 18:11:01 -04:00
Christian Boltz	8c2a05469f	Merge Change direct type comparisons to `isinstance()` calls where applicable. This MR addresses #269. Notes: - In all `is_equal_localvars()` Rule methods, `type(self)` is now used instead of the explicit class. This approach works better with inheritance, and was already used in `IncludeRule` for this reason. - Remaining direct type comparisons were changed to use `is`/`is not` instead of `==`/`!=`. - I fixed two typos in `alias.py`; the plural of alias is aliases, not aliass. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/920 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-09-10 22:01:14 +00:00
Mark Grassi	9725e66981	Change direct type comparisons to `isinstance()` calls where applicable.	2022-09-10 22:01:13 +00:00
Christian Boltz	f5594fbb7c	Merge Prevent crash on log entries for non-existing profile If audit.log contains entries for a profile that doesn't exist (for example when working with a log file from another system), skip these log entries instead of crashing. Reproducer (crashes without this patch): aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0') I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-29 19:56:01 +00:00
Christian Boltz	94c7c79c8b	Prevent crash on log entries for non-existing profile If audit.log contains entries for a profile that doesn't exist (for example when working with a log file from another system), skip these log entries instead of crashing. Reproducer (crashes without this patch): aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')	2022-08-29 14:36:18 +02:00
Christian Boltz	447199029e	Merge Replace `exit()` with `sys.exit()`. Addresses #270. The `mk_features_file.py` changes are just for clarity, as shadowing built-ins confuses readers. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/918 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-29 11:46:39 +00:00
Mark Grassi	380bed3c9b	Replace `exit()` with `sys.exit()`.	2022-08-28 22:40:28 -04:00
Christian Boltz	ace8e04477	Allow reading /sys/devices/system/cpu/possible ... in the dnsmasq//libvirt_leaseshelper profile Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202849	2022-08-28 12:32:17 +02:00
Christian Boltz	4dcab85ce6	Merge Narrow broad except statements. As discussed in #241 and !906, there are some overly broad `except` statements that should be fixed. This MR does so. Some notes: - `profile_dir` in `aa.py` may be `None`, hence the `TypeError` catches. The other globals are not caught in the code, however. E.g. there are possibilities of TypeErrors due to `extra_profile_dir` being `None`. - I added a TODO in `common.py` that I'd like some eyes on. I do not think that `os.path.normpath` can raise an exception (the [Python docs](https://docs.python.org/3/library/os.path.html?#os.path.normpath) don't mention exceptions, and none are raised in the [CPython source code](https://github.com/python/cpython/blob/main/Lib/posixpath.py#L345)). [After discussing this in the MR, the `os.path.normpath` check was removed.] - The `except Exception: raise` occurrences throughout `test-aa-easyprof.py` do nothing, so I removed them. - In `valgrind_simple.py`, I fixed a possible `NameError` in the `finally` clause. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/912 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-27 17:58:52 +00:00
Mark Grassi	e754e8aed7	Narrow broad except statements.	2022-08-27 17:58:51 +00:00
Christian Boltz	4e6ff1ad17	Hardcode and check the expected libapparmor.so name/number ... to prevent wrong/unexpected numbering (like https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases.	2022-08-26 21:43:17 +02:00
Christian Boltz	d024100efe	Merge profiles: permit php-fpm pid files directly under run/ The upstream php-fpm.conf file carries the following pid file example path: [global] ; Pid file ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@ ; Default Value: none ;pid = run/php-fpm.pid Add this path to profiles/apparmor.d/php-fpm, alongside the current nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267 Suggested-by: Ali Abdallah <ali.abdallah@suse.com> Signed-off-by: David Disseldorp <ddiss@suse.de> Closes #267 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/914 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-26 10:35:49 +00:00
David Disseldorp	d8533ec851	profiles: permit php-fpm pid files directly under run/ The upstream php-fpm.conf file carries the following pid file example path: [global] ; Pid file ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@ ; Default Value: none ;pid = run/php-fpm.pid Add this path to profiles/apparmor.d/php-fpm, alongside the current nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267 Suggested-by: Ali Abdallah <ali.abdallah@suse.com> Signed-off-by: David Disseldorp <ddiss@suse.de>	2022-08-26 00:04:36 +02:00
Georgia Garcia	8e8aad4eae	Merge [3.1] libapparmor: fix mistaken SO version bump In commit `7c7224004` ("Prepare for AppArmor 3.1 release"), as preperation for the AppArmor 3.1.0 release, the SO versioning information was adjusted, using a more significant bump to give prior AppArmor releases room to address bugs in libapparmor without ending up with conflicting SO versions. Unfortunately, that process was untested and because AA_LIB_AGE was not incremented by the same amount as AA_LIB_CURRENT, this resulted in an accidental major SO versions bump with the library SO version being: libapparmor.so.4.9.0 This commit increments AA_LIB_AGE by the same amount, resulting in a library versioned as: libapparmor.so.1.12.0 and adds a note to mention that AA_LIB_AGE needs to be incremented in the same way as AA_LIB_CURRENT. This fix is intended to address this for the 3.1 branch; I'd like to find a better approach for the development branch that can be used in future AppArmor primary releases. In general, thanks to symbol versioning (see `libraries/libapparmor/src/libapparmor.map`) we should not need to ever bump the SO version except in an extreme case. Fixes: `7c7224004` ("Prepare for AppArmor 3.1 release") Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Bug: https://gitlab.com/apparmor/apparmor/-/issues/266 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/913 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com> (cherry picked from commit `075c69a4eb`) `f9dbaa38` [3.1] libapparmor: fix mistaken SO version bump	2022-08-25 20:10:43 +00:00
John Johansen	7c7224004c	Prepare for AppArmor 3.1 release - update version file - update library version Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-08-23 13:39:18 -07:00
John Johansen	db246ddbb5	parser: begin deprecation process for #include by adding a warning flag that is disabled by default. This will enable devs to find when and where #include is in use by adding the compile flag --warn=pound-include and can even abort policy compiles by using --warn=pound-include --Werror=pound-include The resulting messages look like Warning from /etc/apparmor.d/usr.sbin.cupsd (/etc/apparmor.d/usr.sbin.cupsd line 5): deprecated use of '#include' Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Time-out	2022-08-22 15:03:26 -07:00
John Johansen	a382452a54	libapparmor: update rules around the library version This change tries to give us some room to deal with versioning issues like we had in `145136f6` Fix 2.13 libapparmor so version which revered the library version bump in `5c47e448` libapparmor: Bump revision in preparation for release. which was done because of the symbol added by `351014c3` libapparmor: add _aa_asprintf to private symbols unfortunately this collided with the 3.0 library symbol versioning which had a different set of symbols with the same version numbering. Leaving us no way to increase the version number to when fixing an exported symbol version in a released library. Ideally this would have been fixed with library version synchs but in this case that option wasn't open as we were dealing with two released versions of the library. Bumping the current version by 5 on the larger releases gives us room to deal with these kind of bugs in the future. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Time-out	2022-08-22 14:52:37 -07:00
John Johansen	f51049ea2e	Merge dnsmasq: Add missing r permissions for libvirt_leaseshelper Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since this is probably unrelated to the path or a path change, this commit also adds r permissions for the previous path. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161 I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-08-22 21:44:12 +00:00
Christian Boltz	406b6398af	Merge dnsmasq: allow paths for podman dnsname plugin in rootless mode In rootless mode, files needed to access are under /run/user/, so those needs to be defined separately. similar change than https://gitlab.com/apparmor/apparmor/-/merge_requests/800 but adds permissions for rootless mode. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/909 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-22 11:57:21 +00:00
Christian Boltz	bcffe7c92c	Merge Address Style Guide Infractions This MR addresses much of #241. Each commit handles a different aspect of the style guide. All commits are style-only. Lacking from this MR are changes that would alter behavior and/or break backward-compatibility. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/906 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-22 10:47:33 +00:00
IIkka Ollakka	86069dd934	dnsmasq: allow paths for podman dnsname plugin in rootless mode In rootless mode, files needed to access are under /run/user/, so those needs to be defined separately.	2022-08-22 13:20:40 +03:00
Mark Grassi	2f9068e37c	Remove duplicate regex "or" comments.	2022-08-21 11:15:07 -04:00
Mark Grassi	46a2be31a7	Remove outdated/incorrect comment.	2022-08-21 11:15:07 -04:00
Mark Grassi	e8b60e46fe	Improve regex formatting.	2022-08-21 11:15:07 -04:00
Mark Grassi	b1c2aeaa76	Be consistent with return statements when only returning None.	2022-08-21 11:15:07 -04:00
Mark Grassi	091c6ad59d	Use string startswith() and endswith() methods instead of slicing to check for prefixes and suffixes.	2022-08-21 11:15:07 -04:00
Mark Grassi	854602c0d9	Use the fact that empty sequences are false.	2022-08-21 11:15:07 -04:00
Mark Grassi	68e3f12c2c	Avoid escaping quotation marks where possible.	2022-08-21 11:15:07 -04:00
Mark Grassi	c57138f255	Order imports and module-level dunder name assignments.	2022-08-21 11:15:07 -04:00
Mark Grassi	ea3fb60007	Break lines before binary operators.	2022-08-21 11:15:07 -04:00
Mark Grassi	ef2e6c62e7	Ensure variables inside functions are lower_case_with_underscores.	2022-08-21 11:15:07 -04:00
Mark Grassi	dc384c48a8	Use triple double-quoted strings for docstrings.	2022-08-21 11:15:07 -04:00
Mark Grassi	de3aa3c5f0	Correct misspelling.	2022-08-21 11:15:07 -04:00
Mark Grassi	f590a66e50	Remove redundant backslashes, and unnecessary semicolons and pass statements.	2022-08-21 11:15:07 -04:00
Mark Grassi	813c831468	Ensure non-membership tests are "not in".	2022-08-21 11:15:07 -04:00
Mark Grassi	96f7121944	Fix most PEP 8 whitespace, indentation, and major line length violations.	2022-08-21 11:15:07 -04:00
Mark Grassi	e4f88cc3a8	Indent line continuations per PEP 8.	2022-08-21 11:15:07 -04:00
Mark Grassi	aff9bb8f81	Ensure no bool comparisons use equality comparisons.	2022-08-21 11:15:07 -04:00
Mark Grassi	62f99465e9	Ensure all None comparisons use `is` or `is not`.	2022-08-21 11:15:07 -04:00
Mark Grassi	0375ea1257	Change tabs to spaces in Python files.	2022-08-21 11:15:07 -04:00
Christian Boltz	c06ea77445	Merge Set (instead of compare) exresult Interestingly this accidentally worked because `if exresult` is true for both a non-empty string ("PASS") as well as a real `True` value. Found by Mark Grassi as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/906 I propose this patch for all branches. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/907 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-08-16 19:25:49 +00:00
Christian Boltz	5a2fb8569c	Set (instead of compare) exresult Interestingly this accidentally worked because `if exresult` is true for both a non-empty string ("PASS") as well as a real `True` value. Found by Mark Grassi as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/906	2022-08-14 12:33:56 +02:00
Christian Boltz	c9c5208f77	dnsmasq: Add missing r permissions for libvirt_leaseshelper Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since this is probably unrelated to the path or a path change, this commit also adds r permissions for the previous path. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161	2022-08-08 20:48:58 +02:00
Georgia Garcia	a555ccd9f4	Merge Fix setuptools version detection in buildpath.py libraries/libapparmor/swig/python/test/buildpath.py: The changes introduced in `cc7f549665` targetted a wrong setuptools version (61.2). The change in build directory naming has been introduced with 62.0. Fixes #259 Fixes #39 Closes #39 and #259 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/904 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-08-03 17:21:50 +00:00
David Runge	1ff0c2c7d6	Use basepath.py in profiles Makefile profiles/Makefile: Set PYTHON_DIST_BUILD_PATH using libraries/libapparmor/swig/python/test/buildpath.py as it solves the problem of setting the build directory generically.	2022-08-03 10:56:51 +02:00
David Runge	fda390983f	Fix setuptools version detection in buildpath.py libraries/libapparmor/swig/python/test/buildpath.py: The changes introduced in `cc7f549665` targetted a wrong setuptools version (61.2). The change in build directory naming has been introduced with 62.1 (`1c23f5e1e4`).	2022-08-03 10:56:47 +02:00
John Johansen	b65fbf5fbd	Sync Library version from 3.0.5 release See v3.0.5 `704c82c574` Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-07-25 15:29:12 -07:00
Georgia Garcia	0afc2cbb84	parser: fix LTO build The previous fix for LTO builds in `b6d3daa7` did not take into consideration that LTO support could be added through CFLAGS,in which case the fix would not be applied. This patch applied the fix -flto-partition=none even if CFLAGS is already defined. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Closes #214 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/901 Acked-by: John Johansen <john@jjmx.net> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>	2022-07-25 17:34:27 -03:00
Christian Boltz	1f3a817c11	Merge dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic I've seen this test fail because "apparmor_parser -N" returned the expected lines, but in a different order than what's expected (dirtest.out). To fix this, sort both the expected and actual output. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/900 Approved-by: Jon Tourville <jon.tourville@canonical.com> Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de>	2022-07-25 20:09:16 +00:00
Jon Tourville	421223c757	Add test for nfs file access Add test to verify that file access on a mounted NFS share is determined by file rules and not network rules. This relies on a kernel patch, so the tests are marked xpass. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499	2022-07-12 16:49:46 +00:00
Georgia Garcia	b2a1544d94	binutils: add aa-load aa-load is a tool that loads cached (compiled) policies into the kernel. It can receive as argument a file, a cache directory containing the hash subtree, and a directory containing cached files directly underneath - no hash. This tool can be used in the as a guide for other init systems to load the cached policies directly. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2021-07-26 20:52:34 -03:00
Georgia Garcia	50054ff03d	add aa_split_overlay_str This commit adds a helper function that splits a string of overlay directories by either , (comma) or : (colon) Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2021-07-26 20:52:34 -03:00
Georgia Garcia	e7d4a509a7	expose aa_features_check Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>	2021-07-26 20:52:34 -03:00

1125 changed files with 36358 additions and 11195 deletions

15

.gitignore vendored

View File

@@ -6,6 +6,7 @@ binutils/aa-exec
 binutils/aa-exec.1
 binutils/aa-features-abi
 binutils/aa-features-abi.1
 binutils/aa-load
 binutils/aa-status
 binutils/aa-status.8
 binutils/cJSON.o
@@ -28,6 +29,7 @@ parser/parser_yacc.h
 parser/pod2htm*.tmp
 parser/af_rule.o
 parser/af_unix.o
 parser/all_rule.o
 parser/common_optarg.o
 parser/dbus.o
 parser/default_features.o
@@ -39,6 +41,7 @@ parser/libapparmor_re/hfa.o
 parser/libapparmor_re/libapparmor_re.a
 parser/libapparmor_re/parse.o
 parser/mount.o
 parser/mqueue.o
 parser/network.o
 parser/parser_alias.o
 parser/parser_common.o
@@ -58,6 +61,8 @@ parser/profile.o
 parser/ptrace.o
 parser/rule.o
 parser/signal.o
 parser/userns.o
 parser/io_uring.o
 parser/*.7
 parser/*.5
 parser/*.8
@@ -253,17 +258,23 @@ tests/regression/apparmor/fd_inheritance
 tests/regression/apparmor/fd_inheritor
 tests/regression/apparmor/fork
 tests/regression/apparmor/introspect
 tests/regression/apparmor/io_uring
 tests/regression/apparmor/link
 tests/regression/apparmor/link_subset
 tests/regression/apparmor/mkdir
 tests/regression/apparmor/mmap
 tests/regression/apparmor/mount
 tests/regression/apparmor/move_mount
 tests/regression/apparmor/named_pipe
 tests/regression/apparmor/net_inet_rcv
 tests/regression/apparmor/net_inet_snd
 tests/regression/apparmor/net_raw
 tests/regression/apparmor/open
 tests/regression/apparmor/openat
 tests/regression/apparmor/pipe
 tests/regression/apparmor/pivot_root
 tests/regression/apparmor/posix_mq_rcv
 tests/regression/apparmor/posix_mq_snd
 tests/regression/apparmor/ptrace
 tests/regression/apparmor/ptrace_helper
 tests/regression/apparmor/pwrite
@@ -287,6 +298,8 @@ tests/regression/apparmor/syscall_setpriority
 tests/regression/apparmor/syscall_setscheduler
 tests/regression/apparmor/syscall_sysctl
 tests/regression/apparmor/sysctl_proc
 tests/regression/apparmor/sysv_mq_rcv
 tests/regression/apparmor/sysv_mq_snd
 tests/regression/apparmor/tcp
 tests/regression/apparmor/transition
 tests/regression/apparmor/unix_fd_client
@@ -294,6 +307,8 @@ tests/regression/apparmor/unix_fd_server
 tests/regression/apparmor/unix_socket
 tests/regression/apparmor/unix_socket_client
 tests/regression/apparmor/unlink
 tests/regression/apparmor/userns
 tests/regression/apparmor/userns_setns
 tests/regression/apparmor/uservars.inc
 tests/regression/apparmor/xattrs
 tests/regression/apparmor/xattrs_profile

									
										32

.gitlab-ci.yml
									
												View File
												
				@@ -17,7 +17,7 @@ stages:

				    - uname -a

				.install-c-build-deps: &install-c-build-deps

				  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev

				  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev

				build-all:

				  stage: build

				@@ -104,6 +104,7 @@ test-profiles:

				  script:

				    - make -C profiles check-parser

				    - make -C profiles check-abstractions.d

				    - make -C profiles check-extras

				shellcheck:

				  stage: test

				@@ -111,7 +112,7 @@ shellcheck:

				  extends:

				    - .ubuntu-before_script

				  script:

				  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet

				  - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet

				  - shellcheck --version

				  - './tests/bin/shellcheck-tree --format=checkstyle

				       | xmlstarlet tr tests/checkstyle2junit.xslt

				@@ -136,3 +137,30 @@ include:

				variables:

				  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"

				  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"

				.send-to-coverity: &send-to-coverity

				  - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME

				    --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL

				    --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"

				    --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"

				coverity:

				  stage: .post

				  extends:

				    - .ubuntu-before_script

				  only:

				    refs:

				      - master

				  script:

				      - apt-get install --no-install-recommends -y curl git texlive-latex-recommended

				      - *install-c-build-deps

				      - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64

				        --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN

				      - tar xfz /tmp/cov-analysis-linux64.tgz

				      - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)

				      - PATH=$PATH:$(pwd)/$COV_VERSION/bin

				      - make coverity

				      - *send-to-coverity

				  artifacts:

				    paths:

				      - "apparmor-*.tar.gz"

									
										3

README.md
									
												View File
												
				@@ -181,6 +181,9 @@ $ make check	# depends on the parser having been built first

				$ make install

				```

				Note that the empty local/* profile sniplets no longer get created by default.

				If you want them, run `make local` before running `make check`.

				[Note that for the parser, binutils, and utils, if you only wish to build/use

				 some of the locale languages, you can override the default by passing

				 the LANGS arguments to make; e.g. make all install "LANGS=en_US fr".]

									
										7

binutils/Makefile
									
												View File
												
				@@ -48,10 +48,10 @@ endif

				# Internationalization support. Define a package and a LOCALEDIR

				EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"

				SRCS = aa_enabled.c

				SRCS = aa_enabled.c aa_load.c

				HDRS =

				BINTOOLS = aa-enabled aa-exec aa-features-abi

				SBINTOOLS = aa-status

				SBINTOOLS = aa-status aa-load

				AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread

				@@ -126,6 +126,9 @@ endif

				aa-features-abi: aa_features_abi.c $(LIBAPPARMOR_A)

					$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)

				aa-load: aa_load.c $(LIBAPPARMOR_A)

					$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)

				aa-enabled: aa_enabled.c $(LIBAPPARMOR_A)

					$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)

53

binutils/aa-status.pod

View File

@@ -72,11 +72,18 @@ displays the number of loaded non-enforcing AppArmor policies.
 =item --kill
 displays the number of loaded enforcing AppArmor policies that will kill tasks on policy violations.
 displays the number of loaded enforcing AppArmor policies that will
 kill tasks on policy violations.
 =item --prompt
 displays the number of loaded enforcing AppArmor policies, with
 fallback to userspace mediation.
 =item --special-unconfined
 displays the number of loaded non-enforcing AppArmor policies that are in the special unconfined mode.
 displays the number of loaded non-enforcing AppArmor policies that are
 in the special unconfined mode.
 =item --process-mixed
 displays the number of processes confined by profile stacks with
@@ -97,6 +104,40 @@ set in a JSON format, fit for machine consumption.
 same as --json, formatted to be readable by humans as well
 as by machines.
 =item --show
 what data sets to show information about. Currently I<processes>,
 I<profiles>, I<all> for both processes and profiles. The default is
 I<all>.
 =item --count
 display only counts for selected information.
 =item --filter.mode=filter
 Allows specifying a posix regular expression filter that will be
 applied against the displayed processess and profiles apparmor profile
 mode, reducing the output.
 =item --filter.profiles=filter
 Allows specifying a posix regular expression filter that will be
 applied against the displayed processess and profiles confining
 profile, reducing the output.
 =item --filter.pid=filter
 Allows specifying a posix regular expression filter that will be
 applied against the displayed processes, so that only processes pids
 matching the expression will be displayed.
 =item --filter.exe=filter
 Allows specifying a posix regular expression filter that will be
 applied against the displayed processes, so that only processes
 executable name matching the expression will be displayed.
 =item --help
 displays a short usage statement.
@@ -124,7 +165,8 @@ if apparmor is enabled but no policy is loaded.
 =item B<3>
 if the apparmor control files aren't available under /sys/kernel/security/.
 if the apparmor control files aren't available under
 /sys/kernel/security/.
 =item B<4>
@@ -140,8 +182,9 @@ if an internal error occurred.
 =head1 BUGS
 B<aa-status> must be run as root to read the state of the loaded
 policy from the apparmor module. It uses the /proc filesystem to determine
 which processes are confined and so is susceptible to race conditions.
 policy from the apparmor module. It uses the /proc filesystem to
 determine which processes are confined and so is susceptible to race
 conditions.
 If you find any additional bugs, please report them at
 L<https://gitlab.com/apparmor/apparmor/-/issues>.

									
										408

binutils/aa_load.c
									
										Normal file
									
												View File
												
				@@ -0,0 +1,408 @@

				/*

				 *   Copyright (C) 2020 Canonical Ltd.

				 *

				 *   This program is free software; you can redistribute it and/or

				 *   modify it under the terms of version 2 of the GNU General Public

				 *   License published by the Free Software Foundation.

				 */

				#define _GNU_SOURCE /* for asprintf() */

				#include <stdio.h>

				#include <errno.h>

				#include <getopt.h>

				#include <stdlib.h>

				#include <unistd.h>

				#include <stdarg.h>

				#include <stddef.h>

				#include <fcntl.h>

				#include <string.h>

				#include <dirent.h>

				#include <sys/types.h>

				#include <sys/stat.h>

				#include <sys/apparmor.h>

				#include <libintl.h>

				#define _(s) gettext(s)

				/* TODO: implement config locations - value can change */

				#define DEFAULT_CONFIG_LOCATIONS "/etc/apparmor/parser.conf"

				#define DEFAULT_POLICY_LOCATIONS "/var/cache/apparmor:/etc/apparmor.d/cache.d:/etc/apparmor.d/cache"

				#define CACHE_FEATURES_FILE ".features"

				bool opt_debug = false;

				bool opt_verbose = false;

				bool opt_dryrun = false;

				bool opt_force = false;

				bool opt_config = false;

				#define warning(fmt, args...) _error(_("aa-load: WARN: " fmt "\n"), ## args)

				#define error(fmt, args...) _error(_("aa-load: ERROR: " fmt "\n"), ## args)

				static void _error(const char *fmt, ...)

				{

					va_list args;

					va_start(args, fmt);

					vfprintf(stderr, fmt, args);

					va_end(args);

				}

				#define verbose(fmt, args...) _debug(opt_verbose, _(fmt "\n"), ## args)

				#define debug(fmt, args...) _debug(opt_debug, _("aa-load: DEBUG: " fmt "\n"), ## args)

				static void _debug(bool opt_displayit, const char *fmt, ...)

				{

					va_list args;

					if (!opt_displayit)

						return;

					va_start(args, fmt);

					vfprintf(stderr, fmt, args);

					va_end(args);

				}

				static int have_enough_privilege(const char *command)

				{

					uid_t uid, euid;

					uid = getuid();

					euid = geteuid();

					if (uid != 0 && euid != 0) {

						error("%s: Sorry. You need root privileges to run this program.\n",

						      command);

						return EPERM;

					}

					if (uid != 0 && euid == 0) {

						error("%s: Aborting! You've set this program setuid root.\n"

						      "Anybody who can run this program can update "

						      "your AppArmor profiles.\n", command);

						exit(EXIT_FAILURE);

					}

					return 0;

				}

				static int load_config(const char *file)

				{

					/* TODO */

					return ENOENT;

				}

				/**

				 * load a single policy cache file to the kernel

				 */

				static int load_policy_file(const char *file)

				{

					int rc = 0;

					struct aa_kernel_interface *kernel_interface;

					if (aa_kernel_interface_new(&kernel_interface, NULL, NULL)) {

						rc = -errno;

						error("Failed to open kernel interface '%s': %m", file);

						return rc;

					}

					if (!opt_dryrun &&

					    aa_kernel_interface_replace_policy_from_file(kernel_interface,

											 AT_FDCWD, file)) {

						rc = -errno;

						error("Failed to load policy into kernel '%s': %m", file);

					}

					aa_kernel_interface_unref(kernel_interface);

					return rc;

				}

				static void validate_features(const char *dir_path)

				{

					aa_features *kernel_features;

					if (aa_features_new_from_kernel(&kernel_features) == -1) {

						error("Failed to obtain features: %m");

						return;

					}

					if (aa_features_check(AT_FDCWD, dir_path, kernel_features) == -1) {

						if (errno == ENOENT) {

							/* features file does not exist

							 * not an issue when loading cache policies from dir

							 */

						}

						else if (errno == EEXIST) {

							warning("Overlay features do not match kernel features");

						}

					}

					aa_features_unref(kernel_features);

				}

				/**

				 * load a directory of policy cache files to the kernel

				 * This does not do a subdir search to find the kernel match but

				 * tries to load the dir regardless of whether its features match

				 *

				 * The hierarchy looks like

				 *

				 * dir/

				 *     .features

				 *     profile1

				 *     ...

				 */

				static int load_policy_dir(const char *dir_path)

				{

					DIR *d;

					struct dirent *dir;

					int rc = 0;

					char *file;

					size_t len;

					validate_features(dir_path);

					d = opendir(dir_path);

					if (!d) {

						rc = -errno;

						error("Failed to open directory '%s': %m", dir_path);

						return rc;

					}

					while ((dir = readdir(d)) != NULL) {

						/* Only check regular files for now */

						if (dir->d_type == DT_REG) {

							len = strnlen(dir->d_name, PATH_MAX);

							/* Ignores .features */

							if (strncmp(dir->d_name, CACHE_FEATURES_FILE, len) == 0) {

								continue;

							}

							if (asprintf(&file, "%s/%s", dir_path, dir->d_name) == -1) {

								error("Failure allocating memory");

								closedir(d);

								return -1;

							}

							load_policy_file(file);

							free(file);

							file = NULL;

						}

					}

					closedir(d);

					return 0;

				}

				/**

				 * load_hashed_policy - find policy hashed dir and load it

				 *

				 * load/replace all policy from a policy hierarchy directory

				 *

				 * Returns: 0 on success < -errno

				 *

				 * It will find the subdir that matches the kernel and load all

				 * precompiled policy files from it.

				 *

				 * The hierarchy looks something like

				 *

				 * location/

				 *          kernel_hash1.0/

				 *                         .features

				 *                         profile1

				 *                         ...

				 *          kernel_hash2.0/

				 *                        .features

				 *                        profile1

				 *                        ...

				 */

				static int load_policy_by_hash(const char *location)

				{

					aa_policy_cache *policy_cache = NULL;

					int rc;

					if ((rc = aa_policy_cache_new(&policy_cache, NULL, AT_FDCWD, location, 0))) {

						rc = -errno;

						error("Failed to open policy cache '%s': %m", location);

						return rc;

					}

					if (opt_debug) {

						/* show hash directory under location that matches the

						 * current kernel

						 */

						char *cache_loc = aa_policy_cache_dir_path_preview(NULL, AT_FDCWD, location);

						if (!cache_loc) {

							rc = -errno;

							error("Failed to find cache location '%s': %m", location);

							goto out;

						}

						debug("Loading cache from '%s'\n", cache_loc);

						free(cache_loc);

					}

					if (!opt_dryrun) {

						if ((rc = aa_policy_cache_replace_all(policy_cache, NULL)) < 0) {

							error("Failed to load policy cache '%s': %m", location);

						} else {

							verbose("Success - Loaded policy cache '%s'", location);

						}

					}

				out:

					aa_policy_cache_unref(policy_cache);

					return rc;

				}

				/**

				 * load_arg - calls specific load functions for files and directories

				 *

				 * load/replace all policy files/dir in arg

				 *

				 * Returns: 0 on success, 1 on failure.

				 *

				 * It will load by hash subtree first, and fallback to a cache dir

				 * If not a directory, it will try to load it as a cache file

				 */

				static int load_arg(char *arg)

				{

					char **location = NULL;

					int i, n, rc = 0;

					/* arg can specify an overlay of multiple cache locations */

					if ((n = aa_split_overlay_str(arg, &location, 0, true)) == -1) {

						error("Failed to parse overlay locations: %m");

						return 1;

					}

					for (i = 0; i < n; i++) {

						struct stat st;

						debug("Trying to open %s", location[i]);

						if (stat(location[i], &st) == -1) {

							error("Failed stat of '%s': %m", location[i]);

							rc = 1;

							continue;

						}

						if (S_ISDIR(st.st_mode)) {

							/* try hash dir subtree first */

							if (load_policy_by_hash(location[i]) < 0) {

								error("Failed load policy by hash '%s': %m", location[i]);

								rc = 1;

							}

							/* fall back to cache dir */

							if (load_policy_dir(location[i]) < 0) {

								error("Failed load policy by directory '%s': %m", location[i]);

								rc = 1;

							}

						} else if (load_policy_file(location[i]) < 0) {

							rc = 1;

						}

					}

					for (i = 0; i < n; i++)

						free(location[i]);

					free(location);

					return rc;

				}

				static void print_usage(const char *command)

				{

					printf("Usage: %s [OPTIONS] (cache file|cache dir|cache base dir)]*\n"

					       "Load Precompiled AppArmor policy from a cache location or \n"

					       "locations.\n\n"

					       "Options:\n"

					       "  -f, --force     load policy even if abi does not match the kernel\n"

					       "  -d, --debug     display debug messages\n"

					       "  -v, --verbose   display progress and error messages\n"

					       "  -n, --dry-run   do everything except actual load\n"

					       "  -h, --help      this message\n",

					       command);

				}

				static const char *short_options = "c:dfvnh";

				struct option long_options[] = {

					{"config",	1, 0, 'c'},

					{"debug",	0, 0, 'd'},

					{"force",	0, 0, 'f'},

					{"verbose",	0, 0, 'v'},

					{"dry-run",	0, 0, 'n'},

					{"help",	0, 0, 'h'},

					{NULL, 0, 0, 0},

				};

				static int process_args(int argc, char **argv)

				{

					int c, o;

					opterr = 1;

					while ((c = getopt_long(argc, argv, short_options, long_options, &o)) != -1) {

						switch(c) {

						case 0:

							error("error in argument processing\n");

							exit(1);

							break;

						case 'd':

							opt_debug = true;

							break;

						case 'f':

							opt_force = true;

							break;

						case 'v':

							opt_verbose = true;

							break;

						case 'n':

							opt_dryrun = true;

							break;

						case 'h':

							print_usage(argv[0]);

							exit(0);

							break;

						case 'c':

							/* TODO: reserved config location,

							 *  act as a bad arg for now, when added update usage

							 */

							//opt_config = true; uncomment when implemented

							/* Fall through */

						default:

							error("unknown argument: '%s'\n\n", optarg);

							print_usage(argv[1]);

							exit(1);

							break;

						}

					}

					return optind;

				}

				int main(int argc, char **argv)

				{

					int i, rc = 0;

					optind = process_args(argc, argv);

					if (!opt_dryrun && have_enough_privilege(argv[0]))

						return 1;

					/* if no location use the default one */

					if (optind == argc) {

						if (!opt_config && load_config(DEFAULT_CONFIG_LOCATIONS) == 0) {

							verbose("Loaded policy config");

						}

						if ((rc = load_arg(DEFAULT_POLICY_LOCATIONS)))

							verbose("Loading policy from default location '%s'", DEFAULT_POLICY_LOCATIONS);

						else

							debug("No policy specified, and no policy config or policy in default locations");

					}

					for (i = optind; i < argc; i++) {

						/* Try to load all policy locations even if one fails

						 * but always return an error if any fail

						 */

						int tmp = load_arg(argv[i]);

						if (!rc)

							rc = tmp;

					}

					return rc;

				}

942

binutils/aa_status.c

View File

File diff suppressed because it is too large Load Diff

4

changehat/pam_apparmor/README

View File

@@ -67,10 +67,10 @@ to syslog.
 References
 ----------
 Project webpage:
 http://developer.novell.com/wiki/index.php/Novell_AppArmor
 https://apparmor.net/
 To provide feedback or ask questions please contact the
 apparmor-dev@forge.novell.com mail list. This is the development list
 apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.
 See also: change_hat(3), and the Linux-PAM online documentation at

11

changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor

View File

@@ -188,10 +188,9 @@ parent context.
 . Feedback/Resources
    -----------------
 To provide feedback or ask questions please contact the
 apparmor-dev@forge.novell.com mail list. This is the development list for the
 AppArmor team.
 Project webpage:
 https://apparmor.net/
 To provide feedback or ask questions please contact the
 apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.

11

changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor

View File

@@ -188,10 +188,9 @@ parent context.
 . Feedback/Resources
    -----------------
 To provide feedback or ask questions please contact the
 apparmor-dev@forge.novell.com mail list. This is the development list for the
 AppArmor team.
 Project webpage:
 https://apparmor.net/
 To provide feedback or ask questions please contact the
 apparmor@lists.ubuntu.com mail list. This is the development list
 for the AppArmor team.

1

common/Make.rules

View File

@@ -42,6 +42,7 @@ endif
 define nl
 endef
 REPO_VERSION_CMD=[ -x /usr/bin/git ] && /usr/bin/git describe --tags --long --abbrev=16 --match 'v*' 2> /dev/null || awk '{ print $2 }' common/.stamp_rev

2

common/Version

View File

@@ -1 +1 @@
 .0.98
 .0.2

BIN
documentation/AppArmor_Developer_2-policy_layout_and_encoding.odt

View File

Binary file not shown.

8

libraries/libapparmor/configure.ac

View File

@@ -92,6 +92,14 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
   AC_MSG_ERROR([C99 mode is required to build libapparmor])
 fi
 m4_ifndef([AX_CHECK_COMPILE_FLAG], [AC_MSG_ERROR(['autoconf-archive' missing])])
 EXTRA_CFLAGS="-Wall $EXTRA_WARNINGS -fPIC"
 AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
 AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
 	[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
 	,)
 AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
 AC_OUTPUT(
 Makefile
 doc/Makefile

8

libraries/libapparmor/doc/aa_getcon.pod

View File

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 The confinement data is too large to fit in the supplied buffer.
 =item B<ENOPROTOOPT>
 The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
 mainly when the kernel lacks 'fine grained unix mediation' support. It also
 can happen on LSM stacking kernels where another LSM has claimed this
 interface and decides to return this error, although this is really a
 corner case.
 =back
 =head1 NOTES

5

libraries/libapparmor/doc/aa_stack_profile.pod

View File

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
  $ echo -n "stackprofile profile_a" > /proc/self/attr/current
  $ echo -n "stack profile_a" > /proc/self/attr/current
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
  $ echo -n "stackexec profile_a" > /proc/self/attr/exec
  $ echo -n "stack profile_a" > /proc/self/attr/exec
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
      # Needed for aa_stack_profile()
      change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

									
										2

libraries/libapparmor/include/aalogparse.h
									
												View File
												
				@@ -159,6 +159,8 @@ typedef struct

					char *fs_type;

					char *flags;

					char *src_name;

					char *class;

				} aa_log_record;

				/**

									
										4

libraries/libapparmor/include/sys/apparmor.h
									
												View File
												
				@@ -157,6 +157,8 @@ extern int aa_features_write_to_file(aa_features *features,

								     int dirfd, const char *path);

				extern bool aa_features_is_equal(aa_features *features1,

								 aa_features *features2);

				extern int aa_features_check(int dirfd, const char *path,

							     aa_features *features);

				extern bool aa_features_supports(aa_features *features, const char *str);

				extern char *aa_features_id(aa_features *features);

				extern char *aa_features_value(aa_features *features, const char *str, size_t *len);

				@@ -209,6 +211,8 @@ extern char *aa_policy_cache_filename(aa_policy_cache *policy_cache, const char

				extern char *aa_policy_cache_dir_path_preview(aa_features *kernel_features,

									      int dirfd, const char *path);

				extern int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable);

				#ifdef __cplusplus

				}

				#endif

									
										22

libraries/libapparmor/src/Makefile.am
									
												View File
												
				@@ -11,9 +11,13 @@ INCLUDES = $(all_includes)

				# 3. If any interfaces have been added, removed, or changed since the last

				#    update,

				#    - increment AA_LIB_CURRENT

				#      - by 1 if bugfix release

				#      - by 5 on larger releases. This gives room to fix library interface

				#        problems in the unlikely event where an interface has to break.

				#    - set AA_LIB_REVISION to 0.

				# 4. If any interfaces have been added since the last public release, then

				#    - increment AA_LIB_AGE.

				#    - increment AA_LIB_AGE by the same amount that AA_LIB_CURRENT was

				#      incremented.

				# 5. If any interfaces have been removed or changed since the last public

				#    release, then

				#    - set AA_LIB_AGE to 0.

				@@ -26,9 +30,12 @@ INCLUDES = $(all_includes)

				# For more information, see:

				# http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html

				#

				AA_LIB_CURRENT = 9

				AA_LIB_REVISION = 2

				AA_LIB_AGE = 8

				# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.

				AA_LIB_CURRENT = 19

				AA_LIB_REVISION = 0

				AA_LIB_AGE = 18

				EXPECTED_SO_NAME = libapparmor.so.1.18.0

				SUFFIXES = .pc.in .pc

				@@ -38,7 +45,6 @@ include $(COMMONDIR)/Make.rules

				BUILT_SOURCES = grammar.h scanner.h af_protos.h

				AM_LFLAGS = -v

				AM_YFLAGS = -d -p aalogparse_

				AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none

				AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/

				scanner.h: scanner.l

					$(LEX) -v $<

				@@ -52,7 +58,7 @@ lib_LTLIBRARIES = libapparmor.la

				noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h

				libapparmor_la_SOURCES = grammar.y libaalogparse.c kernel.c scanner.c private.c features.c kernel_interface.c policy_cache.c PMurHash.c

				libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -dynamic -pthread \

				libapparmor_la_LDFLAGS = -version-info $(AA_LIB_CURRENT):$(AA_LIB_REVISION):$(AA_LIB_AGE) -XCClinker -Bdynamic -pthread \

					-Wl,--version-script=$(top_srcdir)/src/libapparmor.map

				pkgconfigdir = $(libdir)/pkgconfig

				@@ -77,4 +83,8 @@ tst_kernel_LDFLAGS = -pthread

				check_PROGRAMS = tst_aalogmisc tst_features tst_kernel

				TESTS = $(check_PROGRAMS)

				.PHONY: check-local

				check-local:

					test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }

				EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc

									
										39

libraries/libapparmor/src/features.c
									
												View File
												
				@@ -35,6 +35,7 @@

				#include "PMurHash.h"

				#define FEATURES_FILE "/sys/kernel/security/apparmor/features"

				#define CACHE_FEATURES_FILE ".features"

				#define HASH_SIZE (8 + 1) /* 32 bits binary to hex + NUL terminator */

				#define STRING_SIZE 8192

				@@ -658,6 +659,44 @@ bool aa_features_is_equal(aa_features *features1, aa_features *features2)

					       strcmp(features1->string, features2->string) == 0;

				}

				/**

				 * aa_features_check - check if features from a directory matches an aa_features object

				 * @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))

				 * @path: the path containing the features

				 * @features: features to be matched against

				 *

				 * Returns: 0 on success, -1 on failure. errno is set to EEXIST when there's not a match

				 */

				int aa_features_check(int dirfd, const char *path,

						      aa_features *features)

				{

					aa_features *local_features = NULL;

					autofree char *name = NULL;

					bool rc;

					int len;

					len = asprintf(&name, "%s/%s", path, CACHE_FEATURES_FILE);

					if (len == -1) {

						errno = ENOMEM;

						return -1;

					}

					/* verify that path dir .features matches */

					if (aa_features_new(&local_features, dirfd, name)) {

						PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);

						return -1;

					}

					rc = aa_features_is_equal(local_features, features);

					aa_features_unref(local_features);

					if (!rc) {

						errno = EEXIST;

						return -1;

					}

					return 0;

				}

				static const char *features_lookup(aa_features *features, const char *str)

				{

					const char *features_string = features->string;

11

libraries/libapparmor/src/grammar.y

View File

@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
 %token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
 %token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -185,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
 %token TOK_KEY_CLASS
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -246,7 +249,7 @@ syslog_type:
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	| syslog_date syslog_id TOK_DMESG_STAMP key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	/* needs update: hard newline in handling mutiline log messages */
 	/* needs update: hard newline in handling multiline log messages */
 	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_partial_tail
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($3); }
 	| syslog_date syslog_id TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id audit_user_msg_tail
@@ -351,6 +354,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
 	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
 	{ free($3);} /* Ignore - fsuid username */
 	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
 	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
@@ -425,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 		ret_record->event = AA_RECORD_INVALID;
 		ret_record->info = $1;
 	}
 	| TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->class = $3; }
 	;
 apparmor_event:

									
										133

libraries/libapparmor/src/kernel.c
									
												View File
												
				@@ -463,7 +463,7 @@ static char *procattr_path(pid_t pid, const char *attr)

				static int procattr_open(pid_t tid, const char *attr, int flags)

				{

					char *tmp;

					autofree char *tmp = NULL;

					int fd;

					tmp = procattr_path(tid, attr);

				@@ -471,7 +471,7 @@ static int procattr_open(pid_t tid, const char *attr, int flags)

						return -1;

					}

					fd = open(tmp, flags);

					free(tmp);

					/* Test is we can fallback to the old interface (this is ugly).

					 * If we haven't tried the old interface already

					 *    proc_attr_base == proc_attr_base_old - no fallback

				@@ -483,11 +483,14 @@ static int procattr_open(pid_t tid, const char *attr, int flags)

					 *       old interface where is_enabled() is only successful if

					 *       the old interface is available to apparmor.

					 */

					if (fd == -1 && tmp != proc_attr_base_old && param_check_enabled() != 0) {

						if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0)

							return -1;

						fd = open(tmp, flags);

					if (fd == -1 && param_check_enabled() != 0 && strncmp(tmp, proc_attr_base_old, strlen(proc_attr_base_old)) != 0) {

						free(tmp);

						if (asprintf(&tmp, proc_attr_base_old, tid, attr) < 0) {

							/* tmp is undefined, make sure it is null for autofree*/

							tmp = NULL;

							return -1;

						}

						fd = open(tmp, flags);

					}

					return fd;

				@@ -1355,3 +1358,121 @@ int aa_query_link_path(const char *label, const char *target, const char *link,

								      strlen(target), link, strlen(link),

								      allowed, audited);

				}

				static int alloc_substring(char ***v, char *s, char *p,

							   size_t max_size, size_t n, bool immutable)

				{

					if (max_size) {

						if (n >= max_size) {

							errno = E2BIG;

							return -1;

						}

					} else {

						char ** tmpv;

						tmpv = (char **) realloc(*v, (n + 1) * sizeof(char *));

						if (tmpv == NULL) {

							errno = ENOMEM;

							return -1;

						}

						*v = tmpv;

					}

					if (immutable) {

						char *tmp;

						tmp = (char *) malloc(p - s + 1);

						if (tmp == NULL) {

							errno = ENOMEM;

							return -1;

						}

						memcpy(tmp, s, p - s);

						tmp[p - s] = 0;

						(*v)[n] = tmp;

					} else {

						(*v)[n] = s;

						if (*p)

							*p = 0;

					}

					return 0;

				}

				/**

				 * aa_split_overlay_str - split a string into potentially multiple strings

				 * @str: the string to split

				 * @vec: vector to put string pointers into, IF null will be allocated

				 * @max_size: maximum number of ents to put in @vec, IF 0 dynamic

				 * @immutable: true if @str should not be modified.

				 *

				 * Returns: the number of entries in vec on success. -1 on error and errno set.

				 *

				 * Split a comma or colon separated string into substrings.

				 *

				 * IF @vec == NULL

				 *    the vec will be dynamically allocated

				 * ELSE

				 *    passed in @vec will be used, and NOT updated/extended

				 *

				 * IF @max_size == 0 && @vec == NULL

				 *    @vec will be dynamically resized

				 * ELSE

				 *    @vec will be fixed at @max_size

				 *

				 * IF @immutable is true

				 *    the substrings placed in @vec will be allocated copies.

				 * ELSE

				 *    @str will be updated in place and @vec[x] will point into @str

				 */

				int aa_split_overlay_str(char *str, char ***vec, size_t max_size, bool immutable)

				{

					char *s = str;

					char *p = str;

					int rc, n = 0;

					char **v = *vec;

					if (!*vec) {

						if (max_size) {

							v = (char **) malloc(max_size * sizeof(char *));

							if (v == NULL) {

								rc = ENOMEM;

								goto err;

							}

						}

					}

					while (*p) {

						if (*p == '\\') {

							if (*(p + 1) != 0)

								p++;

						} else if (*p == ',' || *p == ':') {

							if (p != s) {

								if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {

									rc = errno;

									goto err;

								}

								n++;

							}

							p++;

							s = p;

						} else

							p++;

					}

					if (p != s) {

						if (alloc_substring(&v, s, p, max_size, n, immutable) == -1) {

							rc = errno;

							goto err;

						}

						n++;

					}

					*vec = v;

					return n;

				err:

					if (immutable) {

						for (int i = 0; i < n; i++) {

							free(v[i]);

						}

					}

					if (!*vec)

						free(v);

					errno = rc;

					return -1;

				}

									
										2

libraries/libapparmor/src/libaalogparse.c
									
												View File
												
				@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)

							free(record->flags);

						if (record->src_name != NULL)

							free(record->src_name);

						if (record->class != NULL)

							free(record->class);

						free(record);

					}

7

libraries/libapparmor/src/libapparmor.map

View File

@@ -124,6 +124,13 @@ APPARMOR_3.0 {
 	*;
 } APPARMOR_2.13.1;
 APPARMOR_3.1 {
   global:
 	aa_features_check;
   local:
 	*;
 } APPARMOR_3.0;
 PRIVATE {
 	global:
 		_aa_is_blacklisted;

									
										42

libraries/libapparmor/src/policy_cache.c
									
												View File
												
				@@ -147,36 +147,6 @@ repeat:

					return path;

				}

				static int cache_check_features(int dirfd, const char *cache_name,

								aa_features *features)

				{

					aa_features *local_features = NULL;

					autofree char *name = NULL;

					bool rc;

					int len;

					len = asprintf(&name, "%s/%s", cache_name, CACHE_FEATURES_FILE);

					if (len == -1) {

						errno = ENOMEM;

						return -1;

					}

					/* verify that cache dir .features matches */

					if (aa_features_new(&local_features, dirfd, name)) {

						PDEBUG("could not setup new features object for dirfd '%d' '%s'\n", dirfd, name);

						return -1;

					}

					rc = aa_features_is_equal(local_features, features);

					aa_features_unref(local_features);

					if (!rc) {

						errno = EEXIST;

						return -1;

					}

					return 0;

				}

				static int create_cache(aa_policy_cache *policy_cache, aa_features *features)

				{

					if (aa_policy_cache_remove(policy_cache->dirfd[0], "."))

				@@ -194,8 +164,8 @@ static int create_cache(aa_policy_cache *policy_cache, aa_features *features)

				static int init_cache_features(aa_policy_cache *policy_cache,

							       aa_features *kernel_features, bool create)

				{

					if (cache_check_features(policy_cache->dirfd[0], ".",

								 kernel_features)) {

					if (aa_features_check(policy_cache->dirfd[0], ".",

							      kernel_features)) {

						/* EEXIST must come before ENOENT for short circuit eval */

						if (!create || errno == EEXIST || errno != ENOENT)

							return -1;

				@@ -231,13 +201,13 @@ static int cache_miss_cb(int dirfd, const struct dirent *ent, void *arg)

						errno = ENOMEM;

						return -1;

					}

					if (!cache_check_features(dirfd, cache_name, data->features) || errno == ENOENT) {

					if (!aa_features_check(dirfd, cache_name, data->features) || errno == ENOENT) {

						/* found cache dir matching pattern */

						data->cache_name = cache_name;

						/* return 1 to stop iteration and signal dir found */

						return 1;

					}  else if (errno != EEXIST) {

						PDEBUG("cache_check_features() failed for dirfd '%d' '%s'\n", dirfd, cache_name);

						PDEBUG("aa_features_check() failed for dirfd '%d' '%s'\n", dirfd, cache_name);

						free(cache_name);

						return -1;

					}

				@@ -273,12 +243,12 @@ static int cache_dir_from_path_and_features(char **cache_path,

					if (len == -1)

						return -1;

					if (!cache_check_features(dirfd, cache_dir, features) || errno == ENOENT) {

					if (!aa_features_check(dirfd, cache_dir, features) || errno == ENOENT) {

						PDEBUG("cache_dir_from_path_and_features() found '%s'\n", cache_dir);

						*cache_path = cache_dir;

						return 0;

					} else if (errno != EEXIST) {

						PDEBUG("cache_check_features() failed for dirfd '%d' %s\n", dirfd, cache_dir);

						PDEBUG("aa_features_check() failed for dirfd '%d' %s\n", dirfd, cache_dir);

						free(cache_dir);

						return -1;

					}

24

libraries/libapparmor/src/scanner.l

View File

@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)
 %}
 ws		[ \t\r\n]
 ws		[ \t\r\n\x1d]
 equals		"="
 digit		[[:digit:]]
@@ -121,6 +121,8 @@ key_namespace		"namespace"
 key_mask		"mask"
 key_denied_mask		"denied_mask"
 key_requested_mask	"requested_mask"
 key_denied		"denied"
 key_requested		"requested"
 key_attribute		"attribute"
 key_task		"task"
 key_parent		"parent"
@@ -138,7 +140,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
 key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
 key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -153,19 +157,26 @@ key_capname		"capname"
 key_offset		"offset"
 key_target		"target"
 key_laddr		"laddr"
 key_saddr		"saddr"
 key_faddr		"faddr"
 key_daddr		"daddr"
 key_lport		"lport"
 key_srcport		"src"
 key_fport		"fport"
 key_destport		"dest"
 key_bus			"bus"
 key_dest		"dest"
 key_path		"path"
 key_interface		"interface"
 key_member		"member"
 key_method		"method"
 key_signal		"signal"
 key_peer		"peer"
 key_fstype		"fstype"
 key_flags		"flags"
 key_srcname		"srcname"
 key_class		"class"
 key_tcontext		"tcontext"
 audit			"audit"
 /* network addrs */
@@ -307,6 +318,8 @@ yy_flex_debug = 0;
 {key_mask}		{ return(TOK_KEY_MASK); }
 {key_denied_mask}	{ return(TOK_KEY_DENIED_MASK); }
 {key_requested_mask}	{ return(TOK_KEY_REQUESTED_MASK); }
 {key_denied}		{ return(TOK_KEY_DENIED_MASK); }
 {key_requested}		{ return(TOK_KEY_REQUESTED_MASK); }
 {key_attribute}		{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
 {key_task}		{ return(TOK_KEY_TASK); }
 {key_parent}		{ return(TOK_KEY_PARENT); }
@@ -319,12 +332,15 @@ yy_flex_debug = 0;
 {key_peer_profile}	{ BEGIN(safe_string); return(TOK_KEY_PEER_PROFILE); }
 {key_label}		{ BEGIN(safe_string); return(TOK_KEY_LABEL); }
 {key_peer_label}	{ BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
 {key_tcontext}		{ BEGIN(safe_string); return(TOK_KEY_PEER_LABEL); }
 {key_family}		{ return(TOK_KEY_FAMILY); }
 {key_sock_type}		{ return(TOK_KEY_SOCK_TYPE); }
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
 {key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
@@ -339,18 +355,24 @@ yy_flex_debug = 0;
 {key_offset}		{ return(TOK_KEY_OFFSET); }
 {key_target}		{ return(TOK_KEY_TARGET); }
 {key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_saddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
 {key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_daddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
 {key_lport}		{ return(TOK_KEY_LPORT); }
 {key_srcport}		{ return(TOK_KEY_LPORT); }
 {key_fport}		{ return(TOK_KEY_FPORT); }
 {key_destport}		{ return(TOK_KEY_FPORT); }
 {key_bus}		{ return(TOK_KEY_BUS); }
 {key_path}		{ return(TOK_KEY_PATH); }
 {key_interface}		{ return(TOK_KEY_INTERFACE); }
 {key_member}		{ return(TOK_KEY_MEMBER); }
 {key_method}		{ return(TOK_KEY_MEMBER); }
 {key_signal}		{ BEGIN(sub_id); return(TOK_KEY_SIGNAL); }
 {key_peer}		{ BEGIN(safe_string); return(TOK_KEY_PEER); }
 {key_fstype}		{ return(TOK_KEY_FSTYPE); }
 {key_flags}		{ BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname}		{ BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
 {key_class}		{ BEGIN(safe_string); return(TOK_KEY_CLASS); }
 {socklogd_kernel}	{ BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }

									
										2

libraries/libapparmor/swig/python/Makefile.am
									
												View File
												
				@@ -14,7 +14,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py

				all-local: libapparmor_wrap.c setup.py

					if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi

					CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build

					CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build

				install-exec-local:

					$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"

									
										10

libraries/libapparmor/swig/python/test/buildpath.py
									
												View File
												
				@@ -1,10 +1,14 @@

				#!/usr/bin/python3

				# the build path has changed in setuptools 61.2

				# the build path has changed in setuptools 62.1:

				# https://github.com/pypa/setuptools/commit/1c23f5e1e4b18b50081cbabb2dea22bf345f5894

				import sys

				import sysconfig

				import setuptools

				if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2):

				if tuple(map(int, setuptools.__version__.split("."))) >= (62, 1):

				    identifier = sys.implementation.cache_tag

				else:

				    identifier = "%d.%d" % sys.version_info[:2]

				print("lib.%s-%s" % (sysconfig.get_platform(), identifier))

				print("lib.{}-{}".format(sysconfig.get_platform(), identifier))

									
										25

libraries/libapparmor/swig/python/test/test_python.py.in
									
												View File
												
				@@ -13,6 +13,7 @@

				import ctypes

				import os

				import unittest

				import LibAppArmor as libapparmor

				TESTDIR = "../../../testsuite/test_multi"

				@@ -34,6 +35,7 @@ OUTPUT_MAP = {

				    'Local port':       'net_local_port',

				    'Foreign port':     'net_foreign_port',

				    'Audit subid':      'audit_sub_id',

				    'Class':            '_class',

				}

				# FIXME: pull this automatically out of LibAppArmor, but swig

				@@ -62,8 +64,8 @@ class AAPythonBindingsTests(unittest.TestCase):

				        self.maxDiff = None

				    def _runtest(self, testname):

				        infile = "%s.in" % (testname)

				        outfile = "%s.out" % (testname)

				        infile = testname + ".in"

				        outfile = testname + ".out"

				        # infile *should* only contain one line

				        with open(os.path.join(TESTDIR, infile), 'r') as f:

				            line = f.read()

				@@ -75,11 +77,11 @@ class AAPythonBindingsTests(unittest.TestCase):

				        expected = self.parse_output_file(outfile)

				        self.assertEqual(expected, record,

				                          "expected records did not match\n" +

				                          "expected = %s\nactual = %s" % (expected, record))

				                         "expected records did not match\n"

				                         "expected = {}\nactual = {}".format(expected, record))

				    def parse_output_file(self, outfile):

				        '''parse testcase .out file and return dict'''

				        """parse testcase .out file and return dict"""

				        output = dict()

				        with open(os.path.join(TESTDIR, outfile), 'r') as f:

				@@ -91,7 +93,7 @@ class AAPythonBindingsTests(unittest.TestCase):

				            count += 1

				            if line == "START":

				                self.assertEqual(count, 1,

				                                  "Unexpected output format in %s" % (outfile))

				                                 "Unexpected output format in " + outfile)

				                continue

				            else:

				                key, value = line.split(": ", 1)

				@@ -105,10 +107,10 @@ class AAPythonBindingsTests(unittest.TestCase):

				        return output

				    def create_record_dict(self, record):

				        '''parse the swig created record and construct a dict from it'''

				        """parse the swig created record and construct a dict from it"""

				        new_record = dict()

				        for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:

				        for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:

				            value = getattr(record, key)

				            if key == "event" and value in EVENT_MAP:

				                new_record[key] = EVENT_MAP[value]

				@@ -128,7 +130,7 @@ class AAPythonBindingsTests(unittest.TestCase):

				def find_testcases(testdir):

				    '''dig testcases out of passed directory'''

				    """dig testcases out of passed directory"""

				    for f in os.listdir(testdir):

				        if f.endswith(".in"):

				@@ -139,9 +141,10 @@ def main():

				    for f in find_testcases(TESTDIR):

				        def stub_test(self, testname=f):

				            self._runtest(testname)

				        stub_test.__doc__ = "test %s" % (f)

				        setattr(AAPythonBindingsTests, 'test_%s' % (f), stub_test)

				        stub_test.__doc__ = "test " + f

				        setattr(AAPythonBindingsTests, 'test_' + f, stub_test)

				    return unittest.main(verbosity=2)

				if __name__ == "__main__":

				    main()

									
										2

libraries/libapparmor/testsuite/test_multi.c
									
												View File
												
				@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)

						print_string("Flags", record->flags);

						print_string("Src name", record->src_name);

						print_string("Class", record->class);

						print_long("Epoch", record->epoch, 0);

						print_long("Audit subid", (long) record->audit_sub_id, 0);

					return(0);

0

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in Normal file

View File

				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"`

15

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out Normal file

View File

@@ -0,0 +1,15 @@
 START
 File: 0x1d-uppercase-FSUID-OUID.in
 Event type: AA_RECORD_ALLOWED
 Audit ID: 1661734785.992:270
 Operation: open
 Mask: r
 Denied Mask: r
 fsuid: 1000
 ouid: 0
 Profile: /usr/bin/dolphin
 Name: /home/otis/.config/kdedefaults/kdeglobals
 Command: dolphin
 PID: 3483
 Epoch: 1661734785
 Audit subid: 270

4

libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile Normal file

View File

@@ -0,0 +1,4 @@
 /usr/bin/dolphin {
   /home/otis/.config/kdedefaults/kdeglobals r,
 }

0

libraries/libapparmor/testsuite/test_multi/file_xm.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/file_xm.in Normal file

View File

				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1676978994.840:1493): apparmor="DENIED" operation="link" profile="cargo" name="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib" pid=12412 comm="cargo" requested_mask="xm" denied_mask="xm" fsuid=250 ouid=250 target="/var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib"FSUID="portage" OUID="portage"`

16

libraries/libapparmor/testsuite/test_multi/file_xm.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: file_xm.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1676978994.840:1493
 Operation: link
 Mask: xm
 Denied Mask: xm
 fsuid: 250
 ouid: 250
 Profile: cargo
 Name: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib
 Command: cargo
 Name2: /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/deps/libbootstrap-4542dd99e796257e.rlib
 PID: 12412
 Epoch: 1676978994
 Audit subid: 1493

4

libraries/libapparmor/testsuite/test_multi/file_xm.profile Normal file

View File

@@ -0,0 +1,4 @@
 profile cargo {
   owner /var/tmp/portage/dev-lang/rust-1.67.1/work/rustc-1.67.1-src/build/bootstrap/debug/libbootstrap.rlib m,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Dec 15 17:32:17 kinetic kernel: [4835959.046111] audit: type=1107 audit(1671125537.724:209): pid=7308 uid=0 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" method="Hello" mask="send" label="/tmp/apparmor/tests/regression/apparmor/dbus_message" peer_label="unconfined" exe="/usr/local/bin/dbus-broker" sauid=0 hostname=? addr=? terminal=?'`

15

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out Normal file

View File

@@ -0,0 +1,15 @@
 START
 File: testcase_dbus_11.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1671125537.724:209
 Operation: dbus_method_call
 Denied Mask: send
 Profile: /tmp/apparmor/tests/regression/apparmor/dbus_message
 Peer profile: unconfined
 Command: /usr/local/bin/dbus-broker
 DBus bus: session
 DBus path: /org/freedesktop/DBus
 DBus interface: org.freedesktop.DBus
 DBus member: Hello
 Epoch: 1671125537
 Audit subid: 209

4

libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile Normal file

View File

@@ -0,0 +1,4 @@
 /tmp/apparmor/tests/regression/apparmor/dbus_message {
   dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(label=unconfined),
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.in Normal file

View File

				`@@ -0,0 +1 @@`
				`[ 4584.703379] audit: type=1400 audit(1680266735.359:69): apparmor="DENIED" operation="uring_sqpoll" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1320 comm="io_uring" requested="sqpoll" denied="sqpoll"`

13

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.out Normal file

View File

@@ -0,0 +1,13 @@
 START
 File: testcase_io_uring_01.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1680266735.359:69
 Operation: uring_sqpoll
 Mask: sqpoll
 Denied Mask: sqpoll
 Profile: /root/apparmor/tests/regression/apparmor/io_uring
 Command: io_uring
 PID: 1320
 Class: io_uring
 Epoch: 1680266735
 Audit subid: 69

4

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/io_uring {
   io_uring sqpoll,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.in Normal file

View File

				`@@ -0,0 +1 @@`
				`[ 4584.491076] audit: type=1400 audit(1680266735.147:63): apparmor="DENIED" operation="uring_override" class="io_uring" profile="/root/apparmor/tests/regression/apparmor/io_uring" pid=1193 comm="io_uring" requested="override_creds" denied="override_creds" tcontext="/root/apparmor/tests/regression/apparmor/io_uring"`

14

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.out Normal file

View File

@@ -0,0 +1,14 @@
 START
 File: testcase_io_uring_02.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1680266735.147:63
 Operation: uring_override
 Mask: override_creds
 Denied Mask: override_creds
 Profile: /root/apparmor/tests/regression/apparmor/io_uring
 Peer profile: /root/apparmor/tests/regression/apparmor/io_uring
 Command: io_uring
 PID: 1193
 Class: io_uring
 Epoch: 1680266735
 Audit subid: 63

4

libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/io_uring {
   io_uring override_creds label=/root/apparmor/tests/regression/apparmor/io_uring,
 }

2

libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile

View File

@@ -1,4 +1,4 @@
 /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mount {
   mount fstype=ext2 options="rw, mand" /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
   mount fstype=(ext2) options=(mand, rw) /dev/loop0/ -> /tmp/sdtest.19033-29001-MPfz98/mountpoint/,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in Normal file

View File

				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1715045678.914:344186): apparmor="ALLOWED" operation="mount" info="failed flags match" error=-13 profile="steam" name="/newroot/dev/" pid=26487 comm="srt-bwrap" flags="rw, nosuid, nodev, remount, bind, silent, relatime"`

14

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out Normal file

View File

@@ -0,0 +1,14 @@
 START
 File: testcase_mount_02.in
 Event type: AA_RECORD_ALLOWED
 Audit ID: 1715045678.914:344186
 Operation: mount
 Profile: steam
 Name: /newroot/dev/
 Command: srt-bwrap
 Info: failed flags match
 ErrorCode: 13
 PID: 26487
 Flags: rw, nosuid, nodev, remount, bind, silent, relatime
 Epoch: 1715045678
 Audit subid: 344186

4

libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile Normal file

View File

@@ -0,0 +1,4 @@
 profile steam {
   mount options=(bind, nodev, nosuid, relatime, remount, rw, silent) -> /newroot/dev/,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Apr 05 19:36:19 ubuntu kernel: audit: type=1400 audit(1649187379.660:255): apparmor="DENIED" operation="create" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=791 comm="posix_mq_rcv" requested="create" denied="create" class="posix_mqueue" fsuid=0 ouid=0`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_01.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1649187379.660:255
 Operation: create
 Mask: create
 Denied Mask: create
 fsuid: 0
 ouid: 0
 Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
 Name: /queuename
 Command: posix_mq_rcv
 PID: 791
 Class: posix_mqueue
 Epoch: 1649187379
 Audit subid: 255

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/posix_mq_rcv {
   mqueue create type=posix /queuename,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.err Normal file

View File

2

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in Normal file

View File

				`@@ -0,0 +1,2 @@`
				`Apr 05 19:36:29 ubuntu kernel: audit: type=1400 audit(1649187389.828:262): apparmor="DENIED" operation="open" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=848 comm="posix_mq_rcv" requested="read create" denied="read" class="posix_mqueue" fsuid=0 ouid=0`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_02.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1649187389.828:262
 Operation: open
 Mask: read create
 Denied Mask: read
 fsuid: 0
 ouid: 0
 Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
 Name: /queuename
 Command: posix_mq_rcv
 PID: 848
 Class: posix_mqueue
 Epoch: 1649187389
 Audit subid: 262

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/posix_mq_rcv {
   mqueue read type=posix /queuename,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Apr 05 19:36:39 ubuntu kernel: audit: type=1400 audit(1649187399.973:265): apparmor="DENIED" operation="unlink" profile="/root/apparmor/tests/regression/apparmor/posix_mq_rcv" name="/queuename" pid=897 comm="posix_mq_rcv" requested="delete" denied="delete" class="posix_mqueue" fsuid=0 ouid=0`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_03.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1649187399.973:265
 Operation: unlink
 Mask: delete
 Denied Mask: delete
 fsuid: 0
 ouid: 0
 Profile: /root/apparmor/tests/regression/apparmor/posix_mq_rcv
 Name: /queuename
 Command: posix_mq_rcv
 PID: 897
 Class: posix_mqueue
 Epoch: 1649187399
 Audit subid: 265

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/posix_mq_rcv {
   mqueue delete type=posix /queuename,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Jun 02 16:58:20 ubuntu kernel: audit: type=1400 audit(1654189100.680:1011): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=13574 comm="sysv_mq_rcv" requested="create" denied="create" class="sysv_mqueue" fsuid=0 ouid=0`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_04.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1654189100.680:1011
 Operation: sysv_mqueue
 Mask: create
 Denied Mask: create
 fsuid: 0
 ouid: 0
 Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
 Name: 123
 Command: sysv_mq_rcv
 PID: 13574
 Class: sysv_mqueue
 Epoch: 1654189100
 Audit subid: 1011

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
   mqueue create type=sysv 123,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Jun 02 17:15:45 ubuntu kernel: audit: type=1400 audit(1654190145.439:1135): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=15849 comm="sysv_mq_snd" requested="open" denied="open" class="sysv_mqueue"`

14

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.out Normal file

View File

@@ -0,0 +1,14 @@
 START
 File: testcase_mqueue_05.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1654190145.439:1135
 Operation: sysv_mqueue
 Mask: open
 Denied Mask: open
 Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
 Name: 123
 Command: sysv_mq_snd
 PID: 15849
 Class: sysv_mqueue
 Epoch: 1654190145
 Audit subid: 1135

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/sysv_mq_snd {
   mqueue open type=sysv 123,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Jun 02 17:15:37 ubuntu kernel: audit: type=1400 audit(1654190137.559:1122): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15632 comm="sysv_mq_rcv" requested="read" denied="read" class="sysv_mqueue" fsuid=0 ouid=0`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_06.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1654190137.559:1122
 Operation: sysv_mqueue
 Mask: read
 Denied Mask: read
 fsuid: 0
 ouid: 0
 Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
 Name: 123
 Command: sysv_mq_rcv
 PID: 15632
 Class: sysv_mqueue
 Epoch: 1654190137
 Audit subid: 1122

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
   mqueue read type=sysv 123,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Jun 02 17:15:51 ubuntu kernel: audit: type=1400 audit(1654190151.003:1145): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_rcv" name="123" pid=15973 comm="sysv_mq_rcv" requested="delete" denied="delete" class="sysv_mqueue" fsuid=1001 ouid=1001`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_07.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1654190151.003:1145
 Operation: sysv_mqueue
 Mask: delete
 Denied Mask: delete
 fsuid: 1001
 ouid: 1001
 Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_rcv
 Name: 123
 Command: sysv_mq_rcv
 PID: 15973
 Class: sysv_mqueue
 Epoch: 1654190151
 Audit subid: 1145

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_07.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/sysv_mq_rcv {
   mqueue delete type=sysv 123,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.in Normal file

View File

				`@@ -0,0 +1 @@`
				`Jun 02 17:15:55 ubuntu kernel: audit: type=1400 audit(1654190155.699:1155): apparmor="DENIED" operation="sysv_mqueue" profile="/root/apparmor/tests/regression/apparmor/sysv_mq_snd" name="123" pid=16148 comm="sysv_mq_snd" requested="write" denied="write" class="sysv_mqueue" fsuid=1001 ouid=1001`

16

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.out Normal file

View File

@@ -0,0 +1,16 @@
 START
 File: testcase_mqueue_08.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1654190155.699:1155
 Operation: sysv_mqueue
 Mask: write
 Denied Mask: write
 fsuid: 1001
 ouid: 1001
 Profile: /root/apparmor/tests/regression/apparmor/sysv_mq_snd
 Name: 123
 Command: sysv_mq_snd
 PID: 16148
 Class: sysv_mqueue
 Epoch: 1654190155
 Audit subid: 1155

4

libraries/libapparmor/testsuite/test_multi/testcase_mqueue_08.profile Normal file

View File

@@ -0,0 +1,4 @@
 /root/apparmor/tests/regression/apparmor/sysv_mq_snd {
   mqueue write type=sysv 123,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.in Normal file

View File

				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1709108389.303:12383): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/home/user/test/testmount" name="/tmp/foo/" pid=14155 comm="testmount" flags="ro, remount"`

15

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.out Normal file

View File

@@ -0,0 +1,15 @@
 START
 File: testcase_remount_01.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1709108389.303:12383
 Operation: mount
 Profile: /home/user/test/testmount
 Name: /tmp/foo/
 Command: testmount
 Info: failed mntpnt match
 ErrorCode: 13
 PID: 14155
 Flags: ro, remount
 Class: mount
 Epoch: 1709108389
 Audit subid: 12383

4

libraries/libapparmor/testsuite/test_multi/testcase_remount_01.profile Normal file

View File

@@ -0,0 +1,4 @@
 /home/user/test/testmount {
   mount options=(remount, ro) -> /tmp/foo/,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.in Normal file

View File

				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1709025786.045:43147): apparmor="DENIED" operation="umount" class="mount" profile="/home/user/test/testmount" name="/mnt/a/" pid=26697 comm="testmount"`

12

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.out Normal file

View File

@@ -0,0 +1,12 @@
 START
 File: testcase_umount_01.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1709025786.045:43147
 Operation: umount
 Profile: /home/user/test/testmount
 Name: /mnt/a/
 Command: testmount
 PID: 26697
 Class: mount
 Epoch: 1709025786
 Audit subid: 43147

4

libraries/libapparmor/testsuite/test_multi/testcase_umount_01.profile Normal file

View File

@@ -0,0 +1,4 @@
 /home/user/test/testmount {
   umount /mnt/a/,
 }

0

libraries/libapparmor/testsuite/test_multi/testcase_userns_01.err Normal file

View File

1

libraries/libapparmor/testsuite/test_multi/testcase_userns_01.in Normal file

View File

				`@@ -0,0 +1 @@`
				`[ 176.385388] audit: type=1400 audit(1666891380.570:78): apparmor="DENIED" operation="userns_create" class="namespace" profile="/usr/bin/userns_child_exec" pid=1785 comm="userns_child_ex" requested="userns_create" denied="userns_create"`

13

libraries/libapparmor/testsuite/test_multi/testcase_userns_01.out Normal file

View File

@@ -0,0 +1,13 @@
 START
 File: testcase_userns_01.in
 Event type: AA_RECORD_DENIED
 Audit ID: 1666891380.570:78
 Operation: userns_create
 Mask: userns_create
 Denied Mask: userns_create
 Profile: /usr/bin/userns_child_exec
 Command: userns_child_ex
 PID: 1785
 Class: namespace
 Epoch: 1666891380
 Audit subid: 78

4

libraries/libapparmor/testsuite/test_multi/testcase_userns_01.profile Normal file

View File

@@ -0,0 +1,4 @@
 /usr/bin/userns_child_exec {
   userns create,
 }

									
										125

parser/Makefile
									
												View File
												
				@@ -60,7 +60,7 @@ WARNINGS = -Wall

				CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}

				CPP_WARNINGS =

				ifndef CFLAGS

				CFLAGS	= -g -O2 -pipe -flto-partition=none

				CFLAGS	= -g -O2 -pipe

				ifdef DEBUG

				CFLAGS += -pg -D DEBUG

				@@ -70,6 +70,11 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage

				endif

				endif #CFLAGS

				HAVE_FLTO_PARTITION_NONE:=$(shell ${CC} -E -flto-partition=none /dev/null 1>/dev/null 2>&1 && echo true)

				ifeq ($(HAVE_FLTO_PARTITION_NONE),true)

					CFLAGS += -flto-partition=none

				endif

				EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x

				EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}

				@@ -97,12 +102,21 @@ EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"

				SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \

				       parser_main.c parser_misc.c parser_merge.c parser_symtab.c \

				       parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \

				       parser_alias.c common_optarg.c lib.c network.c \

				       parser_alias.c common_optarg.c lib.c network.cc \

				       mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \

				       af_rule.cc af_unix.cc policy_cache.c default_features.c

				HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \

				       rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \

				       policy_cache.h file_cache.h

				       af_rule.cc af_unix.cc policy_cache.c default_features.c userns.cc \

				       mqueue.cc io_uring.cc all_rule.cc

				STATIC_HDRS = af_rule.h af_unix.h capability.h common_optarg.h dbus.h \

				       file_cache.h immunix.h lib.h mount.h network.h parser.h \

				       parser_include.h parser_version.h policy_cache.h policydb.h \

				       profile.h ptrace.h rule.h signal.h userns.h mqueue.h io_uring.h \

				       common_flags.h bignum.h all_rule.h

				SPECIAL_HDRS = parser_yacc.h unit_test.h base_cap_names.h

				GENERATED_HDRS = af_names.h generated_af_names.h \

				       cap_names.h generated_cap_names.h parser_version.h

				LIBAA_HDRS = libapparmor_re/apparmor_re.h libapparmor_re/aare_rules.h

				TOOLS = apparmor_parser

				OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))

				@@ -164,8 +178,11 @@ else

				endif

				export Q VERBOSE BUILD_OUTPUT

				po/${NAME}.pot: ${SRCS} ${HDRS}

					$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"

				HDRS=$(STATIC_HDRS) $(GENERATED_HDRS) parser_yacc.h $(LIBAA_HDRS) $(APPARMOR_H)

				po/${NAME}.pot: ${SRCS} ${STATIC_HDRS}

					$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${STATIC_HDRS}"

				techdoc.pdf: techdoc.tex

					timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\

				@@ -215,88 +232,100 @@ apparmor_parser: $(OBJECTS) $(AAREOBJECTS) $(LIBAPPARMOR_A)

					$(CXX) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \

					      ${LEXLIB}  $(AAREOBJECTS) $(AARE_LDFLAGS) $(AALIB)

				parser_yacc.c parser_yacc.h: parser_yacc.y parser.h profile.h file_cache.h

				parser_yacc.c parser_yacc.h: parser_yacc.y $(STATIC_HDRS) $(DYNAMIC_HDRS)

					$(YACC) $(YFLAGS) -o parser_yacc.c parser_yacc.y

				parser_lex.c: parser_lex.l parser_yacc.h parser.h profile.h mount.h dbus.h policy_cache.h file_cache.h

				parser_lex.c: parser_lex.l $(HDRS)

					$(LEX) ${LEXFLAGS} -o$@ $<

				parser_lex.o: parser_lex.c parser.h parser_yacc.h

				parser_lex.o: parser_lex.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_misc.o: parser_misc.c parser.h parser_yacc.h profile.h cap_names.h $(APPARMOR_H)

				parser_misc.o: parser_misc.c $(HDRS) unit_test.h

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_yacc.o: parser_yacc.c parser_yacc.h $(APPARMOR_H)

				parser_yacc.o: parser_yacc.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_main.o: parser_main.c parser.h parser_version.h policy_cache.h file_cache.h libapparmor_re/apparmor_re.h $(APPARMOR_H)

				parser_main.o: parser_main.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_interface.o: parser_interface.c parser.h profile.h libapparmor_re/apparmor_re.h

				parser_interface.o: parser_interface.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_include.o: parser_include.c parser.h parser_include.h file_cache.h

				parser_include.o: parser_include.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_merge.o: parser_merge.c parser.h profile.h

				parser_merge.o: parser_merge.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_regex.o: parser_regex.c parser.h profile.h libapparmor_re/apparmor_re.h libapparmor_re/aare_rules.h $(APPARMOR_H)

				parser_regex.o: parser_regex.c $(HDRS) unit_test.h

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_symtab.o: parser_symtab.c parser.h

				parser_symtab.o: parser_symtab.c $(HDRS) unit_test.h

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_variable.o: parser_variable.c parser.h profile.h

				parser_variable.o: parser_variable.c $(HDRS) unit_test.h

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_policy.o: parser_policy.c parser.h parser_yacc.h profile.h

				parser_policy.o: parser_policy.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_alias.o: parser_alias.c parser.h profile.h

				parser_alias.o: parser_alias.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_common.o: parser_common.c parser.h file_cache.h

				parser_common.o: parser_common.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				mount.o: mount.cc mount.h parser.h immunix.h rule.h

				mount.o: mount.cc mount.h $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				common_optarg.o: common_optarg.c common_optarg.h parser.h libapparmor_re/apparmor_re.h

				common_optarg.o: common_optarg.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				policy_cache.o: policy_cache.c policy_cache.h parser.h lib.h

				policy_cache.o: policy_cache.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				lib.o: lib.c lib.h parser.h

				lib.o: lib.c $(HDRS) unit_test.h

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				dbus.o: dbus.cc dbus.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)

				dbus.o: dbus.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				signal.o: signal.cc signal.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)

				signal.o: signal.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				ptrace.o: ptrace.cc ptrace.h parser.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)

				ptrace.o: ptrace.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				network.o: network.c network.h parser.h immunix.h parser_yacc.h rule.h af_names.h $(APPARMOR_H)

				network.o: network.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				default_features.o: default_features.c parser.h

				default_features.o: default_features.c $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				af_rule.o: af_rule.cc af_rule.h network.h parser.h profile.h immunix.h parser_yacc.h rule.h $(APPARMOR_H)

				af_rule.o: af_rule.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				af_unix.o: af_unix.cc af_unix.h network.h af_rule.h parser.h profile.h immunix.h parser_yacc.h $(APPARMOR_H)

				af_unix.o: af_unix.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				profile.o: profile.cc profile.h parser.h network.h

				profile.o: profile.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				rule.o: rule.cc rule.h policydb.h

				rule.o: rule.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				userns.o: userns.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				mqueue.o: mqueue.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				io_uring.o: io_uring.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				all_rule.o: all_rule.cc $(HDRS)

					$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

				parser_version.h: Makefile

				@@ -311,7 +340,7 @@ generated_af_names.h: ../common/list_af_names.sh

					../common/list_af_names.sh > $@

				af_names.h: generated_af_names.h base_af_names.h

					cat base_af_names.h | diff -u - generated_af_names.h | grep -v '^.AF_MAX' | grep '^\+[^+]' ; \

					@cat base_af_names.h | diff -u - generated_af_names.h | grep -v '^.AF_MAX' | grep '^\+[^+]' ; \

					if [ $$? -eq 1 ] ; then \

						cat base_af_names.h | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@ ; \

						cat base_af_names.h | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@ ; \

				@@ -350,13 +379,8 @@ tests: apparmor_parser ${TESTS}

				$(AAREOBJECT): FORCE

					$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"

				.PHONY: install-rhel4

				install-rhel4: install-redhat

				.PHONY: install-redhat

				install-redhat:

					install -m 755 -d $(DESTDIR)/etc/init.d

					install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor

				install-redhat: install-systemd

				.PHONY: install-suse

				install-suse: install-systemd

				@@ -384,12 +408,12 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \

					       elif [ -f /etc/debian_version ] ; then \

					         echo debian ;\

					       elif which rpm > /dev/null ; then \

					         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \

					         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \

					             echo suse ;\

					         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \

					            echo rhel4 ;\

					         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \

					            echo rhel4 ;\

					         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \

					            echo redhat ;\

					         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \

					            echo redhat ;\

					         else \

					            echo unknown ;\

					         fi ;\

				@@ -416,7 +440,6 @@ install-arch: $(INSTALLDEPS)

				install-indep: indep

					install -m 755 -d $(INSTALL_CONFDIR)

					install -m 644 parser.conf $(INSTALL_CONFDIR)

					install -m 755 -d ${DESTDIR}/var/lib/apparmor

					install -m 755 -d $(APPARMOR_BIN_PREFIX)

					install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)

					install -m 755 profile-load $(APPARMOR_BIN_PREFIX)

				@@ -441,10 +464,8 @@ clean: pod_clean

					rm -f $(TOOLS) $(TESTS)

					rm -f $(LEX_C_FILES)

					rm -f $(YACC_C_FILES)

					rm -f parser_version.h

					rm -f $(NAME)*.tar.gz $(NAME)*.tgz

					rm -f af_names.h generated_af_names.h

					rm -f cap_names.h generated_cap_names.h

					rm -f $(GENERATED_HDRS)

					rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/

					$(MAKE) -s -C $(AAREDIR) clean

					$(MAKE) -s -C po clean

Compare commits

761 Commits fix-dirtes ... v4.0.2

15 .gitignore vendored Unescape Escape View File

32 .gitlab-ci.yml Unescape Escape View File

3 README.md Unescape Escape View File

7 binutils/Makefile Unescape Escape View File

53 binutils/aa-status.pod Unescape Escape View File

408 binutils/aa_load.c Normal file Unescape Escape View File

942 binutils/aa_status.c View File

4 changehat/pam_apparmor/README Unescape Escape View File

11 changehat/tomcat_apparmor/tomcat_5_0/README.tomcat_apparmor Unescape Escape View File

11 changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor Unescape Escape View File

1 common/Make.rules Unescape Escape View File

2 common/Version Unescape Escape View File

BIN documentation/AppArmor_Developer_2-policy_layout_and_encoding.odt View File

8 libraries/libapparmor/configure.ac Unescape Escape View File

8 libraries/libapparmor/doc/aa_getcon.pod Unescape Escape View File

5 libraries/libapparmor/doc/aa_stack_profile.pod Unescape Escape View File

2 libraries/libapparmor/include/aalogparse.h Unescape Escape View File

4 libraries/libapparmor/include/sys/apparmor.h Unescape Escape View File

22 libraries/libapparmor/src/Makefile.am Unescape Escape View File

39 libraries/libapparmor/src/features.c Unescape Escape View File

11 libraries/libapparmor/src/grammar.y Unescape Escape View File

133 libraries/libapparmor/src/kernel.c Unescape Escape View File

2 libraries/libapparmor/src/libaalogparse.c Unescape Escape View File

7 libraries/libapparmor/src/libapparmor.map Unescape Escape View File

42 libraries/libapparmor/src/policy_cache.c Unescape Escape View File

24 libraries/libapparmor/src/scanner.l Unescape Escape View File

2 libraries/libapparmor/swig/python/Makefile.am Unescape Escape View File

10 libraries/libapparmor/swig/python/test/buildpath.py Unescape Escape View File

25 libraries/libapparmor/swig/python/test/test_python.py.in Unescape Escape View File

2 libraries/libapparmor/testsuite/test_multi.c Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in Normal file Unescape Escape View File

15 libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/file_xm.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/file_xm.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/file_xm.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/file_xm.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.in Normal file Unescape Escape View File

15 libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_dbus_11.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.in Normal file Unescape Escape View File

13 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_01.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.in Normal file Unescape Escape View File

14 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_io_uring_02.profile Normal file Unescape Escape View File

2 libraries/libapparmor/testsuite/test_multi/testcase_mount_01.profile Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.in Normal file Unescape Escape View File

14 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mount_02.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_01.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.err Normal file Unescape Escape View File

2 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_02.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_03.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_04.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.in Normal file Unescape Escape View File

14 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.out Normal file Unescape Escape View File

4 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_05.profile Normal file Unescape Escape View File

0 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.err Normal file Unescape Escape View File

1 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.in Normal file Unescape Escape View File

16 libraries/libapparmor/testsuite/test_multi/testcase_mqueue_06.out Normal file Unescape Escape View File

761 Commits

fix-dirtes ... v4.0.2