Glibc in 2.36 and later will [1] access sysfs at
/sys/devices/system/cpu/possible when usig sysconf
for _SC_NPROCESSORS_CONF.
That will make a lot of different code, for example
anything linked against libnuma, trigger this apparmor
denial.
apparmor="DENIED" operation="open" class="file" ...
name="/sys/devices/system/cpu/possible" ...
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

This entry seems rather safe, and it follows others
that are already in place. Instead of fixing each
software individually this should go into the base
profile as well.
Initially reported via
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989073
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
MR: none - ML
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit c159d0925a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
this is probably unrelated to the path or a path change, this commit
also adds r permissions for the previous path.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
I propose this patch for 3.0 and master (optionally also for 2.12 and 2.13 - please tell me if you want that after reviewing the patch, or just merge ;-)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/905
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f51049ea2e)
c9c5208f dnsmasq: Add missing r permissions for libvirt_leaseshelper
... which will be removed in Python 3.12, and that probably won't be
used on systems running the AppArmor 2.1x branches.
This prevents CI failures on gitlab.com, which uses a new-enough python
to show
DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
For 3.0 and master, the proper fix (switching to setuptools) was done in
!813.
I propose this patch for 2.11, 2.12 and 2.13.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/908
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit fd1b463643)
ca3e5be5 Grep away deprecation warning for distutils
The snap_browsers abstraction requires more permissions
due to updates on snaps.
Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
all dbus permissions,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```
I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bfa67b369d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 83685ba703)
f0919f83 Allow dovecot to use all signals
Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.
Bug: https://launchpad.net/bugs/1794064
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit fb3283f37e)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/863
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.
Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0
Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```
After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```
And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
(cherry picked from commit 5053a01d84)
This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.
I propose this patch for 3.0 and all 2.x branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/859
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit c6324c2a3e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
add a missing slash at the end of the sys rule
See merge request apparmor/apparmor!791
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit 4fd7bcc289)
b3dcd02d add a missing slash at the end of the sys rule
Currently for directory includes the directory timestamp is ignored.
This is wrong as operations like removing a file from the dir won't
be considered in the timestamp check.
Fix this by updating the timestamp check to include the included
directories timestamp.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/760
Signed-off-by: John Johansen <john@jjmx.net>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit 3d1232e640)
Currently the wutmp abstraction has the following rules:
/var/log/lastlog rwk,
/var/log/wtmp wk,
@{run}/utmp rwk,
According to what I see in my apparmor profiles, just a few apps want
to interact with the files listed above, especially with the
/var/log/wtmp . But when the apps do this, they sometimes want the
read access to this file. An example could be the last command. Is
there any reason for not having the r in the rule? The second thing
is the file /var/log/btmp (which isn't included in the
abstracion). Whenever I see an app, which wants to access the
/var/log/wtmp file, it also tries to interact with the /var/log/btmp
file, for instance lightdm/sddm or su . Most of the time they need
just wk permissions, but sometimes apps need also r on this file, an
example could be the lastb command, which is just a link to last.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d4e0a94511)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The backport of
855dbd4a parser: fix rule downgrade for unix rules
using the rule_t::warn_once which doesn't exist in the 2.x parser
series. Switch this the the static function warn_once.
8b481b5f parser: fix rule downgrade for unix rules
Signed-off-by: John Johansen <john.johansen@canonical.com>
Rule downgrades are used to provide some confinement when a feature
is only partially supported by the kernel.
Eg. On a kernel that doesn't support fine grained af_unix mediation
but does support network mediation.
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
network unix type=stream,
Which while more permissive still provides some mediation while
allowing the appication to still function. However making the rule
a deny rule result in tightening the profile.
Eg.
deny unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
will be downgraded to
deny network unix type=stream,
and that deny rule will take priority over any allow rule. Which means
that if the profile also had unix allow rules they will get blocked by
the downgraded deny rule, because deny rules have a higher priority,
and the application will break. Even worse there is no way to add the
functionality back to the profile without deleting the offending deny
rule.
To fix this we drop deny rules that can't be downgraded in a way that
won't break the application.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1180766
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/700
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 855dbd4ac8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
My main user account is managed by systemd-homed. When I enable
AppArmor and have nscd running, I get inconsistent behavior with my
user account - sometimes I can't log in, sometimes I can log in but
not use sudo, etc.
This is the output of getent passwd:
$ getent passwd
root❌0:0::/root:/usr/bin/zsh
bin❌1:1::/:/sbin/nologin
daemon❌2:2::/:/sbin/nologin
mail❌8:12::/var/spool/mail:/sbin/nologin
ftp❌14:11::/srv/ftp:/sbin/nologin
http❌33:33::/srv/http:/sbin/nologin
nobody❌65534:65534:Nobody:/:/sbin/nologin
dbus❌81:81:System Message Bus:/:/sbin/nologin
[...]
rose❌1000:1000:Rose Kunkel:/home/rose:/usr/bin/zsh
But getent passwd rose and getent passwd 1000 both return no output.
Stopping nscd.service fixes these problems. Checking the apparmor
logs, I noticed that nscd was denied access to
/etc/machine-id. Allowing access to that file seems to have fixed the
issue.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/707
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/145
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit ee5303c8a0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1
Running firefix, then going to netflix.com and attempting to play a
movie. The widevinecdm plugin crashes, the following is found in
syslog:
Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert
...
Fixes: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1777070
Reported-by: Xav Paice <xav.paice@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/684
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 656f2103ed)
Signed-off-by: John Johansen <john.johansen@canonical.com>
job scaling allows the parser to resample the number of cpus available
and increase the number of jobs that can be launched if cpu available
increases.
Unfortunately job scaling was being applied even when a fixed number
of jobs was specified. So
--jobs=2
doesn't actually clamp the compile at 2 jobs.
Instead job scaling should only be applied when --jobs=auto or when
jobs are set to a multiple of the cpus.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/703
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 65ba20b955)
(cherry picked from commit 7cf54f2cd8 /
ca0d9f758b)
Note that the original commit also included fixes for de.po and sv.po
which are not needed in the 2.12 branch.
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the german utils translations.
(cherry picked from commit 07bd11390e)
Dovecot is hit with this denial on Debian 10 (buster):
```
type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED"
operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem"
pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
```
This results in fatal error:
```
Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration
file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file
/usr/share/dovecot/dh.pem: Permission denied
```
Add rule to allow reading dh.pem.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671
(cherry picked from commit 9d8e111abe)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74)
Signed-off-by: John Johansen <john.johansen@canonical.com>
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1)
The parser is supposed to add a rule to profiles if they are a hat
or contain hats granting write access to the kernel interfaces
used to perform the change_hat operation.
Unfortunately the check is broken and currently won't add the
rule to hats (it does add it for the parent).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/625
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 5b850c154f)
prologue.inc:settest() in same cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
(cherry picked from commit efc6590409)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Nobody told the tools that log events with operation="symlink" exist.
Add this keyword to the list of file or network operations (I don't
expect network symlinks ;-) but keeping everything in that list makes
things easier than special-casing it.)
Also add the log sample and expected result to the libapparmor tests.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/107
(cherry picked from commit 98bf187323)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The commit c8b6d8b393 ("profiles: Update 'make check' to select tools
based on USE_SYSTEM") set a bunch of variables but neglected to apply
them when invoking aa-logprof. This commit addresses this by:
* correcting the PYTHONPATH used with aa-logprof
* setting LD_LIBRARY_PATH when invoking aa-logprof
* adjusting LD_LIBRARY_PATH to include both the directory location
of libapparmor but also the swig libapparmor library needed for
python tools to function.
* adjusts the test for the presence of libapparmor to not use
LD_LIBRARY_PATH but instead a libapparmor specific variable
LIBAPPARMOR_PATH
Bug: https://gitlab.com/apparmor/apparmor/-/issues/98
Fixes: c8b6d8b393
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/586
The profiles dirs make check is not always using the correct tools.
Update it to be similar to other Makefiles where the var USE_SYSTEM
make check USE_SYSTEM=1
is used to indicated that the system installed tools should be used
and
make check
is used to run the tests against the in tree tools
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/580
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit c8b6d8b393)
[2.11..2.13] fix setting apparmor.aa.profile_dir in some tests
cherry picked from commit 6fe4b5e59a -
but only the test-aa.py changes because test-profile-list.py didn't have
the affected tests in 2.13 yet.
See merge request apparmor/apparmor!574
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..2.13
(cherry picked from commit ac4bf706e5)
583ea724 fix setting apparmor.aa.profile_dir in some tests
Seen on openSUSE Tumbleweed with the mail users in a mysql database.
(cherry picked from commit f7ab91f423)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is needed when using the "apparmor" plugin which means dovecot
switches to user-specific hats.
Seen on openSUSE Tumbleweed.
(backported from commit 6a388859f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When a filesystem is mounted with the option *user*, the file selection
dialogue, e.g. in *Evince*, triggers an access of */run/mount/utab*, which
comes from *libmount* and should be allowed.
Reported-by: JrgSommer[m] in #apparmor
(cherry picked from commit cd3532f792)
Signed-off-by: John Johansen <john.johansen@canonical.com>
strip_quotes() assumed its parameter is at least one character long, and
errored out on an empty string.
It also converted a string consisting of a single quote to an empty
string because that single quote had a quote as first and last char.
This commit fixes these two bugs.
Also rewrite TestStripQuotes to use tests[], and add some test for an empty
string, a one-char path (just a slash) and a single quote.
(cherry picked from commit 373e8e23b1)
Signed-off-by: John Johansen <john.johansen@canonical.com>
apparmor.vim: allow leading whitespace for alias rules
See merge request apparmor/apparmor!527
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.11..master
(cherry picked from commit ae70ecfbaa)
c636580f apparmor.vim: allow leading whitespace for alias rules
[2.11..2.13] Fix showing the local inactive profile in json mode
See merge request apparmor/apparmor!516
Acked-by: Steve Beattie <steve.beattie@canonical.com> for 2.12 and 2.13
(cherry picked from commit eb5185c961)
6e9dd649 Split off UI_ShowFile() from UI_Changes
da07cdf7 Fix showing the local inactive profile in json mode
usr.sbin.dnsmasq: update to support dnsmasq 2.81
See merge request apparmor/apparmor!475
Acked-by: Christian Boltz for 2.11..master
(cherry picked from commit acafe9de82)
88c142c6 usr.sbin.dnsmasq: allow reading @{PROC}/@{pid}/fd/ as is needed by dnsmasq 2.81
abstractions/base: allow read access to /run/uuidd/request
See merge request apparmor/apparmor!445
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 80bf920929)
45fffc12 abstractions/base: allow read access to /run/uuidd/request
abstractions/base: allow read access to top-level ecryptfs directories
See merge request apparmor/apparmor!443
Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master
(cherry picked from commit 24895ea302)
fbd8981e abstractions/base: allow read access to top-level ecryptfs directories
Backporting the abstractions/gnome changes resulted in invalid profiles
because 2.11 and 2.12 don't have @{user_share_dirs} defined.
Therefore add/copy over tunables/share from master, and include it in
tunables/global.
Allow /usr/etc/ in abstractions/authentication
openSUSE (and hopefully some other distributions) work on moving shipped
config files from /etc/ to /usr/etc/ so that /etc/ only contains files
written by the admin of each system.
See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
the first moved files.
Updating abstractions/authentication is the first step, and also fixes
bugzilla.opensuse.org/show_bug.cgi?id=1153162
See merge request apparmor/apparmor!426
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
(cherry picked from commit 1cfd4d4bbc)
ee7194a7 Allow /usr/etc/ in abstractions/authentication
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
Drop 'localinclude' in parse_profile_data() and ProfileStorage
See merge request apparmor/apparmor!427
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12..master
Acked-by: Steve Beattie <steve@nxnw.org> for 2.12..master
(cherry picked from commit b017f8f8a9)
001ea9e3 Drop 'localinclude' in parse_profile_data() and ProfileStorage
879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
(cherry picked from commit c5968c70d0)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/420
Signed-off-by: John Johansen <john.johansen@canonical.com>
When dc010bc034 was
backported to the apparmor-2.13 branch (in commit
75236d62e2), it did not take into
account cb8c3377ba, which creates the
common/list_af_names.sh script as used in the test case, was not also
backported to the apparmor-2.13 branch.
Change the test case to get the list of network AF names via the same
make invocation taken by the utils/vim/create-apparmor.vim.py script
before the common/list_af_names.sh existed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/391
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 0c65b9aeb9)
Found this path is used by gtk_compose_hash_get_cache_path() in
gtkcomposetable.c.
(cherry picked from commit 6da7ed2a78)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add file rule to allow reading application profiles for NVIDIA
Linux graphics driver.
(cherry picked from commit f2e0fdc72b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser currently skips the cache if optimizations are specified
because it can not determine if the cached policy was compiled
with the specified optimization. However this causes cache misses
even if policy is cached with those options, and distros are setting
some optimizations by default.
Instead of skipping reading the cache if optimizations are set, users
can force overwriting the cache if needed, until the parser can
store aditional meta info in the cache.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/385
BugLink: http://bugs.launchpad.net/bugs/1820068
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit f6cd5c01c1)
[2.12+2.13] make abstractions/postfix-common compatible with latest postfix profiles
See merge request apparmor/apparmor!387
Seth Arnold <seth.arnold@canonical.com>
(cherry picked from commit 9318977332)
4573d252 make abstractions/postfix-common compatible with latest postfix profiles
[2.12] profile backports from 2.13
Backport two profile fixes that made it into 2.13, but not into 2.12:
* dovecot/lmtp: allow dac_read_search
* Allow dovecot-lda to read anything under /usr/share/dovecot/protocols.d/.
See merge request apparmor/apparmor!386
Acked-by: Seth Arnold <seth.arnold@canonical.com>
On current Debian sid it needs to read
/usr/share/dovecot/protocols.d/imapd.protocol, which is not surprising given it
already needed read access to /usr/share/dovecot/protocols.d/.
(cherry picked from commit 1b51dac4c9)
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da)
Add several libapparmor/swig/ruby files to gitignore
See merge request apparmor/apparmor!366
(cherry picked from commit 9c11ce37c6)
7ed1a16a Add several libapparmor/swig/ruby files to gitignore
Fix error 'KeyError: 'logfiles'' when no logprof.conf exists
See merge request apparmor/apparmor!365
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12..master
(cherry picked from commit cece787182)
455c4413 aa.py: Ensure there is always a fallback falue for the logfile location
3c7e1668 aa.py: Indicate permission error if log file is found but cannot be opened
update network keyword list in utils and add test
See merge request apparmor/apparmor!350
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit dc010bc034)
49849ed7 update network keyword list in utils and add test
apparmor.d manpage: update list of network domain keywords
See merge request apparmor/apparmor!349
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 6416ccebf6)
6b276563 apparmor.d manpage: update list of network domain keywords
The length of a xmatch is used to prioritize multiple profiles that
match the same path, with the intent that the more specific match wins.
Currently, the length of a xmatch is computed by the position of the
first regex character.
While trying to work around issues with no_new_privs by combining
profiles, we noticed that the xmatch length computation doesn't work as
expected for multiple regexs. Consider the following two profiles:
profile all /** { }
profile bins /{,usr/,usr/local/}bin/** { }
xmatch_len is currently computed as "1" for both profiles, even though
"bins" is clearly more specific.
When determining the length of a regex, compute the smallest possible
match and use that for xmatch priority instead of the position of the
first regex character.
(cherry picked from commit cc09794fbd)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The parser is not correctly handling some error conditions when
dealing with work units. Failure to spawn work, access files, etc
should be returned where appropriate, and be able to abort processing
if abort_on_error is set.
In addition some errors are leading to a direct exit without checking
for abort_on_error.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921866
BugLink: http://bugs.launchpad.net/bugs/1815294
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Eric Chiang <ericchiang@google.com>
(backported from 2.13 commit 394d086e58)
Conflicts:
parser/parser_main.c
Reason:
commit 1328a42d5 not backported
misc dovecot fixes (take #2)
See merge request apparmor/apparmor!336
Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10
(cherry picked from commit e68beb988a)
a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
Debian and Ubuntu have releases coming out with usr-merge in place. For
these systems, /bin and /sbin are symlinks to their respective /usr
directories. This breaks a few tests in the python utils and in the
regression tests. This patch series fixes them, mostly by performing
realpath() calls when necessary. For the ptrace regression test,
it copies the called /bin/true binary into the created temporary
directory and executes it from there. (Good for other reasons, too.)
(cherry picked from commit b4ab8476e4)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/merge_requests/331
Backport kde abstraction to 2.13
See merge request apparmor/apparmor!327
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.12 and 2.13
(cherry picked from commit 6779402786)
aae838fa Update kde abstraction for common settings
dc3b73da kde: fix global settings access for Kubuntu and openSUSE
aa-logprof errors out if it hits a log event for a non-existing profile while a profile file with the default filename for that non-existing profile exists. This can for example happen after adding a profile name to a profile if audit.log still contains events for the attachment-based profile name.
Since we ignore log events for non-existing profiles in general, drop the code for the special case "but a file matching the default filename for that non-existing profile exists" and also silently ignore events for this very special non-existing profile.
Also drop the now unused function get_profile_filename()
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
PR: https://gitlab.com/apparmor/apparmor/merge_requests/297
Acked-by: Eric Chiang <ericchiang@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This updates the mysqld to what I use on my servers nowadays.
Note: my profile also has capability sys_resource,, but I'm not sure
why I had to add this and therefore didn't include it in this merge
request.
Speaking about "why I had added $whatever" - these changes were
collected over the last years and of course ;-) I don't remember any
details.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/310
(cherry picked from commit 0199edf8e7)
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
dnsmasq: allow peer=libvirtd to support named profile
See merge request apparmor/apparmor!304
Acked-by: Eric Chiang <ericchiang@google.com> for 2.12..master
(cherry picked from commit 5d384d9625)
20fe099c dnsmasq: allow peer=libvirtd to support named profile
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
See merge request apparmor/apparmor!299
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 1f53de174d)
1306f9a6 abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
c5a89d5d abstractions/ssl_{certs,keys}: sort the alternation for dehydrated and drop...
04b2842e abstractions/ssl_{certs,keys}: allow reading ocsp.der maintained by dehydrated for OCSP stapling
aa-logprof errors out if it hits a log event for a non-existing profile
while a profile file with the default filename for that non-existing
profile exists. This can for example happen after adding a profile name
to a profile if audit.log still contains events for the attachment-based
profile name.
Since we ignore log events for non-existing profiles in general, drop
the code for the special case "but a file matching the default filename
for that non-existing profile exists" and also silently ignore events
for this very special non-existing profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1120472
(cherry picked from commit 03ea5b82b7)
aa-genprof checks if one of the profiles in the extra profile dir
matches the binary, and proposes to use that profile as a starting
point.
Since 4d722f1839 the "(V)iew profile"
option to display the proposed profile was broken.
The easiest fix is to remember the filename in the extras directory, and
display the file from there.
Sidenote: when choosing to use the extra profile, it gets written to
disk without any problems, so this bug really only affected "(V)iew
profile" to preview the proposed extra profile.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 8b4e76a7d5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
In the 2.13 branch (and older), 'options' is not always a dict, but can
also be None or an empty string.
Adjust the if condition in serialize_profile() so that "View changes
between clean profiles" doesn't error out.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
Signed-off-by: John Johansen <john.johansen@canonical.com>
Technical stuff first:
Replace existing_profiles (a dict with the filenames for both active and
inactive profiles) with active_profiles and extra_profiles which are
ProfileList()s and store the active profiles and those in the extra
directory separately. Thanks to ProfileList, now also the relation
between attachments and filenames is easily available.
Also replace all usage of existing_profiles with active_profiles and
extra_profiles, and adjust it to the ProfileList syntax everywhere.
With this change, several bugs in aa-complain and the other minitools
get fixed:
- aa-complain etc. never found profiles that have a profile name
(the attachment wasn't checked)
- even if the profile name was given as parameter to aa-complain, it
first did "which $parameter" so it never matched on named profiles
- profile names with alternations (without attachment specification)
also never matched because the old code didn't use AARE.
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047#92
(search for "As usual" ;-)
Just for completeness - the matching still doesn't honor/expand
variables in the profile name.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 4d722f1839)
Signed-off-by: John Johansen <john.johansen@canonical.com>
parse_profile_data() returns the parsed profiles, but writes to
existing_profiles directly.
read_profiles() calls parse_profile_data() and already handles adding
the parsed profiles to aa, original_aa or extras, which means updating
existing_profiles there is a much better place.
This commit also includes a hidden change: Previously, when parsing
include files, they were also added to existing_profiles. This is
superfluous, only real profiles need to be stored there.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit 8809218ac8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Split get_profile_filename() into
- get_profile_filename_from_profile_name() (parameter: a profile name)
- get_profile_filename_from_attachment() (parameter: an attachment)
Currently both functions call get_profile_filename_orig() (formerly
get_profile_filename()) so the behaviour doesn't change yet.
The most important part of this commit is changing all
get_profile_filename() calls to use one of the new functions to make
clear if they specify a profile or an attachment/executable as
parameter.
As promised, the is_attachment parameter starts to get used in this
patch ;-)
Note: The get_new parameter (which I'll explain in the patch actually
using it) is set to True in all calls to the new functions.
The long term plan is to get rid of it in most cases (hence defaulting
to False), but that will need more testing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit ec741424f8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
The minitools call write_profile(), write_profile_feedback_ui() and
serialize_profile() with the _attachment_ as parameter.
However, aa-logprof etc. call them with the _profile name_ as parameter.
This patch adds an is_attachment parameter to write_profile() and
write_profile_feedback_ui(). It also passes it through to
serialize_profile() via the options parameter.
If is_attachment is True, the parameter will be handled as attachment,
otherwise it is expected to be a profile name.
tools.py gets changed to set is_attachment to True when calling the
functions listed above to make clear that the parameter is an attachment.
Note: This patch only adds the is_attachment parameter/option, but
doesn't change any behaviour. That will happen in the next patch.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/268
(cherry picked from commit bc783372b8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
i.e. move '*' from beginning to before suffix.
Commit 025c7dc6 ("dnsmasq: Add permission to open log files") added
pattern, which is not compatible with SELinux. As this pattern has been
in SELinux since 2011 (with recent change to accept '.log' suffix +
logrotate patterns which are not relevant to AppArmor) IMHO it's better
to adjust our profile.
Fixes: 025c7dc6 ("dnsmasq: Add permission to open log files")
PR: PR: https://gitlab.com/apparmor/apparmor/merge_requests/288
Signed-off-by: Petr Vorel <pvorel@suse.cz>
(cherry picked from commit 3ef8df6ac0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add /etc/letsencrypt/archive to ssl_key abstraction
See merge request apparmor/apparmor!283
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 0a666b8e48)
cb468786 Add /etc/letsencrypt stuff to ssl_keys/ssl_certs abstraction
Commit aa06528790 made @{sys} tunable
available by default.
Update profiles and abstractions to actually use @{sys} tunable for
better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
(this is backport of 2438179b76 for
AppArmor 2.12)
'lastline' gets merged into 'line' (and reset to None) when reading the
next line. If 'lastline' isn't empty after reading the whole profile,
this means there's something unparseable at the end of the profile,
therefore parse_profile_data() should error out.
Also remove some simple_tests testcases from the 'exception_not_raised'
list - they only didn't raise the exception because the invalid rule was
the last line in the affected profile.
Thanks to Eric Chiang for accidently (and maybe even unnoticedly ;-)
discovering this bug while adding some xattr testcases that surprisingly
didn't fail in the tools.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/271
(cherry picked from commit 4efff35bf8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
[2.12+2.13] use serialize_profile() for the new profile in (V)iew Changes
See merge request apparmor/apparmor!267
Acked-by: John Johansen <john.johansen@canonical.com> for 2.12 and 2.13
(cherry picked from commit f4d7f8ae57)
dd4c2b05 use serialize_profile() for the new profile in (V)iew Changes
1b32d764 delete serialize_profile_from_old_profile()
disable abi/ok_10 and abi/ok_12 tests
See merge request apparmor/apparmor!259
(cherry picked from commit 608af94dff)
a3305b51 disable abi/ok_10 and abi/ok_12 tests
(cache file that gets created when running the tests with python2)
(cherry picked from commit 63d17ecf16)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Add profile names to all profiles with {bin,sbin} attachment
See merge request apparmor/apparmor!242
Acked-by: intrigeri <intrigeri@debian.org>
(cherry picked from commit fd68a5eb64)
b77116e6 Add profile names to all profiles with {bin,sbin} attachment
profiles/Makefile: test abstractions against apparmor_parser
See merge request apparmor/apparmor!244
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10, 2.11 and 2.12.
Update Makefile to test abstractions by generating temporary profile, to
check for missing (not backported) abstractions or other issues.
This is backport of dc7ae28de0 for
2.10..2.12 series (without --config-file option).
AppArmor 3.0 requires policy to use a feature abi rule for access to
new features. However some policy may start using abi rules even if
they don't have rules that require new features. This is especially
true for out of tree policy being shipped in other packages.
Add enough support to older releases that the parser will ignore the
abi rule and warn that it is falling back to the apparmor 2.x
technique of using the system abi.
If the profile contains rules that the older parser does not
understand it will fail policy compilation at the unknown rule instead
of the abi rule.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/196
(backported form commit 83df7c4747)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Fix aa-mergeprof crash caused by accidentially initialzed hat
See merge request apparmor/apparmor!234
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 93445ca02d)
bc492533 Fix aa-mergeprof crash caused by accidentially initialzed hat
This excludes the /etc/apparmor.d/cache.d/ directory from aa-logprof
parsing because parsing the binary cache, well, takes a while :-/
Reported on the opensuse-factory mailinglist by Frank Krüger and
confirmed by others.
(cherry picked from commit 5b9497a8c6)
commit 94dfe15b28 attempted to remove
LD_RUN_PATH unfortunately
But all it actually does is cause the Makefile.perl to embed the rpath
"" instead. Which is still an rpath, only I guess an even worse one.
--
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
This is because it cleared the setting of the variable LD_RUN_PATH
which was expanded in the command
$(INST_DYNAMIC) : $(OBJECT) $(MYEXTLIB) $(INST_ARCHAUTODIR)$(DFSEP).exists $(EXPORT_LIST) $(PERL_ARCHIVEDEP) $(PERL_ARCHIVE_AFTER) $(INST_DYNAMIC_DEP)
$(RM_F) $@
LD_RUN_PATH="$(LD_RUN_PATH)" $(LD) $(LDDLFLAGS) $(LDFROM) $(OTHERLDFLAGS) -o $@ $(MYEXTLIB) \
$(PERL_ARCHIVE) $(LDLOADLIBS) $(PERL_ARCHIVE_AFTER) $(EXPORT_LIST) \
$(INST_DYNAMIC_FIX)
$(CHMOD) $(PERM_RWX) $@
resulting in LD_RUN_PATH="" being passed to the command.
Finish removing LD_RUN_PATH from Makefile.perl by removing it from
the command invocation if it is present.
Note: we use \x24 instead of $ in the regex as there seems to be a bug
and no level of escaping $ would allow it to be used.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/207
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 958cc28876)
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a1)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
parser: fix Makefile hardcoded paths to flex and bison
Closes#4
See merge request apparmor/apparmor!224
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 34cf085036)
17e059a2 parser: fix Makefile hardcoded paths to flex and bison
backport "Set flags for profiles represented by a glob" to 2.12
Backport/cherry-pick 5e187daa ("Set flags for profiles represented by a glob") and the follow-up fixes f472b6bb and 0dca959c to 2.12.
Besides backporting this "bugfix feature" to 2.12, this is needed to fix minitools_test.py.
See merge request apparmor/apparmor!218
Acked-by: John Johansen <john.johansen@canonical.com>
Add missing paths to usr.sbin.nmbd, usr.sbin.smbd and abstractions/samba
See merge request apparmor/apparmor!210
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit f76a718f28)
80e98f2d Update usr.sbin.nmbd & usr.sbin.smbd
Since the latest change, calling {get,set}_profile_flags() with the
profile name failed when attachment was specified ("profile foo /bar").
Catched by the unittests.
Also fix a whitespace issue.
(cherry picked from commit f472b6bb34)
Getting and Setting profile represented by a glob does not work correctly
because they are checked for equality. Use a glob match to check for them.
Also, add a warning stating that the profile being set represents multiple programs.
traceroute is an example whose profile name is represented as
/usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
Setting /usr/sbin/traceroute to enforce mode.
ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
Signed-off-by: Goldwyn <goldwyn@fiona.lan>
(cherry picked from commit 5e187daa0b)
2.13: Add basic support for abi rules to the tools
Add basic "understand and keep" support for abi rules, where
"understand" means to not error out when seeing an abi rule, and "keep"
simply means to keep the original abi rule when serializing a profile.
On the long term, abi rules should be parsed (similar to include rules),
but for now, this patch is the smallest possible changeset and easy to
backport.
Note that the only added test is via cleanprof_test.* which is used by
minitools_test.py - and does not run if you do a 'make check'.
Oh, and of course the simple_tests/abi/ files also get parsed by
test-parser-simple-tests.py.
BTW: Even serialize_profile_from_old_profile() can handle abi rules :-)
This is a backport of 072d3e04 / !202 (merged) to
2.13 (with some adjustments because that commit didn't appy cleanly)
I propose this patch for 2.10..2.13
PR: https://gitlab.com/apparmor/apparmor/merge_requests/216
Acked-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit ab91f7bfa3)
420aea62 Add basic support for abi rules to the tools
Qt GUI applications that uses "platforminputcontexts"-class of plugins
might need reading and/or writing compose cache. Add read-only rule in
qt5 abstraction and create new writing dedicated for compose cache
writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 67816c42cf)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Qt-based applications stores QFileDialog (latest browsed directory) and
other shared user settings inside ~/.config/QtProject.conf. Currently
available qt abstraction only allows to read it (by design), so this
patch introduces abstraction that grants permissions for writing.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/159
(cherry picked from commit 69c4cabb93)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions part ii
- abstractions/private-files: disallow access to the dirs of private files
- private-files{,-strict}: disallow writes to parent dirs too
- user-files: disallow writes to parents dirs
PR: https://gitlab.com/apparmor/apparmor/merge_requests/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
Harden abstractions
Harden abstractions
remove antiquated abstractions/launchpad-integration
abstractions/private-files-strict: disallow access to the dirs of private files
abstractions/private-files: disallow writes to thumbnailer dir (LP: #1788929)
ubuntu-browsers.d/user-files: disallow access to the dirs of private files
Nominating launchpad-integration and opencl-nvidia for 2.13. Nominating private-files-strict, private-files and user-files for 2.10 and higher
PR: https://gitlab.com/apparmor/apparmor/merge_requests/203
Signed-off-by: John Johansen <john.johansen@canonical.com>
Also add /usr/share/dnsmasq/, DNSSEC trust anchors are kept there.
(cherry picked from commit 5bc7a9fbd6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Move README to README.md to provide better integration with gitlab
and sync changes from master branch so we have badges, build info
etc.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The URL redirect ends up at a page in the new wiki that doesn't exist.
We have to link directly to the gitlab URL here since the current URL
redirect doesn't let us use a wiki.apparmor.net URL and still reach the
expected Profiles page.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Revert backporting cboltz-fix-complain-named-profiles to 2.12
See merge request apparmor/apparmor!186
Revert commit 995c0e96 in the 2.12 branch
set_profile_flags(): allow named profiles without attachment
See merge request apparmor/apparmor!142
This commit/fix is only needed in 2.13+ because of changes introduced in
2.13 (matching profile names with globs in aa-complain), and actually
breaks 2.12.
(The alternative is to backport the profile name glob matching to 2.12.)
Acked-by: John Johansen <john.johansen@canonical.com>
Revert commit 995c0e96f8 in the 2.12 branch
set_profile_flags(): allow named profiles without attachment
See merge request apparmor/apparmor!142
This commit/fix is only needed in 2.13+ because of changes introduced in
2.13 (matching profile names with globs in aa-complain), and actually
breaks 2.12.
... instead of overwriting them with the flags of the main profile.
This fixes a longstanding issue with aa-complain, aa-enforce and
aa-audit which broke the flags of child profiles and hats if they
differed from the main profile.
It also fixes several issues documented in the tests (which obviously
need adjustment to match the fixed behaviour).
Also change the "no profile found" cases to AppArmorException - errors
in a profile are not worth triggering AppArmorBug ;-)
(cherry picked from commit b00aab0843)
All callers call change_profile_flags(), so it makes sense to test this
function instead of set_profile_flags().
Besides that, set_profile_flags() will be merged into
change_profile_flags() in the next commit ;-)
Note that this commit adds some '# XXX' notes to the tests. These will
be addressed in later commits.
(cherry picked from commit abd124c00d)
If the old flags are given as str (or None), call split_flags() to
convert them to a list.
This allows to simplify change_profile_flags() which now doesn't need to
call split_flags() on its own.
Also add some tests with a str for the old flags
(cherry picked from commit e80caa130a +
conflict resolution)
... and change change_profile_flags() to use it instead of doing it
itsself
Also add some tests for split_flags()
Cherry-picked from ce7ea062c5 + conflict
resolution
... instead of set_profile_flags() to keep possibly existing flags like
attach_disconnected.
Note that this function is unused (meant to be used with the
no-longer-existing profile repo), therefore nobody noticed that
set_profile_flags() was called with the wrong number of parameters ;-)
Each coverity command writes its debugging output to
cov-int/build-log.txt, which means that multiple runs of cov-build
overwrite previous logs, resulting in only the last invocation's output
remaining at the end of the build, making debugging why failures to
capture coverity output difficult. Fix this by renaming the build-log to
per-directory log files.
(This would still be an issue even if we had a single build command
for the entire tree, as capturing python and other interpreted
files requires a second invocation of cov-build to scan for those
file types.)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/145
(cherry picked from commit fed101920b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
When creating a new profile with aa-genprof, get_profile() searches for
an inactive ("extra") profile and, if it finds one, removes the filename
from that profile so that it gets stored in /etc/apparmor.d/ later.
However, it used .pop() to remove the filename, which explodes since
ProfileStorage is a class now.
This patch fixes this (tested manually).
PR: !140
(cherry picked from commit 73b33bdf36)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Allow /usr/local/lib/python3/dist-packages in abstractions/python
See merge request apparmor/apparmor!160
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master
(cherry picked from commit 763a6787d8)
6a10f076 Allow /usr/local/lib/python3/dist-packages in abstractions/python
use_group is only honored if it is defined.
The "real" permission check is reading the logfile - the group check
in aa-notify is just an annoying additional check, and the default
"admin" only works on Ubuntu (other distributions typically use
"wheel").
This commit comments out use_group in the default config, which allows
everybody to use aa-notify. Permissions for reading the log file are of
course still needed.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/82
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1058787
(cherry picked from commit 86ec3dd658)
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parse_profile_start(): Error out on nested child profiles
See merge request apparmor/apparmor!136
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit b7a4f37cbb)
8462c39b parse_profile_start(): Error out on nested child profiles
Writing a "link subset" rule missed a space, which resulted in something
like
link subset/foo -> /bar,
Also add a test rule to tests/cleanprof.* to ensure this doesn't break
again.
(cherry picked from commit 514535608f)
Acked-by: Steve Beattie <steve@nxnw.org>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/117
Fix ubuntu-browsers for 64bit openSUSE
See merge request apparmor/apparmor!87
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit 06069cc47a)
0c2690d8 Fix ubuntu-browsers for 64bit openSUSE
Merge branch 'sh-helper-read-locale' into 'master'
See merge request apparmor/apparmor!76
Signed-off-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit 130958a4a4)
2bc64070 tests: Allow shell helper test read the locale
Coverity now supports scanning python (and other languages). Apply the
fs-capture-search option to the libapparmor and utils directpries to
capture the python source.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit d66720ef07)
Right now, if you have a named profile with regular expressions to
match binaries, the profile will be shown in aa-status under the
"process list", which doesn't make sense. Instead, show the actual
executable name, and if the profile name differs, report it at the
end (or as a separate field in the json output mode).
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
See merge request apparmor/apparmor!53
Acked-by: intrigeri <intrigeri@debian.org> for 2.9..master
(cherry picked from commit 0eefeeb0e7)
cb5cdf26 set DBUS_SESSION_BUS_ADDRESS, needed by notify-send
Update base abstraction for ld.so.conf and friends.
See merge request apparmor/apparmor!62
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9..master
(cherry picked from commit e88af93322)
6d22c871 Update base abstraction for ld.so.conf and friends.
The tools don't support having multiple rules in one line (they expect
\n after each rule), therefore mark some of the bare_include_tests as
known failures.
(cherry picked from commit 26af640fda)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
(cherry picked from commit 6f1d054468)
This is a minimal patch to add conditional includes to the profile
language.
The syntax for conditional includes is similar to regular includes
except with the addition of "if exists" after "include"
include if exists <foo/bar>
include if exists "foo/bar"
include if exists "/foo/bar"
include if exists foo/bar
Note: The patch is designed to be backportable with minimum
effort. Cleanups and code refactoring are planned for follow up
patches that won't be back ported.
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2ea3309942)
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz apparmor@cboltz.de
(cherry picked from commit 42b68b65fe1861609ffe31e05be02a007d11ca1c)
This patch supports rolling a tarball for a release, as well as doing
'make tag'. Only stuff that's been committed should get incorporated
into the tarball.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Denying it means netstat -p (actually tested with -tulpen) can't find
out the program name.
sys_ptrace is "only" needed for tracing processes that run under a
different uid.
Also add ptrace (read), for systems that support ptrace rules.
For now we only allow quoted absolute paths without spaces in the name
due to:
- 1738877: include rules don't handle files with spaces in the name
- 1738879: include rules don't handle absolute paths without quotes in
some versions of parser
- 1738880: include rules don't handle relative paths in some versions of
the parser
.gitignore additions for libapparmor tests, binutils, and the vim syntax highlighting files
See merge request apparmor/apparmor!43
Acked-by: Christian Boltz <apparmor@cboltz.de>
- dict needs abstractions/openssl (seen with dovecot 2.2.31 since
using openssl 1.1)
- imap needs to write tempfiles (seen with dovecot 2.2.31)
- managesieve-login needs access to the login-master-notify socket
(seen with dovecot 2.2.33)
- pop3-login needs access to the anvil socket (reported by pfak on
IRC some months ago)
- extend available_buttons() to display an "owner permissions on/off"
button if the rule supports it
- extend ask_the_questions() to handle these buttons
- add some tests to test-translations.py to avoid hotkey conflicts with
the newly added buttons
- move the code of set_options_audit_mode() to a new function
set_options_mode() and make set_options_audit_mode() a wrapper for it.
- add set_options_owner_mode() as another wrapper for set_options_mode()
and add code to switch the owner flag to set_options_mode()
- add tests for set_options_owner_mode()
This flag defines if the "Owner permissions on/off" button gets
displayed in aa-logprof.
False by default for all rule types (most of them don't support the
owner conditional). Also false for non-owner FileRule.
True only for FileRule if owner=True.
Several log examples result in rules where the 'owner' conditional
should be added. With logparser.py fixed to handle owner-only events, we
need to add the owner conditional to several test_multi/*.profile files.
I verified all log files for the changed profiles and made sure that
- the log line contains fsuid= and ouid=
- fsuid == ouid
I also did a quick check on all log events containing ouid= and for
those with fsuid == ouid, I checked that the profile has the owner
conditional.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.11
(see mail from 2017-07-31)
logparser.py failed to notice if file events are owner-only in modern
audit.log (using fsuid=... and ouid=...).
This patch adds a comparison of fsuid and ouid and marks file events
as 'owner' if they match.
Note that log events without fsuid=... or ouid=... will have
18446744073709551615 as fsuid / ouid value (that's 2^64 - 1).
'None' would clearly be better ;-)
References: https://bugs.launchpad.net/apparmor/+bug/1538340
Exit rather than returning from shell snippets in Makefiles. It is
reported that returning causes the following error message with bash:
/bin/sh: line 4: return: can only `return' from a function or sourced script
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
The utils have tests that rely on the in-tree parser to be built so it
should be documented that the parser should be built first.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
The test-aa-easyprof.py script relies on the parser to be built so the
check target of the utils/test/Makefile should detect if the parser
exists before running any tests.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Christian Boltz <apparmor@cboltz.de>
Since some kernel versions, inherit (ix) needs mmap permissions. Instead
of annoying the user with an avoidable question after adding an ix rule,
always add m permissions.
Together with the already existing code, this means newly added inherit
rules will now have 'mrix' permissions.
autodep() calls read_inactive_profiles() each time it's called (= for
each binary). The result is a "Conflicting profile" error (showing the
same filename twice) if autodep() runs more than once. This can easily
happen when using "aa-autodep /usr/bin/*".
This patch adds an attribute to read_inactive_profiles() that lets the
function return without doing anything if was called before.
check_po.pl lists lots of false positives saying that
msgstr ""
does not have the (h)otkey translated.
This patch whitelists those untranslated strings.
I also tested (by manually "breaking" a translation) that missing
hotkeys still get noticed.
This bug probably exists since forever, therefore I propose this patch
for 2.9..trunk. (OTOH, nobody noticed it, so maybe trunk is enough ;-)
Note: I still get a few false positives for ru.po (no idea why, similar
texts in the other languages don't cause this) - ideas and fixes welcome.
* Alter paths to allow Java version 8 and up.
* Add file rules to fix IcedTea browser plugin.
* Refactor to keep path consistensy against parent and child profile,
reduce repetitive rules.
Allow to read pulseaudio config subdirectories
See merge request apparmor/apparmor!12
Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.9, 2.10, 2.11 and trunk
After using "view changes", the selection got reset to the first changed
profile. This could mislead the user into saving the wrong profile.
This patch ensures the selection is kept.
I propose this patch for trunk and 2.11.
(2.11 will need different indentation again.)
I'm not sure if we should also apply this in 2.10 and 2.9 - they have
the same behaviour, but OTOH I'm not sure if changing behaviour (even if
it's an improvement) in those old releases is a good idea.
Opinions?
The last change in save_profiles() sorted() the order in which the
changed profiles get displayed. However, it did not honor the sorting
when displaying changes or saving the selected profile, leading to the
wrong profile displayed or saved.
This patch fixes picking the selected profile, and at the same time
replaces the duplicated code for doing this with a single instance.
I propose this patch for trunk and 2.11.
Note that the 2.11 branch needs a slightly different patch (different
indentation).
Also note that this regression made it into 2.11.1, so distributions
shipping 2.11.1 should add this patch.
The RETURN VALUE section contained two typos where "kernel_features" was
used instead of "kernel_interface".
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Callers of aa_features_unref(), aa_kernel_interface_unref(), and
aa_policy_cache_unref() had to store off errno and restore it after
calling those functions in error paths. This patch preserves errno
across those *_unref() functions so that callers don't have to.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Ignoring cscope.* files allows users of cscope to not be bothered by
`git status` reporting that an unknown file is in the source tree.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[](https://gitlab.com/apparmor/apparmor/pipelines)
[](https://bestpractices.coreinfrastructure.org/projects/1699)
------------
Introduction
------------
@@ -17,9 +23,45 @@ library, available under the LGPL license, which allows change_hat(2)
and change_profile(2) to be used by non-GPL binaries).
For more information, you can read the techdoc.pdf (available after
building the parser) and by visiting the http://apparmor.net/ web
building the parser) and by visiting the https://apparmor.net/ web
site.
----------------
Getting in Touch
----------------
Please send all complaints, feature requests, rants about the software,
Security issues can be filed as security bugs on launchpad
or directed to `security@apparmor.net`. Additional details can be found
in the [wiki](https://gitlab.com/apparmor/apparmor/wikis/home#reporting-security-vulnerabilities).
--------------
Privacy Policy
--------------
The AppArmor security project respects users privacy and data and does not collect data from or on its users beyond what is required for a given component to function.
The AppArmor kernel security module will log violations to the audit subsystem, and those will be logged/forwarded/recorded on the user's system(s) according to how the administrator has logging configured. Again this is not forwarded to or collected by the AppArmor project.
The AppArmor userspace tools do not collect information on the system user beyond the logs and information needed to interact with the user. This is not forwarded to, nor collected by the AppArmor project.
Users may submit information as part of an email, bug report or merge request, etc. and that will be recorded as part of the mailing list, bug/issue tracker, or code repository but only as part of a user initiated action.
The AppArmor project does not collect information from contributors beyond their interactions with the AppArmor project, code, and community. However contributors are subject to the terms and conditions and privacy policy of the individual platforms (currently GitLab and LaunchPad) should they choose to contribute through those platforms. And those platforms may collect data on the user that the AppArmor project does not.
Currently both GitLab an LaunchPad require a user account to submit patches or report bugs and issues. If a contributor does not wish to create an account for these platforms the mailing list is available. Membership in the list is not required. Content from non-list members will be sent to moderation, to ensure that it is on topic, so there may be a delay in choosing to interact in this way.
-------------
Source Layout
@@ -27,6 +69,7 @@ Source Layout
AppArmor consists of several different parts:
```
binutils/ source for basic utilities written in compiled languages
changehat/ source for using changehat with Apache, PAM and Tomcat
common/ common makefile rules
@@ -37,6 +80,7 @@ parser/ source for parser/loader and corresponding documentation
profiles/ configuration files, reference profiles and abstractions
tests/ regression and stress testsuites
utils/ high-level utilities for working with AppArmor
```
--------------------------------------
Important note on AppArmor kernel code
@@ -57,60 +101,86 @@ Building and Installing AppArmor Userspace
------------------------------------------
To build and install AppArmor userspace on your system, build and install in
the following order.
the following order. Some systems may need to export various python-related
environment variables to complete the build. For example, before building
anything on these systems, use something along the lines of:
@@ -138,7 +138,7 @@ my $ratelimit_saved = sysctl_read($ratelimit_sysctl);
END { sysctl_write($ratelimit_sysctl, $ratelimit_saved); }
sysctl_write($ratelimit_sysctl, 0);
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttp://wiki.apparmor.net/index.php/Profiles"));
UI_Info(gettext("\nBefore you begin, you may wish to check if a\nprofile already exists for the application you\nwish to confine. See the following wiki page for\nmore information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles"));
UI_Important(gettext("Please start the application to be profiled in \nanother window and exercise its functionality now.\n\nOnce completed, select the \"Scan\" button below in \norder to scan the system logs for AppArmor events. \n\nFor each AppArmor event, you will be given the \nopportunity to choose whether the access should be \nallowed or denied."));
@@ -195,7 +195,7 @@ for my $p (sort keys %helpers) {
}
UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttp://wiki.apparmor.net/index.php/Profiles\n"));
UI_Info(gettext("\nPlease consider contributing your new profile! See\nthe following wiki page for more information:\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n"));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
#=DESCRIPTION abi testing - abi relative path no quotes
#=EXRESULT PASS
#
abi abi/4.19,
/does/not/exist {
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
