ldd exits with $? == 1 if a file is 'not a dynamic executable'.
This is correct behaviour of ldd, so we should handle it instead of
raising an exception ;-)
[not in 2.9 and 2.10] Also extend fake_ldd and add a test to test-aa.py to cover this.
Note that 2.10 and 2.9 don't have tests for get_reqs() nor fake_ldd,
so those branches will only get the aa.py changes.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
nmbd needs some additional permissions:
- k for /var/cache/samba/lck/* (via abstractions/samba)
- rw for /var/cache/samba/msg/ (the log only mentioned r, but that
directory needs to be created first)
- w for /var/cache/samba/msg/* (the log didn't indicate any read access)
Reported by FLD on IRC, audit log on https://paste.debian.net/902010/
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
openSUSE uses "php7" (not just "php") in several paths, so also allow that.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
Sometimes network events come with an operation keyword looking like
file_perm which makes them look like file events. Instead of ignoring
these events (which was a hotfix to avoid crashes), improve the type
detection.
In detail, this means:
- replace OPERATION_TYPES (which was basically a list of network event
keywords) with OP_TYPE_FILE_OR_NET (which is a list of keywords for
file and network events)
- change op_type() parameters to expect the whole event, not only the
operation keyword, and rebuild the type detection based on the event
details
- as a side effect, this simplifies the detection for file event
operations in parse_event_for_tree()
- remove workaround code from parse_event_for_tree()
Also add 4 new testcases with log messages that were ignored before.
References:
a) various bugreports about crashes caused by unexpected operation keywords:
https://bugs.launchpad.net/apparmor/+bug/1466812https://bugs.launchpad.net/apparmor/+bug/1509030https://bugs.launchpad.net/apparmor/+bug/1540562https://bugs.launchpad.net/apparmor/+bug/1577051https://bugs.launchpad.net/apparmor/+bug/1582374
b) the summary bug for this patch
https://bugs.launchpad.net/apparmor/+bug/1613061
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.10.
Note: in 2.10, the test_multi/*.profile files are unexpected and not
checked because this part of the tests is trunk-only, therefore I don't
include them.
dev head -r3592
aa-unconfined currently does not check/display ipv6 fix this
and -r3593
In testing, I did notice one thing not getting turned up, from
netstat -nlp46 output:
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
On servers with not too much memory ("only" 16 GB), dovecot logins fail:
Nov 25 21:35:15 server dovecot[28737]: master: Fatal: setrlimit(RLIMIT_DATA, 268435456): Permission denied
Nov 25 21:35:15 server dovecot[28731]: master: Error: service(auth): command startup failed, throttling for 2 secs
Nov 25 21:35:15 server dovecot[28737]: auth: Fatal: master: service(auth): child 25976 returned error 89 (Fatal failure)
audit.log messages are:
... apparmor="DENIED" operation="capable" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" capability=24 capname="sys_resource"
... apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/dovecot" pid=25000 comm="dovecot" rlimit=data value=268435456
After allowing capability sys_resource, dovecot can increase the limit
and works again.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
Storing these event details depending on the operation type only makes
things more difficult because it's hard to differenciate between file
and network events.
Note that this happens at the first log parsing stage (libapparmor log
event -> temporary python array) and therefore doesn't add a serious
memory footprint. The event tree will still only contain the elements
relevant for the actual event type.
This change means that lots of testcases now get 3 more fields (all
None) when testing parse_event(), so update all affected testcases.
(test-network doesn't need a change for probably obvious reasons.)
Also rename a misnamed test in test-change_profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
Note: 2.10 has fewer rule classes, therefore less test-*.py files need
to be changed. Also, I had to slightly adjust the logparser.py patch
because 2.10 doesn't have support for signal events.
The latest glibc (including nscd) in openSUSE Tumbleweed comes with
glibc-2.3.3-nscd-db-path.diff: Move persistent nscd databases to
/var/lib/nscd
This needs updates (adding /var/lib/nscd/) to abstractions/nameservice
and the nscd profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
nmbd, winbindd (and most probably also smbd - but it has a more
permissive profile that already allows this) need rw access to
/var/cache/samba/lck/* on Debian 8.6.
Reported by FLD on IRC.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
The apparmor.d description about alias rules was broken in multiple
ways. The manpage
- didn't include the alias keyword
- listed alias rules in the "COMMA RULES" section - while that's correct
for the comma requirement, it's also wrong because COMMA RULES is
meant to be inside a profile
- didn't list alias rules in the PREAMBLE section
This patch fixes this.
It also moves the definition of VARIABLE, VARIABLE ASSIGNMENT (both
unchanged) and ALIAS RULE next to PREAMBLE.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10
Merge from trunk revision 3582.
Fix import errors with swig > 3.0.8 with the libapparmor python
bindings. Do this by removing the code to rename the generated
LibAppArmor.py, and instead use a stub __init__.py that automatically
imports everything from LibAppArmor.py. Also adjust bzrignore to
compensate for the autogenerated file name changing.
Bug: https://bugzilla.opensuse.org/show_bug.cgi?id=987607
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Newer kernels need m permissions for the binary the profile covers,
so add it before someone hits this problem in the wild ;-)
Also add a note that the mlmmj-recieve profile is probably superfluous
because upstream renamed the misspelled binary.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
This patch updates the mlmmj profiles in the extras directory to the
profiles that are used on lists.opensuse.org now. Besides adding lots
of trailing slashes for directories, several permissions were added.
Also, usr.bin.mlmmj-receive gets added - it seems upstream renamed
mlmmj-recieve to fix a typo.
These profiles were provided by Per Jessen.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1000201
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Merged from trunk commit 3566.
Add a basic wayland abstraction.
Include the wayland abstraction from the gnome one.
This is the least invasive solution to the problem I'm trying to
solve right now (Evince not starting in GNOME on Wayland, and probably
similar issues for other GNOME applications I suppose).
Bug: https://bugs.debian.org/827335
Bug: https://bugs.debian.org/807880
These files are needed for disk-based buffering (added in syslog-ng 3.8).
This was reported to me by Peter Czanik, one of the syslog-ng developers.
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
I prefer not to do it - adding it later is easy, but finding out if it
could be removed is hard ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
The latest version of pyflakes (1.3.0 / python 3.5) complains that
CMD_CONTINUE is defined twice in ui.py (with different texts).
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
The switch to FileRule made some bugs visible that survived unnoticed
with hasher for years.
If aa-logprof sees an exec event for a non-existing profile _and_ a
profile file matching the expected profile filename exists in
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
being silent). In the old code, this created a superfluous entry
somewhere in the aa hasher, and caused the existing profile to be
rewritten (without changes).
However, with FileRule it causes a crash saying
File ".../utils/apparmor/aa.py", line 1335, in handle_children
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'
This patch makes sure exec events for unknown profiles get ignored.
Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
This causes a crash without this patch because
/etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {
References: https://bugs.launchpad.net/bugs/1379874
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
*** *** *** backport
*** *** *** --fixes lp:1379874
In 2011 (r1803), the traceroute profile was changed to also match
/usr/bin/traceroute.db:
/usr/{sbin/traceroute,bin/traceroute.db} {
However, permissions for /usr/bin/traceroute.db were never added.
This patch fixes this.
While on it, also change the /usr/sbin/traceroute permissions from
rmix to the less confusing mrix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Fixes build error when attempting to build and test the 2.10.95 release
on Ubuntu 14.04:
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
make && make check) > /dev/null
...
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
libtool: and run autoconf again.
make[2]: *** [grammar.lo] Error 63
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
The --force option is needed to regenerate the libtool file in
libraries/libapparmor/.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This turned out to be a simple case of misinterpreting the promptUser()
result - it returns the answer and the selected option, and
"surprisingly" something like
('CMD_ADDHAT', 0)
never matched
'CMD_ADDHAT'
;-)
I also noticed that the new hat doesn't get initialized as
profile_storage(), and that the changed profile doesn't get marked as
changed. This is also fixed by this patch.
References: https://bugs.launchpad.net/apparmor/+bug/1538306
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
pyflakes3 doesn't check sys.version and therefore complains about
'unicode' being undefined.
This patch defines unicode as alias of str to make pyflakes3 happy, and
as a side effect, simplifies type_is_str().
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
By calling self.delete() inside the delete_duplicates() loop, the
self.rules list was modified. This resulted in some rules not being
checked and therefore (some, not all) superfluous rules not being
removed.
This patch switches to a temporary variable to loop over, and rebuilds
self.rules with the rules that are not superfluous.
This also fixes some strange issues already marked with a "Huh?" comment
in the tests.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule,
therefore the cleanprof_test.out change doesn't make sense for 2.10.
Network events can come with an operation= that looks like a file event.
Nevertheless, if the event has a typical network parameter (like
net_protocol) set, make sure to store the network-related flags in ev.
This fixes the test failure introduced in my last commit.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
We already ignore network events that look like file events (based on
the operation keyword) if they have a request_mask of 'send' or
'receive' to avoid aa-logprof crashes because of "unknown" permissions.
It turned out that both can happen at once, so we should also ignore
this case.
Also add the now-ignored log event as test_multi testcase.
References: https://bugs.launchpad.net/apparmor/+bug/1577051#13
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
Date: Tue, 21 Jun 2016 18:18:45 +0100
Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf
Follow the same logic we already did for NetworkManager,
resolvconf and systemd-resolved. The wonderful thing about
standards is that there are so many to choose from.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[modified by sarnold to fit the surroundings]
Thanks to reading the wrong directory in read_inactive_profiles()
(profile_dir instead of extra_profile_dir), aa-genprof never asked about
using a profile from the extra_profile_dir.
Sounds like an easy fix, right? ;-)
After fixing this (last chunk), several other errors popped up, one
after the other:
- get_profile() missed a required parameter in a serialize_profile() call
- when saving the profile, it was written to extra_profile_dir, not to
profile_dir where it (as a now-active profile) should be. This is
fixed by removing the filename from existing_profiles{} so that it can
pick up the default name.
- CMD_FINISHED (when asking if the extra profile should be used or a new
one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising
for the user. Remove it to avoid confusion.
- displaying the extra profile was only implemented in YaST mode
- get_pager() returned None, not an actual pager. Since we have 'less'
hardcoded at several places, also return it in get_pager()
Finally, also remove CMD_FINISHED from the get_profile() test in
test-translations.py.
(test-translations.py is only in trunk, therefore this part of the patch
is obviously trunk-only.)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk
Acked-by: John Johansen <john.johansen@canonical.com> for trunk + a 50% ACK for 2.10 and 2.9
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
The latest iputils merged ping and ping6 into a single binary that does
both IPv4 and IPv6 pings (by default, it really does both).
This means we need to allow network inet6 raw in the ping profile.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596
(contains more details and example output)
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 4 May 2016 13:48:36 +0100
Subject: dbus-session-strict: allow access to the user bus socket
If dbus is configured with --enable-user-bus (for example in the
dbus-user-session package in Debian and its derivatives), and the user
session is started with systemd, then the "dbus-daemon --session" will be
started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly,
on systems where dbus-daemon has been replaced with kdbus, the
bridge/proxy used to provide compatibility with the traditional D-Bus
protocol listens on that same socket.
In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems,
where $uid represents the numeric uid. I have not used /{var/,}run here,
because systemd does not support configurations where /var/run and /run
are distinct; in practice, /var/run is a symbolic link.
Based on a patch by Sjoerd Simons, which originally used the historical
path /run/user/*/dbus/user_bus_socket. That path was popularized by the
user-session-units git repository, but has never been used in a released
version of dbus and should be considered unsupported.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 11 May 2016 13:52:56 +0100
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
This test attempts to auto-skip the sysctl() part if that syscall
was not compiled into the current kernel, via
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
for two reasons:
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
and it had nonzero exit status, the trap on ERR was triggered,
causing execution of the error_handler() shell function, which
aborts the test with a failed status. The rules for ERR are the
same as for "set -e", so we can circumvent it in the same ways.
* Because sysctl_syscall.c prints its diagnostic message to stderr,
but the $() operator only captures stdout, it never matched
in the string comparison. This is easily solved by redirecting
its stderr to stdout.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Variables can be used in several rule types (from the existing *Rule
classes: change_profile, dbus, ptrace, signal). It seems nobody uses
variables with those rules, otherwise we'd have received a bugreport ;-)
I noticed this while working on FileRule, where usage of variables is
more common. The file code in bzr (not using a *Rule class) already
loads the variables, so old versions don't need changes for file rule
handling.
However, 2.10 already has ChangeProfileRule and therefore also needs
this fix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
BugLink: http://bugs.launchpad.net/bugs/1551950
The apparmor_parser is incorrectly outputting the names of child profiles
and hats, by adding a : between the parent and the child profile name
Eg.
/usr/sbin/httpd{,2}-prefork
/usr/sbin/httpd{,2}-prefork://DEFAULT_URI
/usr/sbin/httpd{,2}-prefork://HANDLING_UNTRUSTED_INPUT
instead of what it should be
/usr/sbin/httpd{,2}-prefork
/usr/sbin/httpd{,2}-prefork//DEFAULT_URI
/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
https://launchpad.net/bugs/1569316
When Ubuntu made the jump from network-manager 1.0.4 to 1.1.93, the
dnsmasq process spawned from network-manager started hitting a
disconnected path denial:
audit: type=1400 audit(1460463960.943:31702): apparmor="ALLOWED"
operation="connect" info="Failed name lookup - disconnected path"
error=-13 profile="/usr/sbin/dnsmasq"
name="run/dbus/system_bus_socket" pid=3448 comm="dnsmasq"
requested_mask="wr" denied_mask="wr" fsuid=65534 ouid=0
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Since the latest openSUSE Tumbleweed update (dovecot 2.2.21 -> 2.2.22),
dovecot/auth writes to /var/run/dovecot/stats-user.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
acmetool is an alternative client for Let's Encrypt.
(https://github.com/hlandau/acme/)
It stores the certificates etc. in the following directory layout:
/var/lib/acme/live/<domain> -> ../certs/<hash>
/var/lib/acme/certs/<hash>/cert
/var/lib/acme/certs/<hash>/chain
/var/lib/acme/certs/<hash>/privkey -> ../../keys/<hash>/privkey
/var/lib/acme/certs/<hash>/url
/var/lib/acme/certs/<hash>/fullchain
/var/lib/acme/keys/<hash>/privkey
This patch adds the needed permissions to the ssl_certs and ssl_keys
abstractions so that the certificates can be used.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
In /etc/nscd.conf there is an option allowing to restart nscd after a
certain time. However, this requires reading /proc/self/cmdline -
otherwise nscd will disable paranoia mode.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=971790
Acked-By: Jamie Strandboge <jamie@canonical.com> for trunk, 2.10 and 2.9
Merge from trunk commit 3391
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1480492
If python3-apparmor is not installed, aa-status aborts due to the
ded
import to handle fancier exception handling failing. This patch makes
aa-status(8) work even in that case, falling back to normal python
exceptions, to keep its required dependencies as small as possible.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
write_prof_data[hat] is correct (it only contains one profile, see bug 1528139),
write_prof_data[profile][hat] is not and returns an empty (sub)hasher.
This affects RE_PROFILE_START and RE_PROFILE_BARE_FILE_ENTRY.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.9 and 2.10
If a profile file contains multiple profiles and one of those profiles
contains a rule managed by a *Ruleset class,
serialize_profile_from_old_profile() crashes with an AttributeError.
This happens because profile_data / write_prof_data contain only one
profile with its hats, which explodes if a file contains multiple
profiles, as reported in lp#1528139
Fixing this would need lots of
write_prof_data[hat] -> write_prof_data[profile][hat]
changes (and of course also a change in the calling code) or, better
option, a full rewrite of serialize_profile_from_old_profile().
Unfortunately I don't have the time to do the rewrite at the moment (I
have other things on my TODO list), and changing write_prof_data[hat] ->
write_prof_data[profile][hat] is something that might introduce more
breakage, so I'm not too keen to do that.
Therefore this patch wraps the serialize_profile_from_old_profile() call
in try/except. If it fails, the diff will include an error message and
recommend to use 'View Changes b/w (C)lean profiles' instead, which is
known to work.
Note: I know using an error message as 'newprofile' isn't an usual way
to display an error message, but I found it more intuitive than
displaying it as a warning (without $PAGER).
References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10
dovecot-lda needs to read and write /tmp/dovecot.lda.*.
It also needs to be able to execute sendmail to send sieve vacation
mails.
For now, I'm using a child profile for sendmail to avoid introducing a
new profile with possible regressions. This child profile is based on
the usr.sbin.sendmail profile in extras and should cover both postfix'
and sendmail's sendmail.
I also mixed in some bits that were needed for (postfix) sendmail on my
servers, and dropped some rules that were obsolete (directory rules not
ending with a /) or covered by an abstraction.
In the future, we might want to provide a stand-alone profile for
sendmail (based on this child profile) and change the rule in the
dovecot-lda profile to Px.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=954959https://bugzilla.opensuse.org/show_bug.cgi?id=954958
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
parser/tst/simple_tests/profile/profile_ns_bad8.sd was added in r3376
(trunk) / r3312 (2.10 branch) and contains the profile name ':ns/t'
which misses the terminating ':' for the namespace.
Unfortunately the tools don't understand namespaces yet and just use the
full profile name. This also means this test doesn't fail as expected
when tested against the utils code.
This patch adds profile_ns_bad8.sd to the exception list of
test-parser-simple-tests.py.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.10.
https://launchpad.net/bugs/1546455
Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.
There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
[cboltz: Add 'unspec' to the network domain keywords of the utils]
https://launchpad.net/bugs/1540666
Reuse the new parse_label() function to initialize named_transition
structs so that transition targets, when used with change_profile, are
properly seperated into a profile namespace and profile name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://launchpad.net/bugs/1544387
Don't split namespaces from profile names using YACC grammar. Instead,
treat the entire string as a label in the grammer. The label can then be
split into a namespace and a profile name using the new parse_label()
function.
This fixes a bug that caused the profile keyword to not be used with a
label containing a namespace in the profile declaration.
Fixing this bug uncovered a bad parser test case at
simple_tests/profile/profile_ns_ok1.sd. The test case mistakenly
included two definitions of the :foo:unattached profile despite being
marked as expected to pass. I've adjusted the name of one of the
profiles to :foo:unattached2.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
If a profile file contains multiple profiles, aa-mergeprof crashes on
saving in write_profile() because the second profile in the file is not
listed in 'changed'. (This happens only if the second profile didn't
change.)
This patch first checks if 'changed' contains the profile before
pop()ing it.
Reproducer: copy utils/test/cleanprof_test.in to your profile directory
and run aa-mergeprof utils/test/cleanprof_test.out. Then just press
's' to save the profile.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
If autodep() is called with a pname starting with / (which can happen
for (N)amed exec depending on the user input), this pname is mapped to
bin_name.
This might look like a good idea, however if the given pname doesn't
exist as file on-disk, autodep() returns None instead of a (mostly
empty) profile. (Reproducer: choose (N)amed, enter "/foo/bar")
Further down the road, this results in two things:
a) the None result gets written as empty profile file (with only a "Last
modified" line)
b) a crash if someone chooses to add an abstraction to the None, because
None doesn't support the delete_duplicates() method for obvious
reasons ;-)
Unfortunately this patch also introduces a regression - aa-logprof now
fails to follow the exec and doesn't ask about the log events for the
exec target anymore. However this doesn't really matter because of a) -
asking and saving to /dev/null vs. not asking isn't a real difference
;-)
Actually the patch slightly improves things - it creates a profile for
the exec target, but only with the depmod() defaults (abstractions/base)
and always in complain mode.
I'd prefer a patch that also creates a complete profile for the exec
target, but that isn't as easy as fixing the issues mentioned above and
therefore is something for a future fix. To avoid we forget it, I opened
https://bugs.launchpad.net/apparmor/+bug/1545155
Note: 2.9 "only" writes an empty file and doesn't crash - but writing
an empty profile is still an improvement.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9
deny rules don't allow ix, Px, Ux etc. - only 'deny /foo x,' is allowed.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10
Note: Seth mentioned in the mail that he doesn't like the 'deny x'
section too much, but we didn't find a better solution when discussing
it on IRC. Therefore I keep the patch unchanged, but will happily
review a follow-up patch if someone sends one ;-)
Most probably-file log events can also be network events. Therefore
check for request_mask in all events, not only file_perm, file_inherit
and (from the latest bugreport) file_receive.
References: https://bugs.launchpad.net/apparmor/+bug/1540562
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk, 2.10 and 2.9.
If reading /dev/urandom failed, the corresponding file descriptor was
leaked through the error path.
Coverity CID #56012
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
I suspect that the incorrect description of EPERM was copied from
the aa_change_hat man page, where it is possible to see EPERM if the
application is not confined by AppArmor.
This patch corrects the description by documenting that the only
possible way to see EPERM is if a confined application has the
no_new_privs bit set.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
It is possible that file descriptors will be revalidated after an
aa_change_profile() but there is a lot of complexity involved that
doesn't need to be spelled out in the man page. Instead, mention that
revalidation is possible but the only way to ensure that file
descriptors are not passed on is to close them.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The statement was meant to convey the difference between aa_change_hat()
and aa_change_profile(). Unfortunately, it read as if there was
something preventing a program from using aa_change_profile() twice to
move from profile A to profile B and back to profile A, even if profiles
A and B contained the necessary rules.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Merge from trunk revision 3353
On Debian and Ubuntu it's possible to have multiple ruby interpreters
installed, and the default to use is handled by the ruby-defaults
package, which includes a symlink from /usr/bin/ruby to the versioned
ruby interpreter.
This patch makes aa.py:get_interpreter_and_abstraction() take that into
account by using a regex to match possible versions of ruby. Testcases
are included. (I noticed this lack of support because on Ubuntu the
ruby test was failing because get_interpreter_and_abstraction()
would get the complete path, which on my 16.04 laptop would get
/usr/bin/ruby2.2.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When hitting an unknown line while parsing a profile, it's a good idea
to include that line in the error message ;-)
Note: 2.9 would print a literal \n because it doesn't have apparmor.fail,
so it will get a slightly different patch with spaces instead of \n.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
Bug: https://launchpad.net/bugs/1525119
If a *Ruleset is empty, let __repr__() print/return
<FooRuleset (empty) />
instead of
<FooRuleset>
</FooRuleset>
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.10.
Bug: https://launchpad.net/bugs/1523297
'!' is a reserved symbol and needs to be escaped in AARE.
Note: aare.py only exists in trunk, therefore this part is trunk-only.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9 as needed.
The capnames list missed a comma, which lead to the funny
"mac_overridesyslog" capability name.
__debug_capabilities() seems to be the only user of capnames, which
might explain why this bug wasn't noticed earlier.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
BugLink: http://bugs.launchpad.net/bugs/1534405
Patch -r 2952 switched over to using the library kernel interface, and
added a kernel_interface parameter to the dir_cb struct, that is used
to process directories.
Unfortunately kernel_interface parameter of the dir_cb struct is not being
properly initialized resulting in odd failures and sefaults when the parser
is processing directories.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
If parse_event_for_tree() raises an AppArmorException (for example
because of an invalid/unknown request_mask), catch it in read_log() and
re-raise it together with the log line causing the Exception.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9.
handle_children() has some special code for handling link events with
denied_mask = 'l'. Unfortunately this special code depends on a regex
that matches the old, obsolete log format - in a not really parsed
format ("^from .* to .*$").
The result was that aa-logprof did not ask about events containing 'l'
in denied_mask.
Fortunately the fix is easy - delete the code with the special handling
for 'l' events, and the remaining code that handles other file
permissions will handle it :-)
References: Bugreport by pfak on IRC
Testcase (with hand-tuned log event):
aa-logprof -f <( echo 'Jan 7 03:11:24 mail kernel: [191223.562261] type=1400 audit(1452136284.727:344): apparmor="ALLOWED" operation="link" profile="/usr/sbin/smbd" name="/foo" pid=10262 comm=616D617669736420286368362D3130 requested_mask="l" denied_mask="l" fsuid=110 ouid=110 target="/bar"')
should ask to add '/foo l,' to the profile.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
allow read on /run/systemd/resolve/resolv.conf for systems using networkd
(LP: #1529074)
Signed-Off-By: Jamie Strandboge <jamie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
r2637 added support for parsing unix rules, but forgot to add write
support. The result was that a profile lost its unix rules when it was
saved.
This patch adds the write_unix_rules() and write_unix() functions (based
on the write_pivot_root() and write_pivot_root_rules() functions) and
makes sure they get called at the right place.
The cleanprof testcase gets an unix rule added to ensure it's not
deleted when writing the profile. (Note that minitools_test.py is not
part of the default "make check", however I always run it.)
References: https://bugs.launchpad.net/apparmor/+bug/1522938https://bugzilla.opensuse.org/show_bug.cgi?id=954104
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk, 2.10 and 2.9.
This means:
- expect unicode (instead of str) when reading from a file in py2
- convert keys() result to a set to avoid test failures because of
dict_keys type
After this change, all tests work for both py2 and py3.
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
python 3 uses only the 'str' type, while python 2 also uses 'unicode'.
This patch adds a type_is_str() function to common.py - depending on the
python version, it checks for both. This helper function is used to keep
the complexity outside of the rule classes.
The rule classes get adjusted to use type_is_str() instead of checking
for type(x) == str, which means they support both python versions.
Finally, add test-common.py with some tests for type_is_str().
References: https://bugs.launchpad.net/apparmor/+bug/1513880
Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10
Note: 2.10 doesn't contain SignalRule and aare.py, and rule/__init__.py
doesn't have check_and_split_list(), therefore it doesn't get those
parts of the patch.
Don't catch AppArmorExceptions in aa-easyprof any longer and rely on
apparmor.fail to print the exception to stderr.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
https://launchpad.net/bugs/1526085
Revno 2934 'Add fns to handle profile removal to the kernel interface'
introduced a regression in the parser's namespace support by causing the
--namespace-string option to be ignored. This resulted in the profile(s)
being loaded into the global namespace rather than the namespace
specified on the command line.
This patch fixes the bug by setting the Profile object's ns member, if
the --namespace-string option was specified, immediately after the
Profile object is allocated.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
'change_hat' events have the target profile in 'name2', not in 'name'
(which is None and therefore causes a crash when checking if it contains
'//')
Also add the log event causing this crash to the libapparmor testsuite.
References: https://bugs.launchpad.net/apparmor/+bug/1523297
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
Parsing variables was broken in several ways:
- empty quotes (representing an intentionally empty value) were lost,
causing parser failures
- items consisting of only one letter were lost due to a bug in RE_VARS
- RE_VARS didn't start with ^, which means leading garbage (= syntax
errors) was ignored
- trailing garbage was also ignored
This patch fixes those issues in separate_vars() and changes
var_transform() to write out empty quotes (instead of nothing) for empty
values.
Also add some tests for separate_vars() with empty quotes and adjust
several tests with invalid syntax to expect an AppArmorException.
var_transform() gets some tests added.
Finally, remove 3 testcases from the "fails to raise an exception" list
in test-parser-simple-tests.py.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9
(which also implies 2.10)
Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't
get that part of the patch.
As Kshitij mentioned, abstract methods should use NotImplementedError
instead of AppArmorBug.
While changing this, I noticed that __repr__() needs to be robust against
NotImplementedError because get_raw() is not available in BaseRule.
Therefore the patch changes __repr__() to catch NotImplementedError.
Of course the change to NotImplementedError also needs several
adjustments in the tests.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
(long before branching off 2.10, therefore I also commit to 2.10)
Note: 2.10 doesn't have test-signal.py, which means it can't be patched ;-)
Creating a file is in theory covered by the 'a' permission, however
discussion on IRC brought up that depending on the open flags it might
not be enough (real-world example: creating the apache pid file).
Therefore change the mapping to 'w' permissions. That might allow more
than needed in some cases, but makes sure the profile always works.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9, 2.10 and trunk
For debugging, it's helpful to know which part of the code initialized a
profile_storage and for which profile and hat this was done.
This patch adds an 'info' array with that information, adds the
corresponding parameters to profile_storage() and changes the callers to
deliver some useful content.
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.10
We replaced parse_audit_allow() with parse_modifiers() in r2833, but
overlooked that parse_modifiers() returns allow/deny as boolean. This
resulted in storing bare file rules in aa[profile][hat]['path'][False]
instead of aa[profile][hat]['path']['allow'] (or True instead of 'deny'
for 'deny file,' rules), with the user-visible result of loosing bare
file rules when saving the profile.
This patch converts the boolean value from parse_modifiers back to a
string.
Note: 2.9 is not affected because the old parse_audit_allow() returns
'allow' or 'deny' as string, not as boolean.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for trunk and 2.10
The last utils/test/Makefile change switched to using the in-tree
libapparmor by default (unless USE_SYSTEM=1 is given). However, I missed
to add the swig/python parts of libapparmor to PYTHONPATH, so the
system-wide LibAppArmor/__init__.py was always used.
This patch adds the in-tree libapparmor python module to PYTHONPATH.
I'm sorry for the interesting[tm] way to find out that path, but
a) I don't know a better / less ugly way and
b) a similar monster already works in libapparmor/swig/python/test/ ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for 2.9 and trunk
(that also implies 2.10 ;-)
To make things more interesting, /usr/bin/python and /usr/bin/python[23]
are symlinks to /usr/bin/python[23].[0-9], so we have to explicitely
list several versions.
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9, 2.10 and trunk
2.9.x and 2.10 had some time stamp bugs around cache handling that
result in the cache getting a wrong time stamp, and then not getting
correctly updated when policy changes.
Force cache recompiles for these versions by bumping the parser abi
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
syslog-ng needs to access both the permanent /var/log/journal/ and the
non-permanent /run/journal/.
I also included /var/run/journal/ to stay consistent with supporting
both /run/ and /var/run/.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
This makes print()ing a class object much more helpful - instead of
<apparmor.rule.network.NetworkRule object at 0x7f416b239e48>
we now get something like
<NetworkRule> network inet stream,
(based on get_raw())
A NetworkRuleset will be printed as (also based on get_raw())
<NetworkRuleset>
network inet stream,
allow network inet stream, # comment
</NetworkRuleset>
Also add tests to test-network.py to ensure that __repr__() works as
expected.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
aa-logprof is able to parse all profiles, so there is no longer a
reason to skip this test.
This patch reverts r2097 and r2098 from 2013-01-02.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Acked-by: John Johansen <john.johansen@canonical.com>
(and now that the tests work even if logprof.conf doesn't exist,
Steve's NACK is no longer valid)
This patch checks if the cfg object is empty (happens if logprof.conf
doesn't exist). If so, it adds some empty sections to prevent various
failures in code that expects those sections to exist.
Another source of failures was using cfg['section']['setting']. The
patch changes various places to cfg['section'].get('setting') to prevent
those failures. (Those places all have a 'or ...' fallback.)
Finally, find_first_file() in config.py crashed if file_list was Null.
This is fixed by adding an "if file_list:" check before trying to
split() it.
With all those changes applied, 'make check' will work even if
/etc/apparmor/logprof.conf doesn't exist.
The patch also fixes the default value for inactive_profiledir
(I missed aa.py when I changed it to /usr/share/apparmor/extra-profiles/)
References: https://bugs.launchpad.net/apparmor/+bug/1393979
Acked-by: John Johansen <john.johansen@canonical.com>
Both create_new_profile() and handle_children() check if the given exec
target is a script and add permissions for the interpreter and a
matching abstraction.
This patch merges that into the get_interpreter_and_abstraction()
function and changes create_new_profile() and handle_children() to use
this function.
A nice side effect is that handle_children() now knows more abstractions
(its original list was incomplete).
The behaviour of create_new_profile() doesn't change.
Also add tests for get_interpreter_and_abstraction() to make sure it
does what we expect.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
Bug: https://launchpad.net/bugs/1505775
These tests ensure that create_new_profile() sets the expected basic
permissions for scripts and non-script files.
Acked-by: John Johansen <john.johansen@canonical.com>
oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
This means we have to update paths for /bin/ in several profiles to also
allow /usr/bin/
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9
Also add support for the USE_SYSTEM variable, which means:
- test against the in-tree libapparmor and python modules by default
- test against the system libapparmor and python modules if USE_SYSTEM
is set
The old behaviour was a mix of both - it always used the in-tree python
modules and the system libapparmor.
For obvious reasons, you'll need to build libapparmor before running the
tests (unless you specify USE_SYSTEM=1 as parameter to make check).
Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9
Add a testcase that parses all tests in the parser/tst/simple_tests/
directory with parse_profile_data() to ensure that everything with valid
syntax is accepted, and that all tests marked as FAIL raise an
exception.
This already resulted in
- several patches to fix low-hanging fruits (including some bugs in the
parser simple_tests itsself)
- a list of tests that don't behave as expected. Those files get their
expected result reverted to make sure we notice any change in the
tools behaviour, especially changing to the really expected resulted.
This method also makes sure that the testcase doesn't report any of
the known failures.
- a 5% improvement in test coverage - mostly caused by nearly completely
covering parse_profile_data.
- addition of some missing testcased (as noticed by missing coverage),
for example several "rule outside of a profile" testcases.
As indicated above, the tools don't work as expected on all test
profiles - most of the failures happen on expected-to-fail tests that
pass parse_profile_data() without raising an exception. There are also
some tests failing despite valid syntax, often with rarely used syntax
like if conditions and qualifier blocks.
Most of the failing (generated) tests are caused by features not
implemented in the tools yet:
- validating dbus rules (currently we just store them without any parsing)
- checks for conflicting x permissions
- permissions before path ("r /foo,")
- 'safe' and 'unsafe' keywords for *x rules
- 'Pux' and 'Cux' permissions (which actually mean PUx and CUx, and get
rejected by the tools - ideally the generator script should create
PUx and CUx tests instead)
skip_startswith excludes several generated tests from being run. I know
that skip_startswith also excludes tests that would not fail, but the
generated filenames (especially generated_x/exact-*) don't have a
pattern that I could easily use to exclude less tests - and I'm not too
keen to add a list with 1000 single filenames ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
The global variable 'logger' in aa.py is only used by aa-genprof.
This patch changes aa_genprof to use the (new) logger_path() function,
and moves the code for finding the logger path to that function.
Also make the error message more helpful if logger can't be found.
Acked-by: John Johansen <john.johansen@canonical.com>
The 'ldd' variable in aa.py is only used by get_reqs(), therefore move
setting it (based on the configfile) into the function.
get_reqs() doesn't run too often (only called by create_new_profile(),
which means aa-genprof or when adding a Px or Cx rule to a non-existing
profile). This might even lead to a minor performance win - on average,
I'd guess not every aa-logprof run will lead to a completely new profile
or child profile. And, more important, we get rid of a global variable.
Acked-by: John Johansen <john.johansen@canonical.com>
create_new_profile() didn't init missing required_hats as
profile_storage(), which might lead to crashes when creating a profile
for an application listed in the required_hats config option (= in very
rare cases).
This patch adds the missing profile_storage() call.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This also means the duplicate detection can use the hat's filename instead
of the (possibly wrong) main profile's filename.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
except /dev/tty rw which is needed for the shell's stdout and stderr.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
Acked by Seth Arnold on IRC (with "owner" added)
With this addition, all globbing styles (as documented in apparmor.d(5))
are covered in the convert_regexp() tests.
Acked-by: Seth Arnold <seth.arnold@canonical.com>
load_include() used a custom os.listdir call instead of
include_dir_filelist() for directory includes, which means it also read
skippable files like *.rpmnew or README. (It seems nobody created a
README inside an included directory, otherwise we'd have seen a
bugreport ;-)
This patch changes load_include() to use include_dir_filelist(). This
function is used in some more places already and removes skippable files
from the file list.
Acked-by <timeout>
load_include() has a "if not incdata:" block which would be entered if
parse_profile_data() returns None. However, parse_profile_data() always
returns a hasher with [incfile][incfile] = profile_storage(), so that
"if not incdata:" never matches.
Acked-by <timeout>
The "already loaded?" check in load_include() was done at the beginning
of the function, before entering the loop and before the individual
files of directory includes were added to the filelist. This resulted in
a (wrong) "Conflicting profiles" error for directory includes.
This patch moves the "alreay loaded?" check inside the loop, so that
it's executed for all files, including those of directory includes.
Acked-by <timeout>
TL;DR: aa-genprof crashes with a wrong 'Conflicting profiles' error.
aa-genprof uses autodep() to create a basic profile, which is then
stored in aa and original_aa. After that, read_profiles() is called,
which reads all profiles (including the new one) from disk, causing a
(wrong) 'Conflicting profiles' error in attach_profile_data() because
the autodep()-generated profile is already there.
Therefore this patch resets aa and original_aa in read_profiles() to
avoid that problem.
Acked-by <timeout>
The tests for convert_regexp() were hidden in common_test.py, where they
were never executed.
This patch moves them to the new file test-aare.py and also converts the
regex_tests.ini to a tests[] array to have the test data inside the test
file. (All tests from regex_tests.ini are in test-aare.py, and two tests
with prepended and appended path segments were added.)
Also add some tests that check the raw behaviour of convert_regexp() -
the tests "by example" are probably more useful and for sure more
readable ;-) but I want to have some examples of the converted regexes
available.
Acked-by <timeout>
logparser.py does a regex check on log lines as performance improvement
so that it only hands over lines that look like AppArmor events to
LibAppArmor parsing. Those regexes were incomplete and didn't cover all
log formats LibAppArmor accepts, with the end result of "overlooking"
events.
This patch splits off common parts of the regex, adds more regexes for
several log types and finally merges everything into one regex.
test-libapparmor-test_multi.py now also checks all test_multi log lines
against the regex to ensure logparser.py doesn't silently ignore events.
test-logparser.py gets adjusted to the merged RE_LOG_ALL regex.
Finally, add a new test that was posted on IRC to the test_multi set.
As already threatened nearly a month ago,
Acked by <timeout> for trunk and 2.9
This patch is based on a SLE12 patch to allow executing the
--dhcp-script. We already have most parts of that patch since r2841,
however the SLE bugreport indicates that /bin/sh is executed (which is
usually a symlink to /bin/bash or /bin/dash), so we should also allow
/bin/sh
References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
Add some permissions that I need on my system:
- execute nm-dhcp-helper
- read and write /var/lib/dhcp6/dhclient.leases
- read /var/lib/NetworkManager/dhclient-*.conf
- read and write /var/lib/NetworkManager/dhclient-*.conf
Looks-good-by: Steve Beattie <steve@nxnw.org>
Acked-by: <timeout> for trunk and 2.9
This testcase will parse all libraries/libapparmor/testsuite/test_multi
tests and compare the result with the *.out files.
It also include a "ToDo list" of keywords that are not yet supported in
the python code - those are typically related to rule types not
supported in the tools yet (dbus, signal etc.).
An interesting special case are exec events with network details:
testcase01.in, testcase12.in, testcase13.in
which might be hand-made, invalid logs, but nobody remembers ;-)
Acked-by <timeout>
Drop the reference to the libapparmor policy_cache pseudo object when
the parser is done.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Fix memory leaks when parsing dmesg timestamps as well as when handling
message the library does not understand.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
In recent commits, Tyler fixed some problems with the caching behavior
of the parser, as well as adjusting and improving the caching test
script to verify these behaviors.
In doing so, the test script adjusts the mtime of various
files and ensures that the written files have the expected mtime
timestamp. Unfortunately, the os.utime() function used to adjust mtime
in python 3.2 (as included in Ubuntu 12.04 LTS) does not update with
nanosecond precision, even though the timestamps returned by os.stat()
do have precision to nanoseconds. This causes the tests to fail when
running under python 3.2 with errors like the following:
======================================================================
FAIL: test_abstraction_newer_rewrites_cache (__main__.AAParserCachingTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/��PKGBUILDDIR��/parser/tst/testlib.py", line 50, in new_unittest_func
return unittest_func(self)
File "./caching.py", line 424, in test_abstraction_newer_rewrites_cache
self._set_mtime(self.abstraction, abstraction_mtime)
File "./caching.py", line 238, in _set_mtime
self.assertEquals(os.stat(path).st_mtime, mtime)
AssertionError: 1440337039.40212 != 1440337039.4021206
The following patch creates a new time stamp equality assertion
function that detects if it's running on python 3.2 or earlier, and
loosens the equality bounds when comparing the passed timestamps. On
python 3.3 and newer, where writing timestamps with nanosecond precision
is supported, the strict equality assertion is used.
(Note: I did not convert all time stamp comparisons, just ones where
the timestamp written and checked could be based on a timestamp
derived from os.stat().)
Reference: https://bugs.python.org/issue12904
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
/usr/share/locale-bundle/ contains translations packaged in
bundle-lang-* packages in openSUSE.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
The contents of the policy cache files varies based on kernel feature
support found in apparmorfs but the caching tests are mostly about
whether or not a cache file was generated and with the right timestamps.
This patch makes it so that the tests are not entirely skipped when
apparmorfs is not available. Instead, a flat features file will be used
in most cases and only the specific tests that require apparmorfs will
be skipped.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This makes several improvements to the parser caching tests to verify
that the parser is properly consuming the mtime of profiles and
abstractions when dealing with the policy cache.
It introduces a simple abstraction file and tests the mtime handling by
changing the mtime on the profile, abstraction, apparmor_parser, and
cache file in various combinations to check the parser's behavior.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch fixes a regression in setting the cache file's timestamp
handling that was introduced in r3079:
Set cache file tstamp to the mtime of most recent policy file tstamp
The previously used utimes(2) syscall requires a two element timeval
array. The first element in the array is the atime to be used and the
second element is the mtime. The equivalent of a one element timeval
array was being passed to it, resulting in garbage being used for the
mtime value. The utimes(2) syscall either failed, due to the invalid
input, or set mtime to an unexpected value. The return code wasn't being
checked so the failure went unknown.
This patch switches to utimensat(2) for a couple reasons. The UTIME_OMIT
special value allows us to preserve the inode's atime without calling
stat(2) to fetch the atime. It also allows for nanosecond precision
which better aligns with what stat(2) returns on the input profile and
abstraction files. That means that we can have the exact same mtime on
the input profile or abstraction file and the output cache file.
https://launchpad.net/bugs/1484178
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
In testing against the 4.1 kernel, the syscall_sysctl testcase started
failing even in the unconfined case. What the test program does is
attempt to adjust the kernel.threads-max sysctl to be slightly larger
and see if the operation succeeds by reading the value back out. It
also attempts to save the original value and restore it. The test
was failing because (in VMs at least) the default value chosen by
the kernel for the kernel.threads-max setting was high enough that
attempts to increase it would be ignored (likely to prevent too much
use of kernel memory by threads), helpfully without any message being
report to dmesg. Thus, the initial read of the current value would
succeed, the write of that value + 1024 would appear to succeed,
but then reading the value back out and comparing it to the expected
value would fail, as it would still be the original value, not the
expected new value.
This patch attempts to address this by first attempting to raise
the value, and if that does not appear to work, to then attempt
to lower it. It also refactors the code a bit by creating helper
functions to perform the actual sysctl(2) calls to make the code a
bit easier to read.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Having two profiles for the same binary is "technically allowed", but it
leads to interesting[tm] behaviour because one of them "wins" depending
on the load order. To make things even more interesting, the kernel load
order can be different from the tools load order, leading to even more
fun.
Short version: you do _not_ want that situation ;-)
This patch adds a duplicate check to attach_profile_data() so that it
errors out if it finds duplicate profiles or hats, and lists the profile
files that contain them.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for both trunk and 2.9.
In some cases, the return value of name_to_prof_filename() is undefined.
This happens when deleting the to-be-confined binary while running
aa-genprof and leads to a not-too-helpful
File "/usr/lib/python3/dist-packages/apparmor/aa.py", line 265, in enforce
prof_filename, name = name_to_prof_filename(path)
TypeError: 'NoneType' object is not iterable
(reported by maslen on IRC)
This patch makes sure name_to_prof_filename() always returns None, None
(instead of undefined aka just None) so that at least the caller can
successfully split it into two None values.
For the exotic aa-genprof usecase given above, this at least improves
the error message to
Can't find $binary_name
(raised by enforce() via fatal_error())
The patch also changes fatal_error() to display the traceback first, and
the human-readable message at the end, which makes it more likely that
the user actually notices the human-readable message.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for both trunk and 2.9.
Profile name and attachment can contain variables, so the
RE_PROFILE_START regex should accept it.
(Note: the variable content isn't checked.)
Also add some tests with variables.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
add_event_to_tree() is a hard-to-test function because it hands over its
result to add_to_tree().
This patch converts add_event_to_tree() to a simple wrapper function and
moves the main code into parse_event_for_tree() and map_log_type(). These
two new functions return their results and are therefore easier to test.
Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
"rcapparmor kill" results in a funny error message:
/lib/apparmor/rc.apparmor.functions: line 441: return: -v: invalid option
return: usage: return [n]
SLE12 includes a patch that prevents this error message, but also
prevents that $? is handed over correctly to rc_status. This means that
"rcapparmor kill" will happily display "done" even with a compiled-in
apparmor module that can't be unloaded.
This patch is the improved version - it adds a small helper function to
set $? (as handed over to aa_log_end_msg()) and then calls rc_status -v.
This means that "rcapparmor kill" now shows "failed" because it's
impossible to unload something that is compiled directly into the
kernel.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=862170 (non-public)
Acked-by: Seth Arnold <seth.arnold@canonical.com> for 2.9 and trunk
dconf abstraction: allow reading /etc/dconf/**.
That's needed e.g. for Totem on current Debian Jessie.
Acked-By: Jamie Strandboge <jamie@canonical.com>
The '#!/usr/bin/env python' line in apparmor/rule/*.py is superfluous
and causes "non-executable script" rpmlint warnings on openSUSE.
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2015-07-17 21:57:26 +02:00
167 changed files with 2574 additions and 652 deletions
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
