mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-03 15:55:46 +00:00

Compare commits


18 Commits

Author SHA1 Message Date
John Johansen
6a871a5082 Release: Bump version for the 2.10.5 release
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-06-18 13:18:17 -07:00
Petr Vorel
3dd6034839 dnsmasq: Add permission to open log files
--log-facility option needs to have permission to open files.
Use '*' to allow using more files (for using more dnsmasq instances).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Jamie Strandboge <jamie@canonical.com>
(cherry picked from commit 025c7dc6a1)
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2019-06-18 04:23:40 -07:00
Christian Boltz
84791175e8 syslog-ng: add abstractions/python for python-parser
When running syslog-ng with a defined python-parser, it needs access to
python libraries.

For details about python-parser, see
https://www.syslog-ng.com/community/b/blog/posts/format-your-log-messages-in-python

References: https://github.com/balabit/syslog-ng/issues/2625
PR: https://gitlab.com/apparmor/apparmor/merge_requests/361
(cherry picked from commit 234a924480)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-06-13 17:43:17 -07:00
Jörg Sommer
f1bca36c18 parser: Fix parsing of arrow “px -> …”
The parser failed to read the profile name after the arrow. Rules with
`-> foo-bar;` failed with “Found unexpected character: '-'”. Rules with
`-> @{tgt};` compiled fine, but failed at runtime with “profile transition
not found”.

The patch was written by sbeattie and published on
https://paste.ubuntu.com/p/tzxxmVwGJ8/

https://matrix.to/#/!pNJIrowvqsuGgjXsEY:matrix.org/$15477566201815716pmube:matrix.org?via=matrix.org&via=alea.gnuu.de
PR: https://gitlab.com/apparmor/apparmor/merge_requests/334
(cherry picked from commit 0e0663e99e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-06-13 17:37:41 -07:00
John Johansen
5a2db81f93 libapparmor python: Fix 'aa_log_record' object has no attribute '__getattr__'
When building with swig 4 we are seeing the error

AttributeError: 'aa_log_record' object has no attribute '__getattr__'

Which forces swig to use modern classes which do not generate __getattr__
methods.

issue: https://gitlab.com/apparmor/apparmor/issues/33
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a6ac6f4cfc)
2019-06-04 21:52:49 -07:00
John Johansen
d86c290e85 tests/regression: fix mount test to use next available loop device
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/379
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit ab0f2af1da)
2019-05-11 22:28:24 -07:00
Christian Boltz
593b1fb930 Merge branch 'cboltz-gitignore' into 'master'
Add several libapparmor/swig/ruby files to gitignore

See merge request apparmor/apparmor!366

(cherry picked from commit 9c11ce37c6)

7ed1a16a Add several libapparmor/swig/ruby files to gitignore
2019-04-26 16:17:09 +00:00
Goldwyn Rodrigues
b27e323ded identd: Add network netlink dgram
identd requires access to network netlink dgram.

(cherry picked from commit 1d75abba3f)
PR: https://gitlab.com/apparmor/apparmor/merge_requests/353
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-29 01:09:09 -07:00
Simon Deziel
6377b1c492 dovecot: master SIGTERM child that are slow to die
When doing a service reload, I noticed the following:

```
Mar 22 15:52:27 smtp dovecot: master: Warning: SIGHUP received - reloading configuration
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=35309 out=232805
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=24600 out=1688166
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=14026 out=95516
Mar 22 15:52:27 smtp dovecot: imap(simon): Server shutting down. in=13776 out=141513
Mar 22 15:52:33 smtp dovecot: master: Warning: Processes aren't dying after reload, sending SIGTERM.
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap): kill(5806, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(imap-login): kill(5804, 15) failed: Permission denied
Mar 22 15:52:33 smtp dovecot: master: Error: service(config): kill(506, 15) failed: Permission denied
Mar 22 15:52:33 smtp kernel: [65542.184326] audit: type=1400 audit(1553284353.609:82): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap"
Mar 22 15:52:33 smtp kernel: [65542.197596] audit: type=1400 audit(1553284353.625:83): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/imap-login"
Mar 22 15:52:33 smtp kernel: [65542.197635] audit: type=1400 audit(1553284353.625:84): apparmor="DENIED" operation="signal" profile="dovecot" pid=414 comm="dovecot" requested_mask="send" denied_mask="send" signal=term peer="/usr/lib/dovecot/config"
Mar 22 15:52:36 smtp dovecot: imap(simon): Server shutting down. in=17882 out=104004
```

The server was heavily loaded which is probably why it ended up trying to SIGTERM those.

Signed-off-by: Simon Deziel <simon@sdeziel.info>
(cherry picked from commit f01fd38ca0)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-03-22 16:08:46 -07:00
Christian Boltz
4b33ae0e03 Merge branch 'dovecot-fixes-no-doveadm' into 'master'
misc dovecot fixes (take #2)

See merge request apparmor/apparmor!336

Acked-by: Christian Boltz <apparmor@cboltz.de> for master..2.10

(cherry picked from commit e68beb988a)

a57f01d8 dovecot: allow FD passing between dovecot and dovecot's anvil
d0aa863f dovecot: allow chroot'ing the auth processes
9afeb225 dovecot: let dovecot/anvil rw the auth-penalty socket
17db8f38 dovecot: auth processes need to read from postfix auth socket
6a7c49b1 dovecot: add abstractions/ssl_certs to lmtp
2019-02-17 21:05:09 +00:00
John Johansen
47e348d5c5 Merge: [2.10] Add two parser files to .bzrignore
- parser/libapparmor_re/parse.cc is autogenerated during build
- parser/tst_lib gets compiled during "make check"

Both files get deleted by make clean.

This is the only remaining difference between 2.10 and newer .gitignore files, and the two files already get generated in 2.10.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/319
(cherry picked from commit 9d5934f5)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-01-29 10:53:27 +00:00
Christian Boltz
4b56928dc9 Add two parser files to .bzrignore
- parser/libapparmor_re/parse.cc is autogenerated during build
- parser/tst_lib gets compiled during "make check"

Both files get deleted by make clean.


Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.11.

(cherry picked from commit 9d5934f5ff)
2019-01-27 21:46:04 +01:00
Marius Tomaschewski
88d513a8ca abstractions/nameservice: allow /run/netconfig/resolv.conf
Latest netconfig in openSUSE writes /run/netconfig/resolv.conf, and only
has a symlink to it in /etc

References: https://bugzilla.opensuse.org/show_bug.cgi?id=1097370
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit b0bacba9db)
2019-01-24 02:46:52 -08:00
Jamie Strandboge
30a3e58464 Merge branch 'update-fonts' into 'master'
Update fonts for Debian and openSUSE

- Allow to read conf-avail dir itself.
- Add various openSUSE-specific font config directories.

See merge request !96 (merged) for details.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/309
(cherry picked from commit 7bd3029f25)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-01-23 20:13:24 -08:00
Christian Boltz
8916f1f4ad Merge branch 'fix-compose-cache' into 'master'
qt5-compose-cache-write: fix anonymous shared memory access

See merge request apparmor/apparmor!301

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master

(cherry picked from commit 027dcdb23f)

12504024 qt5-compose-cache-write: fix anonymous shared memory access
2019-01-14 20:51:53 +00:00
Christian Boltz
ba67b0cc98 Merge branch 'fix-qt5-settings' into 'master'
qt5-settings-write: fix anonymous shared memory access

See merge request apparmor/apparmor!302

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master

(cherry picked from commit 3e3c90152f)

f1200873 qt5-settings-write: fix anonymous shared memory access
8f6a8fb1 Refactor qt5-settings-write
2019-01-14 20:49:05 +00:00
Christian Boltz
6ff8c1ec1a Merge branch 'var-lib-dehydrated' into 'master'
abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian

See merge request apparmor/apparmor!299

Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.10..master

(cherry picked from commit 1f53de174d)

1306f9a6 abstractions/ssl_{certs,keys}: dehydrated uses /var/lib on Debian
c5a89d5d abstractions/ssl_{certs,keys}: sort the alternation for dehydrated and drop...
04b2842e abstractions/ssl_{certs,keys}: allow reading ocsp.der maintained by dehydrated for OCSP stapling
2019-01-03 17:33:35 +00:00
John Johansen
384ce01def parser: fix abi rule core dump
abi rule skipping is core dumping on some bad abi rule file names.

[  112s] #   Failed test './simple_tests//abi/bad_10.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[  112s] #   at simple.pl line 126.
[  112s]
[  112s] #   Failed test './simple_tests//abi/bad_11.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[  112s] #   at simple.pl line 126.
[  112s]
[  112s] #   Failed test './simple_tests//abi/bad_12.sd: Produced core dump (signal 6): abi testing - abi path quotes in <> with spaces'
[  112s] #   at simple.pl line 126.

This is caused by calling processquoted without ensuring that the
length being processed is valid.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2019-01-02 13:44:35 -08:00
18 changed files with 48 additions and 32 deletions

.gitignore
View File

@@ -8,6 +8,7 @@ binutils/po/*.mo
parser/po/*.mo
parser/af_names.h
parser/cap_names.h
parser/tst_lib
parser/tst_misc
parser/tst_regex
parser/tst_symtab
@@ -56,6 +57,7 @@ parser/*.7.html
parser/*.5.html
parser/*.8.html
parser/apparmor_parser
parser/libapparmor_re/parse.cc
parser/libapparmor_re/regexp.cc
parser/techdoc.aux
parser/techdoc.log
@@ -161,8 +163,14 @@ libraries/libapparmor/swig/python/test/test-suite.log
libraries/libapparmor/swig/python/test/test_python.py
libraries/libapparmor/swig/python/test/test_python.py.log
libraries/libapparmor/swig/python/test/test_python.py.trs
libraries/libapparmor/swig/ruby/LibAppArmor.so
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
libraries/libapparmor/swig/ruby/Makefile.new
libraries/libapparmor/swig/ruby/Makefile.ruby
libraries/libapparmor/swig/ruby/mkmf.log
libraries/libapparmor/testsuite/.deps
libraries/libapparmor/testsuite/.libs
libraries/libapparmor/testsuite/Makefile

View File

@@ -1 +1 @@
2.10.4
2.10.5

View File

@@ -109,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
new_record = dict()
for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
value = record.__getattr__(key)
value = getattr(record, key)
if key == "event" and value in EVENT_MAP:
new_record[key] = EVENT_MAP[value]
elif key == "version":
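Review bot: replacing `record.__getattr__(key)` with `getattr(record, key)` is the right fix rather than a workaround: `__getattr__` only exists as an attribute on classes that define it, which the swig 4 generated wrappers no longer do, while the built-in `getattr` works for both the old and the new wrapper classes. The loop still filters on `dir(record)`, so nothing else in the test needs to change.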

View File

@@ -317,9 +317,12 @@ LT_EQUAL <=
<ABI_MODE>{
(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS}) { /* <filename> | <"filename"> | "filename" | filename */
int lt = *yytext == '<' ? 1 : 0;
char *filename = processid(yytext + lt, yyleng - lt*2);
char *filename;
bool exists = YYSTATE == INCLUDE_EXISTS;
if (yyleng - lt < 1)
yyerror(_("Bad filename\n"));
filename = processid(yytext + lt, yyleng - lt*2);
if (!filename)
yyerror(_("Failed to process filename\n"));
yylval.id = filename;
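Review bot: the new guard `if (yyleng - lt < 1)` does not test the same quantity that is passed on the next lines, `processid(yytext + lt, yyleng - lt*2)`; for an angle-bracketed token (`lt == 1`) the argument is two shorter than `yyleng`, so a check of `yyleng - lt*2 < 1` would keep the guard and the argument in step. The early `yyerror(...)` also assumes yyerror does not return; if it can, `processid` is still reached with the bad length, so a `return`/`break` after it would make the intent explicit.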
@@ -594,7 +597,7 @@ include/{WS} {
{CARET} { PUSH_AND_RETURN(SUB_ID, TOK_CARET); }
{ARROW} { RETURN_TOKEN(TOK_ARROW); }
{ARROW} { PUSH_AND_RETURN(SUB_ID_WS, TOK_ARROW); }
{EQUALS} { PUSH_AND_RETURN(ASSIGN_MODE, TOK_EQUALS); }
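Review bot: switching `{ARROW}` from `RETURN_TOKEN(TOK_ARROW)` to `PUSH_AND_RETURN(SUB_ID_WS, TOK_ARROW)` changes which start condition lexes the transition target, which is what the commit message's `-> foo-bar;` and `-> @{tgt};` failures depend on; this comparison shows no parser test additions for either form, so adding simple_tests cases for a hyphenated target and a variable target would pin the behaviour down.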

View File

@@ -18,7 +18,9 @@
/usr/share/fonts/** r,
/etc/fonts/** r,
/usr/share/fontconfig/conf.avail/** r,
# Debian, openSUSE paths are different
/usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
/usr/share/ghostscript/fonts/{,**} r,
/opt/kde3/share/fonts/** r,

View File

@@ -39,7 +39,7 @@
/etc/resolv.conf r,
# On systems where /etc/resolv.conf is managed programmatically, it is
# a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
/{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/etc/samba/lmhosts r,

View File

@@ -3,5 +3,6 @@
# User files
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rw,
owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
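Review bot: `*` in an AppArmor path glob matches any run of non-`/` characters, so `#[0-9]*[0-9]` also matches names such as `#1x9`, not only digit strings; because the rule is `owner`-scoped and confined to `@{HOME}/.cache`, that looseness is acceptable, but the comment should say the intent is QSaveFile's `#<number>` temporary names so the pattern is not tightened or loosened by accident later.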

View File

@@ -3,9 +3,9 @@
# User files
owner @{HOME}/.config/#[0-9]* rw,
owner @{HOME}/.config/QtProject.conf rw,
owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/#[0-9]*[0-9] rw,
owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
# for temporary files like QtProject.conf.Aqrgeb
owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/QtProject.conf.lock rwk,

View File

@@ -29,9 +29,10 @@
/var/lib/acme/certs/*/cert r,
# dehydrated
/etc/dehydrated/certs/*/cert-*.pem r,
/etc/dehydrated/certs/*/chain-*.pem r,
/etc/dehydrated/certs/*/fullchain-*.pem r,
/{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
/{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
/{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
# certbot
/etc/letsencrypt/archive/*/cert*.pem r,

View File

@@ -22,7 +22,7 @@
/var/lib/acme/keys/** r,
# dehydrated
/etc/dehydrated/certs/*/privkey-*.pem r,
/{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
# certbot / letsencrypt
/etc/letsencrypt/archive/*/privkey*.pem r,

View File

@@ -21,6 +21,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
#include <abstractions/nameservice>
#include <abstractions/mysql>
#include <abstractions/openssl>
#include <abstractions/python>
capability chown,
capability dac_override,
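Review bot: `#include <abstractions/python>` is added unconditionally, so every syslog-ng instance gains the python library access, not only those configured with python-parser; that is read-only access and low risk, but if a narrower default is preferred, the existing `local/` include is the place to opt in per site.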

View File

@@ -18,7 +18,10 @@
capability setuid,
capability sys_chroot,
unix (receive, send) type=stream peer=(label=dovecot),
/run/dovecot/anvil rw,
/run/dovecot/anvil-auth-penalty rw,
/usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.

View File

@@ -25,6 +25,7 @@
capability dac_override,
capability dac_read_search,
capability setuid,
capability sys_chroot,
/etc/my.cnf r,
/etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
/etc/dovecot/* r,
/usr/lib/dovecot/auth mr,
/var/lib/dovecot/auth-chroot/* r,
# kerberos replay cache
/var/tmp/imap_* rw,
@@ -40,6 +42,7 @@
/var/tmp/smtp_* rw,
/run/dovecot/auth-master rw,
/run/dovecot/auth-userdb rw,
/run/dovecot/auth-worker rw,
/run/dovecot/login/login rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@@ -47,7 +50,7 @@
/{var/,}run/dovecot/stats-user rw,
/{var/,}run/dovecot/anvil-auth-penalty rw,
/var/spool/postfix/private/auth w,
/var/spool/postfix/private/auth rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>

View File

@@ -17,6 +17,7 @@
#include <abstractions/nameservice>
#include <abstractions/dovecot-common>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
capability dac_override,

View File

@@ -40,6 +40,8 @@
/usr/sbin/dnsmasq mr,
/var/log/*dnsmasq.log w,
/{,var/}run/*dnsmasq*.pid w,
/{,var/}run/dnsmasq-forwarders.conf r,
/{,var/}run/dnsmasq/ r,
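Review bot: `/var/log/*dnsmasq.log w,` cannot leave `/var/log` because `*` does not match `/`, but it does permit writing to any file in that directory whose name ends in `dnsmasq.log`; since `w` covers append as well, this is the minimal rule for `--log-facility` and matches the commit message's multi-instance use case.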

View File

@@ -31,7 +31,9 @@
capability sys_chroot,
capability sys_resource,
signal send set=(int,quit) peer=/usr/lib/dovecot/*,
signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
/etc/dovecot/** r,
/etc/mtab r,
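Review bot: adding `term` to the signal set for `peer=/usr/lib/dovecot/*` lines up with the three denials quoted in the commit message (imap, imap-login and config all live under /usr/lib/dovecot/). The new `unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil)` rule pairs with the `peer=(label=dovecot)` rule on the anvil side; both ends need their rule for the stream to be allowed, so the label names must match the two profile names exactly.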

View File

@@ -17,6 +17,7 @@
capability net_bind_service,
capability setgid,
capability setuid,
network netlink dgram,
/etc/identd.conf r,
/etc/identd.key r,
/etc/identd.pid w,
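Review bot: `network netlink dgram,` is not narrowed to a netlink protocol such as NETLINK_ROUTE, since the network rule syntax does not express one; it therefore permits any netlink datagram socket for identd. If the need is only routing-table lookups, the commit message could record that so the rule can be tightened if a finer-grained syntax becomes available.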

View File

@@ -67,21 +67,9 @@ if [ ! -b /dev/loop0 ] ; then
modprobe loop
fi
# kinda ugly way of atomically finding a free loop device
for i in $(seq 0 15)
do
if [ "$loop_device" = "unset" ]
then
if /sbin/losetup /dev/loop$i ${mount_file} > /dev/null 2> /dev/null
then
loop_device=/dev/loop$i;
fi
fi
done
if [ "$loop_device" = "unset" ]
then
fatalerror 'Unable to find a free loop device'
fi
# find the next free loop device and mount it
loop_device=$(losetup -f) || fatalerror 'Unable to find a free loop device'
/sbin/losetup "$loop_device" ${mount_file} > /dev/null 2> /dev/null
# TEST 1. Make sure can mount and umount unconfined
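Review bot: the new code still has the race the removed comment called out: `losetup -f` only reports a free device, and the separate `/sbin/losetup "$loop_device" ${mount_file}` attaches it later, so another process can take the device in between, and that second call's failure is silently discarded. `loop_device=$(losetup -f --show "${mount_file}") || fatalerror '...'` finds, attaches and prints the device in one step and checks the result. The mix of bare `losetup` and `/sbin/losetup` should also be made consistent, and `${mount_file}` quoted.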