Release: Bump revision for 2.10.6 release

Signed-off-by: John Johansen <john.johansen@canonical.com>

.gitignore

@@ -8,6 +8,7 @@ binutils/po/*.mo
 parser/po/*.mo
 parser/af_names.h
 parser/cap_names.h
+parser/tst_lib
 parser/tst_misc
 parser/tst_regex
 parser/tst_symtab
@@ -56,6 +57,7 @@ parser/*.7.html
 parser/*.5.html
 parser/*.8.html
 parser/apparmor_parser
+parser/libapparmor_re/parse.cc
 parser/libapparmor_re/regexp.cc
 parser/techdoc.aux
 parser/techdoc.log
@@ -161,8 +163,14 @@ libraries/libapparmor/swig/python/test/test-suite.log
 libraries/libapparmor/swig/python/test/test_python.py
 libraries/libapparmor/swig/python/test/test_python.py.log
 libraries/libapparmor/swig/python/test/test_python.py.trs
+libraries/libapparmor/swig/ruby/LibAppArmor.so
+libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
+libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
+libraries/libapparmor/swig/ruby/Makefile.new
+libraries/libapparmor/swig/ruby/Makefile.ruby
+libraries/libapparmor/swig/ruby/mkmf.log
 libraries/libapparmor/testsuite/.deps
 libraries/libapparmor/testsuite/.libs
 libraries/libapparmor/testsuite/Makefile

common/Version

@@ -1 +1 @@
-2.10.4
+2.10.6

libraries/libapparmor/include/sys/apparmor.h

@@ -20,6 +20,7 @@
 
 #include <stdbool.h>
 #include <stdint.h>
+#include <sys/socket.h>
 #include <sys/types.h>
 
 __BEGIN_DECLS

libraries/libapparmor/src/libapparmor.map

@@ -90,6 +90,7 @@ APPARMOR_2.10 {
 PRIVATE {
 	global:
 		_aa_is_blacklisted;
+		_aa_asprintf;
 		_aa_autofree;
 		_aa_autoclose;
 		_aa_autofclose;

libraries/libapparmor/swig/python/test/test_python.py.in

@@ -109,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase):
 
         new_record = dict()
         for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
-            value = record.__getattr__(key)
+            value = getattr(record, key)
             if key == "event" and value in EVENT_MAP:
                 new_record[key] = EVENT_MAP[value]
             elif key == "version":

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1562529588.082:3153): apparmor="DENIED" operation="open" profile="unbalanced_parenthesis" name="/dev/shm/test(me" pid=888 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.out

@@ -0,0 +1,15 @@
+START
+File: unbalanced_parenthesis.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1562529588.082:3153
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: unbalanced_parenthesis
+Name: /dev/shm/test(me
+Command: cat
+PID: 888
+Epoch: 1562529588
+Audit subid: 3153

libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.profile

@@ -0,0 +1,4 @@
+profile unbalanced_parenthesis {
+  owner /dev/shm/test(me r,
+
+}

parser/af_unix.cc

@@ -151,9 +151,11 @@ int unix_rule::expand_variables(void)
 	error = expand_entry_variables(&addr);
 	if (error)
 		return error;
+	filter_slashes(addr);
 	error = expand_entry_variables(&peer_addr);
 	if (error)
 		return error;
+	filter_slashes(peer_addr);
 
 	return 0;
 }

parser/apparmor.d.pod

@@ -1032,7 +1032,7 @@ Example AppArmor DBus rules:
          peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),
 
     # Allow receive access for all unconfined peers
-    dbus receive peer=(label=unconfined)),
+    dbus receive peer=(label=unconfined),
 
     # Allow eavesdropping on the system bus
     dbus eavesdrop bus=system,
@@ -1152,7 +1152,7 @@ E.G.
 
     network unix stream,   =>  unix stream,
 
-Fine grained mediation rules however can not be lossly converted back
+Fine grained mediation rules however can not be losslessly converted back
 to the coarse grained network rule; e.g.
 
    unix bind addr=@example,

parser/dbus.cc

@@ -179,6 +179,7 @@ int dbus_rule::expand_variables(void)
 	error = expand_entry_variables(&path);
 	if (error)
 		return error;
+	filter_slashes(path);
 	error = expand_entry_variables(&interface);
 	if (error)
 		return error;

parser/mount.cc

@@ -486,18 +486,32 @@ ostream &mnt_rule::dump(ostream &os)
 /* does not currently support expansion of vars in options */
 int mnt_rule::expand_variables(void)
 {
+	struct value_list *ent;
 	int error = 0;
 
 	error = expand_entry_variables(&mnt_point);
 	if (error)
 		return error;
+	filter_slashes(mnt_point);
 	error = expand_entry_variables(&device);
 	if (error)
 		return error;
+	filter_slashes(device);
 	error = expand_entry_variables(&trans);
 	if (error)
 		return error;
 
+	list_for_each(dev_type, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+	list_for_each(opts, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+
 	return 0;
 }
 

parser/parser.h

@@ -364,6 +364,7 @@ extern int post_process_entry(struct cod_entry *entry);
 extern int process_policydb(Profile *prof);
 
 extern int process_policy_ents(Profile *prof);
+extern void filter_slashes(char *path);
 
 /* parser_variable.c */
 int expand_entry_variables(char **name);

parser/parser_lex.l

@@ -317,9 +317,12 @@ LT_EQUAL	<=
 <ABI_MODE>{
 	(\<(([^"\>\t\r\n]+)|{QUOTED_ID})\>|{QUOTED_ID}|{IDS})	{ /* <filename> | <"filename"> | "filename" | filename */
 		int lt = *yytext == '<'  ? 1 : 0;
-		char *filename = processid(yytext + lt, yyleng - lt*2);
+		char *filename;
 		bool exists = YYSTATE == INCLUDE_EXISTS;
 
+		if (yyleng - lt < 1)
+			yyerror(_("Bad filename\n"));
+		filename = processid(yytext + lt, yyleng - lt*2);
 		if (!filename)
 			yyerror(_("Failed to process filename\n"));
 		yylval.id = filename;
@@ -594,7 +597,7 @@ include/{WS}	{
 
 {CARET}		{ PUSH_AND_RETURN(SUB_ID, TOK_CARET); }
 
-{ARROW}		{ RETURN_TOKEN(TOK_ARROW); }
+{ARROW}		{ PUSH_AND_RETURN(SUB_ID_WS, TOK_ARROW); }
 
 {EQUALS}	{ PUSH_AND_RETURN(ASSIGN_MODE, TOK_EQUALS); }
 

parser/parser_regex.c

@@ -47,7 +47,7 @@ enum error_type {
  * that's a distinct namespace in linux) and trailing slashes.
  * NOTE: modifies in place the contents of the path argument */
 
-static void filter_slashes(char *path)
+void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
 	BOOL seen_slash = 0;

profiles/apparmor.d/abstractions/X

@@ -55,6 +55,8 @@
 
   # Xcompose
   owner @{HOME}/.XCompose         r,
+  /var/cache/libx11/compose/*     r,
+  deny /var/cache/libx11/compose/* wlk,
 
   # mouse themes
   /etc/X11/cursors/               r,

profiles/apparmor.d/abstractions/fonts

@@ -18,7 +18,9 @@
   /usr/share/fonts/**                   r,
 
   /etc/fonts/**                         r,
-  /usr/share/fontconfig/conf.avail/**   r,
+  # Debian, openSUSE paths are different
+  /usr/share/{fontconfig,fonts-config,*-fonts}/conf.avail/{,**} r,
+  /usr/share/ghostscript/fonts/{,**}    r,
 
   /opt/kde3/share/fonts/**              r,
 

profiles/apparmor.d/abstractions/kerberosclient

@@ -22,6 +22,8 @@
 
   /etc/krb5.keytab            rk,
   /etc/krb5.conf              r,
+  /etc/krb5.conf.d/           r,
+  /etc/krb5.conf.d/*          r,
 
   # config files found via strings on libs
   /etc/krb.conf               r,

profiles/apparmor.d/abstractions/nameservice

@@ -39,7 +39,7 @@
   /etc/resolv.conf        r,
   # On systems where /etc/resolv.conf is managed programmatically, it is
   # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
-  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
+  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
   /etc/resolvconf/run/resolv.conf r,
 
   /etc/samba/lmhosts      r,

profiles/apparmor.d/abstractions/qt5-compose-cache-write

@@ -3,5 +3,6 @@
 
   # User files
 
-  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rw,
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rwl -> @{HOME}/.cache/#[0-9]*[0-9],
+  owner @{HOME}/.cache/#[0-9]*[0-9] rw, # QSaveFile (anonymous shared memory)
 

profiles/apparmor.d/abstractions/qt5-settings-write

@@ -3,9 +3,9 @@
 
   # User files
 
-  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/#[0-9]*[0-9] rw,
-  owner @{HOME}/.config/QtProject.conf rw,
+  owner @{HOME}/.config/QtProject.conf rwl -> @{HOME}/.config/#[0-9]*[0-9],
-  owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
+  # for temporary files like QtProject.conf.Aqrgeb
-  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
+  owner @{HOME}/.config/QtProject.conf.?????? rwl -> @{HOME}/.config/#[0-9]*[0-9],
   owner @{HOME}/.config/QtProject.conf.lock rwk,
 

profiles/apparmor.d/abstractions/ssl_certs

@@ -29,11 +29,16 @@
   /var/lib/acme/certs/*/cert r,
 
   # dehydrated
-  /etc/dehydrated/certs/*/cert-*.pem r,
+  /{etc,var/lib}/dehydrated/certs/*/cert*.pem r,
-  /etc/dehydrated/certs/*/chain-*.pem r,
+  /{etc,var/lib}/dehydrated/certs/*/chain*.pem r,
-  /etc/dehydrated/certs/*/fullchain-*.pem r,
+  /{etc,var/lib}/dehydrated/certs/*/fullchain*.pem r,
+  /{etc,var/lib}/dehydrated/certs/*/ocsp*.der r,
 
   # certbot
   /etc/letsencrypt/archive/*/cert*.pem r,
   /etc/letsencrypt/archive/*/chain*.pem r,
   /etc/letsencrypt/archive/*/fullchain*.pem r,
+
+  /etc/certbot/archive/*/cert*.pem r,
+  /etc/certbot/archive/*/chain*.pem r,
+  /etc/certbot/archive/*/fullchain*.pem r,

profiles/apparmor.d/abstractions/ssl_keys

@@ -22,7 +22,9 @@
   /var/lib/acme/keys/** r,
 
   # dehydrated
-  /etc/dehydrated/certs/*/privkey-*.pem r,
+  /{etc,var/lib}/dehydrated/certs/*/privkey*.pem r,
 
   # certbot / letsencrypt
   /etc/letsencrypt/archive/*/privkey*.pem r,
+
+  /etc/certbot/archive/*/privkey*.pem r,

profiles/apparmor.d/sbin.syslog-ng

@@ -21,6 +21,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
   #include <abstractions/nameservice>
   #include <abstractions/mysql>
   #include <abstractions/openssl>
+  #include <abstractions/python>
 
   capability chown,
   capability dac_override,

profiles/apparmor.d/usr.lib.dovecot.anvil

@@ -18,7 +18,10 @@
   capability setuid,
   capability sys_chroot,
 
+  unix (receive, send) type=stream peer=(label=dovecot),
+
   /run/dovecot/anvil rw,
+  /run/dovecot/anvil-auth-penalty rw,
   /usr/lib/dovecot/anvil mr,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.lib.dovecot.auth

@@ -25,6 +25,7 @@
   capability dac_override,
   capability dac_read_search,
   capability setuid,
+  capability sys_chroot,
 
   /etc/my.cnf r,
   /etc/my.cnf.d/ r,
@@ -32,6 +33,7 @@
 
   /etc/dovecot/* r,
   /usr/lib/dovecot/auth mr,
+  /var/lib/dovecot/auth-chroot/* r,
 
   # kerberos replay cache
   /var/tmp/imap_* rw,
@@ -40,6 +42,7 @@
   /var/tmp/smtp_* rw,
 
   /run/dovecot/auth-master rw,
+  /run/dovecot/auth-userdb rw,
   /run/dovecot/auth-worker rw,
   /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
@@ -47,7 +50,7 @@
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,
 
-  /var/spool/postfix/private/auth w,
+  /var/spool/postfix/private/auth rw,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.dovecot.auth>

profiles/apparmor.d/usr.lib.dovecot.lmtp

@@ -17,6 +17,7 @@
   #include <abstractions/nameservice>
   #include <abstractions/dovecot-common>
   #include <abstractions/openssl>
+  #include <abstractions/ssl_certs>
   #include <abstractions/ssl_keys>
 
   capability dac_override,

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -40,6 +40,8 @@
 
   /usr/sbin/dnsmasq mr,
 
+  /var/log/*dnsmasq.log w,
+
   /{,var/}run/*dnsmasq*.pid w,
   /{,var/}run/dnsmasq-forwarders.conf r,
   /{,var/}run/dnsmasq/ r,

profiles/apparmor.d/usr.sbin.dovecot

@@ -31,7 +31,9 @@
   capability sys_chroot,
   capability sys_resource,
 
-  signal send set=(int,quit) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
+
+  unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
 
   /etc/dovecot/** r,
   /etc/mtab r,

profiles/apparmor.d/usr.sbin.identd

@@ -17,6 +17,7 @@
   capability net_bind_service,
   capability setgid,
   capability setuid,
+  network netlink dgram,
   /etc/identd.conf         r,
   /etc/identd.key          r,
   /etc/identd.pid          w,

tests/regression/apparmor/Makefile

@@ -48,6 +48,9 @@ endif # USE_SYSTEM
 
 CFLAGS += -g -O0 -Wall -Wstrict-prototypes
 
+USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
+
+
 SRC=access.c \
     introspect.c \
     changeprofile.c \
@@ -109,7 +112,6 @@ SRC=access.c \
     syscall_sethostname.c \
     syscall_setdomainname.c \
     syscall_setscheduler.c \
-    syscall_sysctl.c \
     sysctl_proc.c \
     tcp.c \
     unix_fd_client.c \
@@ -124,6 +126,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 i586 i686 x86 x86_64))
 SRC+=syscall_ioperm.c syscall_iopl.c
 endif
 
+#only do sysctl syscall test if defines installed and OR supported by the
+# kernel
+ifeq ($(USE_SYSCTL),true)
+SRC+=syscall_sysctl.c
+endif
+
 #only do dbus if proper libs are installl
 ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
 SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c

tests/regression/apparmor/mount.sh

@@ -67,21 +67,9 @@ if [ ! -b /dev/loop0 ] ; then
 	modprobe loop
 fi
 
-# kinda ugly way of atomically finding a free loop device
+# find the next free loop device and mount it
-for i in $(seq 0 15) 
+loop_device=$(losetup -f) || fatalerror 'Unable to find a free loop device'
-do
+/sbin/losetup "$loop_device" ${mount_file} > /dev/null 2> /dev/null
-	if [ "$loop_device" = "unset" ] 
-	then
-		if /sbin/losetup /dev/loop$i ${mount_file} > /dev/null 2> /dev/null
-		then 
-			loop_device=/dev/loop$i;
-		fi
-	fi
-done
-if [ "$loop_device" = "unset" ] 
-then
-	fatalerror 'Unable to find a free loop device'
-fi
 
 
 # TEST 1.  Make sure can mount and umount unconfined

tests/regression/apparmor/syscall_sysctl.sh

@@ -148,11 +148,18 @@ test_sysctl_proc()
 # check if the kernel supports CONFIG_SYSCTL_SYSCALL
 # generally we want to encourage kernels to disable it, but if it's
 # enabled we want to test against it
-settest syscall_sysctl
+# In addition test that sysctl exists in the kernel headers, if it does't
-if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+# then we can't even built the syscall_sysctl test
-    echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
+if  echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then
+    settest syscall_sysctl
+
+    if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+	echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
+    else
+	test_syscall_sysctl
+    fi
 else
-    test_syscall_sysctl
+    echo "	WARNING: syscall sysctl not supported by kernel headers, skipping tests ..."
 fi
 
 # now test /proc/sys/ paths

utils/aa-status

@@ -109,7 +109,7 @@ def get_profiles():
         sys.exit(4)
 
     for p in f.readlines():
-        match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
+        match = re.search("^(.+)\s+\((\w+)\)$", p)
         profiles[match.group(1)] = match.group(2)
 
     f.close()

utils/apparmor/common.py

@@ -213,6 +213,9 @@ def hasher():
 def convert_regexp(regexp):
     regex_paren = re.compile('^(.*){([^}]*)}(.*)$')
     regexp = regexp.strip()
+
+    regexp = regexp.replace('(', '\\(').replace(')', '\\)')  # escape '(' and ')'
+
     new_reg = re.sub(r'(?<!\\)(\.|\+|\$)', r'\\\1', regexp)
 
     while regex_paren.search(new_reg):

utils/severity.db

@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2014 Canonical Ltd.
+#    Copyright (C) 2020 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -28,6 +29,8 @@
        CAP_SETGID 9
        CAP_SETUID 9
        CAP_FOWNER 9
+       CAP_BPF 9
+       CAP_CHECKPOINT_RESTORE 9
 # Denial of service, bypass audit controls, information leak
        CAP_SYS_TIME 8
        CAP_NET_ADMIN 8
@@ -49,6 +52,7 @@
        CAP_BLOCK_SUSPEND 8
        CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_READ 7
+       CAP_PERFMON 7
 # unused
        CAP_NET_BROADCAST 0
 

utils/vim/create-apparmor.vim.py

@@ -19,7 +19,7 @@ danger_caps = ["audit_control",
                "audit_write",
                "mac_override",
                "mac_admin",
-               "set_fcap",
+               "setfcap",
                "sys_admin",
                "sys_module",
                "sys_rawio"]