Release: Bump revision for 2.10.6 release

Signed-off-by: John Johansen <john.johansen@canonical.com>
abstractions/X: Allow (only) reading X compose cache
2025-08-31 22:35:35 +00:00 · 2020-12-07 04:39:38 -08:00 · 2020-11-17 02:09:41 -08:00 · 2020-10-15 03:07:16 -07:00 · 2020-10-15 03:06:48 -07:00 · 2020-10-09 02:46:08 -07:00
23 changed files with 83 additions and 11 deletions
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.10.5
+2.10.6
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -20,6 +20,7 @@

 #include <stdbool.h>
 #include <stdint.h>
+#include <sys/socket.h>
 #include <sys/types.h>

 __BEGIN_DECLS
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -90,6 +90,7 @@ APPARMOR_2.10 {
 PRIVATE {
 	global:
 		_aa_is_blacklisted;
+		_aa_asprintf;
 		_aa_autofree;
 		_aa_autoclose;
 		_aa_autofclose;
--- a/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.err
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.err
--- a/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.in
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1562529588.082:3153): apparmor="DENIED" operation="open" profile="unbalanced_parenthesis" name="/dev/shm/test(me" pid=888 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
--- a/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.out
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.out
@@ -0,0 +1,15 @@
+START
+File: unbalanced_parenthesis.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1562529588.082:3153
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: unbalanced_parenthesis
+Name: /dev/shm/test(me
+Command: cat
+PID: 888
+Epoch: 1562529588
+Audit subid: 3153
--- a/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.profile
+++ b/libraries/libapparmor/testsuite/test_multi/unbalanced_parenthesis.profile
@@ -0,0 +1,4 @@
+profile unbalanced_parenthesis {
+  owner /dev/shm/test(me r,
+
+}
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -151,9 +151,11 @@ int unix_rule::expand_variables(void)
 	error = expand_entry_variables(&addr);
 	if (error)
 		return error;
+	filter_slashes(addr);
 	error = expand_entry_variables(&peer_addr);
 	if (error)
 		return error;
+	filter_slashes(peer_addr);

 	return 0;
 }
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -1032,7 +1032,7 @@ Example AppArmor DBus rules:
         peer=(name=(com.example.ExampleName1|com.example.ExampleName2)),

    # Allow receive access for all unconfined peers
-    dbus receive peer=(label=unconfined)),
+    dbus receive peer=(label=unconfined),

    # Allow eavesdropping on the system bus
    dbus eavesdrop bus=system,
@@ -1152,7 +1152,7 @@ E.G.

    network unix stream,   =>  unix stream,

-Fine grained mediation rules however can not be lossly converted back
+Fine grained mediation rules however can not be losslessly converted back
 to the coarse grained network rule; e.g.

   unix bind addr=@example,
--- a/parser/dbus.cc
+++ b/parser/dbus.cc
@@ -179,6 +179,7 @@ int dbus_rule::expand_variables(void)
 	error = expand_entry_variables(&path);
 	if (error)
 		return error;
+	filter_slashes(path);
 	error = expand_entry_variables(&interface);
 	if (error)
 		return error;
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -486,18 +486,32 @@ ostream &mnt_rule::dump(ostream &os)
 /* does not currently support expansion of vars in options */
 int mnt_rule::expand_variables(void)
 {
+	struct value_list *ent;
 	int error = 0;

 	error = expand_entry_variables(&mnt_point);
 	if (error)
 		return error;
+	filter_slashes(mnt_point);
 	error = expand_entry_variables(&device);
 	if (error)
 		return error;
+	filter_slashes(device);
 	error = expand_entry_variables(&trans);
 	if (error)
 		return error;

+	list_for_each(dev_type, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+	list_for_each(opts, ent) {
+		error = expand_entry_variables(&ent->value);
+		if (error)
+			return error;
+	}
+
 	return 0;
 }

--- a/parser/parser.h
+++ b/parser/parser.h
@@ -364,6 +364,7 @@ extern int post_process_entry(struct cod_entry *entry);
 extern int process_policydb(Profile *prof);

 extern int process_policy_ents(Profile *prof);
+extern void filter_slashes(char *path);

 /* parser_variable.c */
 int expand_entry_variables(char **name);
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -47,7 +47,7 @@ enum error_type {
 * that's a distinct namespace in linux) and trailing slashes.
 * NOTE: modifies in place the contents of the path argument */

-static void filter_slashes(char *path)
+void filter_slashes(char *path)
 {
 	char *sptr, *dptr;
 	BOOL seen_slash = 0;
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -55,6 +55,8 @@

  # Xcompose
  owner @{HOME}/.XCompose         r,
+  /var/cache/libx11/compose/*     r,
+  deny /var/cache/libx11/compose/* wlk,

  # mouse themes
  /etc/X11/cursors/               r,
--- a/profiles/apparmor.d/abstractions/kerberosclient
+++ b/profiles/apparmor.d/abstractions/kerberosclient
@@ -22,6 +22,8 @@

  /etc/krb5.keytab            rk,
  /etc/krb5.conf              r,
+  /etc/krb5.conf.d/           r,
+  /etc/krb5.conf.d/*          r,

  # config files found via strings on libs
  /etc/krb.conf               r,
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -38,3 +38,7 @@
  /etc/letsencrypt/archive/*/cert*.pem r,
  /etc/letsencrypt/archive/*/chain*.pem r,
  /etc/letsencrypt/archive/*/fullchain*.pem r,
+
+  /etc/certbot/archive/*/cert*.pem r,
+  /etc/certbot/archive/*/chain*.pem r,
+  /etc/certbot/archive/*/fullchain*.pem r,
--- a/profiles/apparmor.d/abstractions/ssl_keys
+++ b/profiles/apparmor.d/abstractions/ssl_keys
@@ -26,3 +26,5 @@

  # certbot / letsencrypt
  /etc/letsencrypt/archive/*/privkey*.pem r,
+
+  /etc/certbot/archive/*/privkey*.pem r,
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -48,6 +48,9 @@ endif # USE_SYSTEM

 CFLAGS += -g -O0 -Wall -Wstrict-prototypes

+USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
+
+
 SRC=access.c \
    introspect.c \
    changeprofile.c \
@@ -109,7 +112,6 @@ SRC=access.c \
    syscall_sethostname.c \
    syscall_setdomainname.c \
    syscall_setscheduler.c \
-    syscall_sysctl.c \
    sysctl_proc.c \
    tcp.c \
    unix_fd_client.c \
@@ -124,6 +126,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 i586 i686 x86 x86_64))
 SRC+=syscall_ioperm.c syscall_iopl.c
 endif

+#only do sysctl syscall test if defines installed and OR supported by the
+# kernel
+ifeq ($(USE_SYSCTL),true)
+SRC+=syscall_sysctl.c
+endif
+
 #only do dbus if proper libs are installl
 ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
 SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c
--- a/tests/regression/apparmor/syscall_sysctl.sh
+++ b/tests/regression/apparmor/syscall_sysctl.sh
@@ -148,11 +148,18 @@ test_sysctl_proc()
 # check if the kernel supports CONFIG_SYSCTL_SYSCALL
 # generally we want to encourage kernels to disable it, but if it's
 # enabled we want to test against it
-settest syscall_sysctl
-if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
-    echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
+# In addition test that sysctl exists in the kernel headers, if it does't
+# then we can't even built the syscall_sysctl test
+if  echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then
+    settest syscall_sysctl
+
+    if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+	echo "	WARNING: syscall sysctl not implemented, skipping tests ..."
+    else
+	test_syscall_sysctl
+    fi
 else
-    test_syscall_sysctl
+    echo "	WARNING: syscall sysctl not supported by kernel headers, skipping tests ..."
 fi

 # now test /proc/sys/ paths
--- a/utils/aa-status
+++ b/utils/aa-status
@@ -109,7 +109,7 @@ def get_profiles():
        sys.exit(4)

    for p in f.readlines():
-        match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
+        match = re.search("^(.+)\s+\((\w+)\)$", p)
        profiles[match.group(1)] = match.group(2)

    f.close()
--- a/utils/apparmor/common.py
+++ b/utils/apparmor/common.py
@@ -213,6 +213,9 @@ def hasher():
 def convert_regexp(regexp):
    regex_paren = re.compile('^(.*){([^}]*)}(.*)$')
    regexp = regexp.strip()
+
+    regexp = regexp.replace('(', '\\(').replace(')', '\\)')  # escape '(' and ')'
+
    new_reg = re.sub(r'(?<!\\)(\.|\+|\$)', r'\\\1', regexp)

    while regex_paren.search(new_reg):
--- a/utils/severity.db
+++ b/utils/severity.db
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2014 Canonical Ltd.
+#    Copyright (C) 2020 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -28,6 +29,8 @@
       CAP_SETGID 9
       CAP_SETUID 9
       CAP_FOWNER 9
+       CAP_BPF 9
+       CAP_CHECKPOINT_RESTORE 9
 # Denial of service, bypass audit controls, information leak
       CAP_SYS_TIME 8
       CAP_NET_ADMIN 8
@@ -49,6 +52,7 @@
       CAP_BLOCK_SUSPEND 8
       CAP_DAC_READ_SEARCH 7
       CAP_AUDIT_READ 7
+       CAP_PERFMON 7
 # unused
       CAP_NET_BROADCAST 0

--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -19,7 +19,7 @@ danger_caps = ["audit_control",
               "audit_write",
               "mac_override",
               "mac_admin",
-               "set_fcap",
+               "setfcap",
               "sys_admin",
               "sys_module",
               "sys_rawio"]
Author	SHA1	Message	Date
John Johansen	ac03ae4e72	Release: Bump revision for 2.10.6 release Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-12-07 04:39:38 -08:00
Christian Boltz	085d4cd0e2	abstractions/X: Allow (only) reading X compose cache ... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685 (cherry picked from commit `78bd811e2a`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-11-17 02:09:41 -08:00
Christian Boltz	f305bb1831	Add CAP_CHECKPOINT_RESTORE to severity.db MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656 Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit `2c2dbdc3a3`)	2020-10-15 03:07:16 -07:00
Christian Boltz	9f0415e1ab	Add CAP_BPF and CAP_PERFMON to severity.db These capabilities were introduced in Linux 5.8 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/589 References: https://bugs.launchpad.net/bugs/1890547 (cherry picked from commit `ae01250209`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-15 03:06:48 -07:00
John Johansen	0acc2cd67c	parser: call filter slashes for mount conditionals The mnt_point and devices conditionals in mount rules are generally paths and should have slashes filtered after variable expansion. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607 Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit `a1978fb1b2`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-09 02:46:08 -07:00
John Johansen	41091fd411	parser: call filter slashes for the dbus path conditional Similar to unix addr rules, the dbus path conditional is more a path than a profile name and should get its slashes filtered after variable expansion. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607 Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit `35f6d49ec6`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-09 02:46:08 -07:00
John Johansen	b5ffee530b	parser: enable variable expansion for mount type= and options= Currently mount options type= and options= do not expand variables but they should. Fix it. Note: this does not treat either as paths because their use is too device dependent for it to be safe to filter slashes. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> (cherry picked from commit `882380ad3d`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-09 02:46:08 -07:00
Patrick Steinhardt	ab49c3dbb0	libapparmor: add missing include for `socklen_t` While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't include the `<sys/socket.h>` header to make its declaration available. While this works on systems using glibc via transitive includes, it breaks compilation on musl libc. Fix the issue by including the header. Signed-off-by: Patrick Steinhardt <ps@pks.im> (cherry picked from commit `47263a3a74`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-03 13:22:57 -07:00
Patrick Steinhardt	92a6360570	libapparmor: add _aa_asprintf to private symbols While `_aa_asprintf` is supposed to be of private visibility, it's used by apparmor_parser and thus required to be visible when linking. This commit thus adds it to the list of private symbols to make it available for linking in apparmor_parser. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643 Signed-off-by: Patrick Steinhardt <ps@pks.im> (cherry picked from commit `9a8fee6bf1`)	2020-10-03 12:26:37 -07:00
John Johansen	f4346f63f6	parser: Fix expansion of variables in unix rules addr= conditional The parser is not treating unix addr as a path and filtering slashes after variable expansion. This can lead to errors where @{foo}=/a/ unix bind addr=@{foo}/bar, will always fail because addr is being matched as /a//bar instead of /a/bar. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607 Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738 Signed-off-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit `6af05006d9`)	2020-09-29 12:02:32 -07:00
John Johansen	6eef48828c	regression tests: Don't build syscall_sysctl if missing kernel headers sys/sysctl.h is not guaranteed to exist anymore since https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html which is a follow on to the kernel commit 61a47c1ad3a4 sysctl: Remove the sysctl system call While the syscall_sysctl currently checks if the kernel supports sysctrs before running the tests. The tests can't even build if the kernel headers don't have the sysctl defines. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119 Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve.beattie@canonical.com> (cherry picked from commit `2e5a266eb7`)	2020-09-29 11:58:02 -07:00
Ian Johnson	8e0cfd04f4	docs: fix typo in man doc of unix rules Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org> (cherry picked from commit `f4220a19be`)	2020-01-31 22:24:18 -08:00
Christian Boltz	bb9bc18a0e	Merge branch 'cboltz-abstractions-kerberos' into 'master' abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ See merge request apparmor/apparmor!425 Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master (cherry picked from commit `663546c284`) `dffed831` abstractions/kerberosclient: allow reading /etc/krb5.conf.d/	2019-11-18 21:36:17 +00:00
Christian Boltz	e3b04d4f81	Merge branch 'cboltz-status-parenthesis' into 'master' aa-status: handle profile names containing '(' Closes #51 See merge request apparmor/apparmor!415 Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master (cherry picked from commit `b76567ce10`) `41d26b01` aa-status: handle profile names containing '('	2019-09-23 18:56:15 +00:00
Paulo Gomes	9bdd2a3f6f	Fix capability mispelling. PR: https://gitlab.com/apparmor/apparmor/merge_requests/421 (cherry picked from commit `2d19d4d159`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2019-09-20 02:17:47 -07:00
Tyler Hicks	46fb957dd4	parser: Fix typoed example dbus rule in apparmor.d(5) man page Remove extra closing parenthesis. Bug: https://launchpad.net/bugs/1838991 Fixes: `46586a6334` ("parser: Add example dbus rule for unconfined peers") Signed-off-by: Tyler Hicks <tyhicks@canonical.com> (cherry picked from commit `7df48adae5`) Ref: https://gitlab.com/apparmor/apparmor/merge_requests/410 Acked-by: Christian Boltz <apparmor@cboltz.de> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>	2019-08-05 17:12:39 +00:00
Christian Boltz	f59bc8b952	Merge branch 'cboltz-unbalanced-parenthesis' into 'master' Fix crash on unbalanced parenthesis in filename See merge request apparmor/apparmor!402 Seth Arnold <seth.arnold@canonical.com> for 2.10..master (cherry picked from commit `db1f391844`) `8f74ac02` Fix crash on unbalanced parenthesis in filename	2019-07-09 19:46:08 +00:00
Christian Boltz	5278708ea0	Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13' [2.10..2.13] Add for Certbot on openSUSE Leap See merge request apparmor/apparmor!398 Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13 (cherry picked from commit `14a11e67a5`) `8b766451` Add for Certbot on openSUSE Leap	2019-06-30 07:15:17 +00:00
@@ -1 +1 @@
 .10.5
 .10.6
				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1562529588.082:3153): apparmor="DENIED" operation="open" profile="unbalanced_parenthesis" name="/dev/shm/test(me" pid=888 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000`