John Johansen
ac03ae4e72
Release: Bump revision for 2.10.6 release
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-12-07 04:39:38 -08:00
Christian Boltz
085d4cd0e2
abstractions/X: Allow (only) reading X compose cache
... (/var/cache/libx11/compose/*), and deny any write attempts
Reported by darix,
https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685
(cherry picked from commit 78bd811e2a)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-11-17 02:09:41 -08:00
Christian Boltz
f305bb1831
Add CAP_CHECKPOINT_RESTORE to severity.db
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/656
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 2c2dbdc3a3)
2020-10-15 03:07:16 -07:00
Christian Boltz
9f0415e1ab
Add CAP_BPF and CAP_PERFMON to severity.db
These capabilities were introduced in Linux 5.8
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/589
References: https://bugs.launchpad.net/bugs/1890547
(cherry picked from commit ae01250209)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-15 03:06:48 -07:00
John Johansen
0acc2cd67c
parser: call filter slashes for mount conditionals
The mnt_point and devices conditionals in mount rules are generally
paths and should have slashes filtered after variable expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a1978fb1b2)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:46:08 -07:00
John Johansen
41091fd411
parser: call filter slashes for the dbus path conditional
Similar to unix addr rules, the dbus path conditional is more a path
than a profile name and should get its slashes filtered after variable
expansion.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 35f6d49ec6)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:46:08 -07:00
John Johansen
b5ffee530b
parser: enable variable expansion for mount type= and options=
Currently mount options type= and options= do not expand variables
but they should. Fix it.
Note: this does not treat either as paths because their use is
too device dependent for it to be safe to filter slashes.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/99
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/638
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 882380ad3d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-09 02:46:08 -07:00
Patrick Steinhardt
ab49c3dbb0
libapparmor: add missing include for socklen_t
While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
include the `<sys/socket.h>` header to make its declaration available.
While this works on systems using glibc via transitive includes, it
breaks compilation on musl libc.
Fix the issue by including the header.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 47263a3a74)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-10-03 13:22:57 -07:00
Patrick Steinhardt
92a6360570
libapparmor: add _aa_asprintf to private symbols
While `_aa_asprintf` is supposed to be of private visibility, it's used
by apparmor_parser and thus required to be visible when linking. This
commit thus adds it to the list of private symbols to make it available
for linking in apparmor_parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/643
Signed-off-by: Patrick Steinhardt <ps@pks.im>
(cherry picked from commit 9a8fee6bf1)
2020-10-03 12:26:37 -07:00
John Johansen
f4346f63f6
parser: Fix expansion of variables in unix rules addr= conditional
The parser is not treating unix addr as a path and filtering slashes
after variable expansion. This can lead to errors where
  @{foo}=/a/
  unix bind addr=@{foo}/bar,
will always fail because addr is being matched as /a//bar instead of
/a/bar.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/607
Fixes: https://bugs.launchpad.net/apparmor/+bug/1856738
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 6af05006d9)
2020-09-29 12:02:32 -07:00
John Johansen
6eef48828c
regression tests: Don't build syscall_sysctl if missing kernel headers
sys/sysctl.h is not guaranteed to exist anymore since
https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html
which is a follow on to the kernel commit
61a47c1ad3a4 sysctl: Remove the sysctl system call
While the syscall_sysctl currently checks if the kernel supports
sysctls before running the tests, the tests can't even build if the
kernel headers don't have the sysctl defines.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119
Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
(cherry picked from commit 2e5a266eb7)
2020-09-29 11:58:02 -07:00
Ian Johnson
8e0cfd04f4
docs: fix typo in man doc of unix rules
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
(cherry picked from commit f4220a19be)
2020-01-31 22:24:18 -08:00
Christian Boltz
bb9bc18a0e
Merge branch 'cboltz-abstractions-kerberos' into 'master'
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
See merge request apparmor/apparmor!425
Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit 663546c284)
dffed831
abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
2019-11-18 21:36:17 +00:00
Christian Boltz
e3b04d4f81
Merge branch 'cboltz-status-parenthesis' into 'master'
aa-status: handle profile names containing '('
Closes #51
See merge request apparmor/apparmor!415
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master
(cherry picked from commit b76567ce10)
41d26b01
aa-status: handle profile names containing '('
2019-09-23 18:56:15 +00:00
Paulo Gomes
9bdd2a3f6f
Fix capability misspelling.
PR: https://gitlab.com/apparmor/apparmor/merge_requests/421
(cherry picked from commit 2d19d4d159)
Signed-off-by: John Johansen <john.johansen@canonical.com>
2019-09-20 02:17:47 -07:00
Tyler Hicks
46fb957dd4
parser: Fix typoed example dbus rule in apparmor.d(5) man page
Remove extra closing parenthesis.
Bug: https://launchpad.net/bugs/1838991
Fixes: 46586a6334 ("parser: Add example dbus rule for unconfined peers")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
(cherry picked from commit 7df48adae5)
Ref: https://gitlab.com/apparmor/apparmor/merge_requests/410
Acked-by: Christian Boltz <apparmor@cboltz.de>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2019-08-05 17:12:39 +00:00
Christian Boltz
f59bc8b952
Merge branch 'cboltz-unbalanced-parenthesis' into 'master'
Fix crash on unbalanced parenthesis in filename
See merge request apparmor/apparmor!402
Seth Arnold <seth.arnold@canonical.com> for 2.10..master
(cherry picked from commit db1f391844)
8f74ac02
Fix crash on unbalanced parenthesis in filename
2019-07-09 19:46:08 +00:00
Christian Boltz
5278708ea0
Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13'
[2.10..2.13] Add for Certbot on openSUSE Leap
See merge request apparmor/apparmor!398
Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
(cherry picked from commit 14a11e67a5)
8b766451
Add for Certbot on openSUSE Leap
2019-06-30 07:15:17 +00:00