Release: Bump revisions for 2.13.6 release

Signed-off-by: John Johansen <john.johansen@canonical.com>
aa-autodep: load abstractions on start
2025-09-02 07:15:18 +00:00 · 2020-12-07 03:27:44 -08:00 · 2020-11-28 05:13:51 -08:00 · 2020-11-17 02:07:11 -08:00 · 2020-11-03 09:43:39 +00:00 · 2020-11-01 22:58:19 +01:00
13 changed files with 59 additions and 41 deletions
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.13.5
+2.13.6
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -28,7 +28,7 @@ INCLUDES = $(all_includes)
 #
 AA_LIB_CURRENT = 7
 AA_LIB_REVISION = 3
-AA_LIB_AGE = 7
+AA_LIB_AGE = 6

 SUFFIXES = .pc.in .pc

--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@@ -49,6 +49,8 @@

  # Xcompose
  owner @{HOME}/.XCompose         r,
+  /var/cache/libx11/compose/*     r,
+  deny /var/cache/libx11/compose/* wlk,

  # mouse themes
  /etc/X11/cursors/               r,
--- a/profiles/apparmor.d/usr.lib.dovecot.script-login
+++ b/profiles/apparmor.d/usr.lib.dovecot.script-login
@@ -0,0 +1,33 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Michael Hirmke
+#    Copyright (C) 2020 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+profile dovecot-script-login /usr/lib/dovecot/script-login {
+  #include <abstractions/base>
+  #include <abstractions/dovecot-common>
+  #include <abstractions/nameservice>
+
+  capability setuid,
+
+  /usr/lib/dovecot/script-login mrPx,
+
+  # NOTE: You'll need to allow execution of your actual login script.
+  # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login
+  # for example
+  #   /home/vmail/bin/postlogin.sh Px,
+  # and then to create the profile for the script.
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.script-login>
+}
+
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -31,7 +31,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
  capability sys_chroot,
  capability sys_resource,

-  signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term,kill) peer=/usr/lib/dovecot/*,
+  signal send set=(int,quit,term,kill) peer=dovecot-*,

  unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),

@@ -55,10 +56,12 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
  /usr/lib/dovecot/managesieve-login Pxmr,
  /usr/lib/dovecot/pop3 mrPx,
  /usr/lib/dovecot/pop3-login Pxmr,
+  /usr/lib/dovecot/script-login Px,
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params mrPx,
  /usr/lib/dovecot/stats Px,
  /usr/{bin,sbin}/dovecot mrix,
+  /usr/share/dovecot/dh.pem r,
  /usr/share/dovecot/protocols.d/   r,
  /usr/share/dovecot/protocols.d/** r,
  /var/lib/dovecot/ w,
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@@ -72,20 +72,14 @@ if args.json:
    aaui.set_json_mode()

 profiling = args.program
-profiledir = args.dir

-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
 apparmor.set_logfile(args.file)

 aa_mountpoint = apparmor.check_for_apparmor()
 if not aa_mountpoint:
    raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))

-if profiledir:
-    apparmor.profile_dir = apparmor.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.profile_dir):
-        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
-
 program = None
 #if os.path.exists(apparmor.which(profiling.strip())):
 if os.path.exists(profiling):
--- a/utils/aa-logprof
+++ b/utils/aa-logprof
@@ -13,7 +13,6 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import os

 import apparmor.aa as apparmor
 import apparmor.ui as aaui
@@ -36,21 +35,16 @@ args = parser.parse_args()
 if args.json:
    aaui.set_json_mode()

-profiledir = args.dir
 logmark = args.mark or ''

-apparmor.init_aa()
+apparmor.init_aa(profiledir=args.dir)
+
 apparmor.set_logfile(args.file)

 aa_mountpoint = apparmor.check_for_apparmor()
 if not aa_mountpoint:
    raise apparmor.AppArmorException(_('It seems AppArmor was not started. Please enable AppArmor and try again.'))

-if profiledir:
-    apparmor.profile_dir = apparmor.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.profile_dir):
-        raise apparmor.AppArmorException("%s is not a directory."%profiledir)
-
 apparmor.loadincludes()

 apparmor.do_logprof_pass(logmark)
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -14,7 +14,6 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import os

 import apparmor.aa
 import apparmor.aamode
@@ -23,7 +22,6 @@ import apparmor.severity
 import apparmor.cleanprofile as cleanprofile
 import apparmor.ui as aaui

-from apparmor.common import AppArmorException
 from apparmor.regex import re_match_include


@@ -43,15 +41,10 @@ args = parser.parse_args()

 args.other = None

-apparmor.aa.init_aa()
+apparmor.aa.init_aa(profiledir=args.dir)

 profiles = args.files

-profiledir = args.dir
-if profiledir:
-    apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
-    if not os.path.isdir(apparmor.aa.profile_dir):
-        raise AppArmorException(_("%s is not a directory.") %profiledir)

 def reset_aa():
    apparmor.aa.aa = apparmor.aa.hasher()
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -3233,7 +3233,7 @@ def logger_path():

 ######Initialisations######

-def init_aa(confdir="/etc/apparmor"):
+def init_aa(confdir="/etc/apparmor", profiledir=None):
    global CONFDIR
    global conf
    global cfg
@@ -3256,7 +3256,11 @@ def init_aa(confdir="/etc/apparmor"):
    if cfg['settings'].get('default_owner_prompt', False):
        cfg['settings']['default_owner_prompt'] = ''

-    profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
+    if profiledir:
+        profile_dir = profiledir
+    else:
+        profile_dir = conf.find_first_dir(cfg['settings'].get('profiledir')) or '/etc/apparmor.d'
+    profile_dir = os.path.abspath(profile_dir)
    if not os.path.isdir(profile_dir):
        raise AppArmorException('Can\'t find AppArmor profiles in %s' % (profile_dir))

--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -25,10 +25,9 @@ _ = init_translation()

 class aa_tools:
    def __init__(self, tool_name, args):
-        apparmor.init_aa()
+        apparmor.init_aa(profiledir=args.dir)

        self.name = tool_name
-        self.profiledir = args.dir
        self.profiling = args.program
        self.check_profile_dir()
        self.silent = None
@@ -43,11 +42,6 @@ class aa_tools:
            self.silent = args.silent

    def check_profile_dir(self):
-        if self.profiledir:
-            apparmor.profile_dir = apparmor.get_full_path(self.profiledir)
-            if not os.path.isdir(apparmor.profile_dir):
-                raise apparmor.AppArmorException("%s is not a directory." % self.profiledir)
-
        if not user_perm(apparmor.profile_dir):
            raise apparmor.AppArmorException("Cannot write to profile directory: %s" % (apparmor.profile_dir))

@@ -183,6 +177,7 @@ class aa_tools:

    def cmd_autodep(self):
        apparmor.read_profiles()
+        apparmor.loadincludes()

        for (program, profile) in self.get_next_to_profile():
            if not program:
--- a/utils/po/id.po
+++ b/utils/po/id.po
@@ -1147,11 +1147,11 @@ msgstr "(B)aru"

 #: ../apparmor/ui.py:254
 msgid "(G)lob"
-msgstr "(G)umpal"
+msgstr "G(u)mpal"

 #: ../apparmor/ui.py:255
 msgid "Glob with (E)xtension"
-msgstr "Gumpal dengan (E)kstensi"
+msgstr "Gumpal dengan E(k)stensi"

 #: ../apparmor/ui.py:256
 msgid "(A)dd Requested Hat"
@@ -1159,7 +1159,7 @@ msgstr "(T)ambahkan Topi yang Diminta"

 #: ../apparmor/ui.py:257
 msgid "(U)se Default Hat"
-msgstr "(G)unakan Topi Default"
+msgstr "Gunakan Topi (D)efault"

 #: ../apparmor/ui.py:258
 msgid "(S)can system log for AppArmor events"
@@ -1175,7 +1175,7 @@ msgstr "(L)ihat Profil"

 #: ../apparmor/ui.py:261
 msgid "(U)se Profile"
-msgstr "(G)unakan Profil"
+msgstr "Gunakan (P)rofil"

 #: ../apparmor/ui.py:262
 msgid "(C)reate New Profile"
--- a/utils/po/sv.po
+++ b/utils/po/sv.po
@@ -990,7 +990,7 @@ msgstr ""

 #: ../apparmor/ui.py:223
 msgid "(A)llow"
-msgstr "(T)illåt"
+msgstr "Ti(l)låt"

 #: ../apparmor/ui.py:224
 msgid "(M)ore"
--- a/utils/test/test-translations.py
+++ b/utils/test/test-translations.py
@@ -62,7 +62,7 @@ class TestHotkeyConflicts(AATest):
            keys = dict()
            for key in params:
                text = t.gettext(CMDS[key])
-                hotkey = get_translated_hotkey(text)
+                hotkey = get_translated_hotkey(text).lower()

                if keys.get(hotkey):
                    raise Exception("Hotkey conflict: '%s' and '%s' in language %s" % (keys[hotkey], text, language))
Author	SHA1	Message	Date
John Johansen	c16fff8cb4	Release: Bump revisions for 2.13.6 release Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-12-07 03:27:44 -08:00
Christian Boltz	2db3d94ce2	aa-autodep: load abstractions on start So far, aa-autodep "accidently" loaded the abstractions when parsing the existing profiles. Obviously, this only worked if there is at least one profile in the active or extra profile directory. Without any existing profiles, aa-autodep crashed with KeyError: '/tmp/apparmor.d/abstractions/base' Prevent this crash by explicitely loading the abstractions on start. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1178527#c1 [1] MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/682 (cherry picked from commit `f6b3de7116`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-11-28 05:13:51 -08:00
Christian Boltz	b174705a31	abstractions/X: Allow (only) reading X compose cache ... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685 (cherry picked from commit `78bd811e2a`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-11-17 02:07:11 -08:00
John Johansen	56cc87aace	Merge [2.13] Check hotkey conflicts case-insensitive This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the german utils translations. (cherry picked from commit `07bd11390e`) Also fix hotkey conflict in utils id.po and sv.po (cherry picked from commit `7cf54f2cd8`) Note that `7cf54f2cd8` also included fixes for de.po which are not needed in the 2.13 branch. This is the 2.13 variant of MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/675. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/678 Acked-by: John Johansen <john.johansen@canonical.com>	2020-11-03 09:43:39 +00:00
Christian Boltz	ca0d9f758b	Fix hotkey conflict in utils id.po and sv.po (cherry picked from commit `7cf54f2cd8`) Note that `7cf54f2cd8` also included fixes for de.po which are not needed in the 2.13 branch.	2020-11-01 22:58:19 +01:00
Christian Boltz	a606a59d96	Check hotkey conflicts case-insensitive This is needed to catch conflicts between uppercase and lowercase hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in the german utils translations. (cherry picked from commit `07bd11390e`)	2020-11-01 22:39:49 +01:00
John Johansen	6a8a5de637	Merge dovecot: backport usr.lib.dovecot.script-login to 2.13 Backport profile to fix denials in Debian Buster+Bullseye. Add hashes for #include's, remove abi specification. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/672 Acked-by: Christian Boltz <apparmor@cboltz.de> Acked-by: John Johansen <john.johansen@canonical.com>	2020-10-27 20:56:09 +00:00
Vincas Dargis	1bcf85737b	dovecot: backport usr.lib.dovecot.script-login to 2.13 Backport profile to fix denials in Debian Buster+Bullseye. Add hashes for #include's, remove abi specification.	2020-10-27 21:14:37 +02:00
Vincas Dargis	ea55ef22e7	dovecot: allow reading dh.pem Dovecot is hit with this denial on Debian 10 (buster): ``` type=AVC msg=audit(1603647096.369:24514): apparmor="DENIED" operation="open" profile="dovecot" name="/usr/share/dovecot/dh.pem" pid=28774 comm="doveconf" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ``` This results in fatal error: ``` Oct 25 19:31:36 dovecot[28774]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 50: ssl_dh: Can't open file /usr/share/dovecot/dh.pem: Permission denied ``` Add rule to allow reading dh.pem. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671 (cherry picked from commit `9d8e111abe`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-26 15:20:31 -07:00
Vincas Dargis	dc3e2c39fb	dovecot: allow kill signal Dovecot might try to kill related processes: ``` type=AVC msg=audit(1601314853.031:9327): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/auth" type=AVC msg=audit(1601315453.655:9369): apparmor="DENIED" operation="signal" profile="dovecot" pid=21223 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3" type=AVC msg=audit(1602939754.145:101362): apparmor="DENIED" operation="signal" profile="dovecot" pid=31632 comm="dovecot" requested_mask="send" denied_mask="send" signal=kill peer="/usr/lib/dovecot/pop3-login" ``` This discovered on low-power high-load machine (last resort timeout handling?). Update signal rule to allow SIGKILL. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/671 (cherry picked from commit `2f9d172c64`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2020-10-26 15:20:14 -07:00
John Johansen	1335b80ff4	utils: fix make -C profiles check-logprof fails On arch make -C profiles check-logprof fails with * Checking profiles from ./apparmor.d against logprof ERROR: Can't find AppArmor profiles in /etc/apparmor.d make: * [Makefile:113: check-logprof] Error 1 make: Leaving directory '/build/apparmor/src/apparmor-2.13.3/profiles' because /etc/apparmor.d/ is not available in the build environment and aa-logprofs --dir argument, is not being passed to init_aa() but used to update profiles_dir after the fact. Fix this by passing profiledir as an argument to init_aa() Fixes: https://gitlab.com/apparmor/apparmor/-/issues/36 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/663 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> (backported from commit `15dc06248c`)	2020-10-25 01:44:11 -07:00
John Johansen	1808d14e35	Merge Fix 2.13 libapparmor so version `ab0f4ab2ed` increased `AA_LIB_REVISION` and `AA_LIB_AGE`, with the result that 2.13.5 builds `libapparmor.so.0.7.3`, while 2.13.4 had `libapparmor-1.6.2` This patch reverts the `AA_LIB_AGE` increase to fix the so name so that we'll get `libapparmor-1.6.3`. Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll need to also apply the patch to `Makefile.in`. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/658 Acked-by: John Johansen <john.johansen@canonical.com>	2020-10-20 10:39:27 +00:00
Christian Boltz	145136f604	Fix 2.13 libapparmor so version `ab0f4ab2ed` increased AA_LIB_REVISION and AA_LIB_AGE, with the result that 2.13.5 builds libapparmor.so.0.7.3, while 2.13.4 had libapparmor-1.6.2 This patch reverts the AA_LIB_AGE increase to fix the so name so that we'll get libapparmor-1.6.3. Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll need to also apply the patch to Makefile.in.	2020-10-17 17:30:39 +02:00
@@ -1 +1 @@
 .13.5
 .13.6