Merge libapparmor: fix feature matching for aa_feature_supports

The feature matching done in aa_feature_supports calls walk_one to
traverse the features string. This function is supposed to match on
the feature and return, but it matches the feature based on the length
of the feature to check. If the feature to check shorter, then it
would return as if the feature was not present - which was the case
for the following example:

feature_file contains (shortened for example purposes):

```
network_v9 {af_unix {yes
}
}
network_v8 {af_inet {yes
}
}
network {af_unix {yes
}
}
```

if the feature to be checked was simply "network", then walk_one would
return that the feature was not present.

Fix this by restarting the matching if there was not a full match at
the end of the feaure to check.

Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1608
Approved-by: Ryan Lee <rlee287@yahoo.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 69355d41f7)
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

.gitlab-ci.yml

@@ -1,5 +1,5 @@
 ---
-image: ubuntu:latest
+image: ubuntu:jammy
 before_script:
   - export DEBIAN_FRONTEND=noninteractive && apt-get update -qq && apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool perl liblocale-gettext-perl pkg-config python-all-dev python3-all-dev pyflakes3 ruby-dev swig lsb-release python3-notify2 python3-psutil python3-setuptools zlib1g-dev
   - lsb_release -a

common/Version

@@ -1 +1 @@
-2.13.8
+2.13.11

libraries/libapparmor/doc/aa_getcon.pod

@@ -116,6 +116,14 @@ The specified I<file/task> does not exist or is not visible.
 
 The confinement data is too large to fit in the supplied buffer.
 
+=item B<ENOPROTOOPT>
+
+The kernel doesn't support the SO_PEERLABEL option in sockets. This happens
+mainly when the kernel lacks 'fine grained unix mediation' support. It also
+can happen on LSM stacking kernels where another LSM has claimed this
+interface and decides to return this error, although this is really a
+corner case.
+
 =back
 
 =head1 NOTES

libraries/libapparmor/doc/aa_stack_profile.pod

@@ -109,12 +109,12 @@ To immediately stack a profile named "profile_a", as performed with
 aa_stack_profile("profile_a"), the equivalent of this shell command can be
 used:
 
- $ echo -n "stackprofile profile_a" > /proc/self/attr/current
+ $ echo -n "stack profile_a" > /proc/self/attr/current
 
 To stack a profile named "profile_a" at the next exec, as performed with
 aa_stack_onexec("profile_a"), the equivalent of this shell command can be used:
 
- $ echo -n "stackexec profile_a" > /proc/self/attr/exec
+ $ echo -n "stack profile_a" > /proc/self/attr/exec
 
 These raw AppArmor filesystem operations must only be used when using
 libapparmor is not a viable option.
@@ -184,6 +184,7 @@ with apparmor_parser(8):
      /etc/passwd               r,
 
      # Needed for aa_stack_profile()
+     change-profile -> &i_cant_be_trusted_anymore,
      /usr/lib/libapparmor*.so* mr,
      /proc/[0-9]*/attr/current w,
  }

libraries/libapparmor/src/Makefile.am

@@ -43,7 +43,7 @@ scanner.h: scanner.l
 scanner.c: scanner.l
 
 af_protos.h:
-	 echo '#include <netinet/in.h>' | $(CC) -E -dM - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+	 echo '#include <netinet/in.h>' | $(CC) -E -dD - | LC_ALL=C  sed  -n -e "/IPPROTO_MAX/d"  -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
 
 lib_LTLIBRARIES = libapparmor.la
 noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h

libraries/libapparmor/src/features.c

@@ -375,6 +375,10 @@ static bool walk_one(const char **str, const struct component *component,
 			i = 0;
 
 		cur++;
+
+		/* Partial match, continue to search */
+		if (i == component->len && !isbrace_space_or_nul(*cur))
+			i = 0;
 	}
 
 	/* Return false if a full match was not found */

libraries/libapparmor/src/tst_features.c

@@ -135,7 +135,7 @@ static int do_test_walk_one(const char **str, const struct component *component,
 
 static int test_walk_one(void)
 {
-	struct component c;
+	struct component c = (struct component) { NULL, 0 };
 	const char *str;
 	int rc = 0;
 

libraries/libapparmor/swig/SWIG/libapparmor.i

@@ -55,7 +55,7 @@ extern int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 extern int aa_getprocattr(pid_t tid, const char *attr, char **buf, char **mode);
 extern int aa_gettaskcon(pid_t target, char **label, char **mode);
 extern int aa_getcon(char **label, char **mode);
-extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
+extern int aa_getpeercon_raw(int fd, char *buf, socklen_t *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);

parser/libapparmor_re/expr-tree.cc

@@ -170,6 +170,19 @@ void Node::dump_syntax_tree(ostream &os)
  *        a   b                    c   T
  *
  */
+
+
+static Node *simplify_eps_pair(Node *t)
+{
+	if (dynamic_cast<TwoChildNode *>(t) &&
+	    t->child[0] == &epsnode &&
+	    t->child[1] == &epsnode) {
+		t->release();
+		return &epsnode;
+	}
+	return t;
+}
+
 static void rotate_node(Node *t, int dir)
 {
 	// (a | b) | c -> a | (b | c)
@@ -178,7 +191,9 @@ static void rotate_node(Node *t, int dir)
 	t->child[dir] = left->child[dir];
 	left->child[dir] = left->child[!dir];
 	left->child[!dir] = t->child[!dir];
-	t->child[!dir] = left;
+
+        // check that rotation didn't create (E | E)
+	t->child[!dir] = simplify_eps_pair(left);
 }
 
 /* return False if no work done */
@@ -190,13 +205,7 @@ int TwoChildNode::normalize_eps(int dir)
 		// Ea -> aE
 		// Test for E | (E | E) and E . (E . E) which will
 		// result in an infinite loop
-		Node *c = child[!dir];
-		if (dynamic_cast<TwoChildNode *>(c) &&
-		    &epsnode == c->child[dir] &&
-		    &epsnode == c->child[!dir]) {
-			c->release();
-			c = &epsnode;
-		}
+		Node *c = simplify_eps_pair(child[!dir]);
 		child[!dir] = child[dir];
 		child[dir] = c;
 		return 1;

parser/mount.cc

@@ -831,15 +831,28 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 	std::string optsbuf;
 	char class_mount_hdr[64];
 	const char *vec[5];
+	char *mountpoint = mnt_point;
 
 	sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
 
-	/* change type base rules can not be conditional on device,
-	 * device type or data
+	/* change type base rules can specify the mount point by using
+	 * the parser token position reserved to device. that's why if
+	 * the mount point is not specified, we use device in its
+	 * place. this is a deprecated behavior.
+	 *
+	 * change type base rules can not be conditional on device
+	 * (source), device type or data
 	 */
 	/* rule class single byte header */
 	mntbuf.assign(class_mount_hdr);
-	if (!convert_entry(mntbuf, mnt_point))
+	if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
+		PERROR("source and mount point cannot be used at the "
+		       "same time for propagation type flags");
+		goto fail;
+	} else if (device && !mnt_point) {
+		mountpoint = device;
+	}
+	if (!convert_entry(mntbuf, mountpoint))
 		goto fail;
 	vec[0] = mntbuf.c_str();
 	/* skip device and type */
@@ -981,7 +994,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		if (!dev_type && !opts &&
 		    gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
-		if (!device && !dev_type && !opts &&
+		if ((!device || !mnt_point) && !dev_type && !opts &&
 		    gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
 			return RULE_ERROR;
 		if (!dev_type && !opts &&
@@ -997,7 +1010,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
 		return gen_policy_bind_mount(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) &&
 		   (flags & (MS_MAKE_CMDS))
-		   && !device && !dev_type && !opts) {
+		   && (!device || !mnt_point) && !dev_type && !opts) {
 		return gen_policy_change_mount_type(prof, count, flags, opt_flags);
 	} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
 		   && !dev_type && !opts) {

parser/parser_interface.c

@@ -273,7 +273,7 @@ static inline void sd_write_aligned_blob(std::ostringstream &buf, void *b, int b
 	buf.write((const char *) b, b_size);
 }
 
-static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char *name)
+static void sd_write_strn(std::ostringstream &buf, const char *b, int size, const char *name)
 {
 	sd_write_name(buf, name);
 	sd_write8(buf, SD_STRING);
@@ -281,7 +281,7 @@ static void sd_write_strn(std::ostringstream &buf, char *b, int size, const char
 	buf.write(b, size);
 }
 
-static inline void sd_write_string(std::ostringstream &buf, char *b, const char *name)
+static inline void sd_write_string(std::ostringstream &buf, const char *b, const char *name)
 {
 	sd_write_strn(buf, b, strlen(b) + 1, name);
 }
@@ -378,11 +378,7 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 	sd_write_struct(buf, "profile");
 	if (flattened) {
 		assert(profile->parent);
-		autofree char *name = (char *) malloc(3 + strlen(profile->name) + strlen(profile->parent->name));
-		if (!name)
-			return;
-		sprintf(name, "%s//%s", profile->parent->name, profile->name);
-		sd_write_string(buf, name, NULL);
+		sd_write_string(buf, profile->get_name(false).c_str(), NULL);
 	} else {
 		sd_write_string(buf, profile->name, NULL);
 	}

parser/tst/equality.sh

@@ -563,6 +563,17 @@ verify_binary_equality "link rules slash filtering" \
                         @{BAR}=/mnt/
                            /t { link @{FOO}/foo -> @{BAR}/bar, }" \
 
+
+# This can potentially fail as ideally it requires a better dfa comparison
+# routine as it can generates hormomorphic dfas. The enumeration of the
+# dfas dumped will be different, even if the binary is the same
+# Note: this test in the future will require -O filter-deny and
+# -O minimize and -O remove-unreachable.
+verify_binary_equality "mount specific deny doesn't affect non-overlapping" \
+			"/t { mount options=bind /e/ -> /**, }" \
+			"/t { audit deny mount /s/** -> /**,
+			      mount options=bind /e/ -> /**, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1

parser/tst/simple_tests/mount/bad_opt_32.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(slave) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_35.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rslave) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_36.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(unbindable) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_37.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(runbindable) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_38.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(private) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_39.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rprivate) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_40.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(shared) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/bad_opt_41.sd

@@ -0,0 +1,6 @@
+#
+#=Description test we fail make rules with source and mntpnt associated with MR 1054
+#=EXRESULT FAIL
+/usr/bin/foo {
+    mount options=(rshared) /snap/bin/** -> /**,
+}

parser/tst/simple_tests/mount/ok_opt_68.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=unbindable /1,
+  mount options=(unbindable) /2,
+  mount options=(rw,unbindable) /3,
+  mount options in (unbindable) /4,
+  mount options in (ro,unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_69.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=runbindable /1,
+  mount options=(runbindable) /2,
+  mount options=(rw,runbindable) /3,
+  mount options in (runbindable) /4,
+  mount options in (ro,runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_70.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rprivate /1,
+  mount options=(rprivate) /2,
+  mount options=(rw,rprivate) /3,
+  mount options in (rprivate) /4,
+  mount options in (ro,rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_71.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=private /1,
+  mount options=(private) /2,
+  mount options=(rw,private) /3,
+  mount options in (private) /4,
+  mount options in (ro,private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_72.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=slave /1,
+  mount options=(slave) /2,
+  mount options=(rw,slave) /3,
+  mount options in (slave) /4,
+  mount options in (ro,slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_73.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rslave /1,
+  mount options=(rslave) /2,
+  mount options=(rw,rslave) /3,
+  mount options in (rslave) /4,
+  mount options in (ro,rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_74.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=shared /1,
+  mount options=(shared) /2,
+  mount options=(rw,shared) /3,
+  mount options in (shared) /4,
+  mount options in (ro,shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_75.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=rshared /1,
+  mount options=(rshared) /2,
+  mount options=(rw,rshared) /3,
+  mount options in (rshared) /4,
+  mount options in (ro,rshared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_76.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-unbindable /1,
+  mount options=(make-unbindable) /2,
+  mount options=(rw,make-unbindable) /3,
+  mount options in (make-unbindable) /4,
+  mount options in (ro,make-unbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_77.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-runbindable /1,
+  mount options=(make-runbindable) /2,
+  mount options=(rw,make-runbindable) /3,
+  mount options in (make-runbindable) /4,
+  mount options in (ro,make-runbindable) /5,
+}

parser/tst/simple_tests/mount/ok_opt_78.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-private /1,
+  mount options=(make-private) /2,
+  mount options=(rw,make-private) /3,
+  mount options in (make-private) /4,
+  mount options in (ro,make-private) /5,
+}

parser/tst/simple_tests/mount/ok_opt_79.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rprivate /1,
+  mount options=(make-rprivate) /2,
+  mount options=(rw,make-rprivate) /3,
+  mount options in (make-rprivate) /4,
+  mount options in (ro,make-rprivate) /5,
+}

parser/tst/simple_tests/mount/ok_opt_80.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-slave /1,
+  mount options=(make-slave) /2,
+  mount options=(rw,make-slave) /3,
+  mount options in (make-slave) /4,
+  mount options in (ro,make-slave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_81.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-shared /1,
+  mount options=(make-shared) /2,
+  mount options=(rw,make-shared) /3,
+  mount options in (make-shared) /4,
+  mount options in (ro,make-shared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_82.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rslave /1,
+  mount options=(make-rslave) /2,
+  mount options=(rw,make-rslave) /3,
+  mount options in (make-rslave) /4,
+  mount options in (ro,make-rslave) /5,
+}

parser/tst/simple_tests/mount/ok_opt_83.sd

@@ -0,0 +1,10 @@
+#
+#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
+#=EXRESULT PASS
+/usr/bin/foo {
+  mount options=make-rshared /1,
+  mount options=(make-rshared) /2,
+  mount options=(rw,make-rshared) /3,
+  mount options in (make-rshared) /4,
+  mount options in (ro,make-rshared) /5,
+}

parser/tst/simple_tests/mount/ok_opt_84.sd

@@ -0,0 +1,8 @@
+#
+#=Description test we can parse rules associated with MR 1054
+#=EXRESULT PASS
+/usr/bin/foo {
+    mount options=(slave) /**,
+    mount options=(slave) -> /**,
+    mount /snap/bin/** -> /**,
+}

parser/tst/simple_tests/regressions/ok_normalize.sd

@@ -0,0 +1,25 @@
+#
+#=Description caused an infinite loop in expr normalization
+#=EXRESULT PASS
+
+# This test triggers an infinite loop bug in expr normalization
+# Note: this test might be able to be reduced more but, each element appears
+# to be required to trigger the bug.
+# that is the initial var assignment, += with the "comment" at the end
+# (which is a separate bug), the expansion in the 2nd variable and then
+# the use of the 2nd variable.
+# This seems to be due to difference in consistency check between expansion
+# at parse time and variable expansion.
+# eg. expanding @{exec_path} manually will result in a failure to parse
+# see: https://gitlab.com/apparmor/apparmor/-/issues/398
+
+@{var}=*-linux-gnu*
+@{var}+=*-suse-linux*  #aa:only opensuse
+
+@{exec_path} = /{,@{var}/}t
+
+profile test {
+
+
+  @{exec_path} mr,
+}

profiles/apparmor.d/abstractions/authentication

@@ -30,6 +30,11 @@
   /{usr/,}lib/@{multiarch}/security/pam_*.so      mr,
   /{usr/,}lib/@{multiarch}/security/              r,
 
+  # gssapi
+  /etc/gss/mech               r,
+  /etc/gss/mech.d/            r,
+  /etc/gss/mech.d/*.conf      r,
+
   # kerberos
   #include <abstractions/kerberosclient>
   # SuSE's pwdutils are different:

profiles/apparmor.d/abstractions/base

@@ -60,6 +60,7 @@
   /etc/ld.so.conf                r,
   /etc/ld.so.conf.d/{,*.conf}    r,
   /etc/ld.so.preload             r,
+  /etc/ld-musl-*.path            r,
   /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
   /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
   /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
@@ -88,6 +89,9 @@
   # best place -- but many profiles require it, and it is quite harmless.
   @{PROC}/sys/kernel/ngroups_max r,
 
+  # Used to determine if Linux is running in FIPS mode
+  @{PROC}/sys/crypto/fips_enabled r,
+
   # glibc's sysconf(3) routine to determine free memory, etc
   @{PROC}/meminfo                r,
   @{PROC}/stat                   r,
@@ -96,6 +100,9 @@
   @{sys}/devices/system/cpu/online r,
   @{sys}/devices/system/cpu/possible r,
 
+  # transparent hugepage support
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
   # glibc's *printf protections read the maps file
   @{PROC}/@{pid}/{maps,auxv,status} r,
 

profiles/apparmor.d/abstractions/fonts

@@ -45,7 +45,7 @@
   owner @{HOME}/.local/share/fonts/**   r,
   owner @{HOME}/.fonts.cache-2          mr,
   owner @{HOME}/.{,cache/}fontconfig/   rw,
-  owner @{HOME}/.{,cache/}fontconfig/** mrl,
+  owner @{HOME}/.{,cache/}fontconfig/** mrwkl,
   owner @{HOME}/.fonts.conf.d/          r,
   owner @{HOME}/.fonts.conf.d/**        r,
   owner @{HOME}/.config/fontconfig/     r,

profiles/apparmor.d/abstractions/kde

@@ -25,6 +25,9 @@
 /etc/kde4rc r,
 /etc/xdg/kdeglobals r,
 /etc/xdg/Trolltech.conf r,
+/usr/share/desktop-base/kf5-settings/baloofilerc r,
+/usr/share/desktop-base/kf5-settings/kdeglobals r,
+/usr/share/desktop-base/kf5-settings/kscreenlockerrc r,
 /usr/share/knotifications5/*.notifyrc r, # KNotification::sendEvent()
 /usr/share/kubuntu-default-settings/kf5-settings/* r,
 

profiles/apparmor.d/abstractions/nameservice

@@ -21,6 +21,9 @@
   /etc/passwd             r,
   /etc/protocols          r,
 
+  # On systems with authselect installed, /etc/nsswitch.conf is a symlink to /etc/authselect/nsswitch.conf
+  /{usr/,}etc/authselect/nsswitch.conf r,
+
   # libtirpc (used for NIS/YP login) needs this
   /etc/netconfig r,
 

profiles/apparmor.d/abstractions/openssl

@@ -10,8 +10,8 @@
 
   /etc/ssl/openssl.cnf r,
   /etc/ssl/openssl-*.cnf r,
-  /etc/ssl/{engdef,engines}.d/ r,
-  /etc/ssl/{engdef,engines}.d/*.cnf r,
+  /etc/ssl/{engdef*,engines*}.d/ r,
+  /etc/ssl/{engdef*,engines*}.d/*.cnf r,
   /usr/share/ssl/openssl.cnf r,
   @{PROC}/sys/crypto/fips_enabled r,
 

profiles/apparmor.d/abstractions/snap_browsers

@@ -38,5 +38,6 @@ profile snap_browsers {
   /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
 
   /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+  /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
   # add other browsers here
 }

profiles/apparmor.d/abstractions/ubuntu-browsers.d/kde

@@ -5,3 +5,6 @@
 
   #include <abstractions/kde>
   /usr/bin/kde4-config Cx -> sanitized_helper,
+
+  # https://bugs.kde.org/show_bug.cgi?id=397399
+  /usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,

tests/regression/apparmor/capabilities.sh

@@ -49,14 +49,20 @@ CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
 	      sys_admin sys_boot sys_nice sys_resource sys_time \
 	      sys_tty_config mknod lease audit_write audit_control"
 
+# lockdown thwarts both ioperm and iopl
+notlockeddown=TRUE
+if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
+  notlockeddown=FALSE
+fi
+
 # defines which test+capability pairs should succeed.
 syscall_reboot_sys_boot=TRUE
 syscall_sethostname_sys_admin=TRUE
 syscall_setdomainname_sys_admin=TRUE
 syscall_setpriority_sys_nice=TRUE
 syscall_setscheduler_sys_nice=TRUE
-syscall_ioperm_sys_rawio=TRUE
-syscall_iopl_sys_rawio=TRUE
+syscall_ioperm_sys_rawio=$notlockeddown
+syscall_iopl_sys_rawio=$notlockeddown
 syscall_chroot_sys_chroot=TRUE
 syscall_mlockall_ipc_lock=TRUE
 syscall_sysctl_sys_admin=TRUE
@@ -93,7 +99,13 @@ for TEST in ${TESTS} ; do
 
 	settest ${TEST}
 	# base case, unconfined
-	runchecktest "${TEST} -- unconfined" pass ${my_arg}
+	if [ "${TEST}" = "syscall_ioperm" -a "$notlockeddown" = "FALSE" ] ||
+	   [ "${TEST}" = "syscall_iopl" -a "$notlockeddown" = "FALSE" ]; then
+	    expected=fail
+	else
+	    expected=pass
+	fi
+	runchecktest "${TEST} -- unconfined" ${expected} ${my_arg}
 
 	# no capabilities allowed
 	genprofile ${my_entries}
@@ -107,11 +119,13 @@ for TEST in ${TESTS} ; do
 
 	# all capabilities allowed
 	genprofile cap:ALL ${my_entries}
-	runchecktest "${TEST} -- all caps" pass ${my_arg}
+	runchecktest "${TEST} -- all caps" ${expected} ${my_arg}
 
 	# iterate through each of the capabilities
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
+			expected_result=fail
+		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass
@@ -136,10 +150,12 @@ for TEST in ${TESTS} ; do
 
 	# all capabilities allowed
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
-	runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+	runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
 
 	for cap in ${CAPABILITIES} ; do
-		if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
+		if [ ${expected} = "fail" ]; then
+			expected_result=fail
+		elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
 			expected_result=pass
 		elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
 			expected_result=pass

tests/regression/apparmor/mount.sh

@@ -218,6 +218,10 @@ test_propagation_options() {
 	runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
 	genprofile cap:sys_admin "mount:options=($1)"
 	runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
+	genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
+	runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
 	remove_mnt
 
 	genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
@@ -394,6 +398,16 @@ else
 	runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
 	remove_mnt
 
+	# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
+	# https://bugs.launchpad.net/apparmor/+bug/2023814
+	# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
+	# based on rules from profile in bug that triggered issue
+	genprofile cap:sys_admin "qual=deny:mount:/snap/bin/:-> /**" \
+				 "mount:options=(rw,bind):-> ${mount_point}/"
+
+	runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
+	remove_mnt
+
 	test_options
 fi
 

tests/regression/apparmor/syscall.sh

@@ -150,13 +150,19 @@ i386 | i486 | i586 | i686 | x86 | x86_64)
 # But don't run them on xen kernels
 if [ ! -d /proc/xen ] ; then
 
+# lockdown thwarts both ioperm and iopl
+expected=pass
+if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
+  expected=fail
+fi
+
 ##
 ## F. IOPERM
 ##
 settest syscall_ioperm
 
 # TEST F1
-runchecktest "IOPERM (no confinement)" pass 0 0x3ff
+runchecktest "IOPERM (no confinement)" $expected 0 0x3ff
 
 # TEST F2. ioperm will fail
 genprofile
@@ -169,7 +175,7 @@ runchecktest "IOPERM (confinement)" fail 0 0x3ff
 settest syscall_iopl
 
 # TEST G1
-runchecktest "IOPL (no confinement)" pass 3
+runchecktest "IOPL (no confinement)" $expected 3
 
 # TEST G2. iopl will fail
 genprofile

tests/regression/apparmor/tcp.sh

@@ -14,8 +14,14 @@ pwd=`cd $pwd ; /bin/pwd`
 
 bin=$pwd
 
+# TODO:
+# need to update so we can run the test for ech supported
+# need to be able to modify the compile features to choose the
+# kernel feature supported
+# need to be able to query the parser if it supports the
+# kernel feature
 . $bin/prologue.inc
-requires_kernel_features network
+requires_any_of_kernel_features network network_v8
 
 port=34567
 ip="127.0.0.1"

utils/aa-unconfined

@@ -99,6 +99,15 @@ def get_pids_netstat(netstat='netstat'):
     return pids
 
 
+def escape_special_chars(data):
+    """escape special characters in program names so that they can't mess up the terminal"""
+    data = repr(data)
+    if len(data) > 1 and data.startswith("'") and data.endswith("'"):
+        return data[1:-1]
+    else:
+        return data
+
+
 pids = set()
 if paranoid:
     pids = get_all_pids()
@@ -110,6 +119,7 @@ else:
 for pid in sorted(map(int, pids)):
     try:
         prog = os.readlink("/proc/%s/exe" % pid)
+        prog = escape_special_chars(prog)
     except OSError:
         continue
     attr = None
@@ -127,6 +137,7 @@ for pid in sorted(map(int, pids)):
         pname = cmdline.split("\0")[0]
     if '/' in pname and pname != prog:
         pname = "(%s)" % pname
+        pname = escape_special_chars(pname)
     else:
         pname = ""
     regex_interpreter = re.compile(r"^(/usr)?/bin/(python|perl|bash|dash|sh)$")
@@ -134,6 +145,7 @@ for pid in sorted(map(int, pids)):
         if regex_interpreter.search(prog):
             cmdline = re.sub(r"\x00", " ", cmdline)
             cmdline = re.sub(r"\s+$", "", cmdline).strip()
+            cmdline = escape_special_chars(cmdline)
 
             ui.UI_Info(_("%(pid)s %(program)s (%(commandline)s) not confined") % {'pid': pid, 'program': prog, 'commandline': cmdline})
         else:
@@ -144,6 +156,7 @@ for pid in sorted(map(int, pids)):
         if regex_interpreter.search(prog):
             cmdline = re.sub(r"\0", " ", cmdline)
             cmdline = re.sub(r"\s+$", "", cmdline).strip()
+            cmdline = escape_special_chars(cmdline)
             ui.UI_Info(_("%(pid)s %(program)s (%(commandline)s) confined by '%(attribute)s'") % {'pid': pid, 'program': prog, 'commandline': cmdline, 'attribute': attr})
         else:
             if pname and pname[-1] == ')':

utils/apparmor/aa.py

@@ -2025,6 +2025,9 @@ def collapse_log():
 
                 ptrace = prelog[aamode][profile][hat]['ptrace']
                 for peer in ptrace.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                     for access in ptrace[peer].keys():
                         ptrace_event = PtraceRule(access, peer, log_event=True)
                         if not hat_exists or not is_known_rule(aa[profile][hat], 'ptrace', ptrace_event):
@@ -2032,6 +2035,9 @@ def collapse_log():
 
                 sig = prelog[aamode][profile][hat]['signal']
                 for peer in sig.keys():
+                    if '//null-' in peer:
+                        continue  # ignore null-* peers
+
                     for access in sig[peer].keys():
                         for signal in sig[peer][access].keys():
                             signal_event = SignalRule(access, signal, peer, log_event=True)

utils/apparmor/logparser.py

@@ -17,6 +17,7 @@ import re
 import sys
 import time
 import LibAppArmor
+import apparmor.ui as aaui
 from apparmor.common import AppArmorException, AppArmorBug, open_file_read, DebugLogger
 
 from apparmor.aamode import validate_log_mode, log_str_to_mode, hide_log_mode, AA_MAY_EXEC
@@ -95,7 +96,13 @@ class ReadLog:
         if sys.version_info < (3, 0):
             # parse_record fails with u'foo' style strings hence typecasting to string
             msg = str(msg)
-        event = LibAppArmor.parse_record(msg)
+
+        try:
+            event = LibAppArmor.parse_record(msg)
+        except TypeError:
+            aaui.UI_Important(_("WARNING: Cannot process log message, skipping entry. Make sure log is plaintext."))
+            return None
+
         ev = dict()
         ev['resource'] = event.info
         ev['active_hat'] = event.active_hat

utils/test/test-parser-simple-tests.py

@@ -107,6 +107,14 @@ exception_not_raised = [
     'mount/bad_opt_29.sd',
     'mount/bad_opt_30.sd',
     'mount/bad_opt_31.sd',
+    'mount/bad_opt_32.sd',
+    'mount/bad_opt_35.sd',
+    'mount/bad_opt_36.sd',
+    'mount/bad_opt_37.sd',
+    'mount/bad_opt_38.sd',
+    'mount/bad_opt_39.sd',
+    'mount/bad_opt_40.sd',
+    'mount/bad_opt_41.sd',
     'profile/flags/flags_bad10.sd',
     'profile/flags/flags_bad11.sd',
     'profile/flags/flags_bad12.sd',