mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-04 00:05:14 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v2.13.8
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
...
compare: mir:v2.13.10
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

10 Commits
v2.13.8 ... v2.13.10

Author SHA1 Message Date
John Johansen
b1d7dcab24 Prepare for AppArmor 2.13.10 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-21 14:08:55 -07:00
John Johansen
9525238bb0 Merge fix mount regression in 2.13 
Mount has regressed in two ways. That are affecting snapd confinement,
since landing the mount fixes for CVE-2016-1585 in 3.1.4 and the fix
for the mount change type regression in 3.1.5

    Bug Reports:

    https://bugs.launchpad.net/apparmor/+bug/2023814

    https://bugzilla.opensuse.org/show_bug.cgi?id=1211989

Issue 1: Denial of Mount
    ```
    [ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"
    ```

when the profile contains a rule that should match
    ```
    mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",
    ```

Issue 2: change_type failure.
Denial of Mount in log
    ```
    type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"
    ...
    ```

    snapd error
    ```
    - Run configure hook of "chromium" snap if present (run hook "configure":
    -----
    update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
    update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
    update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
    cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
    snap-update-ns failed with code 1
    ```

and NO mount rules in the profiles.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-06-21 01:31:55 -07:00
John Johansen
51d33c1a23 parser: fix rule flag generation change_mount type rules 
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like

  mount slave /snap/bin/** -> /**,

  mount /snap/bin/** -> /**,

would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.

1. If kernel mount flags were present on the rule. The error would
   be caught causing an error to be returned, causing profile compilation
   to fail.

2. If the rule did not contain explicit flags then rule would generate
   change_mount_type permissions based on souly the mount point. And
   the implied set of flags. However this is incorrect as it should
   not generate change_mount permissions for this type of rule. Not
   only does it ignore the source/device type condition but it
   generates permissions that were never intended.

   When used in combination with a deny prefix this overly broad
   rule can result in almost all mount rules being denied, as the
   denial takes priority over the allow mount rules.

Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-21 01:31:31 -07:00
John Johansen
b3881198ba Merge abstractions/base: Add transparent hugepage support 
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun  8 21:09:38 testvm kernel: [   54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ad3750058d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-09 01:51:00 -07:00
John Johansen
629467b74e Merge abstractions/authentication: Add GSSAPI mechanism modules config 
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun  8 21:09:37 testvm kernel: [   54.770501] audit: type=1400 audit(1686272977.933:67): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/gss/mech.d/" pid=1036 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
([Reference](https://web.mit.edu/kerberos/krb5-1.21/doc/admin/host_config.html#gssapi-mechanism-modules) for  GSSAPI mechanism modules)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1049
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b41fcdce16)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-09 01:50:31 -07:00
John Johansen
2292c7baeb Prepare for AppArmor 2.13.9 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 23:09:32 -07:00
John Johansen
44a7f6eca9 Fix build failure in df4ed537e allow reading of /etc/ld-musl-*.path 
2.13 does not support warn flags

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 22:50:43 -07:00
John Johansen
df4ed537eb Merge profiles: allow reading of /etc/ld-musl-*.path 
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.

type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Closes #333

Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>

Closes #333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 6e0d776f65)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 19:05:23 -07:00
John Johansen
e839782f7e Merge parser: fix parsing of source as mount point for propagation type flags 
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.

This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.

The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).

Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025

It should be backported to versions 2.13, 3.0, 3.1.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 1e0d7bcbb7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 18:55:40 -07:00
Georgia Garcia
f016792d09 Merge profiles: add lock file permission to snap browsers 
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening

audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0

This MR should be cherry-picked into 2.13, 3.0, 3.1

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>


(cherry picked from commit a00ece5b6e)

daec4bc8 profiles: add lock file permission to snap browsers
 2023-06-06 11:15:06 +00:00
33 changed files with 280 additions and 6 deletions
Expand all files Collapse all files

2
common/Version
View File

@@ -1 +1 @@
2.13.8 2.13.10

25
parser/mount.cc
View File

@@ -831,15 +831,30 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
std::string optsbuf; std::string optsbuf;
char class_mount_hdr[64]; char class_mount_hdr[64];
const char *vec[5]; const char *vec[5];
char *mountpoint = mnt_point;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT); sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
/* change type base rules can not be conditional on device, /* change type base rules can specify the mount point by using
* device type or data * the parser token position reserved to device. that's why if
* the mount point is not specified, we use device in its
* place. this is a deprecated behavior.
*
* change type base rules can not be conditional on device
* (source), device type or data
*/ */
/* rule class single byte header */ /* rule class single byte header */
mntbuf.assign(class_mount_hdr); mntbuf.assign(class_mount_hdr);
if (!convert_entry(mntbuf, mnt_point)) if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
PERROR("source and mount point cannot be used at the "
"same time for propagation type flags");
goto fail;
} else if (device && !mnt_point) {
pwarn(_("The use of source as mount point for "
"propagation type flags is deprecated.\n"));
mountpoint = device;
}
if (!convert_entry(mntbuf, mountpoint))
goto fail; goto fail;
vec[0] = mntbuf.c_str(); vec[0] = mntbuf.c_str();
/* skip device and type */ /* skip device and type */
@@ -981,7 +996,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
if (!dev_type && !opts && if (!dev_type && !opts &&
gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR) gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR; return RULE_ERROR;
if (!device && !dev_type && !opts && if ((!device || !mnt_point) && !dev_type && !opts &&
gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR) gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR; return RULE_ERROR;
if (!dev_type && !opts && if (!dev_type && !opts &&
@@ -997,7 +1012,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
return gen_policy_bind_mount(prof, count, flags, opt_flags); return gen_policy_bind_mount(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) && } else if ((allow & AA_MAY_MOUNT) &&
(flags & (MS_MAKE_CMDS)) (flags & (MS_MAKE_CMDS))
&& !device && !dev_type && !opts) { && (!device || !mnt_point) && !dev_type && !opts) {
return gen_policy_change_mount_type(prof, count, flags, opt_flags); return gen_policy_change_mount_type(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE) } else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
&& !dev_type && !opts) { && !dev_type && !opts) {

11
parser/tst/equality.sh
View File

@@ -563,6 +563,17 @@ verify_binary_equality "link rules slash filtering" \
@{BAR}=/mnt/ @{BAR}=/mnt/
/t { link @{FOO}/foo -> @{BAR}/bar, }" \ /t { link @{FOO}/foo -> @{BAR}/bar, }" \
# This can potentially fail as ideally it requires a better dfa comparison
# routine as it can generates hormomorphic dfas. The enumeration of the
# dfas dumped will be different, even if the binary is the same
# Note: this test in the future will require -O filter-deny and
# -O minimize and -O remove-unreachable.
verify_binary_equality "mount specific deny doesn't affect non-overlapping" \
"/t { mount options=bind /e/ -> /**, }" \
"/t { audit deny mount /s/** -> /**,
mount options=bind /e/ -> /**, }"
if [ $fails -ne 0 -o $errors -ne 0 ] if [ $fails -ne 0 -o $errors -ne 0 ]
then then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1 printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1

6
parser/tst/simple_tests/mount/bad_opt_32.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(slave) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_35.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rslave) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_36.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(unbindable) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_37.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(runbindable) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_38.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(private) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_39.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rprivate) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_40.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(shared) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_41.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rshared) /snap/bin/** -> /**,
}

10
parser/tst/simple_tests/mount/ok_opt_68.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=unbindable /1,
mount options=(unbindable) /2,
mount options=(rw,unbindable) /3,
mount options in (unbindable) /4,
mount options in (ro,unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_69.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=runbindable /1,
mount options=(runbindable) /2,
mount options=(rw,runbindable) /3,
mount options in (runbindable) /4,
mount options in (ro,runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_70.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rprivate /1,
mount options=(rprivate) /2,
mount options=(rw,rprivate) /3,
mount options in (rprivate) /4,
mount options in (ro,rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_71.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=private /1,
mount options=(private) /2,
mount options=(rw,private) /3,
mount options in (private) /4,
mount options in (ro,private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_72.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=slave /1,
mount options=(slave) /2,
mount options=(rw,slave) /3,
mount options in (slave) /4,
mount options in (ro,slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_73.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rslave /1,
mount options=(rslave) /2,
mount options=(rw,rslave) /3,
mount options in (rslave) /4,
mount options in (ro,rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_74.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=shared /1,
mount options=(shared) /2,
mount options=(rw,shared) /3,
mount options in (shared) /4,
mount options in (ro,shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_75.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rshared /1,
mount options=(rshared) /2,
mount options=(rw,rshared) /3,
mount options in (rshared) /4,
mount options in (ro,rshared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_76.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-unbindable /1,
mount options=(make-unbindable) /2,
mount options=(rw,make-unbindable) /3,
mount options in (make-unbindable) /4,
mount options in (ro,make-unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_77.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-runbindable /1,
mount options=(make-runbindable) /2,
mount options=(rw,make-runbindable) /3,
mount options in (make-runbindable) /4,
mount options in (ro,make-runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_78.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-private /1,
mount options=(make-private) /2,
mount options=(rw,make-private) /3,
mount options in (make-private) /4,
mount options in (ro,make-private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_79.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rprivate /1,
mount options=(make-rprivate) /2,
mount options=(rw,make-rprivate) /3,
mount options in (make-rprivate) /4,
mount options in (ro,make-rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_80.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-slave /1,
mount options=(make-slave) /2,
mount options=(rw,make-slave) /3,
mount options in (make-slave) /4,
mount options in (ro,make-slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_81.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-shared /1,
mount options=(make-shared) /2,
mount options=(rw,make-shared) /3,
mount options in (make-shared) /4,
mount options in (ro,make-shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_82.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rslave /1,
mount options=(make-rslave) /2,
mount options=(rw,make-rslave) /3,
mount options in (make-rslave) /4,
mount options in (ro,make-rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_83.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rshared /1,
mount options=(make-rshared) /2,
mount options=(rw,make-rshared) /3,
mount options in (make-rshared) /4,
mount options in (ro,make-rshared) /5,
}

8
parser/tst/simple_tests/mount/ok_opt_84.sd Normal file
View File

@@ -0,0 +1,8 @@
#
#=Description test we can parse rules associated with MR 1054
#=EXRESULT PASS
/usr/bin/foo {
mount options=(slave) /**,
mount options=(slave) -> /**,
mount /snap/bin/** -> /**,
}

5
profiles/apparmor.d/abstractions/authentication
View File

@@ -30,6 +30,11 @@
/{usr/,}lib/@{multiarch}/security/pam_*.so mr, /{usr/,}lib/@{multiarch}/security/pam_*.so mr,
/{usr/,}lib/@{multiarch}/security/ r, /{usr/,}lib/@{multiarch}/security/ r,
# gssapi
/etc/gss/mech r,
/etc/gss/mech.d/ r,
/etc/gss/mech.d/*.conf r,
# kerberos # kerberos
#include <abstractions/kerberosclient> #include <abstractions/kerberosclient>
# SuSE's pwdutils are different: # SuSE's pwdutils are different:

4
profiles/apparmor.d/abstractions/base
View File

@@ -60,6 +60,7 @@
/etc/ld.so.conf r, /etc/ld.so.conf r,
/etc/ld.so.conf.d/{,*.conf} r, /etc/ld.so.conf.d/{,*.conf} r,
/etc/ld.so.preload r, /etc/ld.so.preload r,
/etc/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
@@ -96,6 +97,9 @@
@{sys}/devices/system/cpu/online r, @{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r, @{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file # glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r, @{PROC}/@{pid}/{maps,auxv,status} r,

1
profiles/apparmor.d/abstractions/snap_browsers
View File

@@ -38,5 +38,6 @@ profile snap_browsers {
/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r, /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r, /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
/var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
# add other browsers here # add other browsers here
} }

14
tests/regression/apparmor/mount.sh
View File

@@ -218,6 +218,10 @@ test_propagation_options() {
runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point} runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
genprofile cap:sys_admin "mount:options=($1)" genprofile cap:sys_admin "mount:options=($1)"
runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1 runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
remove_mnt remove_mnt
genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)" genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
@@ -394,6 +398,16 @@ else
runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point} runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
remove_mnt remove_mnt
# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
# https://bugs.launchpad.net/apparmor/+bug/2023814
# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
# based on rules from profile in bug that triggered issue
genprofile cap:sys_admin "qual=deny:mount:/snap/bin/:-> /**" \
"mount:options=(rw,bind):-> ${mount_point}/"
runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
remove_mnt
test_options test_options
fi fi

8
utils/test/test-parser-simple-tests.py
View File

@@ -107,6 +107,14 @@ exception_not_raised = [
'mount/bad_opt_29.sd', 'mount/bad_opt_29.sd',
'mount/bad_opt_30.sd', 'mount/bad_opt_30.sd',
'mount/bad_opt_31.sd', 'mount/bad_opt_31.sd',
'mount/bad_opt_32.sd',
'mount/bad_opt_35.sd',
'mount/bad_opt_36.sd',
'mount/bad_opt_37.sd',
'mount/bad_opt_38.sd',
'mount/bad_opt_39.sd',
'mount/bad_opt_40.sd',
'mount/bad_opt_41.sd',
'profile/flags/flags_bad10.sd', 'profile/flags/flags_bad10.sd',
'profile/flags/flags_bad11.sd', 'profile/flags/flags_bad11.sd',
'profile/flags/flags_bad12.sd', 'profile/flags/flags_bad12.sd',