mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v2.13.8
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
...
compare: mir:v2.13.9
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

5 Commits
v2.13.8 ... v2.13.9

Author SHA1 Message Date
John Johansen
2292c7baeb Prepare for AppArmor 2.13.9 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 23:09:32 -07:00
John Johansen
44a7f6eca9 Fix build failure in df4ed537e allow reading of /etc/ld-musl-*.path 
2.13 does not support warn flags

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 22:50:43 -07:00
John Johansen
df4ed537eb Merge profiles: allow reading of /etc/ld-musl-*.path 
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.

type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Closes #333

Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>

Closes #333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 6e0d776f65)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 19:05:23 -07:00
John Johansen
e839782f7e Merge parser: fix parsing of source as mount point for propagation type flags 
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.

This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.

The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).

Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025

It should be backported to versions 2.13, 3.0, 3.1.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 1e0d7bcbb7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 18:55:40 -07:00
Georgia Garcia
f016792d09 Merge profiles: add lock file permission to snap browsers 
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening

audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0

This MR should be cherry-picked into 2.13, 3.0, 3.1

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>


(cherry picked from commit a00ece5b6e)

daec4bc8 profiles: add lock file permission to snap browsers
 2023-06-06 11:15:06 +00:00
21 changed files with 187 additions and 6 deletions
Expand all files Collapse all files

2
common/Version
View File

@@ -1 +1 @@
2.13.8
2.13.9

25
parser/mount.cc
View File

@@ -831,15 +831,30 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
std::string optsbuf;
char class_mount_hdr[64];
const char *vec[5];
char *mountpoint = mnt_point;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
/* change type base rules can not be conditional on device,
* device type or data
/* change type base rules can specify the mount point by using
* the parser token position reserved to device. that's why if
* the mount point is not specified, we use device in its
* place. this is a deprecated behavior.
*
* change type base rules can not be conditional on device
* (source), device type or data
*/
/* rule class single byte header */
mntbuf.assign(class_mount_hdr);
if (!convert_entry(mntbuf, mnt_point))
if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
PERROR("source and mount point cannot be used at the "
"same time for propagation type flags");
goto fail;
} else if (device && !mnt_point) {
pwarn(_("The use of source as mount point for "
"propagation type flags is deprecated.\n"));
mountpoint = device;
}
if (!convert_entry(mntbuf, mountpoint))
goto fail;
vec[0] = mntbuf.c_str();
/* skip device and type */
@@ -981,7 +996,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
if (!dev_type && !opts &&
gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR;
if (!device && !dev_type && !opts &&
if (!dev_type && !opts &&
gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR;
if (!dev_type && !opts &&
@@ -997,7 +1012,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
return gen_policy_bind_mount(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) &&
(flags & (MS_MAKE_CMDS))
&& !device && !dev_type && !opts) {
&& !dev_type && !opts) {
return gen_policy_change_mount_type(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
&& !dev_type && !opts) {

10
parser/tst/simple_tests/mount/ok_opt_68.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=unbindable /1,
mount options=(unbindable) /2,
mount options=(rw,unbindable) /3,
mount options in (unbindable) /4,
mount options in (ro,unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_69.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=runbindable /1,
mount options=(runbindable) /2,
mount options=(rw,runbindable) /3,
mount options in (runbindable) /4,
mount options in (ro,runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_70.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rprivate /1,
mount options=(rprivate) /2,
mount options=(rw,rprivate) /3,
mount options in (rprivate) /4,
mount options in (ro,rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_71.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=private /1,
mount options=(private) /2,
mount options=(rw,private) /3,
mount options in (private) /4,
mount options in (ro,private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_72.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=slave /1,
mount options=(slave) /2,
mount options=(rw,slave) /3,
mount options in (slave) /4,
mount options in (ro,slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_73.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rslave /1,
mount options=(rslave) /2,
mount options=(rw,rslave) /3,
mount options in (rslave) /4,
mount options in (ro,rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_74.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=shared /1,
mount options=(shared) /2,
mount options=(rw,shared) /3,
mount options in (shared) /4,
mount options in (ro,shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_75.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rshared /1,
mount options=(rshared) /2,
mount options=(rw,rshared) /3,
mount options in (rshared) /4,
mount options in (ro,rshared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_76.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-unbindable /1,
mount options=(make-unbindable) /2,
mount options=(rw,make-unbindable) /3,
mount options in (make-unbindable) /4,
mount options in (ro,make-unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_77.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-runbindable /1,
mount options=(make-runbindable) /2,
mount options=(rw,make-runbindable) /3,
mount options in (make-runbindable) /4,
mount options in (ro,make-runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_78.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-private /1,
mount options=(make-private) /2,
mount options=(rw,make-private) /3,
mount options in (make-private) /4,
mount options in (ro,make-private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_79.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rprivate /1,
mount options=(make-rprivate) /2,
mount options=(rw,make-rprivate) /3,
mount options in (make-rprivate) /4,
mount options in (ro,make-rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_80.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-slave /1,
mount options=(make-slave) /2,
mount options=(rw,make-slave) /3,
mount options in (make-slave) /4,
mount options in (ro,make-slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_81.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-shared /1,
mount options=(make-shared) /2,
mount options=(rw,make-shared) /3,
mount options in (make-shared) /4,
mount options in (ro,make-shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_82.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rslave /1,
mount options=(make-rslave) /2,
mount options=(rw,make-rslave) /3,
mount options in (make-rslave) /4,
mount options in (ro,make-rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_83.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rshared /1,
mount options=(make-rshared) /2,
mount options=(rw,make-rshared) /3,
mount options in (make-rshared) /4,
mount options in (ro,make-rshared) /5,
}

1
profiles/apparmor.d/abstractions/base
View File

@@ -60,6 +60,7 @@
/etc/ld.so.conf r,
/etc/ld.so.conf.d/{,*.conf} r,
/etc/ld.so.preload r,
/etc/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,

1
profiles/apparmor.d/abstractions/snap_browsers
View File

@@ -38,5 +38,6 @@ profile snap_browsers {
/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
/var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
# add other browsers here
}

4
tests/regression/apparmor/mount.sh
View File

@@ -218,6 +218,10 @@ test_propagation_options() {
runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
genprofile cap:sys_admin "mount:options=($1)"
runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
remove_mnt
genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"