AppArmor 2.7

entries where the comm entry has been hex-encoded. This occurs when the
binary being confined contains a space or other problematic character in
its filename. A test case is included.

common/Version

@@ -1 +1 @@
-2.7.0~rc1
+2.7.0

libraries/libapparmor/src/grammar.y

@@ -246,7 +246,7 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
-	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
+	| TOK_KEY_COMM TOK_EQUALS safe_string
 	{ ret_record->comm = $3;}
 	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
 	| TOK_KEY_CAPABILITY TOK_EQUALS TOK_DIGITS

libraries/libapparmor/src/scanner.l

@@ -265,7 +265,7 @@ yy_flex_debug = 0;
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
-{key_comm}		{ return(TOK_KEY_COMM); }
+{key_comm}		{ BEGIN(safe_string); return(TOK_KEY_COMM); }
 {key_capability}	{ return(TOK_KEY_CAPABILITY); }
 {key_capname}		{ return(TOK_KEY_CAPNAME); }
 {key_offset}		{ return(TOK_KEY_OFFSET); }

libraries/libapparmor/swig/python/setup.py.in

@@ -13,7 +13,7 @@ setup(name		= 'LibAppArmor',
       ext_package	= 'LibAppArmor',
       ext_modules	= [Extension('_LibAppArmor', ['libapparmor_wrap.c'],
 					include_dirs=['@top_srcdir@/src'],
-					extra_link_args = string.split('-L@top_builddir@/src/.libs -lapparmor'),
-# static:				extra_link_args = string.split('@top_builddir@/src/.libs/libapparmor.a'),
+					extra_link_args = '-L@top_builddir@/src/.libs -lapparmor'.split(),
+# static:				extra_link_args = '@top_builddir@/src/.libs/libapparmor.a'.split(),
 			)],
       )

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.in

@@ -0,0 +1 @@
+type=AVC msg=audit(1322676143.201:455): apparmor="ALLOWED" operation="open" parent=10357 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D792070726F672E7368 pid=22918 comm=6D792070726F672E7368 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

libraries/libapparmor/testsuite/test_multi/testcase_encoded_comm.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_comm.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322676143.201:455
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 1000
+Profile: /home/steve/tmp/my prog.sh
+Name: /home/steve/tmp/my prog.sh
+Command: my prog.sh
+Parent: 10357
+PID: 22918
+Epoch: 1322676143
+Audit subid: 455

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.in

@@ -0,0 +1 @@
+Aug 23 17:29:45 hostname kernel: [289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/testcase_encoded_profile.out

@@ -0,0 +1,16 @@
+START
+File: test_multi/testcase_encoded_profile.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1322614912.304:857
+Operation: getattr
+Mask: r
+Denied Mask: r
+fsuid: 0
+ouid: 0
+Profile: test space
+Name: /lib/x86_64-linux-gnu/libdl-2.13.so
+Command: bash
+Parent: 16001
+PID: 17011
+Epoch: 1322614912
+Audit subid: 857

parser/COPYING.GPL

@@ -1,15 +1,15 @@
 This license applies to all source files within the AppArmor parser
 package.
 
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -18,7 +18,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -58,8 +58,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -113,7 +113,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -171,7 +171,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -228,7 +228,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -258,7 +258,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -280,9 +280,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -294,7 +294,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
+    Copyright (C) <year>  <name of author>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -306,17 +306,16 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision version 69, Copyright (C) year name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
@@ -339,5 +338,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

parser/Makefile

@@ -115,7 +115,7 @@ endif
 export Q VERBOSE BUILD_OUTPUT
 
 po/${NAME}.pot: ${SRCS} ${HDRS}
-	make -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
 
 techdoc.pdf: techdoc.tex
 	while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
@@ -141,7 +141,7 @@ pdf:	techdoc.pdf
 docs:	manpages htmlmanpages pdf
 
 indep: docs
-	$(Q)make -C po all
+	$(Q)$(MAKE) -C po all
 
 all:	arch indep
 
@@ -149,10 +149,10 @@ all:	arch indep
 .PHONY: libstdc++.a
 libstdc++.a:
 	rm -f ./libstdc++.a
-	ln -s `g++ -print-file-name=libstdc++.a`
+	ln -s `$(CXX) -print-file-name=libstdc++.a`
 
 apparmor_parser: $(OBJECTS) $(AAREOBJECTS)
-	g++ $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
+	$(CXX) $(EXTRA_CFLAGS) -o $@ $(OBJECTS) $(LIBS) \
 	      ${LEXLIB}  $(AAREOBJECTS) $(AARE_LDFLAGS)
 
 parser_yacc.c parser_yacc.h: parser_yacc.y parser.h
@@ -231,13 +231,13 @@ check: tests
 .SILENT: tests
 tests: apparmor_parser ${TESTS}
 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
-	$(Q)make -s -C tst tests
+	$(Q)$(MAKE) -s -C tst tests
 
 # always need to rebuild.
 .SILENT: $(AAREOBJECT)
 .PHONY: $(AAREOBJECT)
 $(AAREOBJECT):
-	make -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
 install-rhel4: install-redhat
@@ -289,8 +289,8 @@ install-indep:
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
-	make -C po install NAME=${NAME} DESTDIR=${DESTDIR}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 
 .SILENT: clean
 .PHONY: clean
@@ -304,11 +304,11 @@ clean: _clean
 	rm -f af_names.h
 	rm -f cap_names.h
 	rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
-	make -s -C $(AAREDIR) clean
-	make -s -C po clean
-	make -s -C tst clean
+	$(MAKE) -s -C $(AAREDIR) clean
+	$(MAKE) -s -C po clean
+	$(MAKE) -s -C tst clean
 
 .SILENT: dist_clean
 dist_clean:
-	@make clean
+	@$(MAKE) clean
 	@rm -f $(LEX_C_FILES) $(YACC_C_FILES)

parser/rc.apparmor.functions

@@ -525,11 +525,11 @@ apparmor_status () {
 		${SD_STATUS} --verbose
 		return $?
 	fi
-	if ! is_apparmor_present apparmor subdomain ; then
+	if ! is_apparmor_loaded ; then
 		echo "AppArmor is not loaded."
 		rc=1
 	else
-		echo "AppArmor is enabled,"
+		echo "AppArmor is enabled."
 		rc=0
 	fi
 	echo "Install the apparmor-utils package to receive more detailed"

profiles/Makefile

@@ -52,6 +52,7 @@ install: local
 	install -m 755 -d ${PROFILES_DEST}
 	install -m 755 -d ${PROFILES_DEST}/abstractions \
                           ${PROFILES_DEST}/apache2.d \
+                          ${PROFILES_DEST}/disable \
                           ${PROFILES_DEST}/program-chunks \
                           ${PROFILES_DEST}/tunables \
                           ${PROFILES_DEST}/tunables/home.d \

profiles/apparmor.d/abstractions/ldapclient

@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+  /etc/ldap.conf            r,
+  /etc/ldap.secret          r,
+  /etc/openldap/*           r,
+  /etc/openldap/cacerts/*   r,
+
+  # SASL plugins and config
+  /etc/sasl2/*              r,
+  /usr/lib{,32,64}/sasl2/*  r,
+
+  #include <abstractions/ssl_certs>

profiles/apparmor.d/abstractions/nameservice

@@ -16,8 +16,6 @@
   /etc/group              r,
   /etc/host.conf          r,
   /etc/hosts              r,
-  /etc/ldap.conf          r,
-  /etc/ldap.secret        r,
   /etc/nsswitch.conf      r,
   /etc/gai.conf           r,
   /etc/passwd             r,
@@ -32,9 +30,6 @@
 
   /etc/samba/lmhosts      r,
   /etc/services           r,
-  # all openldap config
-  /etc/openldap/*         r,
-  /etc/ldap/**            r,
   # db backend
   /var/lib/misc/*.db      r,
   # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -60,6 +55,9 @@
   # nis
   #include <abstractions/nis>
 
+  # ldap
+  #include <abstractions/ldapclient>
+
   # winbind
   #include <abstractions/winbind>
 

profiles/apparmor.d/abstractions/python

@@ -29,3 +29,6 @@
 
   # wx paths
   /usr/lib/wx/python/*.pth r,
+
+  # python build configuration and headers
+  /usr/include/python{2,3}.[0-7]*/pyconfig.h

profiles/apparmor.d/abstractions/winbind

@@ -13,7 +13,7 @@
   /tmp/.winbindd/pipe  rw,
   /var/{lib,run}/samba/winbindd_privileged/pipe rw,
   /etc/samba/smb.conf         r,
-  /usr/lib/samba/valid.dat    r,
-  /usr/lib/samba/upcase.dat   r,
-  /usr/lib/samba/lowcase.dat  r,
+  /usr/lib*/samba/valid.dat   r,
+  /usr/lib*/samba/upcase.dat  r,
+  /usr/lib*/samba/lowcase.dat r,
 

profiles/apparmor.d/usr.sbin.smbd

@@ -24,6 +24,7 @@
   /etc/printcap r,
   /proc/*/mounts r,
   /proc/sys/kernel/core_pattern r,
+  /usr/lib*/samba/vfs/*.so mr,
   /usr/sbin/smbd mr,
   /etc/samba/* rwk,
   /var/cache/samba/** rwk,

profiles/apparmor.d/usr.sbin.traceroute

@@ -18,6 +18,7 @@
   capability net_raw,
 
   network inet raw,
+  network inet6 raw,
 
   /usr/sbin/traceroute rmix,
   @{PROC}/net/route r,

utils/Immunix/AppArmor.pm

@@ -2860,6 +2860,7 @@ sub add_event_to_tree ($) {
     } elsif ($e->{operation} eq "open" ||
              $e->{operation} eq "truncate" ||
              $e->{operation} eq "mkdir" ||
+             $e->{operation} eq "mknod" ||
              $e->{operation} eq "rename_src" ||
              $e->{operation} eq "rename_dest" ||
              $e->{operation} =~ m/^(unlink|rmdir|symlink_create|link)$/) {

utils/Makefile

@@ -36,7 +36,7 @@ MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 MANPAGES = ${TOOLS:=.8} logprof.conf.5
 
 all: ${MANPAGES} ${HTMLMANPAGES}
-	make -C po all
+	$(MAKE) -C po all
 
 # need some better way of determining this
 DESTDIR=/
@@ -46,7 +46,7 @@ VENDOR_PERL=$(shell perl -e 'use Config; print $$Config{"vendorlib"};')
 PERLDIR=${DESTDIR}${VENDOR_PERL}/${MODDIR}
 
 po/${NAME}.pot: ${TOOLS}
-	make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES}"
+	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} ${MODULES}"
 
 .PHONY: install
 install: ${MANPAGES} ${HTMLMANPAGES}
@@ -57,8 +57,8 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 	install -m 755 ${TOOLS} ${BINDIR}
 	install -d ${PERLDIR}
 	install -m 644 ${MODULES} ${PERLDIR}
-	make -C po install DESTDIR=${DESTDIR} NAME=${NAME}
-	make install_manpages DESTDIR=${DESTDIR}
+	$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
+	$(MAKE) install_manpages DESTDIR=${DESTDIR}
 	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
 
 .PHONY: clean
@@ -66,7 +66,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
 clean: _clean
 	rm -f core core.* *.o *.s *.a *~
 	rm -f Make.rules
-	make -C po clean
+	$(MAKE) -C po clean
 
 check:
 	for i in ${MODULES} ${PERLTOOLS} ; do \

utils/aa-notify

@@ -151,7 +151,7 @@ if (-s $conf) {
     if (defined($prefs{use_group})) {
         my ($name, $passwd, $gid, $members) = getgrnam($prefs{use_group});
         if (not defined($members) or not defined($login) or (not grep { $_ eq $login } split(/ /, $members) and $login ne "root")) {
-            _error("'$login' must be in '$prefs{use_group}' group. Aborting");
+            _error("'$login' must be in '$prefs{use_group}' group. Aborting.\nAsk your admin to add you to this group or to change the group in\n$conf if you want to use aa-notify.");
         }
     }
 }