Bump release version to 2.8.5

The most important change is /proc/[0-9]*/cmdline to allow paranoid mode.


Acked-by: Seth Arnold <seth.arnold@canonical.com>

common/Version

@@ -1 +1 @@
-2.8.4
+2.8.5

libraries/libapparmor/src/Makefile.am

@@ -19,7 +19,7 @@ INCLUDES = $(all_includes)
 #    - set AA_LIB_AGE to 0.
 #
 AA_LIB_CURRENT = 1
-AA_LIB_REVISION = 6
+AA_LIB_REVISION = 7
 AA_LIB_AGE = 0
 
 SUFFIXES = .pc.in .pc

libraries/libapparmor/src/grammar.y

@@ -182,6 +182,10 @@ syslog_type:
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
+	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
+	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	;
 
 /* when audit dispatches a message it doesn't prepend the audit type string */

libraries/libapparmor/src/scanner.l

@@ -176,6 +176,7 @@ yy_flex_debug = 0;
 
 <audit_id>{
 	{digits}		{ yylval->t_str = strdup(yytext); return(TOK_AUDIT_DIGITS);}
+	{colon}{ws}		{ yy_pop_state(yyscanner); return(TOK_COLON); }
 	{colon}			{ return(TOK_COLON); }
 	{period}		{ return(TOK_PERIOD); }
 	{open_paren}		{ return(TOK_OPEN_PAREN); }

libraries/libapparmor/testsuite/test_multi/syslog_audit_01.in

@@ -0,0 +1 @@
+Sep  2 11:53:23 utopic-amd64 kernel: [182243.243324] audit: type=1400 audit(1409684003.960:273342): apparmor="DENIED" operation="mkdir" profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir" name="/tmp/sdtest.7283-14445-r31VAP/tmpdir/" pid=7314 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

libraries/libapparmor/testsuite/test_multi/syslog_audit_01.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/syslog_audit_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1409684003.960:273342
+Operation: mkdir
+Mask: c
+Denied Mask: c
+fsuid: 0
+ouid: 0
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/mkdir
+Name: /tmp/sdtest.7283-14445-r31VAP/tmpdir/
+Command: mkdir
+PID: 7314
+Epoch: 1409684003
+Audit subid: 273342

libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in

@@ -0,0 +1 @@
+Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out

@@ -0,0 +1,15 @@
+START
+File: test_multi/syslog_audit_02.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1417954745.397:82
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /home/simi/bin/aa-test
+Name: /usr/bin/
+Command: ls
+PID: 3231
+Epoch: 1417954745
+Audit subid: 82

profiles/apparmor.d/abstractions/X

@@ -19,6 +19,8 @@
   @{HOME}/.Xauthority           r,
   owner /{,var/}run/gdm{,3}/*/database r,
   owner /{,var/}run/lightdm/authority/[0-9]* r,
+  owner /{,var/}run/lightdm/*/xauthority r,
+  owner /{,var/}run/user/*/gdm/Xauthority r,
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/*           w,
@@ -32,9 +34,13 @@
   /usr/share/X11/**               r,
   /usr/X11R6/**.so*               mr,
 
+  # EGL
+  /usr/lib/@{multiarch}/egl/*.so* mr,
+
   # DRI
   /usr/lib{,32,64}/dri/**         mr,
   /usr/lib/@{multiarch}/dri/**    mr,
+  /usr/lib/fglrx/dri/**           mr,
   /dev/dri/**                     rw,
   /etc/drirc                      r,
   owner @{HOME}/.drirc            r,

profiles/apparmor.d/abstractions/aspell

@@ -8,4 +8,6 @@
   /usr/lib/aspell/ r,
   /usr/lib/aspell/* r,
   /usr/lib/aspell/*.so m,
+  /usr/share/aspell/ r,
+  /usr/share/aspell/* r,
   /var/lib/aspell/* r,

profiles/apparmor.d/abstractions/base

@@ -26,12 +26,14 @@
   /etc/locale/**                 r,
   /etc/locale.alias              r,
   /etc/localtime                 r,
+  /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,
   /usr/share/zoneinfo/           r,
   /usr/share/zoneinfo/**         r,
   /usr/share/X11/locale/**       r,
+  /{,var/}run/systemd/journal/dev-log w,
 
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
@@ -103,6 +105,9 @@
   # glibc malloc (man 5 proc)
   @{PROC}/sys/vm/overcommit_memory r,
 
+  # Allow determining the highest valid capability of the running kernel
+  @{PROC}/sys/kernel/cap_last_cap r,
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned

profiles/apparmor.d/abstractions/cups-client

@@ -12,7 +12,7 @@
   # discoverable system configuration for non-local cupsd
   /etc/cups/client.conf   r,
   # client should be able to talk the local cupsd
-  /{,var/}run/cups/cups.sock w,
+  /{,var/}run/cups/cups.sock rw,
   # client should be able to read user-specified cups configuration
   owner @{HOME}/.cups/client.conf r,
   owner @{HOME}/.cups/lpoptions r,

profiles/apparmor.d/abstractions/fonts

@@ -52,3 +52,6 @@
 
   # poppler CMap tables
   /usr/share/poppler/cMap/**            r,
+
+  # data files for LibThai
+  /usr/share/libthai/thbrk.tri          r,

profiles/apparmor.d/abstractions/freedesktop.org

@@ -11,6 +11,7 @@
 
   # system configuration
   /usr/share/applications/               r,
+  /usr/share/applications/defaults.list  r,
   /usr/share/applications/mimeinfo.cache r,
   /usr/share/applications/*.desktop      r,
   /usr/share/icons/               r,
@@ -30,6 +31,7 @@
   owner @{HOME}/.recently-used.xbel*    rw,
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
+  owner @{HOME}/.config/mimeapps.list   r,
   owner @{HOME}/.local/share/applications/               r,
   owner @{HOME}/.local/share/applications/*.desktop      r,
   owner @{HOME}/.local/share/applications/defaults.list  r,

profiles/apparmor.d/abstractions/nameservice

@@ -26,12 +26,21 @@
   /var/lib/extrausers/group  r,
   /var/lib/extrausers/passwd r,
 
+  # When using sssd, the passwd and group files are stored in an alternate path
+  # and the nss plugin also needs to talk to a pipe
+  /var/lib/sss/mc/group   r,
+  /var/lib/sss/mc/passwd  r,
+  /var/lib/sss/pipes/nss  rw,
+
   /etc/resolv.conf        r,
   # on systems using resolvconf, /etc/resolv.conf is a symlink to
   # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in
   # /etc/resolvconf/run/resolv.conf
   /{,var/}run/resolvconf/resolv.conf r,
   /etc/resolvconf/run/resolv.conf r,
+  # on systems using systemd's networkd, /etc/resolv.conf is a symlink to
+  # /run/systemd/resolve/resolv.conf
+  /{,var/}run/systemd/resolve/resolv.conf r,
 
   /etc/samba/lmhosts      r,
   /etc/services           r,
@@ -41,7 +50,7 @@
   # to vast speed increases when working with network-based lookups.
   /{,var/}run/.nscd_socket   rw,
   /{,var/}run/nscd/socket    rw,
-  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,host}    r,
+  /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts}    r,
   # nscd renames and unlinks files in it's operation that clients will
   # have open
   /{,var/}run/nscd/db*  rmix,

profiles/apparmor.d/abstractions/p11-kit

@@ -19,6 +19,9 @@
   /usr/share/p11-kit/modules/  r,
   /usr/share/p11-kit/modules/* r,
 
+  # gnome-keyring pkcs11 module
+  owner /{,var/}run/user/[0-9]*/keyring*/pkcs11 rw,
+
   # p11-kit also supports reading user configuration from ~/.pkcs11 depending
   # on how /etc/pkcs11/pkcs11.conf is configured. This should generally not be
   # included in this abstraction.

profiles/apparmor.d/abstractions/php5

@@ -11,8 +11,8 @@
 # ------------------------------------------------------------------
 
   # shared snippets for config files
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/ r,
-  /etc/php5/{conf.d,apache2,cli,fastcgi,cgi}/*.ini r,
+  /etc/php5/**/ r,
+  /etc/php5/**.ini r,
 
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
@@ -30,3 +30,6 @@
 
   # MySQL extension
   /usr/share/mysql/** r,
+
+  # Zend opcache
+  /tmp/.ZendSem.* rwlk,

profiles/apparmor.d/abstractions/samba

@@ -13,7 +13,7 @@
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
-  /var/lib/samba/**.tdb rwk,
+  /var/lib/samba/** rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,

profiles/apparmor.d/abstractions/ssl_certs

@@ -12,6 +12,10 @@
   /etc/ssl/ r,
   /etc/ssl/certs/ r,
   /etc/ssl/certs/* r,
+  /etc/pki/trust/ r,
+  /etc/pki/trust/* r,
+  /etc/pki/trust/anchors/ r,
+  /etc/pki/trust/anchors/** r,
   /usr/share/ca-certificates/ r,
   /usr/share/ca-certificates/** r,
   /usr/share/ssl/certs/ca-bundle.crt          r,
@@ -19,3 +23,7 @@
   /usr/local/share/ca-certificates/** r,
   /var/lib/ca-certificates/ r,
   /var/lib/ca-certificates/** r,
+
+  # acmetool
+  /var/lib/acme/certs/*/chain r,
+  /var/lib/acme/certs/*/cert r,

profiles/apparmor.d/abstractions/ssl_keys

@@ -16,3 +16,7 @@
   /etc/ssl/ r,
   /etc/ssl/** r,
 
+  # acmetool
+  /var/lib/acme/live/* r,
+  /var/lib/acme/certs/** r,
+  /var/lib/acme/keys/** r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/java

@@ -12,6 +12,8 @@
   /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> browser_java,
   /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> browser_java,
   /usr/lib/j2*-ibm/jre/bin/java cx -> browser_java,
+  owner /{,var/}run/user/*/icedteaplugin-*/   rw,
+  owner /{,var/}run/user/*/icedteaplugin-*/** rwk,
 
   # Profile for the supported OpenJDK in Ubuntu. This doesn't require the
   # unfortunate workarounds of the proprietary Javas, so have a separate

profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

@@ -55,3 +55,6 @@
 
   # Virus scanners
   /usr/bin/clamscan Cx -> sanitized_helper,
+
+  # gxine (LP: #1057642)
+  /var/lib/xine/gxine.desktop r,

profiles/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common

@@ -5,10 +5,10 @@
   #
   @{PROC}/[0-9]*/fd/ r,
   /usr/lib/** rm,
-  /bin/bash ixr,
-  /bin/dash ixr,
-  /bin/grep ixr,
-  /bin/sed ixr,
+  /{,usr/}bin/bash ixr,
+  /{,usr/}bin/dash ixr,
+  /{,usr/}bin/grep ixr,
+  /{,usr/}bin/sed ixr,
   /usr/bin/m4 ixr,
 
   # Since all the ubuntu-browsers.d abstractions need this, just include it

profiles/apparmor.d/abstractions/ubuntu-browsers.d/ubuntu-integration

@@ -33,3 +33,9 @@
   /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
   /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
   /etc/xdg/xfce4/helpers.rc r,
+
+  # unity webapps integration. Could go in its own abstraction
+  owner /run/user/*/dconf/user rw,
+  owner @{HOME}/.local/share/unity-webapps/availableapps*.db rwk,
+  /usr/bin/debconf-communicate Cxr -> sanitized_helper,
+  owner @{HOME}/.config/libaccounts-glib/accounts.db rk,

profiles/apparmor.d/abstractions/ubuntu-email

@@ -10,6 +10,8 @@
   /usr/bin/balsa Cx -> sanitized_helper,
   /usr/bin/claws-mail Cx -> sanitized_helper,
   /usr/bin/evolution Cx -> sanitized_helper,
+  /usr/bin/geary Cx -> sanitized_helper,
+  /usr/bin/gnome-gmail Cx -> sanitized_helper,
   /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail Cx -> sanitized_helper,
   /usr/bin/kmail Cx -> sanitized_helper,
   /usr/bin/mailody Cx -> sanitized_helper,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -33,6 +33,7 @@
 
 profile sanitized_helper {
   #include <abstractions/base>
+  #include <abstractions/X>
 
   # Allow all networking
   network inet,
@@ -53,11 +54,15 @@ profile sanitized_helper {
   # permissions for /usr/share, but for now just do this. (LP: #972367)
   /usr/share/software-center/* Pixr,
 
+  # Allow exec of texlive font build scripts (LP: #1010909)
+  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
+
   # While the chromium and chrome sandboxes are setuid root, they only link
   # in limited libraries so glibc's secure execution should be enough to not
   # require the santized_helper (ie, LD_PRELOAD will only use standard system
   # paths (man ld.so)).
   /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
+  /usr/lib/chromium-browser/chrome-sandbox PUxr,
   /opt/google/chrome/chrome-sandbox PUxr,
   /opt/google/chrome/google-chrome Pixr,
   /opt/google/chrome/chrome Pixr,

profiles/apparmor.d/abstractions/user-mail

@@ -1,6 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
+#    Copyright (C) 2014 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,8 +13,8 @@
   owner @{HOME}/[mM]ail/      r,
   owner @{HOME}/[mM]ail/**    rwl,
   owner @{HOME}/postponed*    rwl,
-  /var/spool/mail/      r,
-  /var/spool/mail/*     rwl,
+  /var/{,spool/}mail/         r,
+  /var/{,spool/}mail/*        rwl,
   owner @{HOME}/mbox.lock*    rwl,
   owner @{HOME}/mbox          rw,
   owner @{HOME}/inbox         rw,

profiles/apparmor.d/apache2.d/phpsysinfo

@@ -5,36 +5,44 @@
     #include <abstractions/apache2-common>
     #include <abstractions/base>
     #include <abstractions/nameservice>
+    #include <abstractions/php5>
     #include <abstractions/python>
 
-    /bin/dash ixr,
-    /bin/df ixr,
-    /bin/mount ixr,
-    /bin/uname ixr,
+    /{,usr/}bin/dash ixr,
+    /{,usr/}bin/df ixr,
+    /{,usr/}bin/mount ixr,
+    /{,usr/}bin/uname ixr,
     /dev/bus/usb/ r,
     /dev/bus/usb/** r,
     /etc/debian_version r,
     /etc/lsb-release r,
     /etc/mtab r,
     /etc/phpsysinfo/config.php r,
+    /etc/udev/udev.conf r,
     /proc/** r,
+    /sys/bus/ r,
     /sys/bus/pci/devices/ r,
+    /sys/bus/pci/slots/ r,
+    /sys/bus/pci/slots/** r,
+    /sys/bus/usb/devices/ r,
+    /sys/class/ r,
     /sys/devices/** r,
+    /usr/bin/ r,
     /usr/bin/apt-cache ixr,
     /usr/bin/dpkg-query ixr,
     /usr/bin/lsb_release ixr,
     /usr/bin/lspci ixr,
     /usr/bin/who ixr,
-    /usr/sbin/lsusb ixr,
+    /usr/{,s}bin/lsusb ixr,
     /usr/share/phpsysinfo/** r,
+    /var/lib/dpkg/arch r,
     /var/lib/dpkg/available r,
     /var/lib/dpkg/status r,
     /var/lib/dpkg/triggers/* r,
     /var/lib/dpkg/updates/ r,
-    /var/lib/misc/usb.ids r,
+    /var/lib/{misc,usbutils}/usb.ids r,
     /var/log/apache2/access.log w,
     /var/log/apache2/error.log w,
     /{,var/}run/utmp rk,
     /usr/share/misc/pci.ids r,
-
   }

profiles/apparmor.d/sbin.syslog-ng

@@ -20,6 +20,7 @@
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
   #include <abstractions/mysql>
+  #include <abstractions/openssl>
 
   capability chown,
   capability dac_override,
@@ -34,7 +35,10 @@
   /dev/syslog w,
   /dev/tty10 rw,
   /dev/xconsole rw,
+  /etc/machine-id r,
   /etc/syslog-ng/* r,
+  /etc/syslog-ng/conf.d/ r,
+  /etc/syslog-ng/conf.d/* r,
   @{PROC}/kmsg r,
   /etc/hosts.deny r,
   /etc/hosts.allow r,
@@ -47,6 +51,10 @@
   @{CHROOT_BASE}/var/log/** w,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
   @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
+  /{var,var/run,run}/log/journal/ r,
+  /{var,var/run,run}/log/journal/*/ r,
+  /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var/,}run/syslog-ng.ctl a,
   /{var/,}run/syslog-ng/additional-log-sockets.conf r,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.sbin.identd

@@ -23,7 +23,9 @@
   /usr/sbin/identd	   rmix,
   @{PROC}/net/tcp          r,
   @{PROC}/net/tcp6         r,
-  /{,var/}run/identd.pid      w,
+  /{,var/}run/identd.pid   w,
+  /{,var/}run/identd/           w,
+  /{,var/}run/identd/identd.pid w,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.identd>

profiles/apparmor.d/usr.sbin.nscd

@@ -34,9 +34,10 @@
   /{,var/}run/nscd/ rw,
   /{,var/}run/nscd/db* rwl,
   /{,var/}run/nscd/socket wl,
-  /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+  /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
   /{,var/}run/{nscd/,}nscd.pid rwl,
   /var/log/nscd.log rw,
+  @{PROC}/[0-9]*/cmdline r,
   @{PROC}/[0-9]*/fd/ r,
   @{PROC}/[0-9]*/fd/* r,
   @{PROC}/[0-9]*/maps r,

profiles/apparmor.d/usr.sbin.smbd

@@ -17,6 +17,7 @@
   capability net_bind_service,
   capability setgid,
   capability setuid,
+  capability sys_admin,  # needed to store ACLS in the security.NTACL namespace
   capability sys_resource,
   capability sys_tty_config,
 

profiles/apparmor.d/usr.sbin.smbldap-useradd

@@ -8,7 +8,7 @@
   #include <abstractions/perl>
 
   /dev/tty rw,
-  /bin/bash ix,
+  /{,usr/}bin/bash ix,
   /etc/init.d/nscd Cx,
   /etc/shadow r,
   /etc/smbldap-tools/smbldap.conf r,
@@ -26,9 +26,9 @@
 
     capability sys_ptrace,
 
-    /bin/bash r,
-    /bin/mountpoint rix,
-    /bin/systemctl rix,
+    /{,usr/}bin/bash r,
+    /{,usr/}bin/mountpoint rix,
+    /{,usr/}bin/systemctl rix,
     /dev/tty rw,
     /etc/init.d/nscd r,
     /etc/rc.status r,