mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00
Code Issues Releases Wiki Activity

Compare commits

base: mir:v3.0.10
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1
...
compare: mir:v3.0.12
Branches Tags
mir:master mir:apparmor-4.0 mir:apparmor-4.1 mir:apparmor-3.1 mir:apparmor-3.0 mir:apparmor-2.13 mir:fix-priority2 mir:apparmor-2.12 mir:apparmor-2.11 mir:fix-dirtest mir:check-if-systemd-detect-virt-is-present mir:250-what-is-the-minimum-kernel-version-required-for-apparmor-3 mir:160-the-trash-abstraction mir:apparmor-2.10 mir:cherry-pick-d257afd3 mir:cherry-pick-d4296d21 mir:apparmor-2.9 mir:apparmor-2.8 mir:apparmor-2.7 mir:apparmor-2.6 mir:apparmor-2.5 mir:apparmor-2.3 mir:apparmor-2.1
mir:v5.0.0-alpha1 mir:v4.1.1 mir:v4.1.0 mir:v4.1.0-cherry-pick-point mir:v4.1.0-beta5 mir:v4.1.0-beta4 mir:v4.1.0-beta3 mir:v4.1.0-beta2 mir:v4.1.0-beta1 mir:v4.0.3 mir:v4.0.2 mir:v4.0.1 mir:v4.0.0 mir:v4.0.0-beta4 mir:v4.0.0-beta3 mir:v4.0.0-beta2 mir:v4.0.0-beta1 mir:v2.13.11 mir:v3.0.13 mir:v3.1.7 mir:v4.0.0-alpha4 mir:v4.0.0-alpha3 mir:v4.0.0-alpha2 mir:v4.0.0-alpha1 mir:v2.13.10 mir:v3.0.12 mir:v3.1.6 mir:v3.1.5 mir:v3.0.11 mir:v2.13.9 mir:v2.13.8 mir:v3.0.10 mir:v3.1.4 mir:v3.0.9 mir:v3.1.3 mir:v3.0.8 mir:v2.13.7 mir:v2.12.4 mir:v3.1.2 mir:v3.1.1 mir:v3.1.0 mir:v3.0.7 mir:v3.0.6 mir:v3.0.5 mir:v3.0.4 mir:v3.0.3 mir:v3.0.2 mir:v2.10.6 mir:v2.13.6 mir:v3.0.1 mir:v2.13.5 mir:v3.0.0 mir:v2.13.4 mir:v2.10.5 mir:v2.11.3 mir:v2.12.3 mir:v2.13.3 mir:v2.10.4 mir:v2.11.2 mir:v2.12.2 mir:v2.13.2 mir:v2.12.1 mir:v2.13.1 mir:v2.13 mir:v2.12 mir:git-conversion mir:v2.11.95 mir:v2.11.1 mir:v2.10.3 mir:v2.9.5 mir:v2.8.5 mir:v2.11-branchpoint mir:v2.11.0 mir:v2.10.2 mir:v2.9.4 mir:v2.10.1 mir:v2.9.3 mir:v2.10.95 mir:v2.10-branchpoint mir:v2.10 mir:v2.9.2 mir:v2.9.1 mir:v2.9.0 mir:v2.8.98 mir:v2.9-beta4 mir:v2.8.4 mir:v2.9-beta3 mir:v2.8.97 mir:v2.9-beta2 mir:v2.8.95 mir:v2.8.3 mir:v2.8.2 mir:v2.8.1 mir:v2.8.0 mir:v2.8-beta5 mir:v2.8-beta4 mir:v2.8-beta3 mir:v2.8-beta2 mir:v2.7.99 mir:v2.7.1 mir:v2.7.0 mir:v2.7.0-rc2 mir:v2.7.0-rc1 mir:v2.7.0-beta2 mir:v2.7.0-beta1 mir:v2.6.1 mir:v2.6.1-rc1 mir:v2.6-branchpoint mir:v2.5.2 mir:v2.6.0 mir:v2.6.0-rc1 mir:v2.5.2-rc1 mir:v2.5.1

13 Commits
v3.0.10 ... v3.0.12

Author SHA1 Message Date
John Johansen
bc27a33d3e Prepare for AppArmor 3.0.12 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-21 14:11:59 -07:00
John Johansen
a61f2802cb Merge fix mount regression in 3.1.5 
Mount has regressed in two ways. That are affecting snapd confinement,
since landing the mount fixes for CVE-2016-1585 in 3.1.4 and the fix
for the mount ch ange type regression in 3.1.5

    Bug Reports:

    https://bugs.launchpad.net/apparmor/+bug/2023814

    https://bugzilla.opensuse.org/show_bug.cgi?id=1211989

Issue 1: Denial of Mount
    ```
    [ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"
    ```

    when the profile contains a rule that should match
    ```
    mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",
    ```

Issue 2: change_type failure.

Denial of Mount in log
    ```
    type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"
    ...
    ```

snapd error
    ```
    - Run configure hook of "chromium" snap if present (run hook "configure":
    -----
    update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
    update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
    update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
    cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
    snap-update-ns failed with code 1
    ```

and NO mount rules in the profiles.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
 2023-06-21 01:21:02 -07:00
John Johansen
b85046648b parser: fix rule flag generation change_mount type rules 
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like

  mount slave /snap/bin/** -> /**,

  mount /snap/bin/** -> /**,

would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.

1. If kernel mount flags were present on the rule. The error would
   be caught causing an error to be returned, causing profile compilation
   to fail.

2. If the rule did not contain explicit flags then rule would generate
   change_mount_type permissions based on souly the mount point. And
   the implied set of flags. However this is incorrect as it should
   not generate change_mount permissions for this type of rule. Not
   only does it ignore the source/device type condition but it
   generates permissions that were never intended.

   When used in combination with a deny prefix this overly broad
   rule can result in almost all mount rules being denied, as the
   denial takes priority over the allow mount rules.

Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-21 01:20:34 -07:00
John Johansen
0c52805b3d parser: Deprecation warning should not have been backported 
Outputing the deprecation warning is a change in behavior that is not
a bug fix.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit ca7f79174e)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-21 01:20:19 -07:00
John Johansen
d6db84b120 Merge abstractions/base: Add transparent hugepage support 
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun  8 21:09:38 testvm kernel: [   54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ad3750058d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-09 01:48:45 -07:00
John Johansen
419541d5c8 Merge abstractions/authentication: Add GSSAPI mechanism modules config 
Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun  8 21:09:37 testvm kernel: [   54.770501] audit: type=1400 audit(1686272977.933:67): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/gss/mech.d/" pid=1036 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
([Reference](https://web.mit.edu/kerberos/krb5-1.21/doc/admin/host_config.html#gssapi-mechanism-modules) for  GSSAPI mechanism modules)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1049
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit b41fcdce16)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-09 01:48:39 -07:00
John Johansen
26f1776094 Prepare for AppArmor 3.0.11 release 
- update version file

Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 23:34:08 -07:00
John Johansen
be6a31c327 Merge profiles: allow reading of /etc/ld-musl-*.path 
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.

type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Closes #333

Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>

Closes #333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

(cherry picked from commit 6e0d776f65)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 19:00:59 -07:00
John Johansen
a8fc656db2 Merge parser: fix parsing of source as mount point for propagation type flags 
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.

This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.

The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).

Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025

It should be backported to versions 2.13, 3.0, 3.1.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 1e0d7bcbb7)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-08 18:55:14 -07:00
John Johansen
fa85a532a8 Merge [3.0, 3.1] Fix invalid aa-status --json 
The previous patch changed the final  }}  to  }  - which is correct in
master, but breaks the code in the 3.x branches.

I propose this patch for 3.0 and 3.1.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1046
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit f34d60b1e8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-06-06 14:43:29 -07:00
Georgia Garcia
72c3aa5378 Merge profiles: add lock file permission to snap browsers 
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening

audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0

This MR should be cherry-picked into 2.13, 3.0, 3.1

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>


(cherry picked from commit a00ece5b6e)

daec4bc8 profiles: add lock file permission to snap browsers
 2023-06-06 11:15:34 +00:00
John Johansen
2b980348a6 Merge Fix use-after-free of 'name' in parser_regex.c 
'name' gets used in the error message. Make sure it only gets freed
afterwards.

This bug was introduced in be0d2fa947 /
https://gitlab.com/apparmor/apparmor/-/merge_requests/727

Fixes coverity CID 254465:  Memory - illegal accesses  (USE_AFTER_FREE)

I propose this fix for 3.0..master.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1040
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 8d6358fa6d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-05-30 13:03:06 -07:00
John Johansen
3bba4eeb20 Merge Fix order of if conditions to avoid unreachable code 
If `else if (preprocess_only)` is true, the more strict condition
`else if (!include_file && preprocess_only)` won't be reached if it gets
checked after the shorter condition.

Exchange the two sections so that both code paths can be reached.

Fixes coverity CID 312499:  Control flow issues  (DEADCODE)

This was probably introduced in 7dcf013bca / https://gitlab.com/apparmor/apparmor/-/merge_requests/743 which means we'll need to backport this fix to 3.0 and 3.1.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1039
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit dc8cbebdef)
Signed-off-by: John Johansen <john.johansen@canonical.com>
 2023-05-29 15:30:55 -07:00
36 changed files with 288 additions and 12 deletions
Expand all files Collapse all files

2
binutils/aa_status.c
View File

@@ -548,7 +548,7 @@ static int detailed_output(FILE *json) {
if (need_finish > 0) {
fprintf(json, "]");
}
fprintf(json, "}\n");
fprintf(json, "}}\n");
}
exit:

2
common/Version
View File

@@ -1 +1 @@
3.0.10
3.0.12

23
parser/mount.cc
View File

@@ -819,15 +819,28 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
std::string optsbuf;
char class_mount_hdr[64];
const char *vec[5];
char *mountpoint = mnt_point;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
/* change type base rules can not be conditional on device,
* device type or data
/* change type base rules can specify the mount point by using
* the parser token position reserved to device. that's why if
* the mount point is not specified, we use device in its
* place. this is a deprecated behavior.
*
* change type base rules can not be conditional on device
* (source), device type or data
*/
/* rule class single byte header */
mntbuf.assign(class_mount_hdr);
if (!convert_entry(mntbuf, mnt_point))
if (flags && flags != MS_ALL_FLAGS && device && mnt_point) {
PERROR("source and mount point cannot be used at the "
"same time for propagation type flags");
goto fail;
} else if (device && !mnt_point) {
mountpoint = device;
}
if (!convert_entry(mntbuf, mountpoint))
goto fail;
vec[0] = mntbuf.c_str();
/* skip device and type */
@@ -969,7 +982,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
if (!dev_type && !opts &&
gen_policy_bind_mount(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR;
if (!device && !dev_type && !opts &&
if ((!device || !mnt_point) && !dev_type && !opts &&
gen_policy_change_mount_type(prof, count, flags, opt_flags) == RULE_ERROR)
return RULE_ERROR;
if (!dev_type && !opts &&
@@ -985,7 +998,7 @@ int mnt_rule::gen_flag_rules(Profile &prof, int &count, unsigned int flags,
return gen_policy_bind_mount(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) &&
(flags & (MS_MAKE_CMDS))
&& !device && !dev_type && !opts) {
&& (!device || !mnt_point) && !dev_type && !opts) {
return gen_policy_change_mount_type(prof, count, flags, opt_flags);
} else if ((allow & AA_MAY_MOUNT) && (flags & MS_MOVE)
&& !dev_type && !opts) {

4
parser/parser_lex.l
View File

@@ -167,10 +167,10 @@ void include_filename(char *filename, int search, bool if_exists)
include_file = search_path(filename, &fullpath, &cached);
if (!include_file && cached) {
goto skip;
} else if (preprocess_only) {
fprintf(yyout, "\n\n##included <%s>\n", filename);
} else if (!include_file && preprocess_only) {
fprintf(yyout, "\n\n##failed include <%s>\n", filename);
} else if (preprocess_only) {
fprintf(yyout, "\n\n##included <%s>\n", filename);
}
} else if (g_includecache->find(filename)) {

11
parser/parser_regex.c
View File

@@ -486,13 +486,18 @@ static int process_profile_name_xmatch(Profile *prof)
&prof->xmatch_len);
if (ptype == ePatternBasic)
prof->xmatch_len = strlen(name);
if (!prof->attachment)
free(name);
if (ptype == ePatternInvalid) {
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
if (!prof->attachment)
free(name);
return FALSE;
} else if (ptype == ePatternBasic && !(prof->altnames || prof->attachment || prof->xattrs.list)) {
}
if (!prof->attachment)
free(name);
if (ptype == ePatternBasic && !(prof->altnames || prof->attachment || prof->xattrs.list)) {
/* no regex so do not set xmatch */
prof->xmatch = NULL;
prof->xmatch_len = 0;

10
parser/tst/equality.sh
View File

@@ -643,6 +643,16 @@ verify_binary_equality "attachment slash filtering" \
@{FOO}=/foo
/t @{BAR}/@{FOO} { }"
# This can potentially fail as ideally it requires a better dfa comparison
# routine as it can generates hormomorphic dfas. The enumeration of the
# dfas dumped will be different, even if the binary is the same
# Note: this test in the future will require -O filter-deny and
# -O minimize and -O remove-unreachable.
verify_binary_equality "mount specific deny doesn't affect non-overlapping" \
"/t { mount options=bind /e/ -> /**, }" \
"/t { audit deny mount /s/** -> /**,
mount options=bind /e/ -> /**, }"
if [ $fails -ne 0 ] || [ $errors -ne 0 ]
then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1

6
parser/tst/simple_tests/mount/bad_opt_32.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(slave) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_35.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rslave) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_36.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(unbindable) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_37.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(runbindable) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_38.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(private) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_39.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rprivate) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_40.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(shared) /snap/bin/** -> /**,
}

6
parser/tst/simple_tests/mount/bad_opt_41.sd Normal file
View File

@@ -0,0 +1,6 @@
#
#=Description test we fail make rules with source and mntpnt associated with MR 1054
#=EXRESULT FAIL
/usr/bin/foo {
mount options=(rshared) /snap/bin/** -> /**,
}

10
parser/tst/simple_tests/mount/ok_opt_68.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=unbindable /1,
mount options=(unbindable) /2,
mount options=(rw,unbindable) /3,
mount options in (unbindable) /4,
mount options in (ro,unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_69.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=runbindable /1,
mount options=(runbindable) /2,
mount options=(rw,runbindable) /3,
mount options in (runbindable) /4,
mount options in (ro,runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_70.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rprivate /1,
mount options=(rprivate) /2,
mount options=(rw,rprivate) /3,
mount options in (rprivate) /4,
mount options in (ro,rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_71.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=private /1,
mount options=(private) /2,
mount options=(rw,private) /3,
mount options in (private) /4,
mount options in (ro,private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_72.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=slave /1,
mount options=(slave) /2,
mount options=(rw,slave) /3,
mount options in (slave) /4,
mount options in (ro,slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_73.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rslave /1,
mount options=(rslave) /2,
mount options=(rw,rslave) /3,
mount options in (rslave) /4,
mount options in (ro,rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_74.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=shared /1,
mount options=(shared) /2,
mount options=(rw,shared) /3,
mount options in (shared) /4,
mount options in (ro,shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_75.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=rshared /1,
mount options=(rshared) /2,
mount options=(rw,rshared) /3,
mount options in (rshared) /4,
mount options in (ro,rshared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_76.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-unbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-unbindable /1,
mount options=(make-unbindable) /2,
mount options=(rw,make-unbindable) /3,
mount options in (make-unbindable) /4,
mount options in (ro,make-unbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_77.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-runbindable" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-runbindable /1,
mount options=(make-runbindable) /2,
mount options=(rw,make-runbindable) /3,
mount options in (make-runbindable) /4,
mount options in (ro,make-runbindable) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_78.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-private" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-private /1,
mount options=(make-private) /2,
mount options=(rw,make-private) /3,
mount options in (make-private) /4,
mount options in (ro,make-private) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_79.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rprivate" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rprivate /1,
mount options=(make-rprivate) /2,
mount options=(rw,make-rprivate) /3,
mount options in (make-rprivate) /4,
mount options in (ro,make-rprivate) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_80.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-slave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-slave /1,
mount options=(make-slave) /2,
mount options=(rw,make-slave) /3,
mount options in (make-slave) /4,
mount options in (ro,make-slave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_81.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-shared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-shared /1,
mount options=(make-shared) /2,
mount options=(rw,make-shared) /3,
mount options in (make-shared) /4,
mount options in (ro,make-shared) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_82.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rslave" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rslave /1,
mount options=(make-rslave) /2,
mount options=(rw,make-rslave) /3,
mount options in (make-rslave) /4,
mount options in (ro,make-rslave) /5,
}

10
parser/tst/simple_tests/mount/ok_opt_83.sd Normal file
View File

@@ -0,0 +1,10 @@
#
#=Description basic rules to test the "make-rshared" mount option passing mount point as source (should emit a deprecation warning)
#=EXRESULT PASS
/usr/bin/foo {
mount options=make-rshared /1,
mount options=(make-rshared) /2,
mount options=(rw,make-rshared) /3,
mount options in (make-rshared) /4,
mount options in (ro,make-rshared) /5,
}

8
parser/tst/simple_tests/mount/ok_opt_84.sd Normal file
View File

@@ -0,0 +1,8 @@
#
#=Description test we can parse rules associated with MR 1054
#=EXRESULT PASS
/usr/bin/foo {
mount options=(slave) /**,
mount options=(slave) -> /**,
mount /snap/bin/** -> /**,
}

5
profiles/apparmor.d/abstractions/authentication
View File

@@ -31,6 +31,11 @@
/{usr/,}lib/@{multiarch}/security/pam_*.so mr,
/{usr/,}lib/@{multiarch}/security/ r,
# gssapi
@{etc_ro}/gss/mech r,
@{etc_ro}/gss/mech.d/ r,
@{etc_ro}/gss/mech.d/*.conf r,
# kerberos
include <abstractions/kerberosclient>
# SuSE's pwdutils are different:

4
profiles/apparmor.d/abstractions/base
View File

@@ -62,6 +62,7 @@
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
/{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
@@ -103,6 +104,9 @@
@{sys}/devices/system/cpu/online r,
@{sys}/devices/system/cpu/possible r,
# transparent hugepage support
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,

1
profiles/apparmor.d/abstractions/snap_browsers
View File

@@ -38,5 +38,6 @@ profile snap_browsers {
/snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
/var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
# add other browsers here
}

14
tests/regression/apparmor/mount.sh
View File

@@ -218,6 +218,10 @@ test_propagation_options() {
runchecktest "MOUNT (confined cap mount propagation setup $1)" pass mount ${loop_device} ${mount_point}
genprofile cap:sys_admin "mount:options=($1)"
runchecktest "MOUNT (confined cap mount propagation $1)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):-> ${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 mountpoint)" pass mount none ${mount_point} -o $1
genprofile cap:sys_admin "mount:options=($1):${mount_point}/"
runchecktest "MOUNT (confined cap mount propagation $1 source as mountpoint - deprecated)" pass mount none ${mount_point} -o $1
remove_mnt
genprofile cap:sys_admin "mount:ALL" "qual=deny:mount:options=($1)"
@@ -394,6 +398,16 @@ else
runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
remove_mnt
# MR:https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
# https://bugs.launchpad.net/apparmor/+bug/2023814
# https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
# based on rules from profile in bug that triggered issue
genprofile cap:sys_admin "qual=deny:mount:/snap/bin/:-> /**" \
"mount:options=(rw,bind):-> ${mount_point}/"
runchecktest "MOUNT (confined cap bind mount with deny mount that doesn't overlap)" pass mount ${mount_point2} ${mount_point} -o bind
remove_mnt
test_options
fi

8
utils/test/test-parser-simple-tests.py
View File

@@ -111,6 +111,14 @@ exception_not_raised = [
'mount/bad_opt_29.sd',
'mount/bad_opt_30.sd',
'mount/bad_opt_31.sd',
'mount/bad_opt_32.sd',
'mount/bad_opt_35.sd',
'mount/bad_opt_36.sd',
'mount/bad_opt_37.sd',
'mount/bad_opt_38.sd',
'mount/bad_opt_39.sd',
'mount/bad_opt_40.sd',
'mount/bad_opt_41.sd',
'profile/flags/flags_bad10.sd',
'profile/flags/flags_bad11.sd',
'profile/flags/flags_bad12.sd',