Abstractions should not generally include deny rules as this can unduly
constrain profiles which include them due to the precedent matching rules
between deny vs allow rules. Also as per the comment, this is not required
for exo-open to work, so simply omit it from the abstraction for
now. Finally, in Ubuntu, the evince profile includes the exo-open
abstraction and this deny rule causes evince to fail to initialise
correctly as it then assumes it cannot use gvfs.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/884
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit d7e3f33aa8)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This is a manual backport of
728dbde5e4 by Mark Grassi
For the records: the inconsistent return length was introduced when
splitting run_tests() into two functions in
500cbf89a7
The inverse character set lists the characters it doesn't match. If
the inverse character set contains an oob then that is NOT considered
a match. So length should be one.
However because of oobs are handle not containing an oob doesn't mean
there is a match either. Currently the only way to match an oob is
via a positive express (no inverse matches are possible).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/872
Signed-off-by: John Johansen <john.johansen@canonical.com>
I noticed that some apps return the following errors when launched:
```
kernel: audit: type=1400 audit(1651244478.255:5501): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1651244478.255:5502): apparmor="DENIED" operation="open" profile="some_app" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1877976 comm="some_app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
Blocking the files results in the following errors when the app is executed in a terminal:
```
MESA: error: Failed to query drm device.
libGL error: failed to create dri screen
libGL error: failed to load driver: crocus
MESA: error: Failed to query drm device.
libGL error: failed to create dri screen
libGL error: failed to load driver: crocus
```
Since they have something to do with MESA, I think the mesa abstraction should
be updated to fix the issue.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/879
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Without the change apparmor build fails on this week's gcc-13 snapshot as:
capability.h:66:6: error: variable or field '__debug_capabilities' declared void
66 | void __debug_capabilities(uint64_t capset, const char *name);
| ^~~~~~~~~~~~~~~~~~~~
capability.h:66:27: error: 'uint64_t' was not declared in this scope
66 | void __debug_capabilities(uint64_t capset, const char *name);
| ^~~~~~~~
capability.h:23:1: note: 'uint64_t' is defined in header '<cstdint>'; did you forget to '#include <cstdint>'?
22 | #include <linux/capability.h>
+++ |+#include <cstdint>
23 |
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/882
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The snap_browsers abstraction requires more permissions
due to updates on snaps.
Some of the permissions are not required in older versions of
Ubuntu that use 2.12 and 2.13, but are introduced for unification
and ease of maintenance purposes. These include:
```
all dbus permissions,
@{PROC}/sys/kernel/random/uuid r,
owner @{PROC}/@{pid}/cgroup r,
/var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
```
I also propose a cherry-pick of this commit to 2.12, 2.13 and 3.0
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/877
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit bfa67b369d)
Signed-off-by: John Johansen <john.johansen@canonical.com>
samba-4.16 has a completely new dcerpc subsystem, services that
used to be built into the smbd daemon itself (and deployed in forked
instances) are now hosted in standalone binaries. The following new
binaries now need new profiles
rpcd_classic
rpcd_epmapper
rpcd_fsrvp
rpcd_lsad
rpcd_mdssvc
rpcd_rpcecho
rpcd_spoolss
rpcd_winreg
samba-dcerpcd
Additionally smbd & winbindd need new entries because the exec
samba-dcerpcd
Signed-off-by: Noel Power <noel.power@suse.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/871
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 3d27977b1c)
c785bcbe profiles/apparmor.d: Add new profiles needed for samba-4.16
systemd will attempt to force socket buffer size using setsockopt
and param SO_SNDBUFFORCE (which require net_admin cap) if it's previous
attempt to set size was clipped by kernel limit.
- Silence 'type=AVC msg=audit(1648725005.727:201): apparmor="DENIED" operation="capable" profile="smbd" pid=3054 comm="smbd" capability=12 capname="net_admin"'
type entries.
Signed-off-by: Noel Power <noel.power@suse.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/867
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 4537a5014b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
similar to commit 2f9d172c64
we discovered that there was a service outage
when dovecot tried to send a usr1 signal
type=AVC msg=audit(1648024138.249:184964): apparmor="DENIED" operation="signal" profile="dovecot" pid=1690 comm="dovecot" requested_mask="send" denied_mask="send" signal=usr1 peer="dovecot-imap-login"
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/865
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 83685ba703)
f0919f83 Allow dovecot to use all signals
- add pki/blacklist and pki/blocklist
- add /usr/share/pki/ in adddition to /etc/pki/
pki/blocklist was suggested by @darix, the other changes are things I noticed while adding it.
I propose this patch for 3.0 and master. (`abstractions/ssl_certs` on 2.x branches is quite different and needs a manual backport (or more cherry-picks) if you want to backport this MR.)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/864
Approved-by: Jon Tourville <jon.tourville@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit ff9e457189)
32cd90eb abstractions/ssh_certs: extend pki/trust directories
Whenever the evince deb package tries to open a snap browser which was
selected as the default, we get the following denial:
audit[2110]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/evince" name="/usr/bin/snap" pid=2110 comm="env" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
As a short-term solution, we are adding a snap-browsers profile
which restricts what snaps opened by evince can do.
The long-term solution is currently not available, but could be
accomplished by using enhanced environment variable filtering/mediation
and delegation of open fds.
Bug: https://launchpad.net/bugs/1794064
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
(cherry picked from commit fb3283f37e)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/863
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.
Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0
Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```
After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```
And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
(cherry picked from commit 5053a01d84)
This backports the fix in `aa-remove-unknown` from !836, but doesn't backport the cleanup in `rc.apparmor.functions`.
I propose this patch for 3.0 and all 2.x branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/859
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
If apparmor_parser -N (in profiles_names_list()) fails,
aa-remove-unknown possibly gets an incomplete list of profiles in
/etc/apparmor.d/ and therefore might remove more profiles than it
should.
Replace the profiles_names_list() call with a direct apparmor_parser
call, and abort aa-remove-unknown if it exits with $? != 0
Before:
```
aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d/broken in profile /etc/apparmor.d/broken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
Would remove 'delete_me'
```
After:
```
./aa-remove-unknown -n
AppArmor parser error for /etc/apparmor.d in profile /etc/apparmor.d/zbroken at line 1: syntax error, unexpected TOK_ID, expecting TOK_OPEN
apparmor_parser exited with failure, aborting.
```
And of course, after fixing the broken profile:
```
./aa-remove-unknown -n
Would remove 'delete_me'
```
(cherry picked from commit 5053a01d84)
libapparmor: fix handling of failed symlink traversal, fixed a couple
of directory walk issues that could cause failures. The test included
in this commit was supposed to be included in the previous commit,
but was accidentally dropped. Even worse the make file changes did
make it causing the previous commit to break the CI.
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/85
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit bd78b6b292)
Today, a normal user connected and did something (dunno what) that caused smbd to try to `/usr/share/samba/mdssvc/elasticsearch_mappings.json`:
Samba logs:
```
root@smb:~# journalctl -b0 -u smbd
-- Logs begin at Fri 2022-01-21 14:17:01 UTC, end at Thu 2022-02-17 23:56:02 UTC. --
Feb 17 14:01:20 smb systemd[1]: Starting Samba SMB Daemon...
Feb 17 14:01:26 smb smbd[113]: [2022/02/17 14:01:26.904865, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
Feb 17 14:01:26 smb systemd[1]: Started Samba SMB Daemon.
Feb 17 14:01:26 smb smbd[113]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 17 21:05:35 smb smbd[3084]: pam_unix(samba:session): session opened for user jdoe by (uid=0)
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735182, 0] ../../source3/rpc_server/mdssvc/mdssvc_es.c:92(mdssvc_es_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_es_init: Opening mapping file [/usr/share/samba/mdssvc/elasticsearch_mappings.json] failed: unable to open /usr/share/samba/mdssvc/elasticsearch_mappings.json: Permission denied
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735436, 0] ../../source3/rpc_server/mdssvc/mdssvc.c:1490(mdssvc_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_init: backend init failed
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735562, 0] ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:152(_mdssvc_open)
Feb 17 21:05:37 smb smbd[3084]: _mdssvc_open: Couldn't create policy handle for partage
Feb 17 23:56:02 smb smbd[3084]: pam_unix(samba:session): session closed for user jdoe
```
Since the 'smb' machine is a container, the Apparmor denial ended up in the host's log:
```
$ journalctl -o cat --grep samba -k --since today | cat
audit: type=1400 audit(1645131937.730:98): apparmor="DENIED" operation="open" namespace="root//lxd-smb_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/share/samba/mdssvc/elasticsearch_mappings.json" pid=35359 comm="smbd" requested_mask="r" denied_mask="r" fsuid=166549 ouid=165536
```
It is the first time it occurs in years of use but it seems legitimate as:
1) this file is installed by the package
2) `git grep -F elasticsearch_mappings` in Debian samba's source shows many hits:
```
$ git grep -F elasticsearch_mappings
debian/samba.install:usr/share/samba/mdssvc/elasticsearch_mappings.json
docs-xml/manpages/mdsearch.1.xml: <filename>/usr/share/samba/mdssvc/elasticsearch_mappings.json</filename>
docs-xml/smbdotconf/misc/elasticsearchmappings.xml: <value type="default">&pathconfig.SAMBA_DATADIR;/elasticsearch_mappings.json</value>
docs/manpages/mdfind.1:/usr/share/samba/mdssvc/elasticsearch_mappings\&.json
docs/manpages/smb.conf.5:\fI\fIelasticsearch:mappings\fR\fR\fI = \fR\fI${prefix}/var/samba/elasticsearch_mappings\&.json\fR\fI \fR
selftest/selftest.pl: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
selftest/target/Samba3.pm: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
source3/rpc_server/mdssvc/es_parser_test.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/mdssvc/mdssvc_es.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/wscript_build: 'mdssvc/elasticsearch_mappings.json')
```
While only the `mdssvc` sub-dir could be authorized, the whole dir content seemed OK for read access anyway:
```
root@smb:~# ll /usr/share/samba/
total 53
drwxr-xr-x 5 root root 10 Feb 1 14:08 ./
drwxr-xr-x 67 root root 67 Jun 22 2021 ../
-rwxr-xr-x 1 root root 1163 Jan 31 13:11 addshare.py*
drwxr-xr-x 3 root root 4 Feb 1 14:08 admx/
drwxr-xr-x 2 root root 3 Feb 1 14:08 mdssvc/
-rwxr-xr-x 1 root root 2059 Jan 31 13:11 panic-action*
-rwxr-xr-x 1 root root 1333 Jan 31 13:11 setoption.py*
drwxr-xr-x 5 root root 57 Feb 1 14:08 setup/
-rw-r--r-- 1 root root 8942 Jan 31 13:11 smb.conf
-rwxr-xr-x 1 root root 2682 Jan 31 13:11 update-apparmor-samba-profile*
```
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/853
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 6e5fdb5c05)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Update apache2-common so that other processes can trace the hats that include this file. The main `usr.sbin.apache2` profile includes `abstractions/base` which has these lines in it, which is why `ss -tnlp` sometimes fails and sometimes works.
See also: [Debian Bug #1003153](https://bugs.debian.org/1003153) for more details about how this occurs.
Fixes: https://bugs.debian.org/1003153
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/852
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 6fa2d528e9)
071935b9 Update apache2-common so that other processes can trace the hats that include...
In 73e124d4fb I've upstreamed the `is_container_with_internal_policy()` function, but so far it was not used anywhere upstream. This is the missing bit.
I could trace the history of that patch back to 2012 (2.7.102-0ubuntu3):
* debian/apparmor.init: do nothing in a container. This can be
removed once stacked profiles are supported and used by lxc.
(LP: #978297)
Context: I lack both knowledge and motivation to keep maintaining this as part of the Debian delta. I'd rather see upstream, and in particular folks more knowledgeable than me about LXC/LXD, or with external motivation factors to work on this part of the stack, take care of it.
Note: Debian has similar code in its [sysvinit script](https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/master/debian/apparmor.init). I'm not touching that one.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/840
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 5a41024bbe)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This allows distributions to start aa-notify automatically, should they wish so, by installing that file in a suitable location, such as `/etc/xdg/autostart`.
This file was introduced in Ubuntu 2.8.95~2430-0ubuntu3 package in 2014, replacing the `/etc/X11/Xsession.d` snippet that Ubuntu had added in 2010.
I'd like to stop having to care about this file as part of the Debian delta and to enable greater collaboration.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/839
Acked-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 046442741f)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
