Prepare for AppArmor 3.1.2 release

- update version file - update library version Signed-off-by: John Johansen <john.johansen@canonical.com>
Merge Hardcode and check the expected libapparmor.so name/number
2025-09-05 08:45:22 +00:00 · 2022-11-07 10:44:48 -08:00 · 2022-10-29 03:08:56 -07:00 · 2022-10-29 03:06:30 -07:00 · 2022-10-28 05:56:57 -07:00 · 2022-10-27 22:34:12 +00:00
18 changed files with 69 additions and 15 deletions
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-3.1.1
+3.1.2
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -30,9 +30,12 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
+# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
+
 AA_LIB_CURRENT = 13
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 1
 AA_LIB_AGE = 12
+EXPECTED_SO_NAME = libapparmor.so.1.12.1

 SUFFIXES = .pc.in .pc

@@ -81,4 +84,8 @@ tst_kernel_LDFLAGS = -pthread
 check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
 TESTS = $(check_PROGRAMS)

+.PHONY: check-local
+check-local:
+	test -f ./.libs/$(EXPECTED_SO_NAME) || { echo '*** unexpected .so name/number for libapparmor (expected $(EXPECTED_SO_NAME), the actual filename is shown below) ***' ; ls -l ./.libs/libapparmor.so.*.* ; exit 1; }
+
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -159,7 +159,9 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_NAMESPACE
 %token TOK_KEY_ERROR
 %token TOK_KEY_FSUID
+%token TOK_KEY_FSUID_UPPER
 %token TOK_KEY_OUID
+%token TOK_KEY_OUID_UPPER
 %token TOK_KEY_UID
 %token TOK_KEY_AUID
 %token TOK_KEY_SAUID
@@ -351,6 +353,10 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 	{ ret_record->fsuid = $3;}
 	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
 	{ ret_record->ouid = $3;}
+	| TOK_KEY_FSUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - fsuid username */
+	| TOK_KEY_OUID_UPPER TOK_EQUALS TOK_QUOTED_STRING
+	{ free($3);} /* Ignore - ouid username */
 	| TOK_KEY_SAUID TOK_EQUALS TOK_DIGITS
 	{ /* Ignore - Source audit ID from user AVC messages */ }
 	| TOK_KEY_HOSTNAME TOK_EQUALS safe_string
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -72,7 +72,7 @@ void string_buf_append(unsigned int length, char *text)

 %}

-ws		[ \t\r\n]
+ws		[ \t\r\n\x1d]

 equals		"="
 digit		[[:digit:]]
@@ -138,7 +138,9 @@ key_sock_type		"sock_type"
 key_protocol		"protocol"
 key_error		"error"
 key_fsuid		"fsuid"
+key_fsuid_upper		"FSUID"
 key_ouid		"ouid"
+key_ouid_upper		"OUID"
 key_uid			"uid"
 key_auid		"auid"
 key_sauid		"sauid"
@@ -324,7 +326,9 @@ yy_flex_debug = 0;
 {key_protocol}		{ return(TOK_KEY_PROTOCOL); }
 {key_error}		{ return(TOK_KEY_ERROR); }
 {key_fsuid}		{ return(TOK_KEY_FSUID); }
+{key_fsuid_upper}	{ return(TOK_KEY_FSUID_UPPER); }
 {key_ouid}		{ return(TOK_KEY_OUID); }
+{key_ouid_upper}	{ return(TOK_KEY_OUID_UPPER); }
 {key_uid}		{ return(TOK_KEY_UID); }
 {key_auid}		{ return(TOK_KEY_AUID); }
 {key_sauid}		{ return(TOK_KEY_SAUID); }
--- a/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.err
+++ b/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.err
--- a/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in
+++ b/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.in
@@ -0,0 +1 @@
+type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"
--- a/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out
+++ b/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.out
@@ -0,0 +1,15 @@
+START
+File: 0x1d-uppercase-FSUID-OUID.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1661734785.992:270
+Operation: open
+Mask: r
+Denied Mask: r
+fsuid: 1000
+ouid: 0
+Profile: /usr/bin/dolphin
+Name: /home/otis/.config/kdedefaults/kdeglobals
+Command: dolphin
+PID: 3483
+Epoch: 1661734785
+Audit subid: 270
--- a/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile
+++ b/libraries/libapparmor/testsuite/test_multi/0x1d-uppercase-FSUID-OUID.profile
@@ -0,0 +1,4 @@
+/usr/bin/dolphin {
+  /home/otis/.config/kdedefaults/kdeglobals r,
+
+}
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -386,11 +386,11 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
 	       elif [ -f /etc/debian_version ] ; then \
 	         echo debian ;\
 	       elif which rpm > /dev/null ; then \
-	         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
+	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
 	             echo suse ;\
-	         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
+	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
 	            echo rhel4 ;\
-	         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
+	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
 	            echo rhel4 ;\
 	         else \
 	            echo unknown ;\
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
 owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
 owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
 owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
+owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
 owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
 owner @{HOME}/.config/trashrc r, # Used by KFileWidget

 /usr/share/X11/XKeysymDB r,
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -25,9 +25,9 @@
  /var/log/samba/cores/** rw,
  /var/log/samba/* w,
  @{run}/{,lock/}samba/ w,
-  @{run}/{,lock/}samba/*.tdb rw,
-  @{run}/{,lock/}samba/msg.lock/ rwk,
-  @{run}/{,lock/}samba/msg.lock/[0-9]* rwk,
+  @{run}/{,lock/}samba/*.tdb rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+  @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
  /var/cache/samba/msg.lock/ rwk,
  /var/cache/samba/msg.lock/[0-9]* rwk,

--- a/profiles/apparmor.d/samba-bgqd
+++ b/profiles/apparmor.d/samba-bgqd
@@ -16,7 +16,8 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {

  @{run}/samba/samba-bgqd.pid wk,

-  /usr/lib*/samba/{,samba/}samba-bgqd m,
+  /usr/lib*/samba/{,samba/}samba-bgqd mr,
+  /var/cache/samba/printing/*.tdb rwk,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-bgqd>
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@@ -18,8 +18,9 @@ profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {

  @{run}/samba/samba-dcerpcd.pid wk,

-  /usr/lib*/samba/{,samba/}samba-dcerpcd m,
+  /usr/lib*/samba/{,samba/}samba-dcerpcd mr,

+  /usr/lib*/samba/ r,
  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
  /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
  /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
--- a/profiles/apparmor.d/samba-rpcd
+++ b/profiles/apparmor.d/samba-rpcd
@@ -15,7 +15,10 @@ include <tunables/global>

 profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
  include <abstractions/samba-rpcd>
-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
+  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+  @{run}/samba/ncalrpc/np/winreg wr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd>
 }
--- a/profiles/apparmor.d/samba-rpcd-classic
+++ b/profiles/apparmor.d/samba-rpcd-classic
@@ -17,7 +17,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
  include <abstractions/samba-rpcd>
  include <abstractions/wutmp>

-  /usr/lib*/samba/{,samba/}rpcd_classic m,
+  /usr/lib*/samba/{,samba/}rpcd_classic mr,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd-classic>
--- a/profiles/apparmor.d/samba-rpcd-spoolss
+++ b/profiles/apparmor.d/samba-rpcd-spoolss
@@ -16,8 +16,16 @@ include <tunables/global>
 profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
  include <abstractions/samba-rpcd>

-  /usr/lib*/samba/{,samba/}rpcd_spoolss m,
+  /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
  /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+  /var/cache/samba/printing/ w,
+  /var/cache/samba/printing/*.tdb rwk,
+  @{run}/samba/samba-bgqd.pid rk,
+
+  /dev/urandom rw,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/samba-rpcd-spoolss>
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  /{var,var/run,run}/log/journal/ r,
  /{var,var/run,run}/log/journal/*/ r,
  /{var,var/run,run}/log/journal/*/*.journal r,
+  /{var,var/run,run}/log/journal/*.journal r,
  @{run}/syslog-ng.ctl a,
  @{run}/syslog-ng/additional-log-sockets.conf r,

--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -1119,7 +1119,7 @@ def ask_the_questions(log_dict):
            else:
                sev_db.set_variables({})

-            if True:
+            if aa.get(profile):  # only continue/ask if the parent profile exists
                if not aa[profile].get(hat, {}).get('file'):
                    if aamode != 'merge':
                        # Ignore log events for a non-existing profile or child profile. Such events can occur
Author	SHA1	Message	Date
John Johansen	1fe80c0f85	Prepare for AppArmor 3.1.2 release - update version file - update library version Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-11-07 10:44:48 -08:00
John Johansen	8043dda3f6	Merge Hardcode and check the expected libapparmor.so name/number ... to prevent wrong/unexpected numbering (like https://gitlab.com/apparmor/apparmor/-/issues/266) in future releases. I propose this patch for master and 3.1. Backporting to 3.0 and 2.x might also make sense, but of course needs a different .so number. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/915 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `bed1471144`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-10-29 03:08:56 -07:00
John Johansen	e95080e140	Merge libapparmor: allow parsing of logs with 0x1d + uppercase items audit.log lines on Arch have an additional FSUID="username" OUID="username", separated from the previous part of the log line with 0x1d. Extend the log parsing to accept 0x1d as whitespace, and to recognize (and ignore) FSUID and OUID. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/271 Also add one of the log lines from #271 as test_multi test case. I propose this patch for 3.0..master. Closes #271 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/940 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `0d61139e2a`) Signed-off-by: John Johansen <john.johansen@canonical.com>	2022-10-29 03:06:30 -07:00
John Johansen	45125cedd3	Merge syslog-ng: allow reading .journal in flatter directory structure On openSUSE Leap 15.4 (and probably also 15.3), the journal lives in /var/log/journal/.journal - without an additional subdirectory level. I propose this patch for 2.13..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/932 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>	2022-10-28 05:56:57 -07:00
Christian Boltz	969a8f7618	Merge samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/ Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572 I propose this fix for 3.0..master. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/937 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `fab4b4e762`) `6920daea` samba-rpcd-spoolss: allow mkdir /var/cache/samba/printing/	2022-10-27 22:34:12 +00:00
Christian Boltz	770b8f1e88	Merge abstactions/kde: update for kwinrc, kdedefaults/* files GUI applications such as KDE dragon player, qTox, LibreOffice tries to access .config/kwinrc, .config/kdedefaults/kwinrc and .config/kdedefaults/kdeglobals. Update abstractions/kde to fix denials for applications running under KDE. Some examples: ``` type=AVC msg=audit(1666458796.112:5561): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666458796.204:5683): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/vincas/.config/kdedefaults/kwinrc" pid=43868 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1666462415.255:3640): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666462415.343:3641): apparmor="DENIED" operation="open" profile="kde-dragon-player" name="/home/vincas/.config/kdedefaults/kwinrc" pid=8344 comm="dragon" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1666459466.968:5852): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kdeglobals" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666459467.076:6057): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kdedefaults/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" type=AVC msg=audit(1666459467.076:6058): apparmor="DENIED" operation="open" profile="qtox" name="/home/vincas/.config/kwinrc" pid=44561 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="vincas" OUID="vincas" ``` MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/936 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `18d1b06b0c`) `d9dc0b61` abstactions/kde: update for kwinrc, kdedefaults/* files	2022-10-22 19:28:38 +00:00
Christian Boltz	3345250f72	Merge parser: fix DISTRO variable in Makefile A single '$()' results in variable expansion, which makes "$(rpm --eval ..)" always an empty string. Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/928 Approved-by: Christian Boltz <apparmor@cboltz.de> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `05d7bdd655`) `1df547ee` parser: fix DISTRO variable in Makefile	2022-10-07 19:54:08 +00:00
John Johansen	51cf0848c7	Merge profiles/apparmor.d: Update samba profile Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990692 Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/926 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit `e1cc90f3a2`) `96aff5a5` profiles/apparmor.d: Update samba profile	2022-10-01 10:20:32 +00:00
Christian Boltz	e0c0a6a6a5	Merge Prevent crash on log entries for non-existing profile If audit.log contains entries for a profile that doesn't exist (for example when working with a log file from another system), skip these log entries instead of crashing. Reproducer (crashes without this patch): aa-logprof -f <(echo 'type=AVC msg=audit(1661739121.578:77893): apparmor="DENIED" operation="open" profile="no_such_profile" name="/run/" pid=33099 comm="no" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0') I propose this patch for 3.1 and master. (3.0 and older are not affected and do not need this fix.) MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/919 Approved-by: Jon Tourville <jon.tourville@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de> (cherry picked from commit `f5594fbb7c`) `94c7c79c` Prevent crash on log entries for non-existing profile	2022-08-29 19:56:17 +00:00
@@ -1 +1 @@
 .1.1
 .1.2
				`@@ -0,0 +1 @@`
				`type=AVC msg=audit(1661734785.992:270): apparmor="ALLOWED" operation="open" profile="/usr/bin/dolphin" name="/home/otis/.config/kdedefaults/kdeglobals" pid=3483 comm="dolphin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0FSUID="otis" OUID="root"`